-
1. Re: Best way to handle IDP exceptions
pcraveiro Mar 26, 2012 9:03 AM (in response to igoncalves)
Hi Ismael,
The SAML2 spec says that errors have to be returned to the Service Provider.
If you look at the IDPBrowserSSOValve, a SAMLResponse is always created in case of failures and the valve tries to send it back to the SP.
I think that the blank/white page you are facing is because the destination is not set. Please, look at the log files for an entry like this one:
javax.servlet.ServletException: PL00092: Null Value:Destination
Can you also attach your logs?
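As an added illustration (not PicketLink code) of the point above: on a validation failure the IDP still has to answer the SP with a samlp:Response carrying a non-Success status, and that Response needs a Destination; here the destination is taken from the request's AssertionConsumerServiceURL, with an SP-metadata fallback, and the failure case of no destination is surfaced explicitly instead of surfacing later as a null value. The request, URLs and function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
import uuid
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed AuthnRequest, as an SP would send it (not a captured message).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1"
  Version="2.0" IssueInstant="2012-03-26T10:24:43Z"
  AssertionConsumerServiceURL="https://sp.example.test/saml/acs">
  <saml:Issuer xmlns:saml="{SAML}">https://sp.example.test</saml:Issuer>
</samlp:AuthnRequest>"""

class NoDestinationError(Exception):
    """Raised when the error Response cannot be routed (the PL00092 situation)."""

def resolve_destination(request_xml, sp_metadata_acs=None):
    """Destination for the error Response: ACS URL from the request, else SP metadata."""
    root = ET.fromstring(request_xml)
    acs = root.get("AssertionConsumerServiceURL") or sp_metadata_acs
    if not acs:
        raise NoDestinationError("no Destination available for the error Response")
    return acs, root.get("ID")

def build_error_response(request_xml, issuer, status_code, message, sp_metadata_acs=None):
    """Build the samlp:Response an IDP returns on failure, with Destination set."""
    destination, in_response_to = resolve_destination(request_xml, sp_metadata_acs)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=status_code)
    # Keep the message generic: key aliases and stack traces stay in the IDP log.
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")

def error_response_summary(response_xml):
    """Fields an SP (or a log check) would inspect on the returned Response."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return {"Destination": root.get("Destination"),
            "InResponseTo": root.get("InResponseTo"),
            "StatusCode": code.get("Value") if code is not None else None}
```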
-
2. Re: Best way to handle IDP exceptions
igoncalves Mar 26, 2012 9:33 AM (in response to pcraveiro)
Hello Pedro.
I understood. Well, every time we got, for example, a "PL00019 Check Validation" we also got a "Null Value: destination".
If the IDPBrowserSSOValve was supposed to send the error back to the SP, I think it isn't happening, probably due to the Null Value.
In order to simulate the exception below I just changed the "alias" in my picketlink-idfed.xml IDP, making it match another certificate.
Observe that everything is set up properly, because once I assign the right certificate everything works fine.
Following is the log:
10:24:43,558 ERROR [IDPWebBrowserSSOValve] Exception in processing request:
java.security.GeneralSecurityException: PL00019: Validation check failed
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:548)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:404)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
at java.lang.Thread.run(Thread.java:662)
10:24:44,491 ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing
javax.servlet.ServletException: PL00092: Null Value:Destination
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLResponseMessage(IDPWebBrowserSSOValve.java:825)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:408)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
at java.lang.Thread.run(Thread.java:662)
-
3. Re: Best way to handle IDP exceptions
pcraveiro Mar 26, 2012 1:25 PM (in response to igoncalves)
Hi Ismael,
I created a thread in the PL design forum to discuss this problem and find the best solution to solve it. Here is the link: https://community.jboss.org/thread/197488.
Regards.
Pedro Igor
-
4. Re: Best way to handle IDP exceptions
igoncalves Mar 26, 2012 1:21 PM (in response to pcraveiro)
Hi Pedro.
Thanks for helping.
As I understand it, it seems there is a "gap" in this part. We are going to follow the discussion in the PL design forum.
Best Regards.
Ismael Goncalves
Pedro Igor wrote:
Hi Ismael,
I created a thread in the PL design forum to discuss this problem and find the best solution to solve it. Here is the link: https://community.jboss.org/wiki/HandlingErrosDuringASP-InitiatedAuthentication.
Regards.
Pedro Igor