PicketLink 2.0 not processing response with requested NameIDPolicy
ryanfernandes Sep 19, 2011 5:14 AM
IDP: ADFS 2.0
PicketLink : 2.0
PicketLink 2.0 seems to issue a SAML Request with a NameIDPolicy tag
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
This causes the IDP to correctly issue a SAML Response containing
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">MyeHAMeGLojBt7fcc2DQtntXXFka0kybkR42ZTitTUs=</NameID>
However, PicketLink doesn't seem to do anything after receiving this response.
It doesn't redirect to the protected content and there are no errors in the log.
Turning the logging for org.picketlink to TRACE yields:
[ServiceProviderBaseProcessor] Handlers are:[org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler.. [ServiceProviderBaseProcessor] Handlers are : [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandl.. [ServiceProviderBaseProcessor] Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML.. [ServiceProviderBaseProcessor] Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML.. [SPRedirectFormAuthenticator] SAML Document=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xm.. [SPRedirectFormAuthenticator] URL used for sending:https://mymachine.mydomain.com/adfs/ls/?SAMLRequest=lZLdT...
If I intercept the SAMLResponse and change the NameID tag contents to:
<NameID>myuser</NameID>
...PicketLink works! (however, defeating the NameIDPolicy)
The logs for org.picketlink at TRACE now yield:
[ServiceProviderBaseProcessor] Handlers are:[org.picketlink.identity.federation.we.. [ServiceProviderBaseProcessor] Handlers are : [org.picketlink.identity.federation... [ServiceProviderBaseProcessor] Finished Processing handler:org.picketlink.identity... [ServiceProviderBaseProcessor] Finished Processing handler:org.picketlink.identity... [SPRedirectFormAuthenticator] SAML Document=<samlp:AuthnRequest xmlns:samlp="urn:o... [SPRedirectFormAuthenticator] URL used for sending:https://mymachine.mydom..... [SAML2Response] RESPONSE=<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0: [TransformerUtil] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:xml [TransformerUtil] Creating an Attribute Namespace=:Algorithm [TransformerUtil] Creating an Attribute Namespace=:Algorithm [TransformerUtil] Creating an Attribute Namespace=:URI [TransformerUtil] Creating an Attribute Namespace=:Algorithm [TransformerUtil] Creating an Attribute Namespace=:Algorithm [TransformerUtil] Creating an Attribute Namespace=:Algorithm [TransformerUtil] Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:Key [AssertionUtil] Now=2011-09-16T10:52:24.634+05:30 ::notBefore=2011-09-16T05:19:21. [SAML2LoginModule] initialize [SAML2LoginModule] Security domain: sp [SAML2LoginModule] login
[SAML2LoginModule] User 'myuser ' authenticated, loginOk=true
[SAML2LoginModule] commit, loginOk=true
So the questions are:
1. Does PicketLink 2.0 support and process NameIDPolicy?
2. Can I configure PicketLink 2.0 to NOT send the NameIDPolicy?
3. Does NameIDPolicy have any bearing on the Logout behaviour of PicketLink?
4. PicketLink 1.0 does not send NameIDPolicy in the request. Can PicketLink 1.0 participate in Global / Local SSO Logout?
Please let me know if you need further information.
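Added example (not from the poster and not PicketLink's own code) illustrating the SP-side handling behind the question: a transient NameID is an opaque, per-session handle the IdP issued under the requested NameIDPolicy, so an SP that wants a stable username must take it from an assertion attribute and keep the NameID itself only for the later LogoutRequest, which carries the identifier the IdP issued. The code parses a response, distinguishes the transient case from the edited `<NameID>myuser</NameID>` case (no Format attribute, which SAML 2.0 treats as unspecified), and fails closed when a transient response carries no usable attribute instead of silently doing nothing. The sample responses are constructed and unsigned, the issuer `urn:example:constructed-idp` is a placeholder, and the attribute name `uid` is an assumption; a real SP must also verify the XML signature, Conditions and InResponseTo before any of this.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# SAML 2.0 core: a NameID with no Format attribute is treated as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"


def _sample(name_id_element: str, attribute_block: str) -> str:
    """Build a constructed, minimal, unsigned Response of the shape described in the post."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-response" Version="2.0" IssueInstant="2011-09-16T05:19:21Z">
  <saml:Issuer>urn:example:constructed-idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2011-09-16T05:19:21Z">
    <saml:Issuer>urn:example:constructed-idp</saml:Issuer>
    <saml:Subject>{name_id_element}</saml:Subject>
    {attribute_block}
  </saml:Assertion>
</samlp:Response>"""


UID_ATTR = """<saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>myuser</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>"""

# What the IdP returns for a transient NameIDPolicy (value taken from the post).
TRANSIENT_RESPONSE = _sample(
    f'<saml:NameID Format="{TRANSIENT}">MyeHAMeGLojBt7fcc2DQtntXXFka0kybkR42ZTitTUs=</saml:NameID>',
    UID_ATTR,
)
# The hand-edited response from the post: bare NameID, no Format attribute.
EDITED_RESPONSE = _sample("<saml:NameID>myuser</saml:NameID>", "")
# Transient NameID but no attribute to map it to a user: the SP has nothing to log in as.
TRANSIENT_NO_ATTRS = _sample(
    f'<saml:NameID Format="{TRANSIENT}">MyeHAMeGLojBt7fcc2DQtntXXFka0kybkR42ZTitTUs=</saml:NameID>',
    "",
)


def extract_name_id(response_xml: str):
    """Return (Format, value) of the Subject NameID; Format defaults to unspecified."""
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion Subject carries no NameID")
    return name_id.get("Format", UNSPECIFIED), (name_id.text or "").strip()


def extract_attributes(response_xml: str) -> dict:
    """Map Attribute Name -> list of AttributeValue texts from the AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def resolve_principal(response_xml: str, principal_attr: str = "uid") -> dict:
    """Decide which string becomes the local principal, without trusting a transient handle as a username."""
    fmt, value = extract_name_id(response_xml)
    if fmt == TRANSIENT:
        # Transient handles are per-session and opaque: the username must come from an attribute,
        # while the handle is retained because a LogoutRequest must name the identifier the IdP issued.
        values = extract_attributes(response_xml).get(principal_attr, [])
        if len(values) != 1:
            raise ValueError(f"transient NameID but no single '{principal_attr}' attribute to map to a user")
        return {"principal": values[0], "name_id_format": fmt, "session_handle": value}
    # Persistent/unspecified/email formats identify the user directly, so the value is usable as-is.
    return {"principal": value, "name_id_format": fmt, "session_handle": value}


if __name__ == "__main__":
    for label, sample in [("transient", TRANSIENT_RESPONSE), ("edited", EDITED_RESPONSE)]:
        print(label, resolve_principal(sample))
    try:
        resolve_principal(TRANSIENT_NO_ATTRS)
    except ValueError as exc:
        print("transient-no-attrs rejected:", exc)
```

Running it shows why the manual edit in the post "works": with no Format attribute the NameID text is taken as the username directly, whereas the transient response only yields a login once an attribute supplies the user, and an SP should log a hard error rather than stall when that mapping is missing.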