8 Replies Latest reply on Nov 11, 2010 3:37 PM by acoliver

    Is IDPRedirectWithSignatureValve SAML2 Compliant?

    bigman921
    bigman921 Aug 8, 2010 1:24 AM

      I've gotten picketlink up and running as an IDP on tomcat.  When my SP posts an AuthnRequest instead of the browser getting a form with an embedded SAMLResponse parameter I am receiving a 302 redirect with a SAMLResponse parameter in the URL.  I checked the SAML2 specs at OASIS and every mention of SAMLResponse is in the context of a POST, not a GET.  Also, when I attempt to base64 decode the SAMLResponse parameter all I get is garbage, not a <Response>.

       

      Thanks

      Marc

      • 12497 Views
      • Tags:
        • 1. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
          bigman921
          bigman921 Aug 8, 2010 10:19 AM (in response to bigman921)

          OK, I did some more digging and found the redirect binding in the SAML2 Binding specs. That being said, is there planned support for the idp to produce a post binding?

           

          Thanks

          Marc

            • Actions
          • 2. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
            marcelkolsteren
            marcelkolsteren Aug 8, 2010 10:42 AM (in response to bigman921)

            Hi Marc,

             

            I think that your initial remark was right. The HTTP Redirect binding does exist, and is sometimes used for sending responses (for example, when responding to a single logout request). But in the context of the Web Browser SSO Profile, the redirect binding must not be not used when an IDP replies to an AuthnRequest of the SP. In the OASIS document "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, section 4.1.2, point 5:

             

            "Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider [...]. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents."

             

            So if PicketLink IDP sends a redirect in response to an authentication request, I agree with you: that is not spec-compliant. Did you test with other SAMLv2 IDP's as well? For example OpenSSO?

             

            Regarding the base64 decoding that leads to garbage: did you deflate the message as described in the SAML spec?

             

            Regards,

            Marcel

            1 of 1 people found this helpful
              • Actions
            • 3. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
              bigman921
              bigman921 Aug 8, 2010 10:50 AM (in response to marcelkolsteren)

              Thanks Marcel.  My SP worked with OpenAM/OpenSSO with the post binding.  You are correct I did not do a deflate the SAMResponse parameter. I didn't see the section of the spec you mentioned but it does make sense.  Has anyone tried testing the idp with another system such as opensso or ping?

                • Actions
              • 4. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                marcelkolsteren
                marcelkolsteren Aug 8, 2010 11:10 AM (in response to bigman921)

                I did not, because my focus was the Service Provider part of PicketLink, and in particular the Seam SP. But Anil will probably be able to answer your question.

                  • Actions
                • 5. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                  anil.saldhana
                  anil.saldhana Aug 9, 2010 12:43 AM (in response to marcelkolsteren)

                  IDPWebBrowserValve on the IDP does both redirect and post binding.  Look in the wikis.  The user guide may be dated.

                    • Actions
                  • 6. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                    bigman921
                    bigman921 Aug 9, 2010 6:50 AM (in response to anil.saldhana)

                    Thanks Anil.  I did both a google search and a jboss community search on IDPWebBrowserSSOValve and didn't find anything.  I tried setting the classname to IDPWebBrowserSSOValve in my context.xml and received the following exception:

                     

                     

                    06:48:59,578 DEBUG [IDPSAMLDebugValve] SP Sent::Method = POST
                    SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwOi8vc3AuYXV0b2lkbS5jb206OTA5MC9hdXRoL1NBTUwyQXV0aCIgRGVzdGluYXRpb249Imh0dHA6Ly9pZHAucGFydG5lci5kb21haW4uY29tOjgwODAvVGVzdElEUC8iIElEPSIzNTUyOTM4OTYxODcxMzQwNjk1IiBJc3N1ZUluc3RhbnQ9IjIwMTAtMDgtMDlUMTA6NDg6NTkuNTEzWiIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9zcC5hdXRvaWRtLmNvbTo5MDkwL2F1dGgvU0FNTDJBdXRoPC9zYW1sMjpJc3N1ZXI+PC9zYW1sMnA6QXV0aG5SZXF1ZXN0Pg==
                    SAMLResponse=null
                    true
                    06:49:13,341 DEBUG [IDPSAMLDebugValve] SP Sent::Method = POST
                    SAMLRequest=null
                    SAMLResponse=null
                    true
                    06:49:13,357 DEBUG [IDPSAMLDebugValve] SP Sent::Method = GET
                    SAMLRequest=null
                    SAMLResponse=null
                    true
                    Aug 9, 2010 6:49:13 AM org.apache.catalina.connector.CoyoteAdapter service
                    SEVERE: An exception or error occurred in the container during the request processing
                    java.lang.IllegalArgumentException: responseType is null
                    at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:393)
                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:517)
                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
                    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
                    at java.lang.Thread.run(Thread.java:619)

                     

                    I'm guessing there is some additional configuration thats needed?

                     

                    Thanks

                    Marc

                      • Actions
                    • 7. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                      anil.saldhana
                      anil.saldhana Aug 9, 2010 10:33 AM (in response to bigman921)

                      Download the idp.war from PicketLink.  That should have the configuration.

                       

                      I will try to update the documentation accordingly.

                        • Actions
                      • 8. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                        acoliver
                        acoliver Nov 11, 2010 3:37 PM (in response to bigman921)

                        I get this when I access the default sample apps from anyplace but the localhost.  Thus you need to change it to the actual FQN of the machine (i.e. what you call it in DNS).

                         

                        replace /cygdrive/e/jboss-eap-5.1-pl with wherever you put jboss.

                         

                        1. Copy /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation/*.jar to /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/lib

                        2. mkdir /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war

                        3. cd /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war

                        4. jar -xf /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation-webapps/sales.war

                        5. mkdir /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war

                        6. cd /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war

                        7. jar -xf /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation-webapps/idp.war

                        8. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war/WEB-INF/*.xml

                        Change each instance of localhost to youractualmachinename.yourdomain.com

                        9. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war/WEB-INF/*.xml

                        Change each instance of localhost to youractualmachinename.yourdomain.com

                        10. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war/WEB-INF/picketlink-idfed.xml

                        11. Make <Domains> entry read like this:

                        <Domains>localhost,yourdomain.com,jboss.com,jboss.org</Domains>

                         

                        Ignore basically what the user guide says. It has lies.  Particularly glaring is page 15 section 3.1.2.2  where it advises a blank context.xml (leaving the valves out) and that it has no info on what the username/password is by default.

                         

                        -Andy

                          • Actions