0 Replies Latest reply on Sep 14, 2017 6:15 PM by sarabduhra

    AudienceRestriction issue

    sarabduhra

I am running PicketLink v2.7.1 as the SP (JBoss v7.1.1.Final) and PingFederate is the IdP.

       

I am trying to understand the commit "[PLINK-PLINK-692] - Audience restriction check is too strict." (sarabd/picketlink@7ea29ca on GitHub) for audience restriction.

       

Here is the relevant stack trace:

2017-09-14 14:51:12,279 WARN  [org.picketlink.common] (http--0.0.0.0-8443-1) Assertion [OusTdEOGX3ybnrZKnXx0qPQLD-E] does not contain [https://localhost:8443/sales/index.html/] in audience list [[https://localhost:8443/sales/index.html]]. Expected audience is [https://localhost:8443/sales/index.html/].
2017-09-14 14:51:12,281 ERROR [org.picketlink.common] (http--0.0.0.0-8443-1) Service Provider could not handle the request.: org.picketlink.common.exceptions.ProcessingException: Wrong audience [https://localhost:8443/sales/index.html/].
    at org.picketlink.common.DefaultPicketLinkLogger.samlAssertionWrongAudience(DefaultPicketLinkLogger.java:2388) [picketlink-common-2.7.2.final.jar:]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleSAMLResponse(SAML2AuthenticationHandler.java:627) [picketlink-federation-2.7.2.final.jar:]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:517) [picketlink-federation-2.7.2.final.jar:]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:145) [picketlink-federation-2.7.2.final.jar:]
    at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.7.2.final.jar:]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-federation-2.7.2.final.jar:]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:88) [picketlink-federation-2.7.2.final.jar:]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:503) [picketlink-jbas7-2.7.2.final.jar:2.7.1.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:481) [picketlink-jbas7-2.7.2.final.jar:2.7.1.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:342) [picketlink-jbas7-2.7.2.final.jar:2.7.1.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:269) [picketlink-jbas7-2.7.2.final.jar:2.7.1.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_51]


      Here is my picketlink.xml file:

       

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1" EnableAudit="true">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" BindingType="REDIRECT">
        <IdentityURL>${idp.url::https://cas-sduh-w541.panduit.com:9031/idp/startSSO.ping?PartnerSpId=123}</IdentityURL>
        <!-- This value is what the WARN line above reports as the expected audience;
             note the trailing slash, which the Audience in the assertion does not have. -->
        <ServiceURL>${sales.url::https://localhost:8443/sales/index.html/}</ServiceURL>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    </Handlers>
</PicketLink>


Any recommendations on how to resolve this issue?
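The log above shows the two strings the SP compares: the configured ServiceURL (with a trailing slash) and the Audience the IdP put in the assertion (without one). The following is an added example, not part of the original post and not PicketLink's code, that performs the SAML 2.0 AudienceRestriction check over a constructed assertion carrying the same Audience value as the WARN line. It shows the exact comparison that fails in the post, a deliberately narrow normalized comparison that tolerates the trailing slash but still rejects a different host, port or path, and the SAML rule that every AudienceRestriction element must be satisfied while the Audiences inside one are alternatives. The Issuer value and the sample XML are assumptions made for the example.

```python
"""Audience-restriction check for a SAML 2.0 assertion.

Added example for this thread; it is not PicketLink's code and does not
reproduce the PLINK-692 change. The SP's configured ServiceURL is used as
the expected audience, which is what the posted WARN line indicates.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample (not the poster's real response). The Audience value is
# the one the WARN line says the IdP issued: no trailing slash. The Issuer is
# a placeholder.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:8443/sales/index.html</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# The ServiceURL from the posted picketlink.xml, trailing slash included.
CONFIGURED_SERVICE_URL = "https://localhost:8443/sales/index.html/"


def audience_restrictions(assertion_xml: str) -> list[list[str]]:
    """Return one list of Audience values per <AudienceRestriction> element.

    SAML 2.0 core: the Audiences inside one AudienceRestriction are
    alternatives (OR); every AudienceRestriction under Conditions must be
    satisfied (AND).
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    return [
        [(a.text or "").strip() for a in ar.findall("saml:Audience", ns)]
        for ar in root.findall("saml:Conditions/saml:AudienceRestriction", ns)
    ]


def normalize_uri(uri: str) -> str:
    """Syntax-only normalization: lowercase scheme and host, drop a default
    port, drop a trailing slash. It never widens to prefix matching, so a
    different host, port or path still fails to match."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    netloc = host if p.port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{p.port}"
    path = p.path.rstrip("/") or "/"
    return urlunsplit((scheme, netloc, path, p.query, ""))


def audience_ok(expected: str, assertion_xml: str, tolerant: bool = False) -> bool:
    """True if the assertion is addressed to this SP.

    tolerant=False is the exact string comparison the posted log shows.
    tolerant=True compares normalized URIs instead. An assertion with no
    AudienceRestriction at all is rejected: it would be usable at any SP.
    """
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return False
    if tolerant:
        same = lambda a, b: normalize_uri(a) == normalize_uri(b)  # noqa: E731
    else:
        same = lambda a, b: a == b  # noqa: E731
    return all(any(same(expected, aud) for aud in auds) for auds in restrictions)


if __name__ == "__main__":
    print("strict  :", audience_ok(CONFIGURED_SERVICE_URL, SAMPLE_ASSERTION))
    print("tolerant:", audience_ok(CONFIGURED_SERVICE_URL, SAMPLE_ASSERTION, tolerant=True))
    print("other SP:", audience_ok("https://localhost:8443/other/", SAMPLE_ASSERTION, tolerant=True))
```

The strict call reproduces the "Wrong audience" outcome from the log; the tolerant call passes only because the two values differ by a trailing slash, and the third call shows that a different path is still rejected. The simplest fix on the SP side is to make the configured expected audience the exact string the IdP issues, so that no tolerance in the comparison is needed at all.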