4 Replies Latest reply on Dec 2, 2014 8:13 AM by pcraveiro

    Error while processing saml 2.0 response with signature when using third party IdP

    aviana

      JBoss/PicketLink is throwing an XML parser error while trying to process the SAML 2.0 response generated by a third-party IdP.

      I am using JBoss EAP 6.3, PicketLink 2.6.0.Final and the quickstart SP application with signature available at jboss-picketlink-quickstarts/picketlink-federation-saml-sp-post-with-signature at v2.6.0.Final · jboss-developer/jboss-p…

      I believe that the XML parser did not recognise the dsig namespace declared at the root tag.

      When comparing the SAML response generated by the JBoss IdP (jboss-picketlink-quickstarts/picketlink-federation-saml-idp-with-signature at master · jboss-developer/jboss-picketlink-…) and the SAML response generated by my third-party IdP, we could see that the JBoss IdP declares the dsig namespace inline at tag level and the third-party IdP declares the dsig namespace at root tag level.

      I attached both SAML response files for further analysis.


      [org.picketlink.common] (http-/127.0.0.1:8080-2) Service Provider could not handle the request.: org.picketlink.common.exceptions.ProcessingException: PL00102: Processing Exception:
              at org.picketlink.common.DefaultPicketLinkLogger.processingError(DefaultPicketLinkLogger.java:175)
              at org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil.asDocument(AssertionUtil.java:104) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:448) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:140) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:101) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:83) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:488) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:467) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:338) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:266) [picketlink-jbas7-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60]
      Caused by: ParsingException [location=null]org.picketlink.common.exceptions.ParsingException: PL00074: Parsing Error:The prefix "dsig" for element "dsig:Signature" is not bound.
              at org.picketlink.common.DefaultPicketLinkLogger.parserError(DefaultPicketLinkLogger.java:486)
              at org.picketlink.common.util.DocumentUtil.getDocument(DocumentUtil.java:217)
              at org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil.asDocument(AssertionUtil.java:102) [picketlink-federation-2.5.3.SP10-redhat-1.jar:2.5.3.SP10-redhat-1]
              ... 19 more
      Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 348; The prefix "dsig" for element "dsig:Signature" is not bound.
              at org.apache.xerces.parsers.DOMParser.parse(DOMParser.java:244)
              at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:285)
              at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121) [rt.jar:1.7.0_60]
              at org.picketlink.common.util.DocumentUtil.getDocument(DocumentUtil.java:213)
              ... 20 more
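An added illustration of the failure mode in the trace above, not from the original post or from PicketLink: the trace ends with AssertionUtil.asDocument handing the Assertion to DocumentUtil.getDocument for a fresh parse, which only succeeds if the extracted fragment carries every namespace declaration it uses. The Python below (chosen so it runs stand-alone; the quickstart itself is Java) contrasts a serializer that drops the root-level dsig binding with one that re-declares it, on a constructed response shaped like the poster's description of the third-party IdP.

```python
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET
from xml.parsers.expat import ExpatError

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, not one of the poster's attachments: the "dsig" prefix is
# bound only on the root Response, as described for the third-party IdP. The
# signature body is a placeholder, so this is not a verifiable signature.
RESPONSE_ROOT_BOUND = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:dsig="{DSIG}" ID="_resp1">'
    f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<dsig:Signature><dsig:SignatureValue>PLACEHOLDER</dsig:SignatureValue>'
    '</dsig:Signature></saml:Assertion></samlp:Response>'
)


def extract_assertion_naive(xml_text: str) -> str:
    """Serialize the Assertion subtree on its own. minidom writes only the
    node's own attributes, so the xmlns:dsig binding inherited from the
    root is lost and the fragment is no longer self-contained."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML, "Assertion")[0].toxml()


def extract_assertion_ns_aware(xml_text: str) -> str:
    """ElementTree re-declares every namespace the subtree uses, so the
    extracted Assertion carries its own xmlns:dsig declaration."""
    ET.register_namespace("saml", SAML)
    ET.register_namespace("dsig", DSIG)
    root = ET.fromstring(xml_text)
    return ET.tostring(root.find(f"{{{SAML}}}Assertion"), encoding="unicode")


def reparse_error(fragment: str):
    """Parse the fragment as a stand-alone document, the step that fails in
    the reported trace. Returns None on success, else the parser message."""
    try:
        minidom.parseString(fragment)
        return None
    except ExpatError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, fn in (("naive", extract_assertion_naive),
                     ("namespace-aware", extract_assertion_ns_aware)):
        print(name, "->", reparse_error(fn(RESPONSE_ROOT_BOUND)) or "parses cleanly")
```

Re-serializing also rewrites prefixes and attribute order, which is why XML Signature verification canonicalizes the signed element (C14N) rather than hashing a re-serialized string.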