Picketlink-seam 2.x anyone?
marius.oancea Oct 17, 2012 3:12 PM
Hello,
Context: Seam 2.1.2.GA application currently using PicketLink 1.0.3 on JBoss 4.2.3
What works: I can successfully log in using a Novell IdP and also with ADFS IdPs.
What does not work: logout
I wanted to try to upgrade my app to use latest picketlink but:
1) I did not find any newer picketlink-seam? I did not find any, except the sources.
2) I took the version from SVN and tried to build it myself. All was OK. I added the jars from PicketLink 2.0.3 into my JBoss 4.2.3, but login does not work anymore. It looks to be a problem in parsing the Authn XML. Is JBoss 4.2 not supported anymore? Or is it a different problem?
With picketlink-seam 1.0.3, when I log out the following message is sent to the server:
<ns3:LogoutRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" Destination="<idp-hostname>/nidp/saml2/slo" ID="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094" IssueInstant="2012-10-10T09:19:44.897Z" Version="2.0">
  <Issuer>http://<mysite>/portal</Issuer>
  <NameID>REMOVED</NameID>
  <ns3:SessionIndex>id1wgBKusxzjJPXl0EW1YkURkBYIU</ns3:SessionIndex>
</ns3:LogoutRequest>
But the answer is:
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://<mysite>/portal/SingleLogoutService.seam" ID="idtDjVJWkyrW757aU4ktwCI23CIgo" InResponseTo="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094" IssueInstant="2012-10-10T09:19:39Z" Version="2.0">
  <saml:Issuer>https://<idp-host>/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:LogoutResponse>
What do you think, does it make sense to dig into migration to a newer picketlink-seam? Will this solve the problem?
Any idea how to debug this as long as I do not have access to the logs of the IdP?
Note: I tried to remove POST from the metadata to force using redirect. I also tested the reverse (to only use redirect). But no result.
Final note: I also tested an OpenAM IdP, and there the whole suite (login/logout) works perfectly.
Any idea appreciated.
Marius
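An added example, not code from the post or from PicketLink, showing the correlation and status checks an SP should run on a SAML 2.0 LogoutResponse before it treats the IdP session as ended; the messages are the ones quoted above, with the redacted hostnames and entity IDs replaced by constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.example.com/nidp/saml2/metadata"        # constructed placeholder
SP_SLO_URL = "http://sp.example.com/portal/SingleLogoutService.seam"  # constructed placeholder

# The two messages from the post, hostnames replaced by the constructed placeholders above.
LOGOUT_REQUEST = f"""<ns3:LogoutRequest xmlns:ns3="{SAMLP}" xmlns="{SAML}"
 Destination="https://idp.example.com/nidp/saml2/slo" ID="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094"
 IssueInstant="2012-10-10T09:19:44.897Z" Version="2.0"><Issuer>http://sp.example.com/portal</Issuer>
 <NameID>REMOVED</NameID><ns3:SessionIndex>id1wgBKusxzjJPXl0EW1YkURkBYIU</ns3:SessionIndex>
</ns3:LogoutRequest>"""
LOGOUT_RESPONSE = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
 Destination="{SP_SLO_URL}" ID="idtDjVJWkyrW757aU4ktwCI23CIgo"
 InResponseTo="ID_10cfa40d6-5f0d-4189-b94f-eb63eb9eb094" IssueInstant="2012-10-10T09:19:39Z"
 Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:LogoutResponse>"""

def parse_instant(value):
    """IssueInstant is xs:dateTime in UTC; fromisoformat needs the Z spelled as an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_logout_response(request_xml, response_xml, idp_entity_id, sp_slo_url):
    """Return the IdP status and every reason the SP must not yet treat the session as ended."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    findings = []
    # Correlate: the response must answer the exact request we issued, at our own endpoint,
    # and come from the IdP we sent it to; anything else is a replayed or misrouted message.
    if resp.get("InResponseTo") != req.get("ID"):
        findings.append("InResponseTo does not match the LogoutRequest ID we issued")
    if resp.get("Destination") != sp_slo_url:
        findings.append("Destination is not this SP's SLO endpoint")
    if resp.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        findings.append("Issuer is not the IdP the request was sent to")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    status = code.get("Value") if code is not None else None
    if status != STATUS_SUCCESS:
        # status:Responder means the IdP failed on its own side; a StatusMessage, when the IdP
        # includes one, is the only detail the SP gets without access to the IdP logs.
        detail = resp.findtext(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage") or "no StatusMessage"
        findings.append(f"IdP returned {status} ({detail})")
    if parse_instant(resp.get("IssueInstant")) < parse_instant(req.get("IssueInstant")):
        findings.append("response IssueInstant precedes the request: check IdP/SP clock sync")
    return {"status": status, "logged_out": not findings, "findings": findings}
```

Run over the quoted exchange it reports the Responder status and that the response IssueInstant is earlier than the request's, so clock synchronisation between SP and IdP is one thing worth verifying independently of the library version.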