Bilal Ćatić
11/30/2022, 11:25 AM
Cannot decrypt SSO message from sso provider=test.provider. Invalid sessionId. Unfortunately, I can’t find anything useful in the documentation about this error. I assume it may be related to the encryption procedure, so here are the steps I used to create the encryptedClaims param:
1. Generated PGP keys, following instructions from How to Generate a Public-Private Key Pair
• gpg tool version: gpg (GnuPG) 2.3.7, libgcrypt 1.10.1
• On the first step (type of a key), I have selected: (9) ECC (sign and encrypt)
• For the second step (elliptic curve): (1) Curve 25519
• Key does not expire
• For the user ID (key identification), I used email that is not registered to GoodData
2. Added PGP SSO to the domain, using public key from step 1 (https://help.gooddata.com/doc/enterprise/en/expand-your-gooddata-platform/gooddata-integration-into-your-application/set-up-user-authentication-and-sso/gooddata-pgp-single-sign-on)
3. Updated one user’s account (user.email@company.com) and set ssoProvider property to the one registered in step 2 (e.g. test.provider)
4. Created a JSON file with only 2 lines, like this:
{
"email": "user.email@company.com",
"validity": 1234 (set to 24hrs from now)
}
5. Signed JSON file with key generated in step 1
6. Encrypted signed file with GoodData key
Hopefully someone can point me in the right direction and tell me what is wrong.
Michael Ullock
11/30/2022, 12:03 PM
Bilal Ćatić
11/30/2022, 12:05 PM
f446c95a-d1b8-474b-b8a8-927e6c0a16e6
And thanks for taking a look 🙏
Michael Ullock
11/30/2022, 1:23 PM
"Cannot get instance of PGPEncryptedDataList from input stream".
What’s most likely happening there is that the PGP message is somehow broken. Can you please check if you are using the right key for encrypting the signed message?
Bilal Ćatić
11/30/2022, 2:24 PM
sub rsa2048/5D6D5F514B53D73B 2010-08-17 GoodData SSO <security@gooddata.com>
Primary key fingerprint: DCAF 35FE 4985 F529 DBDB A99E 877B 2C47 2043 41F5
Subkey fingerprint: 7732 C7A0 FFDE 3A29 F0FC 5850 5D6D 5F51 4B53 D73B
Michael Ullock
11/30/2022, 3:51 PM
Bilal Ćatić
11/30/2022, 4:21 PM
curl -L -X POST '<https://custom.domain.com/gdc/account/customerlogin>' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'targetUrl=/dashboards/embedded/#/workspace/…someId…/dashboard/…anotherId…?showNavigation=false' \
--data-urlencode 'ssoProvider=test.provider' \
--data-urlencode 'encryptedClaims=-----BEGIN PGP MESSAGE-----\n\nhQEM……dhfU58GPaTI\n=0Q/l\n-----END PGP MESSAGE-----'
Bilal Ćatić
11/30/2022, 4:23 PM
Bilal Ćatić
12/02/2022, 11:57 AM
{
"pgpLoginRequest": {
"encryptedClaims": "………",
"ssoProvider": "registered.provider",
"targetUrl": "/dashboards/embedded/#/workspace/id_here/dashboard/another_id_here?showNavigation=false"
}
}