16 Replies Latest reply on Aug 8, 2011 3:53 PM by karencoulter

    For an SP, does the ValidatingAlias key need to be the hostname/IP of the IDP or enduser?

    karencoulter

      I have an SP on jboss 5.1.0GA and the most recent snapshot jars for picketlink. I am connecting to ADFS as the IDP. When I originally set it up, it seemed to be working correctly. I could send the samlp:AuthnRequest and receive the samlp:Response, get attributes from the Response, etc. However, as testing was opened up to additional people (rather than just me and the guy on the ADFS side), I kept seeing errors in the logs for "Domain Alias missing for xxx.xxx.xxx.xxx". If I added the IP from the error message as an additional ValidatingAlias Key in the picketlink-idfed.xml file, the problem would go away for that IP until another one showed up in the logs. These IPs appear to be the enduser's IP, not the IP of the IDP. Obviously, this is not sustainable.

      I can see that the error is occurring in SPRedirectSignatureFormAuthenticator.validate(), where it is trying to get the validatingKey = this.keyManager.getValidatingKey(request.getRemoteAddr()). In my case, request.getRemoteAddr() is the enduser's IP, not the IP of the IDP. It is entirely possible that the ADFS IDP is sending me the incorrect information, but I also need to find out if there are any configuration issues on my end or any other ideas on what might need to be changed.

      Here are my configuration files:

      jboss-web.xml

      <jboss-web>
         <security-domain>sp</security-domain>
      </jboss-web>

      picketlink-sp-jboss-beans.xml

      <deployment xmlns="urn:jboss:bean-deployer:2.0">
         <application-policy xmlns="urn:jboss:security-beans:1.0" name="sp">
            <authentication>
               <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required" />
            </authentication>
         </application-policy>
      </deployment>

      picketlink-handler.xml

      <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
         <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
         <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
            <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"/>
         </Handler>
         <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
            <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="false"/>
         </Handler>
      </Handlers>

      context.xml

      <Context>
         <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator"/>
      </Context>

      picketlink-idfed.xml

      <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="jboss">
         <IdentityURL>https://hostnameforadfsserver.com/adfs/ls/IdpInitiatedSignOn.aspx?LoginToRp=xxxxx</IdentityURL>
         <ServiceURL>https://mysphostname/</ServiceURL>
         <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/my.keystore" />
            <Auth Key="KeyStorePass" Value="keystorepass" />
            <Auth Key="SigningKeyPass" Value="signingpass" />
            <Auth Key="SigningKeyAlias" Value="signingalias" />
            <ValidatingAlias Key="hostnameforadfsserver" Value="adfssigningtoken"/>
            <ValidatingAlias Key="xxx.xxx.xxx.xxx" Value="adfssigningtoken"/>
            ... (here's where I've added each IP that shows up in that "Domain Alias missing for .." error)
            <ValidatingAlias Key="xxx.xxx.xxx.xxx" Value="adfssigningtoken"/>
         </KeyProvider>
      </PicketLinkSP>


      Stack trace:

      Handlers are:[org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1a61c6,      org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@94ed7,      org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler@15f2f60]
      Handlers are : [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1a61c6,      org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@94ed7,      org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler@15f2f60]
      Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
      Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler
      Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler
      SAML Document=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://mysphostname" ID="ID_49c4daec-e64d-4290-a356-63f9e79fb75d" IssueInstant="2011-08-04T11:14:57.702-04:00" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><Issuer>https://mysphostname</Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"/></samlp:AuthnRequest>
      URL used for sending:https://hostnameforadfsserver/adfs/ls/IdpInitiatedSignOn.aspx?LoginToRp=xxx&SAMLRequest=xxx&SigAlg=xxx&    Signature=xxx

      Exception:

      java.lang.IllegalStateException: Domain Alias missing for xxx.xxx.xxx.xxx
          at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:250)
          at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator.validate(SPRedirectSignatureFormAuthenticator.java:147)
          at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:219)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

      Other:
      picketlink v2 SNAPSHOT jars from 7/27
      SP is using SPRedirectSignatureFormAuthenticator (ADFS person told me they didn't support Post)
      jboss 5.1.0.GA
      jdk 1.6.0_25
      Windows Server 2003 R2


      And in case this makes a difference, the ADFS server is currently only accessible via VPN, so in order to get to it, the server I'm on is connected via VPN (Cisco AnyConnect) to the ADFS server.
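Added illustration of the point the post turns on (this is not PicketLink's code and not the poster's): under the HTTP-Redirect binding the message reaches the SP through the end user's browser, so request.getRemoteAddr() is the browser's (or a proxy's) address and says nothing about who signed the message. The standalone Java class below verifies a Redirect-binding query-string signature and chooses the validating certificate by the message's <Issuer> (the IdP entityID) instead of by remote address. The class name, the issuer-to-alias map, Java 8+ APIs and a caller-loaded KeyStore are assumptions; the signed-string layout follows SAML 2.0 Bindings section 3.4.4.1.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Map;
import java.util.zip.Inflater;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Added example, not PicketLink code. Verifies the query-string signature of a SAML 2.0
 * HTTP-Redirect message and selects the validating certificate by the message's <Issuer>
 * (the IdP entityID), not by request.getRemoteAddr(): under the Redirect binding the
 * HTTP client is the end user's browser or proxy, never the IdP.
 * Assumptions: Java 8+, a loaded KeyStore with the IdP certificate under some alias, and a
 * caller-supplied issuer -> alias map (for the poster, ADFS entityID -> "adfssigningtoken").
 */
public class RedirectBindingVerifier {
    private static final String SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    private final KeyStore keyStore;
    private final Map<String, String> issuerToAlias;

    public RedirectBindingVerifier(KeyStore keyStore, Map<String, String> issuerToAlias) {
        this.keyStore = keyStore;
        this.issuerToAlias = issuerToAlias;
    }

    /** Redirect-binding payloads are raw DEFLATE (RFC 1951) then base64; reverse both. */
    public static byte[] decodeRedirectPayload(String base64Deflated) throws Exception {
        Inflater inflater = new Inflater(true); // nowrap=true: raw deflate, no zlib header
        inflater.setInput(Base64.getDecoder().decode(base64Deflated));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) break; // truncated input
            out.write(buf, 0, n);
        }
        inflater.end();
        return out.toByteArray();
    }

    /** Read <Issuer> from attacker-reachable XML with DOCTYPEs disabled, so no XXE. */
    public static String extractIssuer(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        NodeList issuers = doc.getElementsByTagNameNS(SAML_ASSERTION_NS, "Issuer");
        if (issuers.getLength() == 0) throw new IllegalStateException("SAML message carries no Issuer");
        return issuers.item(0).getTextContent().trim();
    }

    /**
     * Verify a signed Redirect-binding query string. Per SAML Bindings 3.4.4.1 the signed octets
     * are the URL-encoded values exactly as they appear on the wire:
     * "SAMLResponse=...&RelayState=...&SigAlg=..." (RelayState is left out when absent).
     * paramName is "SAMLRequest" or "SAMLResponse"; the other arguments are raw query values.
     */
    public boolean verify(String paramName, String encodedValue, String encodedRelayState,
                          String encodedSigAlg, String encodedSignature) throws Exception {
        String jcaAlg;
        switch (URLDecoder.decode(encodedSigAlg, "UTF-8")) {
            case "http://www.w3.org/2000/09/xmldsig#rsa-sha1":        jcaAlg = "SHA1withRSA";   break;
            case "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": jcaAlg = "SHA256withRSA"; break;
            default: throw new IllegalArgumentException("unsupported SigAlg");
        }
        // The Issuer only chooses which certificate to try; a forged Issuer selects a certificate
        // the signature will not verify against, so trusting it for lookup is safe. The remote
        // address says nothing about who signed the message.
        String issuer = extractIssuer(decodeRedirectPayload(URLDecoder.decode(encodedValue, "UTF-8")));
        String alias = issuerToAlias.get(issuer);
        if (alias == null) throw new IllegalStateException("no validating alias for issuer " + issuer);
        Certificate cert = keyStore.getCertificate(alias);
        if (cert == null) throw new IllegalStateException("alias " + alias + " not found in keystore");

        StringBuilder signed = new StringBuilder(paramName).append('=').append(encodedValue);
        if (encodedRelayState != null) signed.append("&RelayState=").append(encodedRelayState);
        signed.append("&SigAlg=").append(encodedSigAlg);

        Signature sig = Signature.getInstance(jcaAlg);
        sig.initVerify(cert.getPublicKey());
        sig.update(signed.toString().getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getDecoder().decode(URLDecoder.decode(encodedSignature, "UTF-8")));
    }
}
```

Read against the post: the addresses in "Domain Alias missing for xxx.xxx.xxx.xxx" keep changing because each new tester's browser is a new HTTP client, and adding them as ValidatingAlias keys only grows the list without binding the signature to the IdP. Keying the lookup on the signer's identity in the message, as above, stays stable as users change and still rejects anything the IdP certificate did not sign. Whether PicketLink's KeyStoreKeyManager can be configured to key on the issuer rather than the address is not something this post establishes, so check the version in use before relying on that.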
