6 Replies Latest reply on Feb 1, 2011 11:17 PM by matthew.hayes

PicketLink IDP Missing AuthnStatement in Response

matthew.hayes Jan 21, 2011 4:33 AM

I'm having an issue where the IDP is authenticating the user through Kerberos and returning a SAML response but the SAML response does not contain a AuthnStatement. One of the SPs requires one, is this something that needs to be configured?

Here is an emaple of the request and response

<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"

xmlns="urn:oasis:names:tc:SAML:2.0:assertion"

xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"

xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"

AssertionConsumerServiceURL="http://my.company.pvt:8080/seam-sp/AssertionConsumerService.seam"

Destination="http:/my.company.pvt/idp/" ID="ID_4358f9cc-ac51-498f-9c99-9eefad48f6ee"

IssueInstant="2011-01-20T17:06:19.819-05:00"

ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">

<Issuer>http://my.company.pvt/seam-sp</Issuer>

</ns3:AuthnRequest>

<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"

xmlns="urn:oasis:names:tc:SAML:2.0:assertion"

xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"

xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"

Destination="http://my.company.pvt:8080/seam-sp/AssertionConsumerService.seam"

ID="ID_dd3b9ece-8496-425d-8628-ed0d3fe15f81"

InResponseTo="ID_4358f9cc-ac51-498f-9c99-9eefad48f6ee"

IssueInstant="2011-01-20T17:06:23.557-05:00"

Version="2.0">

<Issuer>http://my.company.pvt/idp/</Issuer>

<ns3:Status>

<ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

</ns3:Status>

<Issuer>http://my.company.pvt/idp/</Issuer>

<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">me@my.company.pvt</NameID>

</SubjectConfirmation>

</Subject>

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Technology</AttributeValue>

</Attribute>

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">organizationalPerson</AttributeValue>

</Attribute>

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">person</AttributeValue>

</Attribute>

</Attribute>

</Attribute>

</AttributeStatement>

</Assertion>

</ns3:Response>

1. PicketLink IDP Missing AuthnStatement in Response

anil.saldhana Jan 24, 2011 9:01 PM (in response to matthew.hayes)

Matthew, this definitely is something that the IDP needs to be configurable. Currently it does not. I have the following JIRA issue recorded:
https://issues.jboss.org/browse/PLFED-123

I will take a look if there is any workarounds for the time being.
Actions
2. PicketLink IDP Missing AuthnStatement in Response

matthew.hayes Jan 25, 2011 1:37 AM (in response to anil.saldhana)

Thanks, any help would be appreciated.
Actions
3. PicketLink IDP Missing AuthnStatement in Response

anil.saldhana Jan 26, 2011 9:40 PM (in response to matthew.hayes)

Matthew, next week I am putting out a build of PL2 which will include this fix. I am presuming that you can accomodate it in your proof of concept testing.
Actions
4. PicketLink IDP Missing AuthnStatement in Response

matthew.hayes Jan 26, 2011 11:57 PM (in response to anil.saldhana)

Yes. I'll look forward to it.

Thanks,
Matt
Actions
5. PicketLink IDP Missing AuthnStatement in Response

anil.saldhana Feb 1, 2011 12:42 PM (in response to matthew.hayes)

Matt, you saw this?Looking for Test Volunteers[Seam/PicketLink]
http://community.jboss.org/thread/162048?tstart=0

I am ready to put out PL2 build out. I need people to report problems on that thread when the build is out.
Actions
6. PicketLink IDP Missing AuthnStatement in Response

matthew.hayes Feb 1, 2011 11:17 PM (in response to anil.saldhana)

Yes, its on my list for a bit later this week, just have to dig myself out from under a few other priorities.
Actions

Go to original post