1. Re: Picketlink not redirecting after successful authentication from IDP to SP
pawjanssen Dec 11, 2014 10:55 AM (in response to pawjanssen)
After some debugging I think I found the problem, however I still don't have a solution:
The flow is as follows:
- Request the SP url
-> SP redirects to IDP with a SAML request
-> IDP displays a login form
-> User logs in
-> Request is filtered by the IDPFilter; there is no user principal yet, so the SAML assertion is not created -> no redirect back to the SP takes place
-> The JAAS login module "login" and "commit" methods are being called
-> IDP does not redirect back to the SP, because the IDP filter is not called again; the JSP page of the example is displayed.
-> Clicking on the link to go to the SP, the SP shows I'm logged in
When I then do the following instead of clicking on the link:
- Manually browse back to the SP
-> SP redirects to IDP with a SAML request
-> Request is filtered by the IDPFilter; there is a previously authenticated principal, so the SAML assertion is created -> redirect to the SP takes place
-> SP shows I'm logged in
I think this is an issue where the order of processing the authorisation is mixed up. When logging in, the IDP filter always filters the request, while the process of logging in via JAAS and creating a user principal takes place after the filter. Thus, there is no way of having a user principal when logging in for the first time, and because the IDPFilter takes care of redirecting to the SP, this never happens on login. Only when there is already an authenticated user (by making a request to the SP manually after authenticating via the IDP) is the IDPFilter able to redirect back to the SP, because only then is there a user principal available and the SAML assertion is created.
Please help me fix this. When using JBoss with the org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve this problem didn't arise.
2. Re: Picketlink not redirecting after successful authentication from IDP to SP
zcc39r Dec 12, 2014 4:08 AM (in response to pawjanssen)
Pascal, could you present your IdP configuration?
3. Re: Picketlink not redirecting after successful authentication from IDP to SP
pcraveiro Dec 18, 2014 6:24 AM (in response to pawjanssen)
Hey Pascal,
Which PL version are you using with WildFly? 2.7.0.CR2?
Also, we did some important improvements to the IDPFilter in upstream, which will be 2.7.0.CR3 (released soon). Wondering if you can try it out too.
Regards.
Pedro Igor
4. Re: Picketlink not redirecting after successful authentication from IDP to SP
pawjanssen Jan 8, 2015 9:27 AM (in response to zcc39r)
@Rustam, as I said, I'm using the picketlink-federation-saml-idp-basic and picketlink-federation-saml-sp-post-basic quickstarts. The IDP configuration can be found here:
@Pedro,
I'm using Wildfly 8.2.0 and Picketlink 2.7.0.CR2. I have tried CR3 just now, but it yields the same results.
With the quickstart examples, after logging in, I'm taken to the index.jsp (jboss-picketlink-quickstarts/picketlink-federation-saml-idp-basic/src/main/webapp/hosted at master · jboss-developer/jbo…) instead of the SP.
5. Re: Picketlink not redirecting after successful authentication from IDP to SP
pcraveiro Jan 9, 2015 8:38 PM (in response to pawjanssen)
Hey Pascal,
I've tested against 2.7.0.CR3 and WildFly; everything looks fine. We also have a bunch of integration tests and they are running fine too.
I'm wondering if you build the quickstart properly with
mvn clean install -Pwildfly
JBoss EAP and WildFly have different configurations. I would also suggest you attach both the idp and sp, so I can take a look.
Regards.
6. Re: Picketlink not redirecting after successful authentication from IDP to SP
dagbai Jan 20, 2015 1:06 PM (in response to pcraveiro)
Hello pcraveiro, I am having the same problem, but I am working with a third party IDP. I get a "PL00092: Null Value: No assertions in reply from IDP" error. I have configured my web.xml file to use the SP Filter. I am using 2.7.0 CR3 and Wildfly 8.2.0 as well. I have attached my picketlink and web.xml files to this
7. Re: Picketlink not redirecting after successful authentication from IDP to SP
onkar.dhuri Feb 9, 2015 10:55 AM (in response to dagbai)
Dozie, were you able to resolve this issue?
I am also getting a similar error, "PLFED000132: No assertions in reply from IDP", and I am not able to figure out what is going wrong. Perhaps you could give me some pointers.
Thanks,
Onkar
8. Re: Picketlink not redirecting after successful authentication from IDP to SP
dagbai Feb 9, 2015 11:05 AM (in response to onkar.dhuri)
Yes, I was able to resolve my issue. I noticed that picketlink always sets the value of the Signature SIGN METHOD to http://www.w3.org/2000/09/xmldsig#rsa-sha1 regardless of the value set when using a REDIRECT binding type, and the third party (adfs) needs both SIGN METHODs to be the same to have successful communication.
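As an added example (not code from this thread or from PicketLink), a Python check that decodes an SP's HTTP-Redirect binding URL and compares the SigAlg parameter it actually carries with the algorithm the SP is configured to use, so a mismatch like the one described above is visible before the IdP rejects the request. The IdP URL, the AuthnRequest XML and the Signature value are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Signature algorithm URIs as they appear in the SigAlg query parameter.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def parse_redirect_binding(url):
    """Decode the SAMLRequest, RelayState and SigAlg carried by a redirect-binding URL."""
    params = parse_qs(urlsplit(url).query)
    # The HTTP-Redirect binding carries the XML as raw DEFLATE (no zlib header),
    # then base64, then URL-encoded; wbits=-15 tells zlib to expect raw DEFLATE.
    raw = base64.b64decode(params["SAMLRequest"][0])
    return {
        "request_xml": zlib.decompress(raw, -15).decode("utf-8"),
        "relay_state": params.get("RelayState", [None])[0],
        "sig_alg": params.get("SigAlg", [None])[0],
        "signed": "Signature" in params,
    }


def check_sig_alg(url, configured_alg):
    """Report whether the SigAlg the SP actually sent matches the configured one."""
    info = parse_redirect_binding(url)
    if not info["signed"]:
        return {"ok": False, "advertised": None,
                "reason": "request carries no Signature parameter"}
    if info["sig_alg"] != configured_alg:
        return {"ok": False, "advertised": info["sig_alg"],
                "reason": "SigAlg differs from the configured algorithm"}
    return {"ok": True, "advertised": info["sig_alg"], "reason": "SigAlg matches"}


def build_sample_url(sig_alg=None):
    """Constructed sample redirect URL; the Signature value is a placeholder, not a real signature."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_example" Version="2.0" IssueInstant="2015-02-09T11:05:00Z"/>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE stream
    encoded = base64.b64encode(deflater.compress(xml.encode()) + deflater.flush())
    params = {"SAMLRequest": encoded.decode(), "RelayState": "sp-state"}
    if sig_alg is not None:
        params["SigAlg"] = sig_alg
        params["Signature"] = base64.b64encode(b"placeholder-signature").decode()
    return "https://idp.example/saml?" + urlencode(params)


if __name__ == "__main__":
    # The mismatch from the thread: SHA-256 configured, but rsa-sha1 on the wire.
    print(check_sig_alg(build_sample_url(RSA_SHA1), RSA_SHA256))
```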