# gooddata-platform
b
Hello GoodPeople of GoodData 👋 I have a problem with PGP SSO login. TL;DR: the error message is `Cannot decrypt SSO message from sso provider=test.provider. Invalid sessionId`. Unfortunately, I can't find anything useful in the documentation about this error. I assume it may be related to the encryption procedure, so here are the steps I used to create the encryptedClaims param:

1. Generated PGP keys, following the instructions from How to Generate a Public-Private Key Pair
   - gpg tool version: gpg (GnuPG) 2.3.7, libgcrypt 1.10.1
   - On the first step (type of key), I selected: (9) ECC (sign and encrypt)
   - For the second step (elliptic curve): (1) Curve 25519
   - Key does not expire
   - For the user ID (key identification), I used an email that is not registered with GoodData
2. Added PGP SSO to the domain, using the public key from step 1 (https://help.gooddata.com/doc/enterprise/en/expand-your-gooddata-platform/gooddata-integration-into-your-application/set-up-user-authentication-and-sso/gooddata-pgp-single-sign-on)
3. Updated one user's account (user.email@company.com) and set the ssoProvider property to the one registered in step 2 (e.g. test.provider)
4. Created a JSON file with only 2 lines, like this:
```json
{
	"email": "user.email@company.com",
	"validity": 1234
}
```
(validity set to 24 hrs from now)
5. Signed the JSON file with the key generated in step 1
6. Encrypted the signed file with the GoodData key

Hopefully someone can point me in the right direction and tell me what is wrong.
m
Hi Bilal, can you please provide me with the related Error ID or Request ID? With this, I will take a look in our logs for you.
b
Sure thing, here is the error ID:
f446c95a-d1b8-474b-b8a8-927e6c0a16e6
And thanks for taking a look 🙏
m
Sorry for the delay. From our logs, the error states `"Cannot get instance of PGPEncryptedDataList from input stream"`. What's most likely happening there is that the PGP message is somehow broken. Can you please check if you are using the right key for encrypting the signed message?
b
I used GoodData public key provided on the website. Can you confirm this is correct:
```text
sub  rsa2048/5D6D5F514B53D73B 2010-08-17 GoodData SSO <security@gooddata.com>
 Primary key fingerprint: DCAF 35FE 4985 F529 DBDB  A99E 877B 2C47 2043 41F5
      Subkey fingerprint: 7732 C7A0 FFDE 3A29 F0FC  5850 5D6D 5F51 4B53 D73B
```
m
Yes, this is correct. It might be the case that the PGP message is somehow broken and it was changed after it was encrypted (i.e. by adding some hidden characters like line breaks when it's being copied from one system to another, by using incorrect encoding, or something similar). Could you please try doing it manually using the command line as described in our documentation here: https://help.gooddata.com/pages/viewpage.action?pageId=86797148
b
I was actually doing just that, manually trying to repeat the steps from that page, and instead of the website I was doing it from Postman. Here is the (trimmed) curl request:
```bash
curl -L -X POST 'https://custom.domain.com/gdc/account/customerlogin' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'targetUrl=/dashboards/embedded/#/workspace/…someId…/dashboard/…anotherId…?showNavigation=false' \
--data-urlencode 'ssoProvider=test.provider' \
--data-urlencode 'encryptedClaims=-----BEGIN PGP MESSAGE-----\n\nhQEM……dhfU58GPaTI\n=0Q/l\n-----END PGP MESSAGE-----'
```
I did modify the encoded output and replaced all newline characters with `\n` literals, as you can see in the encryptedClaims param.
The suggested solution (which worked) is to post the params in the body as JSON of this format:
```json
{
  "pgpLoginRequest": {
    "encryptedClaims": "………",
    "ssoProvider": "registered.provider",
    "targetUrl": "/dashboards/embedded/#/workspace/id_here/dashboard/another_id_here?showNavigation=false"
  }
}
```
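The thread's diagnosis was a PGP message damaged in transit (the `\n` literals in the curl command replaced real newlines, so the server could not parse the armor). The following added example is not GoodData's code or the poster's; it shows how a client can verify an ASCII-armored message is still intact before posting it, and how the JSON body shape above preserves the newlines that the hand-edited form body lost. It assumes only the RFC 4880 armor layout that gpg emits (BEGIN line, optional `Key: value` headers, blank line, base64 body, `=` plus a 4-character CRC-24 line, END line) and the `pgpLoginRequest` shape shown above; `armor`, `check_armor`, `build_login_body`, `form_encode` and the sample payload are this example's own constructions, and `armor` is a stand-in for real gpg output so the check runs offline.

```python
"""Pre-flight checks for an ASCII-armored PGP SSO message before it is posted.

Added example, not GoodData's code. Assumes the RFC 4880 armor layout and the
pgpLoginRequest JSON shape from the thread; all function names are this
example's own.
"""
import base64
import binascii
import json
from urllib.parse import parse_qs, urlencode

# RFC 4880 section 6.1 constants for the armor checksum.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 over the decoded payload, exactly as OpenPGP armor computes it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes) -> str:
    """Wrap raw bytes in PGP MESSAGE armor. Constructed stand-in for gpg output
    so the checks below can be exercised offline; the payload is not encrypted."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", ""] + lines
                     + [crc_line, "-----END PGP MESSAGE-----"]) + "\n"


def check_armor(text: str) -> tuple[bool, str]:
    """Return (ok, reason). Catches the transport damage described in the thread:
    newlines replaced by literal \\n, a lost blank line, or an altered body."""
    if "\\n" in text:
        return False, "literal backslash-n sequences; newlines were escaped, not preserved"
    lines = text.replace("\r\n", "\n").strip("\n").split("\n")
    if lines[0] != "-----BEGIN PGP MESSAGE-----":
        return False, "missing BEGIN line"
    if lines[-1] != "-----END PGP MESSAGE-----":
        return False, "missing END line"
    inner = lines[1:-1]
    if "" not in inner:
        return False, "missing blank line between armor headers and body"
    body_lines = inner[inner.index("") + 1:]  # skip optional "Key: value" headers
    if not body_lines or not body_lines[-1].startswith("="):
        return False, "missing CRC-24 line"
    try:
        payload = base64.b64decode("".join(body_lines[:-1]), validate=True)
        expected = base64.b64decode(body_lines[-1][1:], validate=True)
    except binascii.Error:
        return False, "body is not valid base64"
    if crc24(payload).to_bytes(3, "big") != expected:
        return False, "CRC-24 mismatch: message was altered in transit"
    return True, "armor intact"


def build_login_body(encrypted_claims: str, sso_provider: str, target_url: str) -> str:
    """JSON body in the shape that worked above. json.dumps escapes the real
    newlines as \\n inside the JSON string and the server's parser restores them."""
    ok, reason = check_armor(encrypted_claims)
    if not ok:
        raise ValueError(f"refusing to send a broken PGP message: {reason}")
    return json.dumps({"pgpLoginRequest": {
        "encryptedClaims": encrypted_claims,
        "ssoProvider": sso_provider,
        "targetUrl": target_url,
    }})


def decode_login_body(body: str) -> dict:
    """What the server sees after parsing the JSON body."""
    return json.loads(body)["pgpLoginRequest"]


def form_encode(encrypted_claims: str, sso_provider: str, target_url: str) -> str:
    """The form-encoded alternative done right: real newlines become %0A, which
    is what curl --data-urlencode does with a value that contains real newlines."""
    return urlencode({"encryptedClaims": encrypted_claims,
                      "ssoProvider": sso_provider, "targetUrl": target_url})


def decode_form(form: str) -> dict:
    """Server-side view of the form body; percent-decoding restores the newlines."""
    return {k: v[0] for k, v in parse_qs(form).items()}


if __name__ == "__main__":
    sample = armor(b"constructed stand-in for the signed claims")  # constructed input
    print(check_armor(sample))
    print(check_armor(sample.replace("\n", "\\n")))  # the thread's curl mistake
    print(build_login_body(sample, "test.provider",
                           "/dashboards/embedded/#/workspace/id_here/dashboard/another_id_here"))
```

The CRC-24 line only proves the armor was not mangled between gpg and the HTTP request; it says nothing about the signature or the recipient key, so a message encrypted to the wrong key still passes `check_armor` and has to be caught by the server-side decrypt error quoted earlier in the thread.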