0 Replies Latest reply on Oct 17, 2012 3:12 PM by marius.oancea

    Picketlink-seam 2.x anyone?

    marius.oancea

      Hello,

      Context: Seam 2.1.2GA application, currently using PicketLink 1.0.3 on JBoss 4.2.3

      What works: I can successfully log in using a Novell IdP and also with ADFS IdPs.

      What does not work: logout

       

      I wanted to try to upgrade my app to use latest picketlink but:

      1) I did not find any newer picketlink-seam release, only the sources.

      2) I took the version from SVN and tried to build it myself. All was OK. I added the jars from PicketLink 2.0.3 into my JBoss 4.2.3, but login does not work anymore. It looks to be a problem in parsing the Authn XML. Is JBoss 4.2 not supported anymore? Or is it a different problem?


      With picketlink-seam 1.0.3, when I log out, the following message is sent to the server:

      <ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" Destination="<idp-hostname>/nidp/saml2/slo" ID="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094" IssueInstant="2012-10-10T09:19:44.897Z" Version="2.0">
          <Issuer>http://<mysite>/portal</Issuer>
          <NameID>REMOVED</NameID>
          <ns3:SessionIndex>id1wgBKusxzjJPXl0EW1YkURkBYIU</ns3:SessionIndex>
      </ns3:LogoutRequest>

       

      But the answer is:

      <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://<mysite>/portal/SingleLogoutService.seam" ID="idtDjVJWkyrW757aU4ktwCI23CIgo" InResponseTo="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094" IssueInstant="2012-10-10T09:19:39Z" Version="2.0">
          <saml:Issuer>https://<idp-host>/nidp/saml2/metadata</saml:Issuer>
          <samlp:Status>
              <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
          </samlp:Status>
      </samlp:LogoutResponse>

       

      What do you think, does it make sense to dig into a migration to a newer picketlink-seam? Will this solve the problem?

       

      Any idea how to debug this, given that I do not have access to the IdP logs?

       

      Note: I tried to remove POST from the metadata to force the use of redirect. I also tested the reverse (to only use redirect). But no result.

       

      Final note: I also tested an OpenAM IdP, and there the whole suite (login/logout) works perfectly.

       

      Any idea appreciated.

       

      Marius
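As an added example (not code from the post or from PicketLink), the following Python script shows the checks an SP should run on a SAML 2.0 LogoutResponse before treating single logout as done: InResponseTo against the request ID, Issuer and Destination against expected values, the top-level StatusCode (where "Responder" means the IdP itself failed to process the request), and the IssueInstant ordering between request and response. The sample messages are constructed after the exchange above, with placeholder hosts (idp.example, sp.example) substituted for the redacted ones.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed samples modelled on the exchange in the post; hosts are placeholders.
REQUEST_XML = """<ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://idp.example/nidp/saml2/slo"
 ID="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094" IssueInstant="2012-10-10T09:19:44.897Z" Version="2.0">
 <Issuer>http://sp.example/portal</Issuer><NameID>REMOVED</NameID>
 <ns3:SessionIndex>id1wgBKusxzjJPXl0EW1YkURkBYIU</ns3:SessionIndex></ns3:LogoutRequest>"""
RESPONSE_XML = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="http://sp.example/portal/SingleLogoutService.seam" ID="idtDjVJWkyrW757aU4ktwCI23CIgo"
 InResponseTo="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094" IssueInstant="2012-10-10T09:19:39Z" Version="2.0">
 <saml:Issuer>https://idp.example/nidp/saml2/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:LogoutResponse>"""

def parse_instant(value):
    # SAML IssueInstant is xs:dateTime in UTC; accept both with and without fractional seconds.
    value = value[:-1] if value.endswith("Z") else value
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_logout_response(request_xml, response_xml, expected_issuer, slo_url,
                          max_skew=timedelta(seconds=120)):
    """Return (status_code, problems); logout is complete only if problems is empty."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    problems = []
    if resp.get("InResponseTo") != req.get("ID"):
        problems.append("InResponseTo does not match the ID of our LogoutRequest")
    issuer = resp.findtext(f"{{{SAML}}}Issuer")
    if issuer != expected_issuer:
        problems.append(f"unexpected Issuer {issuer!r}")
    if resp.get("Destination") != slo_url:
        problems.append(f"Destination {resp.get('Destination')!r} is not our SLO endpoint")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    status = code.get("Value") if code is not None else None
    if status != STATUS_SUCCESS:
        # Top-level Responder means the IdP could not process the request; the IdP-side
        # session may still be alive, so the SP must not report a completed single logout.
        problems.append(f"IdP returned {status}: logout not confirmed on the IdP side")
    delta = parse_instant(resp.get("IssueInstant")) - parse_instant(req.get("IssueInstant"))
    if delta < timedelta(0) or delta > max_skew:
        problems.append(f"response IssueInstant is {delta.total_seconds():+.3f}s from the request")
    return status, problems
```

Run against the constructed pair, the checker flags both the Responder status and a response timestamped before its own request, which points at clock skew between SP and IdP as something to rule out alongside the binding configuration.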