"Please enter a valid metadata endpoint URL" error even for valid metadata

Bobby r, modified 3 Years ago.

"Please enter a valid metadata endpoint URL" error even for valid metadata

New Member Posts: 9 Join Date: 3/22/20
I am trying to configure Okta with Liferay through the SAML portlet. While configuring the "SAML Admin" settings in Liferay, in the "Identity Provider Connections" tab, even though I upload a valid SAML metadata URL which I got from Okta, when I save the settings it is still throwing the error "Please enter a valid metadata endpoint URL." Can someone please advise what is causing the issue?
Andrew Jardine, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

Liferay Legend Posts: 2416 Join Date: 12/22/10
I'm going to ask a possibly dumb question, because your original post was tagged with 6.2ee. Which version of SAML has been configured for use in Okta? Are you using SAML 2.0? If not, that might be your problem. I don't believe Liferay supports 3.0 until you get to the 7.1 version of the portal.
Bobby r, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

New Member Posts: 9 Join Date: 3/22/20
Hi Andrew, thanks for responding! Yes, we are using the SAML 2.0 version only for connecting our Liferay 6.2 EE to Okta! Please let me know if you have any suggestions/recommendations regarding this metadata error we are facing, or do you need any additional information?
Andrew Jardine, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

Liferay Legend Posts: 2416 Join Date: 12/22/10
Did you check to make sure that, in Okta, you have configured the version of SAML to use as 2.0? I would guess that it defaults to 3.0 since that is the latest version. 
Chandra Kolagotla, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

New Member Posts: 2 Join Date: 4/10/20
I am also facing the same issue with Liferay 6.2 + the SAML 2.0 package. I would appreciate any suggestions or recommendations.
Andrew Jardine, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

Liferay Legend Posts: 2416 Join Date: 12/22/10
Are you using Okta as well? Do you have a stacktrace you can share?
Chandra Kolagotla, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

New Member Posts: 2 Join Date: 4/10/20
Thanks Andrew for the reply. Yes, Okta is set up with SAML 2.0. We see an error on the SAML Admin in the control panel, but we don't get to see any stacktrace in the logs. Can you point us to where we can find the logs for this configuration?
Andrew Jardine, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

Liferay Legend Posts: 2416 Join Date: 12/22/10
Shoot - that sucks. OK, well, the good news is that, as an enterprise subscriber, you can get the source code for the plugin. There are two avenues you can explore next, I think. Here is what I would try, in order of effort.

1. Use the Control Panel > Server Administration > Logging tab to increase the logging level for one of the SAML packages to see if maybe, with DEBUG enabled, a little more meat is dumped into the logs. It's a long shot though, so I wouldn't expect much.

2. Set up a remote debugging port, unpack the source, and step through the code. Personally, I tend to go this route right away for a few reasons. First and foremost, it normally provides the greatest clarity as to everything that is going on. I like to go this route as well because it almost always teaches me something else about what is happening under the hood -- so I inevitably learn more about Liferay that'll help me out down the road.

Do you know how to get a hold of the source code?
Bobby r, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

New Member Posts: 9 Join Date: 3/22/20
Hello Andrew,

Thank you for the suggestions. We were able to figure out the issue we had earlier. There was an issue with the Liferay patching tool, and one more issue was with the NameID format in the metadata provided by the Okta team. We corrected them and it is resolved now. Now we are facing another issue with session expiry on Liferay. We are implementing Okta login for only a few users, and the regular users still use the Liferay standard login to log into the application. The issue here is, after session expiry on Liferay, whether the user is logged in via Okta or the standard Liferay login, both of them are redirected back to Okta for authentication. Due to this, it's going to be an issue for the users logged in through the standard Liferay login, as those users are not part of Okta. We tried some approaches but were not completely successful in avoiding this. So, do you have any options or recommendations for this issue? Please let us know if more details are needed. Thanks in advance!!
Andrew Jardine, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

Liferay Legend Posts: 2416 Join Date: 12/22/10
Hey Bobby,

Hmm -- so the issue here is that you need two separate logout workflows based on how the user is authenticated. That's a tricky one. Normally for a SAML based solution I think what happens is Liferay will run its own "session expiration" logic to make sure that everything is cleaned up and then use the single logout URL endpoint that you configure to redirect the user to the IdP so that it can do the same. One thing you could try is tapping into the event that occurs when the session end is run and then routing the next step (regular logout page, or redirect to Okta) from there. You can define an OSGi service to tap into the session expiration process. I can't remember off the top of my head if the LogoutPostAction is run when the session expires, but I want to say that it is. If that is the case then you can define --

@Component(
   immediate = true, property = "key=logout.events.post",
   service = LifecycleAction.class
)
public class CustomLogoutPostAction extends Action {
   // look up the user and decide the next step (standard logout page or Okta) here
}


Get the user, and then use something about them (a role? a custom field? etc.) to figure out the next step. If you have a look at the portal source you will find a class called LogoutPostAction that has an example of how you can do it. 

To be honest, I'm not entirely sure that what I am suggesting is the "best solution", so hopefully anyone else reading this thread who has an alternate approach can suggest something as well. Honestly, the best solution here would be if you could avoid all of this and just offload all authentication to Okta, meaning you put all user accounts in the one central system. If you want to have two different "groupings" of users, I understand, but I would simply use two different Okta profiles and two different LDAP OUs, etc.

Out of curiosity, what is the reason you have some users in Okta, but not others?
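One way to carry out the routing described in the post above, written as an added example for this thread (it is not Andrew's code and not Liferay's own LogoutPostAction), using the Liferay 7.x OSGi APIs the snippet above implies. The role name "Okta User", the request attribute name and the single logout URL are assumptions; the class also assumes, as the post does, that the logout lifecycle events fire on session expiry, and it resolves the user in the pre-logout event because the session is gone by the post-logout event.

```java
import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.kernel.events.LifecycleAction;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.service.RoleLocalServiceUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Component;

// Both logout phases: pre resolves the user (session still live), post redirects.
@Component(
	immediate = true,
	property = {"key=logout.events.pre", "key=logout.events.post"},
	service = LifecycleAction.class
)
public class RoutingLogoutAction extends Action {
	// Hypothetical regular role marking accounts federated through Okta.
	private static final String OKTA_ROLE_NAME = "Okta User";
	// Placeholder for the IdP single logout URL configured in SAML Admin. Keep
	// it server-side: a target read from a request parameter is an open redirect.
	private static final String OKTA_SLO_URL =
		"https://<your-okta-domain>/app/<app-id>/slo/saml";
	// Request attribute carrying the pre-phase decision into the post phase.
	private static final String DECISION_ATTR = "RoutingLogoutAction.federated";
	@Override
	public void run(HttpServletRequest request, HttpServletResponse response)
		throws ActionException {
		try {
			if (request.getAttribute(DECISION_ATTR) == null) {
				// Pre phase: record whether this account is Okta-federated.
				User user = PortalUtil.getUser(request);
				boolean federated = (user != null) &&
					RoleLocalServiceUtil.hasUserRole(
						user.getUserId(), user.getCompanyId(), OKTA_ROLE_NAME,
						true);
				request.setAttribute(DECISION_ATTR, federated);
			}
			else if (!response.isCommitted()) {
				// Post phase: federated users go to Okta's SLO endpoint, local
				// accounts return to the standard Liferay login page.
				boolean federated = Boolean.TRUE.equals(request.getAttribute(DECISION_ATTR));
				response.sendRedirect(federated ? OKTA_SLO_URL :
					PortalUtil.getPortalURL(request) + "/c/portal/login");
			}
		}
		catch (Exception e) { throw new ActionException(e); }
	}
}
```

If the events turn out not to run on session expiry, the same decision logic can be moved into whatever hook handles the expired session, which is the case Bobby describes in the next post.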
Bobby r, modified 3 Years ago.

RE: "Please enter a valid metadata endpoint URL" error even for valid metad

New Member Posts: 9 Join Date: 3/22/20
Hi Andrew,

We are currently using a custom hook for handling the login, logout and session expiry of the application. For the session expiration scenario, we are clearing the user's roles and permissions and clearing the session cache through "getMultiVMPool().clear()"; later it is automatically redirected to the login hook (I believe c/portal/login), and the LogoutPostAction process is not involved in this session expiry scenario. So, could you please recommend/suggest any alternate approach if possible?

And, the reason behind having only some users on Okta is that, as per the company's current road map, Okta is only available for the users who belong to/work for the company, and onboarding the external users who still use the application to Okta is under future consideration, so till then we want both login processes for these different sets of logins!

Thank You!