0 Replies Latest reply on Dec 13, 2013 6:16 PM by Juan Burgos

    loop between the two sites

    Juan Burgos Newbie

      Hi all, I have the following scenario: managing two servers: the first governs authentication (picketlin IDP) and the second acts as a client (picketink SP). Both servers are on different IP and handle different domains.


      The first has the following configuration


      picketlink.xml

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
         <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
            <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
            <Trust>
               <Domains>localhost,domain.com, domain2.com</Domains>
            </Trust>
         </PicketLinkIDP>
         <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
         </Handlers>
         <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:2.1" TokenTimeout="5000" ClockSkew="0">
            <TokenProviders>
               <TokenProvider
                  ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
                  TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
                  TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
               <TokenProvider
                  ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                  TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                  TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
            </TokenProviders>
         </PicketLinkSTS>
      </PicketLink>
      

       

       

      jboss-web.xml

      <jboss-web>
         <security-domain>idp</security-domain>
         <context-root>sso</context-root>
         <valve>
            <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
            <param>
               <param-name>signOutgoingMessages</param-name>
               <param-value>false</param-value>
            </param>
            <param>
               <param-name>ignoreIncomingSignatures</param-name>
               <param-value>true</param-value>
            </param>
         </valve>
      </jboss-web>
      

       

      The second that acts as a client has the following configuration

      picketlink.xml

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
         <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
              ServerEnvironment="tomcat" 
                      BindingType="POST"
                      LogOutPage="/logout"
                      RelayState="someURL">
            <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
            <ServiceURL>${domain.url::http://localhost:8081/app/}</ServiceURL>
         </PicketLinkSP>
         <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
            <Handler
               class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
            <Handler
               class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
            <Handler
               class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
         </Handlers>
      </PicketLink>
      

       

      jboss-web.xml

      <jboss-web>
        <security-domain>sp</security-domain>
        <context-root>app</context-root>
        <valve>
           <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
         </valve>
      </jboss-web>
      

       

      The client to enter the url http://localhost:8081/app is correctly redirtect to http://sso.domain.com:8081/sso/, the user is authenticated but redirected back to http://localhost : 8081/app is a loop between the two sites