3 Replies Latest reply on Feb 25, 2015 7:56 AM by pcraveiro

    Cannot use dynamic resolution of IdP with different domain

    dagbai

      Hi all, I am pretty new to PicketLink and working with PicketLink 2.7.0.CR3 on a JBoss WildFly (8.2.0) server.

      I am working with a PicketLink server and I took the example for dynamic resolution of the IdP, which is part of the quickstart package provided by PicketLink. When I tried to modify the example to support different domains, I got a signature validation error, and upon further investigation, the public key set in the picketlink.xml file (not the intended public key) is the key passed to my SP server.

      Does PicketLink handle multiple IdPs with different domains?

      Here's a snippet of my XML file...

       

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                        ServerEnvironment="tomcat"
                        SupportsSignatures="true"
                        BindingType="REDIRECT">
              <IdentityURL>${idp-sig.url::<idAddress>}</IdentityURL>
              <ServiceURL>${employee-sig.url::<spAddress>}</ServiceURL>
              <Trust>
                  <Domains>localhost, acquisio.com, adfs.cc.dev, 10.30.163.167</Domains>
              </Trust>
              <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
                  <Auth Key="KeyStoreURL" Value="/mykestore.jks" />
                  <Auth Key="KeyStorePass" Value="privatestore" />
                  <Auth Key="SigningKeyPass" Value="privatekey" />
                  <Auth Key="SigningKeyAlias" Value="spcert" />
                  <ValidatingAlias Key="localhost" Value="idpalias"/>
                  <ValidatingAlias Key="127.0.0.1" Value="idpalias"/>
                  <ValidatingAlias Key="10.30.163.167" Value="idpalias" />
                  <ValidatingAlias Key="adfs.cc.dev" Value="adfs_tokensigning"/>
              </KeyProvider>
          </PicketLinkSP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
              <Handler
                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
             ...........
              ...........
              <Handler
                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
              <Handler
                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
          </Handlers>
      </PicketLink>

       

      Dozie

        • 1. Re: Cannot use dynamic resolution of IdP with different domain
          pcraveiro

          Hey Dozie,

           

          Yes, it should work fine if you are using multiple domains. Each IdP you are "choosing" must have a corresponding ValidatingAlias in picketlink.xml, where the Key attribute references the host of the IdP and the Value attribute the alias of a public key in the keystore.

           

          Regards.
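Added example, not code from the thread or from PicketLink: a small Python lint that applies the rule Pedro states above to the picketlink.xml Dozie posted. It parses the <Trust><Domains> list and the <ValidatingAlias> entries, reports any trusted IdP host that has no alias (and therefore no public key the SP could validate its signature with), and shows which alias the SP would pick for a given IdP URL, failing closed when the host is unmapped. The embedded XML is a constructed copy of the posted config with the ${...} property placeholders replaced by assumed URLs so it parses; matching the alias on the URL's bare hostname is an assumption about PicketLink's lookup, not something the thread confirms. Run against the posted config it reports that acquisio.com is listed as a trusted domain but has no ValidatingAlias, while 127.0.0.1 has an alias but is not in the trusted domains.

```python
"""Lint a PicketLink SP picketlink.xml: every trusted IdP host needs a ValidatingAlias.

Added example for this thread, not PicketLink code. Assumes the alias lookup is
keyed by the IdP URL's bare hostname, as pcraveiro's reply describes.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CFG_NS = "urn:picketlink:identity-federation:config:2.1"

# Constructed sample: the <PicketLinkSP> section posted above, with the ${...}
# property placeholders replaced by assumed URLs so the document parses as XML.
SAMPLE_PICKETLINK_XML = """\
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP ServerEnvironment="tomcat" SupportsSignatures="true" BindingType="REDIRECT">
    <IdentityURL>https://localhost:8443/idp-sig/</IdentityURL>
    <ServiceURL>https://localhost:8443/employee-sig/</ServiceURL>
    <Trust>
      <Domains>localhost, acquisio.com, adfs.cc.dev, 10.30.163.167</Domains>
    </Trust>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/mykestore.jks" />
      <Auth Key="KeyStorePass" Value="privatestore" />
      <Auth Key="SigningKeyPass" Value="privatekey" />
      <Auth Key="SigningKeyAlias" Value="spcert" />
      <ValidatingAlias Key="localhost" Value="idpalias"/>
      <ValidatingAlias Key="127.0.0.1" Value="idpalias"/>
      <ValidatingAlias Key="10.30.163.167" Value="idpalias" />
      <ValidatingAlias Key="adfs.cc.dev" Value="adfs_tokensigning"/>
    </KeyProvider>
  </PicketLinkSP>
</PicketLink>
"""


def _q(tag):
    """Qualify a tag name with the PicketLink config namespace for ElementTree lookups."""
    return "{%s}%s" % (CFG_NS, tag)


def parse_sp_config(xml_text):
    """Return (trusted_domains, {idp_host: keystore_alias}) from a picketlink.xml string."""
    root = ET.fromstring(xml_text)
    sp = root if root.tag == _q("PicketLinkSP") else root.find(_q("PicketLinkSP"))
    if sp is None:
        raise ValueError("no <PicketLinkSP> element found")
    domains_el = sp.find(_q("Trust") + "/" + _q("Domains"))
    raw = domains_el.text if domains_el is not None and domains_el.text else ""
    domains = [d.strip() for d in raw.split(",") if d.strip()]
    aliases = {}
    for va in sp.iter(_q("ValidatingAlias")):
        aliases[va.get("Key")] = va.get("Value")
    return domains, aliases


def validating_alias_for(idp_url, aliases):
    """Keystore alias used to validate a message from idp_url, or None if the host is unmapped.

    Matching on the bare hostname (no scheme, port or path) is an assumption about how
    PicketLink keys ValidatingAlias; an unmapped host returns None rather than a default.
    """
    return aliases.get(urlparse(idp_url).hostname)


def lint(domains, aliases):
    """Cross-check <Trust><Domains> against the ValidatingAlias map."""
    return {
        # Trusted IdP hosts with no alias: the SP has no public key to verify them with.
        "missing_alias": [d for d in domains if d not in aliases],
        # Aliases for hosts that are not trusted: harmless, but usually a sign of drift.
        "alias_without_trust": [h for h in aliases if h not in domains],
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PICKETLINK_XML
    domains, aliases = parse_sp_config(text)
    report = lint(domains, aliases)
    for d in report["missing_alias"]:
        print("WARN trusted domain %r has no <ValidatingAlias>" % d)
    for h in report["alias_without_trust"]:
        print("INFO <ValidatingAlias> for %r but host not in <Trust><Domains>" % h)
    for url in ("https://adfs.cc.dev/adfs/ls/", "https://acquisio.com/idp/"):
        print("%s -> %s" % (url, validating_alias_for(url, aliases)))
```

Once every trusted host maps to an alias, confirm the aliases actually exist in the keystore with `keytool -list -keystore mykestore.jks` and that the certificate stored under each one is the IdP's current token-signing certificate; a wrong or stale certificate under a correctly named alias also ends in a signature validation failure, so a clean lint is necessary but not sufficient.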

          • 2. Re: Re: Cannot use dynamic resolution of IdP with different domain
            dagbai

            Hello Pedro. I just tried it again to make sure and I am still getting the same error. I used the dynamic resolution and, when I tried to navigate to a different domain, I got the following error:


            2015-02-24 14:19:54,223 ERROR [org.picketlink.common] (default task-117) Service Provider could not handle the request.: org.picketlink.common.exceptions.ProcessingException: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.constructSignatureException(SAML2SignatureValidationHandler.java:179) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:103) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:62) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:88) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.filters.SPFilter.handleSAML2Response(SPFilter.java:642) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.filters.SPFilter.handleSAMLResponse(SPFilter.java:329) [picketlink-federation-2.7.0.CR3.jar:]
              at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:221) [picketlink-federation-2.7.0.CR3.jar:]
              at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_55]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_55]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]
            Caused by: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed
              at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerSignatureValidationFailed(DefaultPicketLinkLogger.java:1583) [picketlink-common-2.7.0.CR3.jar:]
              ... 39 more

             

             

            This suggests that there is an issue with the validation of the signature when using dynamic resolution and the aliases for both domains have been saved in the keystore. I had to write a messy workaround that handles different domains, but the issue still exists.

            • 3. Re: Cannot use dynamic resolution of IdP with different domain
              pcraveiro

              Can you open a JIRA describing your use case? Configuration files and maybe a running example would be welcome.

               

              Regards.