-
1. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
bigman921 Aug 8, 2010 10:19 AM (in response to bigman921)OK, I did some more digging and found the redirect binding in the SAML2 Binding specs. That being said, is there planned support for the idp to produce a post binding?
Thanks
Marc
-
2. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
marcelkolsteren Aug 8, 2010 10:42 AM (in response to bigman921)1 of 1 people found this helpfulHi Marc,
I think that your initial remark was right. The HTTP Redirect binding does exist, and is sometimes used for sending responses (for example, when responding to a single logout request). But in the context of the Web Browser SSO Profile, the redirect binding must not be not used when an IDP replies to an AuthnRequest of the SP. In the OASIS document "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, section 4.1.2, point 5:
"Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider [...]. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents."
So if PicketLink IDP sends a redirect in response to an authentication request, I agree with you: that is not spec-compliant. Did you test with other SAMLv2 IDP's as well? For example OpenSSO?
Regarding the base64 decoding that leads to garbage: did you deflate the message as described in the SAML spec?
Regards,
Marcel
-
3. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
bigman921 Aug 8, 2010 10:50 AM (in response to marcelkolsteren)Thanks Marcel. My SP worked with OpenAM/OpenSSO with the post binding. You are correct I did not do a deflate the SAMResponse parameter. I didn't see the section of the spec you mentioned but it does make sense. Has anyone tried testing the idp with another system such as opensso or ping?
-
4. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
marcelkolsteren Aug 8, 2010 11:10 AM (in response to bigman921)I did not, because my focus was the Service Provider part of PicketLink, and in particular the Seam SP. But Anil will probably be able to answer your question.
-
5. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
anil.saldhana Aug 9, 2010 12:43 AM (in response to marcelkolsteren)IDPWebBrowserValve on the IDP does both redirect and post binding. Look in the wikis. The user guide may be dated.
-
6. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
bigman921 Aug 9, 2010 6:50 AM (in response to anil.saldhana)Thanks Anil. I did both a google search and a jboss community search on IDPWebBrowserSSOValve and didn't find anything. I tried setting the classname to IDPWebBrowserSSOValve in my context.xml and received the following exception:
06:48:59,578 DEBUG [IDPSAMLDebugValve] SP Sent::Method = POSTSAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwOi8vc3AuYXV0b2lkbS5jb206OTA5MC9hdXRoL1NBTUwyQXV0aCIgRGVzdGluYXRpb249Imh0dHA6Ly9pZHAucGFydG5lci5kb21haW4uY29tOjgwODAvVGVzdElEUC8iIElEPSIzNTUyOTM4OTYxODcxMzQwNjk1IiBJc3N1ZUluc3RhbnQ9IjIwMTAtMDgtMDlUMTA6NDg6NTkuNTEzWiIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9zcC5hdXRvaWRtLmNvbTo5MDkwL2F1dGgvU0FNTDJBdXRoPC9zYW1sMjpJc3N1ZXI+PC9zYW1sMnA6QXV0aG5SZXF1ZXN0Pg==SAMLResponse=nulltrue06:49:13,341 DEBUG [IDPSAMLDebugValve] SP Sent::Method = POSTSAMLRequest=nullSAMLResponse=nulltrue06:49:13,357 DEBUG [IDPSAMLDebugValve] SP Sent::Method = GETSAMLRequest=nullSAMLResponse=nulltrueAug 9, 2010 6:49:13 AM org.apache.catalina.connector.CoyoteAdapter serviceSEVERE: An exception or error occurred in the container during the request processingjava.lang.IllegalArgumentException: responseType is nullat org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:393)at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:517)at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)at java.lang.Thread.run(Thread.java:619)I'm guessing there is some additional configuration thats needed?
Thanks
Marc
-
7. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
anil.saldhana Aug 9, 2010 10:33 AM (in response to bigman921)Download the idp.war from PicketLink. That should have the configuration.
I will try to update the documentation accordingly.
-
8. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
acoliver Nov 11, 2010 3:37 PM (in response to bigman921)I get this when I access the default sample apps from anyplace but the localhost. Thus you need to change it to the actual FQN of the machine (i.e. what you call it in DNS).
replace /cygdrive/e/jboss-eap-5.1-pl with wherever you put jboss.
1. Copy /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation/*.jar to /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/lib
2. mkdir /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war
3. cd /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war
4. jar -xf /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation-webapps/sales.war
5. mkdir /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war
6. cd /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war
7. jar -xf /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation-webapps/idp.war
8. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war/WEB-INF/*.xml
Change each instance of localhost to youractualmachinename.yourdomain.com
9. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war/WEB-INF/*.xml
Change each instance of localhost to youractualmachinename.yourdomain.com
10. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war/WEB-INF/picketlink-idfed.xml
11. Make <Domains> entry read like this:
<Domains>localhost,yourdomain.com,jboss.com,jboss.org</Domains>
Ignore basically what the user guide says. It has lies. Particularly glaring is page 15 section 3.1.2.2 where it advises a blank context.xml (leaving the valves out) and that it has no info on what the username/password is by default.
-Andy