JBossDeveloper

Just show me what is in between <subject> </subject> in the assertion.

As you can see, http://anonsvn.jboss.org/repos/picketlink/federation/branches/Branch_1_x/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/saml/v2/assertion/SubjectType.java,

the subject inside the assertion can have the name id at the top level or embedded inside the subject confirmation.

So I think PL 1.x has not been tested for the latter case.  Again, we need more interoperability tests done.

Options include:

a) See if ADFS2 can send in the name id inside the subject. Some config maybe.

b)  The offending code can be changed to.

Object obj = subject.getContent().get(0);

if( obj instanceof JAXBElement)

{

   //Get the declared type of JAXBElement and see if it is name id or subject confrm

   //then drill down to the subject confirm and get hold of the nameid

}

All, ugliness in glory.

So with some bit twiddling I have confirmed that the List contains only the SubjectConfirmationType, but getting the NameID from the subjectConfirmationType returns null...  Let me see if I can get at the actual SAML response somewhere unencoded....   it doesn't show in the trace log.  I'll also hunt down if ADFS can do my bidding. 

Thanks,

Andy

SAML is still "designed by a committee".

There is a debug valve which I have rarely used.

http://anonsvn.jboss.org/repos/picketlink/federation/branches/Branch_1_x/picketlink-bindings/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/IDPSAMLDebugValve.java

Put it before the processing valves in WEB-INF/context.xml

How will that help?  the parameter is encoded.  I need it after it is decoded...

So ADFS won't do my bidding wrt this. 

I did this:

         SubjectType subject = assertion.getSubject();

         JAXBElement<NameIDType> jnameID = null;

         log.trace("subject.getContent() size is "+subject.getContent().size())

         log.trace("subject.getContent() type is "+((JAXBElement)subject.getCon

ent().get(0)).getValue().getClass().getName());

         if(((JAXBElement)subject.getContent().get(0)).getValue() instanceof Na

eIDType) {

            jnameID = (JAXBElement<NameIDType>) subject.getContent().get(0);

         }

         NameIDType nameID = jnameID != null ? jnameID.getValue() : null;

         if (jnameID == null) {

            log.trace("ATTEMPTING A VERY DIRTY HACK BY ACO");

            nameID = ((JAXBElement<SubjectConfirmationType>)subject.getContent(

.get(0)).getValue().getNameID();

            log.trace("AND THE DIRTY DEED WAS DONE DIRT CHEAP TOO!  (IT WORKED)

);  // THIS PRINTS IN THE LOG

         }

         final String userName = nameID.getValue(); //NPE thrown here

         log.trace("userName is: "+userName);

This results in an NPE when it gets the username, but the bla bla about the SubjectConfirmation prints.  So baring some binding issue it looks like there is not a NameID before or in the SubjectConfirmation.. 

http://lists.oasis-open.org/archives/saml-dev/200802/msg00026.html

this seems to indicate a reason...  I'm not sure why...

Andy, thanks for the link.

I am not sure how we can construct a subject with the information coming in from ADFS (due to lack of a nameid). As a design enhancement, definitely we should look at making the subject construction based on a saml response pluggable (for custom behavior).

Let me point out to code showing you can marshall response into a byte stream to sink into a log. Give me few mins.

OK I'm a doofus its base64 encoding.

sent you the SAML Response privately.  Note that my id isn't in it anywhere...

Seeing it.  I think the ID has to be derived from the key or some other local translation.

Even the example on wikipedia for bearer type assertions (http://en.wikipedia.org/wiki/SAML_2.0) has the name id.

Andy take a look at this:

http://social.msdn.microsoft.com/Forums/en/Geneva/thread/5babaa93-3f18-4c32-ad5e-9a0b49d0a27f

I was looking at this:

<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>

this is the outgoing saml

<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" AssertionConsumerServiceURL="https://myserver:8443/sales/" Destination="https://myadfs/adfs/ls/" ID="ID_c0199b74-7b95-49a6-b3f8-50909fe23b58" IssueInstant="2010-12-15T14:06:39.219-06:00" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">

<Issuer>https://myserver:8443/sales/</Issuer>

</ns3:AuthnRequest>

note that it doesn't specify a nameid policy like in the wikipedia page

   <samlp:NameIDPolicy
     AllowCreate="true"
     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

So we got it working.  As it turns out there is one more step in the ADFS side to set the transform mapping.  I'm going to see if I can get a screenshot of that.

Andy, can you do a service to humanity by creating a fresh cheatsheet or updating the already existing wiki article? I am glad it worked.