# gooddata-platform
p
Hi, I have one more question regarding SSO. I have now set up an SSO provider, added a user to a workspace and am trying to perform the SSO login for this user. I have followed the instructions for signing the encryptedClaims JSON with my SSO provider private key and then encrypting the signed JSON with the GoodData public key; however, when making the request I am receiving an error: {"error":{"errorClass":"PgpMessageDecryptException","trace":"","message":"Cannot decrypt SSO message from sso provider=redacted. Invalid sessionId","component":"Webapp","errorId":"10c6f670-0a1e-4a22-8e95-6558e9d046a2","errorCode":"sso.decrypt","parameters":[]}} I notice the invalid sessionId, but can't see any mention of sessionId in the documentation.
m
Hi Paul, it is failing because the SSO message is broken and cannot be decrypted. I would check if the claims were encrypted using the GoodData public PGP key. Please also make sure the SSO was created with your own public key and not GoodData’s.
p
Hi, thanks Moises. I have checked and I have created the SSO with my own public key and am using the GoodData public key to encrypt to, but it still isn't working. I'll check through my code again to see if I can see what's wrong.
m
Next thing I would check is that the encrypted claims have been stringified correctly. You can also use an online tool such as: https://www.freeformatter.com/json-escape.html#ad-output
p
Good idea, thank you, I'll try that. Should the encrypted claims include the signature directly under the original JSON like this?
{"email":"email@domain.com","validity":"1691168491","notBefore":"1691082091","notOnOrAfter":"1691082691"}
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
m
No, it shouldn't. The encrypted claims are only the PGP message that is used in this call: API Reference | GoodData Enterprise
The claims include the following:
{
  "email": "end.user@domain.com",
  "validity": 123456789,
  "notBefore": 11515111,
  "notOnOrAfter": 11515211
}
p
I'm not sure I understand. So my process is that I start with the JSON like this:
{
  "email": "end.user@domain.com",
  "validity": 123456789,
  "notBefore": 11515111,
  "notOnOrAfter": 11515211
}
Then sign that with my private key to produce this:
{
  "email": "end.user@domain.com",
  "validity": 123456789,
  "notBefore": 11515111,
  "notOnOrAfter": 11515211
}
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
That block is then encrypted and sent as encryptedClaims.
m
Yes, that's how the JSON should look; then you sign the file with the command in our documentation. No key is included in the body of the JSON file.
p
Thanks Moises, I think I have figured it out. I was using PHP to sign the JSON, and the default PHP sign function uses clear signing instead of normal signing. Once I switched the sign mode, it worked.