For an SP, does the ValidatingAlias key need to be the hostname/IP of the IDP or enduser?
karencoulter Aug 5, 2011 10:46 AM
I have an SP on jboss 5.1.0GA and the most recent snapshot jars for picketlink. I am connecting to ADFS as the IDP. When I originally set it up, it seemed to be working correctly. I could send the samlp:AuthnRequest and receive the samlp:Response, get attributes from the Response, etc. However, as testing was opened up to additional people (rather than just me and the guy on the ADFS side), I kept seeing errors in the logs for "Domain Alias missing for xxx.xxx.xxx.xxx". If I added the IP from the error message as an additional ValidatingAlias Key in the picketlink-idfed.xml file, the problem would go away for that IP until another one showed up in the logs. These IPs appear to be the enduser's IP, not the IP of the IDP. Obviously, this is not sustainable.
I can see that the error is occurring in SPRedirectSignatureFormAuthenticator.validate() where it is trying to get the validatingKey = this.keyManager.getValidatingKey(request.getRemoteAddr()). In my case, the request.getRemoteAddr() is the enduser's IP, not the IP of the IDP. It is entirely possible that the ADFS IDP is sending me the incorrect information, but I also need to find out if there are any configuration issues on my end or any other ideas on what might need to be changed.
Here are my configuration files:
jboss-web.xml
<jboss-web>
    <security-domain>sp</security-domain>
</jboss-web>
picketlink-sp-jboss-beans.xml
<deployment xmlns="urn:jboss:bean-deployer:2.0">
    <application-policy xmlns="urn:jboss:security-beans:1.0" name="sp">
        <authentication>
            <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required" />
        </authentication>
    </application-policy>
</deployment>
picketlink-handler.xml
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
        <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"/>
    </Handler>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
        <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="false"/>
    </Handler>
</Handlers>
context.xml
<Context>
    <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator"/>
</Context>
picketlink-idfed.xml
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="jboss">
    <IdentityURL>https://hostnameforadfsserver.com/adfs/ls/IdpInitiatedSignOn.aspx?LoginToRp=xxxxx</IdentityURL>
    <ServiceURL>https://mysphostname/</ServiceURL>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
        <Auth Key="KeyStoreURL" Value="/my.keystore" />
        <Auth Key="KeyStorePass" Value="keystorepass" />
        <Auth Key="SigningKeyPass" Value="signingpass" />
        <Auth Key="SigningKeyAlias" Value="signingalias" />
        <ValidatingAlias Key="hostnameforadfsserver" Value="adfssigningtoken"/>
        <ValidatingAlias Key="xxx.xxx.xxx.xxx" Value="adfssigningtoken"/>
        <!-- ... (here's where I've added each IP that shows up in that "Domain Alias missing for .." error) -->
        <ValidatingAlias Key="xxx.xxx.xxx.xxx" Value="adfssigningtoken"/>
    </KeyProvider>
</PicketLinkSP>
Stack trace:
Handlers are:[org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1a61c6, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@94ed7, org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler@15f2f60]
Handlers are : [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1a61c6, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@94ed7, org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler@15f2f60]
Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler
Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler
SAML Document=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://mysphostname" ID="ID_49c4daec-e64d-4290-a356-63f9e79fb75d" IssueInstant="2011-08-04T11:14:57.702-04:00" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><Issuer>https://mysphostname</Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"/></samlp:AuthnRequest>
URL used for sending:https://hostnameforadfsserver/adfs/ls/IdpInitiatedSignOn.aspx?LoginToRp=xxx&SAMLRequest=xxx&SigAlg=xxx& Signature=xxx
Exception:
java.lang.IllegalStateException: Domain Alias missing for xxx.xxx.xxx.xxx
at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:250)
at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator.validate(SPRedirectSignatureFormAuthenticator.java:147)
at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:219)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
Other:
picketlink v2 SNAPSHOT jars from 7/27
SP is using SPRedirectSignatureFormAuthenticator (ADFS person told me they didn't support Post)
jboss 5.1.0.GA
jdk 1.6.0_25
Windows Server 2003 R2
And in case this makes a difference, the ADFS server is currently only accessible via VPN, so in order to get to it, the server I'm on is connected via VPN (Cisco AnyConnect) to the ADFS server.
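Added example, not the poster's code and not PicketLink's: it reproduces, in a few lines of Python, why a validating-key lookup keyed on request.getRemoteAddr() cannot work for a browser-redirected SAML message (the TCP peer is the user's browser, never the IdP), contrasts it with a lookup keyed on the message's Issuer hostname (an assumed alternative, not PicketLink's own resolution), and triages "Domain Alias missing for ..." log lines to show that the addresses are many distinct clients rather than one IdP. The config copy, addresses, issuer URL and log lines are constructed placeholders.

```python
"""Added example, not PicketLink or the poster's code: shows why keying the
validating-key lookup on the TCP peer address fails for a browser-redirected
SAML message, and triages the "Domain Alias missing for ..." log lines.
Hostnames, addresses and the issuer URL below are constructed placeholders."""
import re
from collections import Counter
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"pl": "urn:picketlink:identity-federation:config:1.0"}

# Constructed stand-in for the picketlink-idfed.xml in the post; the alias Key
# is assumed to match the hostname in IdentityURL.
SP_CONFIG = """<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="jboss">
  <IdentityURL>https://hostnameforadfsserver.com/adfs/ls/IdpInitiatedSignOn.aspx?LoginToRp=xxxxx</IdentityURL>
  <ServiceURL>https://mysphostname/</ServiceURL>
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <ValidatingAlias Key="hostnameforadfsserver.com" Value="adfssigningtoken"/>
    <ValidatingAlias Key="192.0.2.10" Value="adfssigningtoken"/>
  </KeyProvider>
</PicketLinkSP>"""

# Constructed log lines in the shape of the exception the post quotes.
SAMPLE_LOG = [
    "java.lang.IllegalStateException: Domain Alias missing for 198.51.100.23",
    "java.lang.IllegalStateException: Domain Alias missing for 198.51.100.23",
    "java.lang.IllegalStateException: Domain Alias missing for 203.0.113.8",
    "Finished Processing handler:org.picketlink...SAML2AttributeHandler",
    "java.lang.IllegalStateException: Domain Alias missing for 198.51.100.77",
]


def load_validating_aliases(config_xml):
    """Map ValidatingAlias Key -> keystore alias (certificate) from the SP config."""
    root = ET.fromstring(config_xml)
    return {va.get("Key"): va.get("Value")
            for va in root.findall("pl:KeyProvider/pl:ValidatingAlias", NS)}


def idp_hostname(config_xml):
    """Hostname of the configured IdP, taken from IdentityURL."""
    root = ET.fromstring(config_xml)
    return urlparse(root.findtext("pl:IdentityURL", namespaces=NS)).hostname


def alias_by_remote_addr(aliases, remote_addr):
    """The lookup the post describes: keyed on request.getRemoteAddr().
    With a front-channel (redirect) binding that address is the user's
    browser, so every new client address misses."""
    if remote_addr not in aliases:
        raise LookupError("Domain Alias missing for " + remote_addr)
    return aliases[remote_addr]


def alias_by_issuer(aliases, issuer):
    """Assumed alternative: key the lookup on the SAML Issuer's hostname,
    which identifies the IdP regardless of which browser relayed the message."""
    host = urlparse(issuer).hostname or issuer
    if host not in aliases:
        raise LookupError("Domain Alias missing for " + host)
    return aliases[host]


def simulate_redirect_login(aliases, browser_ip, issuer):
    """One browser-relayed login: report which lookup strategy finds a key."""
    result = {}
    for name, fn, key in (("remote_addr", alias_by_remote_addr, browser_ip),
                          ("issuer", alias_by_issuer, issuer)):
        try:
            result[name] = fn(aliases, key)
        except LookupError as err:
            result[name] = str(err)
    return result


ALIAS_ERR = re.compile(r"Domain Alias missing for (\S+)")


def triage_alias_errors(log_lines, idp_host):
    """Count the distinct addresses behind the error. Many distinct peers,
    none of them the IdP, means the lookup is keyed on client addresses."""
    peers = Counter(m.group(1) for m in map(ALIAS_ERR.search, log_lines) if m)
    many_clients = len(peers) > 1 and idp_host not in peers
    return {"distinct_peers": len(peers),
            "top_peer": peers.most_common(1)[0][0] if peers else None,
            "keyed_on_client_addr": many_clients}


if __name__ == "__main__":
    aliases = load_validating_aliases(SP_CONFIG)
    print(simulate_redirect_login(aliases, "198.51.100.23",
                                  "https://hostnameforadfsserver.com/adfs/services/trust"))
    print(triage_alias_errors(SAMPLE_LOG, idp_hostname(SP_CONFIG)))
```

Run stand-alone it prints that the remote-address lookup misses for the browser's IP while the issuer-keyed lookup resolves the ADFS signing certificate, and the log triage reports three distinct peers with the IdP absent, which is exactly the pattern of adding one IP after another to ValidatingAlias without ever catching up.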