8 Replies Latest reply on Feb 9, 2015 11:05 AM by dagbai

Picketlink not redirecting after succesfull authentication from IDP to SP

pawjanssen Dec 11, 2014 3:54 AM

Hi,

We are upgrading to wildfly 8.2.0 in our project from JBoss AS 7 (picketlink 2.1.4), and are using picketlink for authentication. I tried to get going with the picketlink-federation-saml-idp-basic and picketlink-federation-saml-sp-post-basic quickstarts, as we are already using SAML on our project running on JBoss. The following situation describes what happens when I try to login using JBoss AS 7 and picketlink 2.1.4 (SAML setup):

- Request the SP url

-> SP redirects to IDP with a SAML request

-> IDP displays a login form

-> User logs in

-> IDP redirects back to the SP with a SAML assertion (using the IdentityURL from the SAML request sent by the SP)

-> User is logged in to the SP

Here's what happens when using WildFly 8.2.0, when using either picketlink 2.6.0.Final/2.6.1.Final/2.7.0CR2:

- Request the SP url

-> SP redirects to IDP with a SAML request

-> IDP displays a login form

-> User logs in

-> IDP does not redirect back to the SP, a SAML assertion is not generated

When using the picketlink-federation-saml-idp-basic and picketlink-federation-saml-sp-post-basic quickstarts for WildFly, the behavior is the same as the latter example. However, a page is displayed from the IDP application where I can use a hyperlink to navigate back to the SP. This is not the behaviour I was expecting when using SAML. Could you please help? Does anyone have a working quickstart example with the redirect from IDP to SP in place after succesfull authentication?

1. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

pawjanssen Dec 11, 2014 10:55 AM (in response to pawjanssen)

After some debugging I think I found out the problem, however I still don't have any solution:

The flow is as follows:

- Request the SP url
-> SP redirects to IDP with a SAML request
-> IDP displays a login form
-> User logs in
-> Request is filtered by the IDPFilter, there is no user principle yet, so SAML assertion is not created -> no redirect is taking place back to SP
-> The JAAS login module "login" and "commit" methods are beeing called
-> IDP does not redirect back to the SP, because IDP filter is not called again, the JSP page of the example is displayed.
-> Clicking on the link to go the SP, the SP shows I'm logged in

When I then do the following instead of clicking on the link:
- Manually browse back to the SP
-> SP redirects to IDP with a SAML request
-> Request is filtered by the IDPFilter, there is a previously authenticated principl, so SAML assertion is created -> redirect is taking place to the SP
-> SP shows I'm logged in

I think this is an issue where the order of processing the authorisation is mixed up. When logging in, the IDP filter always filters the request, while the process of logging in via JAAS and creating a userPrinciple takes place after the filter. Thus, there is no way of having a userPrinciple when logging in for the first time, and because the IDPFilter takes care of redirecting to the SP, this never happens on login. Only when there is an authenticated user already (by making a request to the SP manually after authenticating via the IDP), the IDPFilter will be able to redirect back to the SP, because only then there is a userPrinciple available and the SAML assertion is created.

Please help how to fix this. When using JBoss with the org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve this problem didn't arise.
Actions
2. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

zcc39r Dec 12, 2014 4:08 AM (in response to pawjanssen)

Pascal, could you present your IdP configuration?
Actions
3. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

pcraveiro Dec 18, 2014 6:24 AM (in response to pawjanssen)

Hey Pascal,

Which PL version are you using with WildFly ? 2.7.0.CR2 ?

Also, we did some important improvements to the IDPFilter in upstream, which will be 2.7.0.CR3 (release soon). Wondering if you can try it out too.

Regards.
Pedro Igor
Actions
4. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

pawjanssen Jan 8, 2015 9:27 AM (in response to zcc39r)

@Rustam, as I said, I'm using the picketlink-federation-saml-idp-basic and picketlink-federation-saml-sp-post-basic quickstarts. The IDP configuration can be found here:

https://github.com/jboss-developer/jboss-picketlink-quickstarts/blob/master/picketlink-federation-saml-idp-basic/conf/wildfly/WEB-INF/picketlink.xml

@Pedro,

I'm using Wildfly 8.2.0 and Picketlink 2.7.0.CR2. I have tried CR3 just now, but it yields the same results.

With the quickstart examples, after loging, I'm taken to the index.jsp (jboss-picketlink-quickstarts/picketlink-federation-saml-idp-basic/src/main/webapp/hosted at master · jboss-developer/jbo…) instead of the SP.
Actions
5. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

pcraveiro Jan 9, 2015 8:38 PM (in response to pawjanssen)

Hey Pascal,

I`ve tested agains 2.7.0.CR3 and WIldFly, everything looks fine. We have also a bunch of integration tests and they are running fine either.

I'm wondering if you build the quickstart properly with

mvn clean install -Pwildfly

JBoss EAP and WildFly have different configuration. I may also suggest you to attach both idp and sp, so I can take a look.

Regards.
Actions
6. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

dagbai Jan 20, 2015 1:06 PM (in response to pcraveiro)
Hello pcraveiro I am having the same problem but I am working with a third party IDP I get a PL00092: Null Value:No assertions in reply from IDP error. I have configured my web.xml file to use SP Filter. I am using 2.7.0 CR3 and Wildfly 8.2.0 as well. I have attached my picketlink and web.xml files to this

picketlink.xml 2.8 KB

web.xml 2.3 KB
Actions
7. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

onkar.dhuri Feb 9, 2015 10:55 AM (in response to dagbai)

Dozie, were you able to resolve this issue ?
I am also getting similar error - "PLFED000132: No assertions in reply from IDP" and I am not able to figure out what is going wrong. Perhaps you could provide me the pointers.

Thanks,
Onkar
Actions
8. Re: Picketlink not redirecting after succesfull authentication from IDP to SP

dagbai Feb 9, 2015 11:05 AM (in response to onkar.dhuri)

Yes I was able to resolve my issue. I noticed that picketlink always set the value of Signature SIGN METHOD to http://www.w3.org/2000/09/xmldsig#rsa-sha1 regardless of the value set when using a REDIRECT binding type and the third party (adfs) needs both SIGN METHOD to be the same to have a successful communication.
Actions

Go to original post