8 Replies Latest reply on Nov 11, 2010 3:37 PM by Andrew Oliver

    Is IDPRedirectWithSignatureValve SAML2 Compliant?

    Marc Boorshtein Newbie

      I've gotten picketlink up and running as an IDP on tomcat.  When my SP posts an AuthnRequest instead of the browser getting a form with an embedded SAMLResponse parameter I am receiving a 302 redirect with a SAMLResponse parameter in the URL.  I checked the SAML2 specs at OASIS and every mention of SAMLResponse is in the context of a POST, not a GET.  Also, when I attempt to base64 decode the SAMLResponse parameter all I get is garbage, not a <Response>.




        • 1. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
          Marc Boorshtein Newbie

          OK, I did some more digging and found the redirect binding in the SAML2 Binding specs. That being said, is there planned support for the idp to produce a post binding?




          • 2. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
            Marcel Kolsteren Apprentice

            Hi Marc,


            I think that your initial remark was right. The HTTP Redirect binding does exist, and is sometimes used for sending responses (for example, when responding to a single logout request). But in the context of the Web Browser SSO Profile, the redirect binding must not be not used when an IDP replies to an AuthnRequest of the SP. In the OASIS document "Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, section 4.1.2, point 5:


            "Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider [...]. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents."


            So if PicketLink IDP sends a redirect in response to an authentication request, I agree with you: that is not spec-compliant. Did you test with other SAMLv2 IDP's as well? For example OpenSSO?


            Regarding the base64 decoding that leads to garbage: did you deflate the message as described in the SAML spec?




            1 of 1 people found this helpful
            • 3. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
              Marc Boorshtein Newbie

              Thanks Marcel.  My SP worked with OpenAM/OpenSSO with the post binding.  You are correct I did not do a deflate the SAMResponse parameter. I didn't see the section of the spec you mentioned but it does make sense.  Has anyone tried testing the idp with another system such as opensso or ping?

              • 4. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                Marcel Kolsteren Apprentice

                I did not, because my focus was the Service Provider part of PicketLink, and in particular the Seam SP. But Anil will probably be able to answer your question.

                • 5. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                  Anil Saldanha Master

                  IDPWebBrowserValve on the IDP does both redirect and post binding.  Look in the wikis.  The user guide may be dated.

                  • 6. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                    Marc Boorshtein Newbie

                    Thanks Anil.  I did both a google search and a jboss community search on IDPWebBrowserSSOValve and didn't find anything.  I tried setting the classname to IDPWebBrowserSSOValve in my context.xml and received the following exception:



                    06:48:59,578 DEBUG [IDPSAMLDebugValve] SP Sent::Method = POST
                    06:49:13,341 DEBUG [IDPSAMLDebugValve] SP Sent::Method = POST
                    06:49:13,357 DEBUG [IDPSAMLDebugValve] SP Sent::Method = GET
                    Aug 9, 2010 6:49:13 AM org.apache.catalina.connector.CoyoteAdapter service
                    SEVERE: An exception or error occurred in the container during the request processing
                    java.lang.IllegalArgumentException: responseType is null
                    at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:393)
                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:517)
                    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
                    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
                    at java.lang.Thread.run(Thread.java:619)


                    I'm guessing there is some additional configuration thats needed?




                    • 7. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                      Anil Saldanha Master

                      Download the idp.war from PicketLink.  That should have the configuration.


                      I will try to update the documentation accordingly.

                      • 8. Re: Is IDPRedirectWithSignatureValve SAML2 Compliant?
                        Andrew Oliver Master

                        I get this when I access the default sample apps from anyplace but the localhost.  Thus you need to change it to the actual FQN of the machine (i.e. what you call it in DNS).


                        replace /cygdrive/e/jboss-eap-5.1-pl with wherever you put jboss.


                        1. Copy /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation/*.jar to /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/lib

                        2. mkdir /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war

                        3. cd /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war

                        4. jar -xf /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation-webapps/sales.war

                        5. mkdir /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war

                        6. cd /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war

                        7. jar -xf /cygdrive/e/jboss-eap-5.1-pl/picketlink/picketlink-federation-webapps/idp.war

                        8. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/sales.war/WEB-INF/*.xml

                        Change each instance of localhost to youractualmachinename.yourdomain.com

                        9. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war/WEB-INF/*.xml

                        Change each instance of localhost to youractualmachinename.yourdomain.com

                        10. vi /cygdrive/e/jboss-eap-5.1-pl/jboss-as/server/default/deploy/idp.war/WEB-INF/picketlink-idfed.xml

                        11. Make <Domains> entry read like this:



                        Ignore basically what the user guide says. It has lies.  Particularly glaring is page 15 section  where it advises a blank context.xml (leaving the valves out) and that it has no info on what the username/password is by default.