loop between the two sites
burgosjc Dec 13, 2013 6:16 PM

Hi all, I have the following scenario: I am managing two servers: the first governs authentication (PicketLink IDP) and the second acts as a client (PicketLink SP). Both servers are on different IPs and handle different domains.
The first has the following configuration
picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
<IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
<Trust>
<Domains>localhost,domain.com, domain2.com</Domains>
</Trust>
</PicketLinkIDP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
</Handlers>
<PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:2.1" TokenTimeout="5000" ClockSkew="0">
<TokenProviders>
<TokenProvider
ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
<TokenProvider
ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
</TokenProviders>
</PicketLinkSTS>
</PicketLink>
jboss-web.xml
<jboss-web>
<security-domain>idp</security-domain>
<context-root>sso</context-root>
<valve>
<class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
<param>
<param-name>signOutgoingMessages</param-name>
<param-value>false</param-value>
</param>
<param>
<param-name>ignoreIncomingSignatures</param-name>
<param-value>true</param-value>
</param>
</valve>
</jboss-web>
The second, which acts as a client, has the following configuration
picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
ServerEnvironment="tomcat"
BindingType="POST"
LogOutPage="/logout"
RelayState="someURL">
<IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
<ServiceURL>${domain.url::http://localhost:8081/app/}</ServiceURL>
</PicketLinkSP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
</Handlers>
</PicketLink>
jboss-web.xml
<jboss-web>
<security-domain>sp</security-domain>
<context-root>app</context-root>
<valve>
<class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
</valve>
</jboss-web>
When the client enters the URL http://localhost:8081/app it is correctly redirected to http://sso.domain.com:8081/sso/, the user is authenticated but is redirected back to http://localhost:8081/app; there is a loop between the two sites.
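As an added example (not part of the post above and not PicketLink code), here is a small cross-check of an IDP picketlink.xml against an SP picketlink.xml of the kind quoted in the post. It resolves the ${property::default} placeholders to their defaults (assuming no system property overrides them), verifies that both sides agree on the IdentityURL, that the host of the SP's ServiceURL is covered by the IDP's Trust/Domains list (tolerating the stray whitespace in the post's list), and flags two things worth a second look when debugging a redirect loop: a PicketLinkSP element whose namespace differs from its root, and endpoints served over plain http. The two embedded documents are constructed, reduced copies of the post's configurations; which checks matter for a given deployment is the editor's assumption, not a statement about what caused this loop.

```python
"""Cross-check a PicketLink IDP picketlink.xml against an SP picketlink.xml.

Editor's example: the checks below are assumptions about what is worth
comparing between the two files, not PicketLink's own validation logic.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs, reduced from the two configurations in the post.
IDP_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
    <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
    <Trust>
      <Domains>localhost,domain.com, domain2.com</Domains>
    </Trust>
  </PicketLinkIDP>
</PicketLink>"""

SP_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                ServerEnvironment="tomcat" BindingType="POST">
    <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
    <ServiceURL>${domain.url::http://localhost:8081/app/}</ServiceURL>
  </PicketLinkSP>
</PicketLink>"""

# Matches the "${system.property::default}" placeholder form used in the post.
PROP_RE = re.compile(r"^\$\{[^:}]+::([^}]*)\}$")


def resolve(value):
    """Resolve a placeholder to its default (assumes no property override)."""
    m = PROP_RE.match(value.strip())
    return m.group(1) if m else value.strip()


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def namespace(tag):
    """Return the namespace URI of an ElementTree tag, or '' if none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def find_first(root, name):
    """First descendant (or root) with this local name, any namespace."""
    for el in root.iter():
        if local_name(el.tag) == name:
            return el
    raise ValueError(f"missing element <{name}>")


def trusted_domains(idp_root):
    """Trust/Domains as a list, trimming whitespace around each entry."""
    raw = find_first(idp_root, "Domains").text or ""
    return [d.strip() for d in raw.split(",") if d.strip()]


def host_is_trusted(host, domains):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_federation(idp_xml, sp_xml):
    """Return a list of (severity, message) findings for the IDP/SP pair."""
    idp = ET.fromstring(idp_xml)
    sp = ET.fromstring(sp_xml)
    findings = []

    idp_identity = resolve(find_first(idp, "IdentityURL").text)
    sp_identity = resolve(find_first(sp, "IdentityURL").text)
    if idp_identity != sp_identity:
        findings.append(("error", f"IdentityURL differs: IDP={idp_identity} SP={sp_identity}"))

    service_url = resolve(find_first(sp, "ServiceURL").text)
    host = urlparse(service_url).hostname or ""
    domains = trusted_domains(idp)
    if not host_is_trusted(host, domains):
        findings.append(("error", f"SP host {host!r} not in IDP Trust/Domains {domains}"))

    sp_el = find_first(sp, "PicketLinkSP")
    if namespace(sp_el.tag) != namespace(sp.tag):
        findings.append(("warning", f"PicketLinkSP namespace {namespace(sp_el.tag)} "
                                    f"differs from root namespace {namespace(sp.tag)}"))

    for label, url in (("IdentityURL", sp_identity), ("ServiceURL", service_url)):
        if url.startswith("http://"):
            findings.append(("warning", f"{label} is served over plain http: {url}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_federation(IDP_XML, SP_XML):
        print(f"[{severity}] {message}")
```

Run it as-is to see the findings for the post's configuration; to check a different pair, replace the two embedded strings with the real files' contents. Any "error" line is a mismatch that would send the browser between the two hosts without a usable session; the "warning" lines are only hints to verify by hand.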