2 Replies Latest reply on Sep 16, 2014 10:53 AM by Rodrigo Silva

    Cross Domain Requests to Picketlink SAML IDP

    Rodrigo Silva Newbie

      What i'm trying to do ?

      I have on application that works as a portal, it is a service provider(SP) that render many others SPs via AJAX. The initial problem was that when i made a GET from a SP to another SP, the picketlink intercept this request and the response from this GET was a form with SAMLRequest.

      I solved it simulating the web browser flow (all via ajax)

       

      SP(x) --------- request ------------> SP(y)

      SP(y) --------- request (SamlRequest) ------------> IDP

      IDP    --------- request (SamlResponse) ----------> SP(y)

      SP(x) ---------- request (with new JSESSIONID ----> SP(y)

       

      Legend: SP(x) current SP that works like a portal. This module that init all ajax calls.

                    SP(y) SP not initialized.

                    IDP Identity Provider.

       

      This javascript source: https://github.com/hodrigohamalho/picketlink-sp-communication/blob/master/picketlink-federation-saml-sp-central/src/main/webapp/javascript/index.js (line 19)

       

      The problems seens to be solved at here. But when I enable SSL, the IDP now is on 443 and when ajax from localhost:8080/sp to localhost:8443/idp is made the CORS message "not allowed origin" shows up on browser console.

      I create a servlet filter that allow origin on response:

       

      HttpServletResponse res = (HttpServletResponse) response;
        res.setHeader("Access-Control-Allow-Origin", "localhost:8080");
        res.setHeader("Access-Control-Allow-Methods", "POST, GET");
        res.setHeader("Access-Control-Max-Age", "3600");
        res.setHeader("Access-Control-Allow-Headers", "x-requested-with, Content-Type");
      

       

      But, picketlink is configured by a listener on web.xml. The listeners are executed before filters, so that filter isn't above isn't executed.

       

      <listener>
         <listener-class>org.picketlink.identity.federation.web.listeners.IDPHttpSessionListener</listener-class>
      </listener>
      

       

      So, is possible to enable CORS on picketlink SAML IDP?