[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[higgins-dev] SAML2 IdP Deployment Problems
|
Hi all,
Following instructions from here:
http://wiki.eclipse.org/SAML2_IdP_Overview_1.1
http://wiki.eclipse.org/SAML2_IdP_Deployment_1.1
http://wiki.eclipse.org/SAML2_IdP_Development_1.1
I got few problems during the deployment of the SAML2 IdP solution.
2 NullPointerException in the Init class from the package
org.eclipse.higgins.saml2idp.server:
(Embedded image moved to file: pic02582.gif)
It corresponds to the line 337, (i got the same on the line 343):
(Embedded image moved to file: pic20898.gif)
Finally i commented those 2 lines which "solved" the problem
The SAML2Request is not redirected to the IdP. Once the samlAuthnRequest
is formed in the redirectAuthnRequest from the SAMLUtil class which is
called in the Login class from the SP. I'm not sure that my explanations
are really clear, it's quite hard to explain in a mail and maybe even
more to understand :/. The fact is that we never reach the server
SAMLendpoint.
It gives me this trace:
18186 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Login
- doPost()
18186 [http-8080-Processor24] INFO org.eclipse.higgins.saml2idp.test.Login
- Sending SAML2 AuthnRequest to IdP.
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2SPEndpoint()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getMinimal()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2IdPEndpoint()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2ProviderName()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2Issuer()
19348 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2IdPEndpoint())
instead of the trace shown in the wiki:
DEBUG org.eclipse.higgins.saml2idp.test.Login - doPost()
INFO org.eclipse.higgins.saml2idp.test.Login - Sending SAML2 AuthnRequest
to IdP.
DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2IdPEndpoint()
DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2ProviderName()
DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2Issuer()
DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2SPEndpoint()
DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint - doGet()
DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint - processRequest()
INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - The SAML2
AuthnRequest's signature has a KeyInfo element. We try to use this to
verify the signature.
INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - SAML2
AuthnRequest XML Signature successfully verified with KeyInfo element.
INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - SAML2
AuthnRequest contains a signature. Checking if we have a matching RP
certificate.
INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - SAML2
AuthnRequest XML Signature successfully verified with certificate from
CN=Markus Sabadello, O=Parity, L=Needham, ST=Massachusetts, C=US
INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - Accepting the
SAML2 AuthnRequest.
DEBUG org.eclipse.higgins.saml2idp.server.Init -
getExtractUsernameParameterName()
DEBUG org.eclipse.higgins.saml2idp.server.Init -
getExtractUsernameHeaderName()
DEBUG org.eclipse.higgins.saml2idp.server.Init -
getExtractUsernameCookieName()
DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextType()
INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - User is not
logged in. Displaying credentials form for context type $context+ldap.
DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin - doPost()
DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextId()
DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextFactory
()
WARN org.eclipse.higgins.saml2idp.server.LDAPLogin - Cannot login user:
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such
Object], Username=badguy (fail #1).
DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin - doPost()
DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextId()
DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextFactory
()
INFO org.eclipse.higgins.saml2idp.server.LDAPLogin - User saba logged in.
Sending SAML2 Response to SP.
INFO org.eclipse.higgins.saml2idp.server.util.SAMLUtil - Creating SAML
Response for destination
http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint with
relaystate Test relay state!!
DEBUG org.eclipse.higgins.saml2idp.server.Init - getSAML2Issuer()
DEBUG org.eclipse.higgins.saml2idp.server.Init -
getSAML2AssertionValidityMillis()
DEBUG org.eclipse.higgins.saml2idp.server.Init -
getSAML2AssertionValidityMillis()
INFO org.eclipse.higgins.saml2idp.server.util.SAMLUtil -
http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint
DEBUG org.eclipse.higgins.saml2idp.test.SAMLEndpoint - doPost()
INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - SAML2 Response XML
Signature verified with certificate from
EMAILADDRESS=msabadello@xxxxxxxxxxxxx, CN=Markus Sabadello, OU=Higgins,
O=Parity Communications, L=Vienna, ST=Some-State, C=AT
INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - SAML2 Response
StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - SAML2 Response
NameID: saba
INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - User successfully
logged in.
Then the third thing which i'm currently working on is that the
SAMLRequest in the URL sent by the SP to the IdP SAMLEndpoint (which i'm
sending manually as the redirection is not working, because of the
problem above^^) is not parsed. So far this is what i've found:
On the SP side, the SAMLRequest parameter is an xml that is
compressed with the deflater class and then encoded in base64.
On the IdP side, the SAMLRequest is received via the getParameter
method and then decoded with the base64 and decompressed with the
inflater class.
The problem is that the SAMLRequest is not full after the decoding or
the decompression. As the xml is not complete, a parsing error
occurs.
I have a last little thing about the Base64, it seems that the
org.eclipse.higgins.sts.spi.IBase64Extension class was removed from sts
to use instead the common Base64 class (sources:
http://www.nabble.com/SAML-utility-code-td17788915.html#a17874867 and
http://graceland.parityinc.net/pub/higginsirc/log_2008-06-16.txt) In the
different higgins components i used, the org.eclipse.higgins.idp.saml2
was still using this IBase64Extension class, so i just changed it to
Base64. I don't know if it was an oversight or if the
org.eclipse.higgins.idp.saml2 has been replaced by another one as in the
wiki (http://wiki.eclipse.org/SAML2_IdP_Development_1.1) they are
talking about a org.eclipse.higgins.saml2idp component that wasn't in
the repository :/.
That's pretty it, hoping it wasn't to bad explained.
Thanks a lot
Regards
Wen
____________________
Wenceslas Wolfersperger
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered office: Oldbrook House, 24-32 Pembroke Road, Ballsbridge,
Dublin 4
Attachment:
pic02582.gif
Description: GIF image
Attachment:
pic20898.gif
Description: GIF image