4 Replies Latest reply on Mar 30, 2012 4:56 AM by firstlion

    SAML Binding and Parsing

    firstlion

      Hello,

       

      You've helped me with other problems very well, so here are two new ones

We are running PicketLink in a JBoss AS 7.1 server (PicketLink 2.0.1) (tried in EAP 6 with PicketLink 2.0.3 too). We use an external IDP. For the request we use a Redirect binding and for the response a POST binding (is it possible to configure the response binding in the SP?). The request works well and the response is sent to the correct URL. But only a blank page is shown. After searching and debugging for a while we found out that there are some things in PicketLink that we don't understand.

       

1.) Although the response comes with POST binding, PicketLink "thinks" that it is Redirect binding (in class ServiceProviderSAMLResponseProcessor, attribute postBinding). Because of this we get the following error:

       

      java.util.zip.ZipException: too many length or distance symbol

       

2.) We have written a subclass of ServiceProviderSAMLResponseProcessor in which the attribute postBinding is always true. This way we get another error:

       

      PL00066: Parser : Expected end tag:AuthnContext>.  Found </NoVerification>

       

But the SAML Response is correct (only the important part is shown here):

       

<saml:AuthnContext>
    <saml:AuthnContextDecl>
        <samlacpass:AuthenticationContextDeclaration>
            <samlacpass:Identification nym="verinymity">
                <samlacpass:Extension>
                    <safeac:NoVerification/>
                </samlacpass:Extension>
            </samlacpass:Identification>
        </samlacpass:AuthenticationContextDeclaration>
    </saml:AuthnContextDecl>
</saml:AuthnContext>

       

It seems that PicketLink always searches for a start tag and an end tag.

Is there something we could have done wrong, or is it a bug in PicketLink?

       

      Thanks for your help,

      Martin

        • 1. Re: SAML Binding and Parsing
          anil.saldhana

In PL 2.0.3.Final we have added the capabilities for the SP redirect authenticators to fallback to post.

           

          Check it out https://community.jboss.org/wiki/PicketLink203Final

           

The reason is that even though your SP sends a redirect to IDP, the IDP may be performing strict post binding (web browser sso profile) and sending back a response via http/post.

           

          We handled this via https://issues.jboss.org/browse/PLFED-271

           

           

          Note the following statement:

          ===================

          Similarly for the SPRedirectFormAuthenticator, the change would be idpPostBinding to true

          in jboss-web.xml of AS7 sales.war

          or WEB-INF/context.xml of AS6 sales.war

          ===================================

           

          So add the flag to the authenticator on the SP side.
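The fallback Anil describes comes down to one fact about the two bindings: an HTTP-Redirect message is raw-DEFLATEd, then base64-encoded, then URL-encoded for the query string, while an HTTP-POST message is only base64-encoded in the SAMLResponse form field. An SP that has decided the response must be Redirect-bound therefore pushes plain XML bytes into an inflater, which is exactly the kind of failure the ZipException in the original post reports. The following is an added example in Python (it is not PicketLink code, and the function names, the size cap and the sample response XML are constructed for illustration); it encodes a constructed message under both bindings, shows the strict "always inflate" decoder failing on the POST form, and shows a binding-tolerant decoder that looks at the decoded bytes to tell the two apart:

```python
import base64
import urllib.parse
import zlib

# Constructed stand-in for an IdP response (not a real message): just enough XML to be recognisable.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" IssueInstant="2012-03-30T00:00:00Z">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)

# Hypothetical cap on inflated size: the query string is attacker-controlled, so never inflate unbounded.
MAX_INFLATED_BYTES = 1 << 20


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode for the query string."""
    comp = zlib.compressobj(wbits=-15)            # wbits=-15: raw DEFLATE, no zlib header/trailer
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml_text):
    """HTTP-POST binding: base64 only, carried in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_assuming_redirect(value):
    """An SP that has decided the response *must* be Redirect-bound always inflates.
    Given a POST-bound (plain base64) message the inflater chokes on the XML bytes."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def inflate_failure_message(value):
    """Return the inflater's error text when the strict decoder fails, or None when it succeeds."""
    try:
        decode_assuming_redirect(value)
    except zlib.error as exc:
        return str(exc)
    return None


def decode_saml_message(value, from_query_string):
    """Binding-tolerant decode, returning (binding, xml_text).
    Redirect-bound messages are always DEFLATEd and POST-bound ones never are, so the
    base64-decoded bytes themselves say which binding the IdP actually used."""
    if from_query_string:
        value = urllib.parse.unquote(value)
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return "HTTP-POST", raw.decode("utf-8")
    inflater = zlib.decompressobj(wbits=-15)
    try:
        xml_bytes = inflater.decompress(raw, MAX_INFLATED_BYTES)
    except zlib.error as exc:
        raise ValueError("neither plain XML nor raw-DEFLATEd XML: %s" % exc) from exc
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("inflated message exceeds %d bytes or is truncated" % MAX_INFLATED_BYTES)
    return "HTTP-Redirect", xml_bytes.decode("utf-8")
```

Detecting the binding from the payload only tells the SP how to unwrap the message; it says nothing about who sent it, so signature validation, Destination/InResponseTo checks and the rest of the Web Browser SSO profile checks still have to run on the XML that comes out, whichever branch produced it.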

          • 2. Re: SAML Binding and Parsing
            firstlion

Thanks for your answer. But I think I haven't explained the problem clearly enough. PicketLink creates the following line in the request:

             

            ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

             

This forces the IDP to use HTTP-POST binding. So PicketLink should know that this binding is used for the response. Why do I have to tell PicketLink this with a parameter? I need a parameter to tell PicketLink not to create this line. Instead it should ask for HTTP-Redirect binding.

             

For me the bigger problem is the one with the parsing of the SAML token. Do you have any idea what is going wrong there?

             

            Thanks,

            Martin
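The parser error in the original post ("Expected end tag ... Found </NoVerification>") is the shape of failure you get when a parser treats `<safeac:NoVerification/>` as an ordinary start tag and then waits for a matching `</safeac:NoVerification>` that never comes, because the empty-element form is its own end. The block below is an added example in Python, not PicketLink code: a hand-rolled tag walker that ignores the `/>` form reproduces that class of mismatch on the exact AuthnContext fragment from the post (the message text differs from PicketLink's), the same walker with the one missing check passes, and an event-based parse with expat confirms the fragment is well-formed. The prefixes are left undeclared as in the post, so the expat parser is created without namespace processing; function names are hypothetical.

```python
import re
import xml.parsers.expat

# The AuthnContext fragment from the post, prefixes deliberately left undeclared as posted.
AUTHN_CONTEXT = """<saml:AuthnContext>
  <saml:AuthnContextDecl>
    <samlacpass:AuthenticationContextDeclaration>
      <samlacpass:Identification nym="verinymity">
        <samlacpass:Extension>
          <safeac:NoVerification/>
        </samlacpass:Extension>
      </samlacpass:Identification>
    </samlacpass:AuthenticationContextDeclaration>
  </saml:AuthnContextDecl>
</saml:AuthnContext>"""

# Groups: optional leading '/', the qualified name, and everything else up to '>'.
_TAG = re.compile(r"<(/?)([A-Za-z_][\w.:-]*)([^>]*)>")


def _walk_tags(xml_text, honour_empty_elements):
    """Push every start tag, pop on every end tag, complain on mismatch.
    With honour_empty_elements=False the '/>' form is pushed like a start tag and never popped,
    which is the bug being illustrated; with True it is recognised as start+end in one."""
    stack = []
    for m in _TAG.finditer(xml_text):
        closing, name, rest = m.groups()
        if closing:
            expected = stack.pop()
            if expected != name:
                raise ValueError("Expected end tag: %s. Found </%s>" % (expected, name))
        elif honour_empty_elements and rest.rstrip().endswith("/"):
            continue  # <x/> opens and closes itself; nothing to wait for
        else:
            stack.append(name)
    if stack:
        raise ValueError("Unclosed elements: %s" % stack)
    return True


def naive_end_tag_check(xml_text):
    """Reproduces the 'expected end tag ... found ...' mismatch on a self-closing element."""
    return _walk_tags(xml_text, honour_empty_elements=False)


def fixed_end_tag_check(xml_text):
    """Same walker, with the empty-element form handled."""
    return _walk_tags(xml_text, honour_empty_elements=True)


def naive_failure_message(xml_text):
    """Return the naive walker's error text, or None if it accepted the input."""
    try:
        naive_end_tag_check(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


def expat_element_walk(xml_text):
    """Event-based parse: expat emits a start AND an end event for <x/>, so the stack balances.
    Returns the element names in document order."""
    stack, seen = [], []

    def start(name, attrs):
        stack.append(name)
        seen.append(name)

    def end(name):
        expected = stack.pop()
        if expected != name:
            raise ValueError("Expected end tag: %s. Found </%s>" % (expected, name))

    parser = xml.parsers.expat.ParserCreate()  # no namespace processing: undeclared prefixes are fine
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    if stack:
        raise ValueError("Unclosed elements: %s" % stack)
    return seen
```

The practical lesson for an SP is that the assertion parser must be a real XML parser (or at least aware of all three tag forms) before any security decision is made on the document; a tokenizer that stumbles on `<x/>` will also stumble on other perfectly valid encodings of the same assertion, and "blank page" is the worst possible way to learn that.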

            • 3. Re: SAML Binding and Parsing
              anil.saldhana

Martin, can you create a PLFED (https://issues.jboss.org/jira/browse/PLFED) jira issue? Attach the payload that PL is not parsing properly. You can mask any company confidential things in the payload.

              • 4. Re: SAML Binding and Parsing
                firstlion

                Here is the issue: https://issues.jboss.org/browse/PLFED-274

                 

I hope everything there is correct and clear enough to understand. Please tell me if not.

                 

                Thanks,

                Martin