2 Replies Latest reply on Sep 16, 2014 10:53 AM by Rodrigo Silva

    Cross Domain Requests to Picketlink SAML IDP

    Rodrigo Silva Newbie

      What I'm trying to do?

      I have one application that works as a portal; it is a service provider (SP) that renders many other SPs via AJAX. The initial problem was that when I made a GET from one SP to another SP, PicketLink intercepted this request and the response from this GET was a form with a SAMLRequest.

      I solved it by simulating the web browser flow (all via AJAX):


      SP(x) --------- request ------------> SP(y)

      SP(y) --------- request (SamlRequest) ------------> IDP

      IDP    --------- request (SamlResponse) ----------> SP(y)

      SP(x) ---------- request (with new JSESSIONID) ----> SP(y)


      Legend:

                    SP(x): the current SP that works like a portal; this module initiates all AJAX calls.

                    SP(y): an SP that is not yet initialized.

                    IDP: Identity Provider.


      The JavaScript source: https://github.com/hodrigohamalho/picketlink-sp-communication/blob/master/picketlink-federation-saml-sp-central/src/main/webapp/javascript/index.js (line 19)


      The problem seemed to be solved there. But when I enable SSL, the IDP is now on 443, and when an AJAX call from localhost:8080/sp to localhost:8443/idp is made, the CORS message "not allowed origin" shows up in the browser console.

      I created a servlet filter that allows the origin on the response:


      // inside Filter.doFilter(request, response, chain)
      HttpServletResponse res = (HttpServletResponse) response;
      // the allowed origin must carry the scheme, or it will never match the browser's Origin header
      res.setHeader("Access-Control-Allow-Origin", "http://localhost:8080");
      res.setHeader("Access-Control-Allow-Methods", "POST, GET");
      res.setHeader("Access-Control-Max-Age", "3600");
      res.setHeader("Access-Control-Allow-Headers", "x-requested-with, Content-Type");
      chain.doFilter(request, response);


      But PicketLink is configured by a listener in web.xml. The listeners are executed before filters, so the filter above isn't executed.

      So, is it possible to enable CORS on the PicketLink SAML IDP?
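For comparison with the filter quoted in the post, here is an added example of how a CORS filter on the IDP side would normally be written; it is not PicketLink code and not the poster's. It assumes a plain servlet filter registered in the IDP's web.xml with an init-param named allowedOrigins (a constructed name) listing full origins such as http://localhost:8080. The two points it adds over the snippet above: the Access-Control-Allow-Origin value is only ever an exact entry from an allow-list (never "*", because the SAML flow relies on the JSESSIONID cookie and needs Access-Control-Allow-Credentials), and the OPTIONS preflight is answered by the filter itself instead of being forwarded to the SAML endpoints.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CORS filter for the IDP web application (example code, not PicketLink's).
 * Sets Access-Control-Allow-Origin only for origins on an explicit allow-list and
 * answers preflight (OPTIONS) requests itself.
 */
public class StrictCorsFilter implements Filter {

    // Allowed origins are full scheme://host[:port] values, read from the
    // init-param "allowedOrigins" (comma separated). Assumed configuration.
    private Set<String> allowedOrigins = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        String raw = config.getInitParameter("allowedOrigins");
        if (raw != null && !raw.trim().isEmpty()) {
            allowedOrigins = new HashSet<>(Arrays.asList(raw.trim().split("\\s*,\\s*")));
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        String origin = req.getHeader("Origin");
        boolean preflight = "OPTIONS".equalsIgnoreCase(req.getMethod());

        // The response depends on the Origin header, so shared caches must key on it.
        res.addHeader("Vary", "Origin");

        if (origin != null && allowedOrigins.contains(origin)) {
            // Echo the exact matched origin; "*" is not allowed together with credentials.
            res.setHeader("Access-Control-Allow-Origin", origin);
            res.setHeader("Access-Control-Allow-Credentials", "true");
            res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
            res.setHeader("Access-Control-Allow-Headers", "X-Requested-With, Content-Type");
            res.setHeader("Access-Control-Max-Age", "3600");

            if (preflight) {
                // Preflight: answer here, do not forward it to the SAML endpoints.
                res.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        } else if (origin != null && preflight) {
            // Preflight from an unlisted origin: refuse without involving the IDP at all.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Same-origin requests and allowed cross-origin requests continue down the chain.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Registering it is the usual filter-mapping in web.xml with the init-param allowedOrigins set to http://localhost:8080 (add the https origin if the SP is also moved behind SSL). This example does not settle the ordering question raised in the post: whether a filter runs before PicketLink's own handling depends on how PicketLink is wired into the container, and that is exactly what the question asks.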