3 Replies Latest reply on Nov 15, 2011 5:01 PM by pcraveiro

The IDP forces the validatingAlias to be the end user's IP

pcraveiro Nov 11, 2011 12:24 PM

Hi,

I'm facing a problem that seems to be the same discussed in http://community.jboss.org/thread/170571?tstart=0.

The difference is that the "Domain Alias missing for xxx.xxx.xxx.xxx" exception is throwed in a different place. In the previous post the class throwing the expcetion was the SPRedirectSignatureFormAuthenticator (that for me is OK when it tries to validate the token with the idpAddress attribute) and now is the IDPWebBrowserSSOValve, from the IDP side.

If the client trying to access the SP is on the same machine everything works fine, but when he is in a different one the problem occurs.

Here is the stack trace:

java.lang.IllegalStateException: PL00058: KeyStoreKeyManager : Domain Alias missing for :x.x.x.x

at org.picketlink.identity.federation.core.impl.KeyStoreKeyManager.getValidatingKey(KeyStoreKeyManager.java:256)

at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.validate(IDPWebBrowserSSOValve.java:912)

at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:516)

at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:383)

at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)

at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)

at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)

at java.lang.Thread.run(Thread.java:662)

1. Re: The IDP forces the validatingAlias to be the end user's IP

anil.saldhana Nov 11, 2011 1:17 PM (in response to pcraveiro)

Pedro,

take the code from http://anonsvn.jboss.org/repos/picketlink/federation/trunk/

put in a fix for the code. Submit a patch to https://issues.jboss.org/browse/PLFED-248

If the patch looks good, we can give you commit rights to commit the patch yourself.
1 of 1 people found this helpful
Actions
2. Re: The IDP forces the validatingAlias to be the end user's IP

pcraveiro Nov 11, 2011 1:42 PM (in response to anil.saldhana)

Thanks again Anil,

I'll take the code from the repo and submit a patch as you said.
Actions
3. Re: The IDP forces the validatingAlias to be the end user's IP

pcraveiro Nov 15, 2011 5:01 PM (in response to pcraveiro)

Patch commited. Issue marked as resolved.
Actions

Go to original post