Endless loop on SP with PingIdentity IDP
zcsoka May 18, 2012 1:41 AM
Hi,
I am trying to set up a PicketLink SP with a PingIdentity IDP. I use PicketLink 2.1.1 on Tomcat 6. I got the quickstart projects from the repo and I am trying to use the POST-sig example (POST binding with signature), but actually I only want to verify the IDP cert. To reduce the number of possible errors I disabled the cert validation, and my config looks like:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1" EnableAudit="true">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="no">
    <IdentityURL>https://int-idp-dev.anonymous.com:9031/idp/startSSO.ping?PartnerSpId=SalesTest</IdentityURL>
    <ServiceURL>http://iamsp.anonymous.com:8080/sales-post-sig/</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler
      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
  </Handlers>
</PicketLink>
I use the tomcat-users.xml for the user definition and for my user id I defined the "manager" role, since I do not get any roles from the IDP.
The web.xml defines
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
for the URI /*
If I try to run an SP-initiated login and put http://iamsp.anonymous.com:8080/sales-post-sig/ into the browser,
1. the SP redirects to the IDP with the samlRequest. The IDP authenticates via Kerberos and sends back the samlResponse
2. the SP does something with the response and redirects to the application with a 302
3. the response is a 200, but it contains an onload submit to the IDP with a samlRequest
It goes to the IDP again and these steps loop forever.
I caught the samlResponse, decoded it and found that the nameid is in the response under:
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"> and it is the correct user name.
I also found that there is a discrepancy between the configured URL and the Issuer name (one is int-idp-dev.anonymous.com and the other is ext-idp-dev.anonymous.com):
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ext-idp-dev.anonymous.com</saml:Issuer>
According to the PingIdentity admin it should not cause any problems.
On top of that, the log files are almost empty; the server.log has only one entry, so I have no chance to troubleshoot (although the log4j root level is set to DEBUG):
main INFO sp.BaseFormAuthenticator - BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
Questions:
1.) Do you have any idea what my problem is?
2.) Does PicketLink verify the issuer against the IdentityURL?
3.) Is it normal that the DEBUG level does not print anything? I would expect some log entries for the SAML ticket verification.
Many thanks in advance for your help,
Kind Regards,
Zoltan
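An added example (not part of the original post or of PicketLink) showing how to decode a POSTed SAMLResponse and compare its Issuer, StatusCode and Audience against the IdentityURL and ServiceURL from a PicketLinkSP config, which is the comparison a loop like the one above calls for. The sample response and the NameID value in it are constructed; the hostnames mirror the post.

```python
"""Added example (not from the original post): decode a POSTed SAMLResponse and
compare the fields that matter for the PicketLinkSP config. Sample is constructed."""
import base64
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample reproducing the Issuer / IdentityURL host mismatch from the post.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
 <saml:Issuer>ext-idp-dev.anonymous.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="_a1">
  <saml:Issuer>ext-idp-dev.anonymous.com</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
   >zcsoka@ANONYMOUS.COM</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>http://iamsp.anonymous.com:8080/sales-post-sig/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

def summarize(saml_response_b64):
    """Base64-decode the SAMLResponse form field and extract the fields to check."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": status.get("Value") if status is not None else None,
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid": name_id.text if name_id is not None else None,
        "audiences": [a.text for a in root.findall(".//saml:Audience", NS)],
    }

def check_against_sp_config(summary, identity_url, service_url):
    """List discrepancies between the response and the SP's IdentityURL / ServiceURL."""
    idp_host = urlparse(identity_url).hostname
    findings = []
    if summary["status"] != SUCCESS:
        findings.append("status is not Success: %r" % summary["status"])
    if summary["issuer"] not in (identity_url, idp_host):
        findings.append("Issuer %r differs from IdentityURL host %r" % (summary["issuer"], idp_host))
    if service_url not in summary["audiences"]:
        findings.append("ServiceURL %r not listed as Audience" % service_url)
    return findings
```

Run it against the real SAMLResponse value copied from the browser's POST body and the two URLs from the PicketLinkSP element; an empty list means the three fields line up with the config.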