3 Replies Latest reply on Feb 25, 2015 7:56 AM by Pedro Igor

    Cannot not use dynamic resolution of idp with different domain

    Dozie Agbai Newbie

      Hi all, I am pretty new to picketlink and working with picketlink 2.7.0 CR3 on a JBOSS wildfly (8.2.0) server.

      I am working with a picketlink server and I took the example from the dynamic resolution of idp which is part of the quickstart package provided by picketlink. When I tried to modify the example to support different domains, I get a signature validation error and upon further investigation, the public key set on the picketlink.xml file (not intended public key) is the key passed to my sp server.

       

      Does picketlink handle multiple idp with different domain?

       

      Here's a snippet of my xml file...

       

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"

                        ServerEnvironment="tomcat"

                        SupportsSignatures="true"

                        BindingType="REDIRECT">

              <IdentityURL>${idp-sig.url::<idAddress>}</IdentityURL>

              <ServiceURL>${employee-sig.url::<spAddress>}</ServiceURL>

              <Trust>

                  <Domains>localhost, acquisio.com, adfs.cc.dev, 10.30.163.167</Domains>

              </Trust>

              <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">

                  <Auth Key="KeyStoreURL" Value="/mykestore.jks" />

                  <Auth Key="KeyStorePass" Value="privatestore" />

                  <Auth Key="SigningKeyPass" Value="privatekey" />

                  <Auth Key="SigningKeyAlias" Value="spcert" />

                  <ValidatingAlias Key="localhost" Value="idpalias"/>

                  <ValidatingAlias Key="127.0.0.1" Value="idpalias"/>

                  <ValidatingAlias Key="10.30.163.167" Value="idpalias" />

                  <ValidatingAlias Key="adfs.cc.dev" Value="adfs_tokensigning"/>

              </KeyProvider>

          </PicketLinkSP>

          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

             ...........

              ...........

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />

          </Handlers>

      </PicketLink>

       

      Dozie

        • 1. Re: Cannot not use dynamic resolution of idp with different domain
          Pedro Igor Master

          Hey Dozie,

           

          Yes, it should work fine if you are using multiple domains. Each IdP you are "choosing" must have a corresponding ValidatingAlias in picketlink.xml. Where the Key attribute references the host of the IdP and value the alias of a public key in the keystore.

           

          Regards.

          • 2. Re: Re: Cannot not use dynamic resolution of idp with different domain
            Dozie Agbai Newbie

            Hello Pedro. I just tried it again to make sure and I am still getting the same error. I used the dynamic resolution and when I tried navigate to a different domain I get the following error


            2015-02-24 14:19:54,223 ERROR [org.picketlink.common] (default task-117) Service Provider could not handle the request.: org.picketlink.common.exceptions.ProcessingException: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed

              at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.constructSignatureException(SAML2SignatureValidationHandler.java:179) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:103) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:62) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:88) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.filters.SPFilter.handleSAML2Response(SPFilter.java:642) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.filters.SPFilter.handleSAMLResponse(SPFilter.java:329) [picketlink-federation-2.7.0.CR3.jar:]

              at org.picketlink.identity.federation.web.filters.SPFilter.doFilter(SPFilter.java:221) [picketlink-federation-2.7.0.CR3.jar:]

              at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_55]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_55]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]

            Caused by: org.picketlink.common.exceptions.fed.SignatureValidationException: PL00009: Invalid Digital Signature:Signature Validation Failed

              at org.picketlink.common.DefaultPicketLinkLogger.samlHandlerSignatureValidationFailed(DefaultPicketLinkLogger.java:1583) [picketlink-common-2.7.0.CR3.jar:]

              ... 39 more

             

             

            This suggests that there is an issue with the validation of the signature when using dynamic resolution and the alias for both domains have been saved in the keystore. I had to write a messy workaround that handles different domains but the issue still exists

            • 3. Re: Cannot not use dynamic resolution of idp with different domain
              Pedro Igor Master

              Can you open a JIRA describing your use case ? Configuration files and maybe some running example would be welcome

               

              Regards.