loop between the two sites
burgosjc Dec 13, 2013 6:16 PM

Hi all, I have the following scenario: managing two servers: the first governs authentication (PicketLink IDP) and the second acts as a client (PicketLink SP). Both servers are on different IPs and handle different domains.
The first has the following configuration
picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
    <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
    <Trust>
      <Domains>localhost,domain.com, domain2.com</Domains>
    </Trust>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
  <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:2.1" TokenTimeout="5000" ClockSkew="0">
    <TokenProviders>
      <TokenProvider ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
                     TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
                     TokenElement="Assertion"
                     TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
      <TokenProvider ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                     TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                     TokenElement="Assertion"
                     TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
    </TokenProviders>
  </PicketLinkSTS>
</PicketLink>
jboss-web.xml
<jboss-web>
  <security-domain>idp</security-domain>
  <context-root>sso</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
    <param>
      <param-name>signOutgoingMessages</param-name>
      <param-value>false</param-value>
    </param>
    <param>
      <param-name>ignoreIncomingSignatures</param-name>
      <param-value>true</param-value>
    </param>
  </valve>
</jboss-web>
The second, which acts as a client, has the following configuration
picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                ServerEnvironment="tomcat"
                BindingType="POST"
                LogOutPage="/logout"
                RelayState="someURL">
    <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
    <ServiceURL>${domain.url::http://localhost:8081/app/}</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>
jboss-web.xml
<jboss-web>
  <security-domain>sp</security-domain>
  <context-root>app</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
  </valve>
</jboss-web>
When the client enters the URL http://localhost:8081/app it is correctly redirected to http://sso.domain.com:8081/sso/, the user is authenticated, but on being redirected back to http://localhost:8081/app there is a loop between the two sites.
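As an added diagnostic that is not part of the original post and not PicketLink's own code: a small Python check that parses the two picketlink.xml snippets above, resolves PicketLink's ${property::default} placeholders the way they appear in the post, and verifies that the IDP and SP name the same IdentityURL and that the host in the SP's ServiceURL is covered by the IDP's <Trust><Domains> list. The matching rule used here (exact host or dot-suffix match) is an assumption that approximates PicketLink's issuer trust check, and the embedded configs are constructed, trimmed copies of the ones in the post; a clean result from this check only rules out these two mismatches, it does not by itself explain the loop.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: trimmed copy of the IDP picketlink.xml from the post.
IDP_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
    <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
    <Trust>
      <Domains>localhost,domain.com, domain2.com</Domains>
    </Trust>
  </PicketLinkIDP>
</PicketLink>"""

# Constructed sample: trimmed copy of the SP picketlink.xml from the post.
SP_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                ServerEnvironment="tomcat" BindingType="POST">
    <IdentityURL>${sso.url::http://sso.domain.com:8081/sso/}</IdentityURL>
    <ServiceURL>${domain.url::http://localhost:8081/app/}</ServiceURL>
  </PicketLinkSP>
</PicketLink>"""

# ${prop::default}: the part before "::" is the system property name, the rest is the fallback.
PLACEHOLDER = re.compile(r"^\$\{(?P<prop>[^:}]+)(?:::(?P<default>[^}]*))?\}$")


def resolve(value, props=None):
    """Resolve a ${prop::default} placeholder: use the given property if set, else the default."""
    props = props or {}
    m = PLACEHOLDER.match(value.strip())
    if not m:
        return value.strip()
    return props.get(m.group("prop"), m.group("default") or "")


def find_text(root, local_name):
    """Return the text of the first element with this local name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.split("}")[-1] == local_name:
            return el.text or ""
    raise KeyError(local_name)


def host_is_trusted(host, trusted):
    # Assumed rule: exact match or a dot-separated suffix match against each trust domain.
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_federation(idp_xml, sp_xml, props=None):
    """Cross-check the IDP and SP configs; returns the resolved values plus a list of findings."""
    idp = ET.fromstring(idp_xml)
    sp = ET.fromstring(sp_xml)
    idp_identity = resolve(find_text(idp, "IdentityURL"), props)
    sp_identity = resolve(find_text(sp, "IdentityURL"), props)
    service_url = resolve(find_text(sp, "ServiceURL"), props)
    trusted = [d.strip() for d in find_text(idp, "Domains").split(",") if d.strip()]
    sp_host = urlparse(service_url).hostname or ""

    findings = []
    if idp_identity != sp_identity:
        findings.append(f"IdentityURL differs: IDP={idp_identity} SP={sp_identity}")
    if not host_is_trusted(sp_host, trusted):
        findings.append(f"SP host {sp_host} is not covered by IDP trust domains {trusted}")
    return {"service_host": sp_host, "trusted_domains": trusted, "findings": findings}


if __name__ == "__main__":
    # With the post's defaults both checks pass; overriding domain.url to an untrusted host flags it.
    print(check_federation(IDP_XML, SP_XML))
    print(check_federation(IDP_XML, SP_XML, {"domain.url": "http://app.other.example:8081/app/"}))
```

The property override in the second call mirrors how a deployment that sets sso.url or domain.url at JVM level would change the resolved values without touching the XML, which is worth re-checking whenever the two servers are started with different system properties.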