2 Replies Latest reply on Jan 8, 2015 5:55 PM by jdonofrio

    IDP Sending wrong SAML Token Version

    jdonofrio

I was following some of the quickstarts for picketlink federation and noticed that when I do IDP initiated SSO to my SP, the token is version 1.1 even though I am specifying the parameter SAML_VERSION=2.0 in the request.

      I am using wildfly-8.2.0.Final.

      The link in my jsp file looks like this:

      <li>SAML 2.0 IdP-Initiated SSO: <a id="saml_2_sales_link2" href="?SAML_VERSION=2.0&TARGET=http%3A//localhost%3a8080/picketWeb2/">Picket Web2 SAML 2.0</a> (<i>make sure you have deployed the picketWeb2 application</i>)</li>

This is the decoded SAML response token.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" IssueInstant="2015-01-04T02:11:10.301Z" MajorVersion="1" MinorVersion="1" ResponseID="ID_19056c2c-e0c6-454b-b25a-ff4f750b4ad0">
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="ID_8ad36896-86a0-4d26-b81b-5de8618f8d06" IssueInstant="2015-01-04T02:11:10.279Z" Issuer="http://localhost:8080/picketIdp/" MajorVersion="1" MinorVersion="1">
        <saml:Conditions NotBefore="2015-01-04T02:11:09.279Z" NotOnOrAfter="2015-01-04T02:11:16.279Z"/>
        <saml:AuthenticationStatement AuthenticationInstant="2015-01-04T02:11:10.279Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <saml:Subject>
                <saml:NameIdentifier>user1</saml:NameIdentifier>
            </saml:Subject>
        </saml:AuthenticationStatement>
        <saml:AttributeStatement>
            <saml:Attribute AttributeName="Role" AttributeNamespace="urn:picketlink:role">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role1</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="Role" AttributeNamespace="urn:picketlink:role">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role2</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

      Any ideas why the token being sent is for SAML 1.1?
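Added example, not part of the post or of PicketLink: a check an SP can run on a received Response to tell a SAML 1.1 token from a SAML 2.0 one by its protocol namespace and version attributes, and to reject a token whose envelope and assertion disagree. The first sample is trimmed from the token quoted above; the 2.0 sample and its IDs are constructed.

```python
import xml.etree.ElementTree as ET

# (protocol, assertion) namespaces for the two SAML generations.
SAML1 = ("urn:oasis:names:tc:SAML:1.0:protocol", "urn:oasis:names:tc:SAML:1.0:assertion")
SAML2 = ("urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion")


def _split(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)


def saml_response_version(xml_text):
    """Return "1.0"/"1.1"/"2.0" for a samlp:Response whose namespace, version
    attributes and assertion namespace agree; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    ns, local = _split(root.tag)
    if local != "Response":
        raise ValueError("root element is %r, not samlp:Response" % local)
    if ns == SAML2[0]:  # SAML 2.0: single Version attribute
        version = root.get("Version")
        if version != "2.0":
            raise ValueError("SAML 2.0 namespace but Version=%r" % version)
        assertion_ns = SAML2[1]
    elif ns == SAML1[0]:  # SAML 1.x: MajorVersion / MinorVersion
        version = "%s.%s" % (root.get("MajorVersion"), root.get("MinorVersion"))
        if version not in ("1.0", "1.1"):
            raise ValueError("SAML 1.x namespace but version %r" % version)
        assertion_ns = SAML1[1]
    else:
        raise ValueError("unknown protocol namespace %r" % ns)
    for child in root:  # the assertion must come from the same generation
        cns, clocal = _split(child.tag)
        if clocal == "Assertion" and cns != assertion_ns:
            raise ValueError("assertion namespace %r does not match SAML %s" % (cns, version))
    return version


# Constructed samples; the first is trimmed from the token quoted in the post.
SAML11_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
  ResponseID="ID_19056c2c-e0c6-454b-b25a-ff4f750b4ad0">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="ID_8ad36896-86a0-4d26-b81b-5de8618f8d06"
    Issuer="http://localhost:8080/picketIdp/" MajorVersion="1" MinorVersion="1"/>
</samlp:Response>"""

SAML20_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="ID_sample">
  <saml:Assertion Version="2.0" ID="ID_sample_assertion"/>
</samlp:Response>"""
```

Comparing the returned version against the SAML_VERSION the SP requested turns the mismatch described in the post into a hard rejection rather than a silently accepted 1.1 token.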