Problem

If you are using SSO version 8.9.x and have performed key rotation, attempting to log in with the suomi.fi authentication method fails with an Internal Server Error in the browser, and the server log shows an AccessDeniedException:

...

2022-03-11 13:04:58,078 protocol [11.88.10.98] AuthorizationServlet
com.ubisecure.ubilogin.sso.ui.conversation.authn.AccessDeniedException: Access to the requested resource is denied
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:428)
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:398)
	at com.ubisecure.ubilogin.sso.ui.servlet.AbstractMainServlet.main(AbstractMainServlet.java:201)

Solution

This error occurs when no key is configured as an encryption key: after rotation every key is configured as a signing key only, while the suomi.fi integration is (most likely) configured to use encryption, so SSO has no key it is allowed to use for that purpose.


You can check whether every published key carries only the signing usage ("use": "sig") by fetching the JWKS with the following GET request (--insecure disables TLS certificate verification and should only be used against test systems):

curl -H "Authorization: Bearer XXXXXX" -X GET https://HOSTNAME/uas/oauth2/metadata.jwks --insecure

HTTP 200 response (key details fetched successfully):
{
    "keys": [
        {
            "use": "sig",
            "kid": "sig-key1",
            "kty": "RSA",
            "n": "... redacted ...",
            "e": "AQAB"
        }
    ]
}



You can clear the usage restriction of the key with the following PUT request (an empty use value means the key is no longer limited to signing):

curl -H "Authorization: Bearer XXXXXX" -X PUT https://HOSTNAME/sso-api/credential/System/ServerKeyContainer/sig-key1 -d "use= " --insecure

HTTP 200 response (key successfully created or updated). The response is JSON (Accept: application/json) with the following fields:

Field                    Type          Description
type                     string        The type of the object. Currently this is always set to credential.
id                       string        The unique id of the key.
attributes.name          string        The name of the key.
attributes.kty           string        The type of the key, for example RSA.
attributes.kid           string        The key identifier as defined by RFC 7517 (JSON Web Key).
attributes.use           string        The usage of the key as defined by RFC 7517. Valid values are enc (for encryption) and sig (for signing).
attributes.enabled       boolean       Denotes whether the key is enabled or not.
attributes.notBefore     datetime      The epoch timestamp after which the key is valid.
attributes.notOnOrAfter  datetime      The epoch timestamp after which the key is no longer valid.
attributes.description   string array  A human-readable description of the key.



After this change the same key is used both as an encryption key and as a signing key, because a key without a use attribute is not restricted to either purpose.
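The check and the fix above can be scripted. The following is an added example, not Ubisecure's own code: it inspects a JWKS document of the shape returned by the GET request in this article, reports whether any key is permitted for encryption (RFC 7517: "use" equal to "enc", or no "use" at all), and models what clearing the use attribute with the PUT request does to that result. The fetch helper assumes the same endpoint, bearer token and optional TLS bypass as the curl command; the sample JWKS is constructed to match the response shown above.

```python
"""Diagnose a JWKS in which every key is restricted to signing.

Added example (not part of the original article or the Ubisecure SSO product).
Under RFC 7517 a key with "use": "enc" may encrypt, a key with no "use"
member is unrestricted, and a key with "use": "sig" must not be used for
encryption. If no key falls into the first two classes, an integration that
requires encryption (such as suomi.fi) has nothing to work with.
"""
import copy
import json
import ssl
import urllib.request
from typing import List, Optional


def encryption_capable_kids(jwks: dict) -> List[Optional[str]]:
    """Return the kids of keys that may be used for encryption."""
    capable = []
    for key in jwks.get("keys", []):
        # "use" absent -> unrestricted key; "enc" -> explicit encryption key.
        if key.get("use") in (None, "enc"):
            capable.append(key.get("kid"))
    return capable


def diagnose(jwks: dict) -> str:
    """Summarise whether this JWKS explains the AccessDeniedException."""
    if not jwks.get("keys"):
        return "no keys published"
    enc = encryption_capable_kids(jwks)
    if enc:
        return "ok: encryption-capable key(s): " + ", ".join(str(k) for k in enc)
    return "problem: every key is 'use': 'sig'; no key may be used for encryption"


def clear_use(jwks: dict, kid: str) -> dict:
    """Model the effect of the PUT that clears the 'use' attribute of one key.

    Returns a new document; the input is left untouched so before/after can be
    compared. Raises KeyError if no key has the requested kid.
    """
    updated = copy.deepcopy(jwks)
    for key in updated.get("keys", []):
        if key.get("kid") == kid:
            key.pop("use", None)
            return updated
    raise KeyError("no key with kid %r" % kid)


def fetch_jwks(url: str, token: Optional[str] = None, verify_tls: bool = True) -> dict:
    """GET the JWKS like the curl command in this article (assumed endpoint/token)."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl --insecure; test systems only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample mirroring the HTTP 200 response shown above: one key, sig only.
SAMPLE_JWKS = json.loads(
    '{"keys": [{"use": "sig", "kid": "sig-key1", "kty": "RSA", '
    '"n": "... redacted ...", "e": "AQAB"}]}'
)

if __name__ == "__main__":
    # Offline run against the constructed sample; replace with
    # fetch_jwks("https://HOSTNAME/uas/oauth2/metadata.jwks", token="XXXXXX")
    # to inspect a live system.
    print("before:", diagnose(SAMPLE_JWKS))
    print("after: ", diagnose(clear_use(SAMPLE_JWKS, "sig-key1")))
```

Run it without arguments to see the before/after diagnosis on the embedded sample; point fetch_jwks at the real metadata.jwks URL to check a live deployment after rotation, and re-run it after the PUT to confirm at least one key is now encryption-capable.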


...