The SAML standard has the protocol binding as "optional" information. There are some 3rd party implementations of SAML which take this "optional" quite literally (such as OpenSAML) and do not use it on a default configuration. Picketlink IDP tends to crash and burn when it encounters a SAML authentication request without the Protocol Binding specified.
The patch to fix this in the master branch is:
| Header 1 |
|---|
--- modules/federation/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java (date 1464700764000) +++ modules/federation/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java (date 1485213800000) @@ -255,7 +255,11 @@ Document samlResponse = this.getResponse(request); // Update the Identity Server - boolean isPost = art.getProtocolBinding().toString().equals(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()); + //Protocol binding is set as Optional in the SAML specifications. Assume true, then switch to false if specified + boolean isPost = true; + if (art.getProtocolBinding() != null) { + isPost = art.getProtocolBinding().toString().equals(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()); + } IdentityServer identityServer = (IdentityServer) servletContext.getAttribute(GeneralConstants.IDENTITY_SERVER); // We will try to find URL for global logout from SP metadata (if they are provided) and use SP logout URL // for registration to IdentityServer |
