[higgins-dev] SAML2 IdP Deployment Problems

Hi all,

Following instructions from here:
http://wiki.eclipse.org/SAML2_IdP_Overview_1.1
http://wiki.eclipse.org/SAML2_IdP_Deployment_1.1
http://wiki.eclipse.org/SAML2_IdP_Development_1.1

I got a few problems during the deployment of the SAML2 IdP solution.

   1. NullPointerException in the Init class from the package
   org.eclipse.higgins.saml2idp.server:

(Embedded image moved to file: pic02582.gif)

It corresponds to line 337 (I got the same on line 343):

(Embedded image moved to file: pic20898.gif)

Finally I commented out those 2 lines, which "solved" the problem.


   2. The SAML2Request is not redirected to the IdP once the samlAuthnRequest
   is formed in redirectAuthnRequest from the SAMLUtil class, which is
   called in the Login class from the SP. I'm not sure that my explanations
   are really clear; it's quite hard to explain in a mail and maybe even
   harder to understand :/. The fact is that we never reach the server
   SAMLEndpoint.

It gives me this trace:
18186 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Login
- doPost()
18186 [http-8080-Processor24] INFO  org.eclipse.higgins.saml2idp.test.Login
- Sending SAML2 AuthnRequest to IdP.
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2SPEndpoint()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getMinimal()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2IdPEndpoint()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2ProviderName()
18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2Issuer()
19348 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init
- getSAML2IdPEndpoint())

instead of the trace shown in the wiki:
DEBUG org.eclipse.higgins.saml2idp.test.Login  - doPost()
INFO  org.eclipse.higgins.saml2idp.test.Login  - Sending SAML2 AuthnRequest
to IdP.
DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2IdPEndpoint()
DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2ProviderName()
DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2Issuer()
DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2SPEndpoint()
DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - doGet()
DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - processRequest()
INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - The SAML2
AuthnRequest's signature has a KeyInfo element. We try to use this to
verify the signature.
INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - SAML2
AuthnRequest XML Signature successfully verified with KeyInfo element.
INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - SAML2
AuthnRequest contains a signature. Checking if we have a matching RP
certificate.
INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - SAML2
AuthnRequest XML Signature successfully verified with certificate from
CN=Markus Sabadello, O=Parity, L=Needham, ST=Massachusetts, C=US
INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - Accepting the
SAML2 AuthnRequest.
DEBUG org.eclipse.higgins.saml2idp.server.Init  -
getExtractUsernameParameterName()
DEBUG org.eclipse.higgins.saml2idp.server.Init  -
getExtractUsernameHeaderName()
DEBUG org.eclipse.higgins.saml2idp.server.Init  -
getExtractUsernameCookieName()
DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextType()
INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - User is not
logged in. Displaying credentials form for context type $context+ldap.
DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin  - doPost()
DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextId()
DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextFactory
()
WARN  org.eclipse.higgins.saml2idp.server.LDAPLogin  - Cannot login user:
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such
Object], Username=badguy (fail #1).
DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin  - doPost()
DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextId()
DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextFactory
()
INFO  org.eclipse.higgins.saml2idp.server.LDAPLogin  - User saba logged in.
Sending SAML2 Response to SP.
INFO  org.eclipse.higgins.saml2idp.server.util.SAMLUtil  - Creating SAML
Response for destination
http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint with
relaystate Test relay state!!
DEBUG org.eclipse.higgins.saml2idp.server.Init  - getSAML2Issuer()
DEBUG org.eclipse.higgins.saml2idp.server.Init  -
getSAML2AssertionValidityMillis()
DEBUG org.eclipse.higgins.saml2idp.server.Init  -
getSAML2AssertionValidityMillis()
INFO  org.eclipse.higgins.saml2idp.server.util.SAMLUtil  -
http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint
DEBUG org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - doPost()
INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - SAML2 Response XML
Signature verified with certificate from
EMAILADDRESS=msabadello@xxxxxxxxxxxxx, CN=Markus Sabadello, OU=Higgins,
O=Parity Communications, L=Vienna, ST=Some-State, C=AT
INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - SAML2 Response
StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - SAML2 Response
NameID: saba
INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - User successfully
logged in.

   3. Then the third thing, which I'm currently working on, is that the
   SAMLRequest in the URL sent by the SP to the IdP SAMLEndpoint (which I'm
   sending manually as the redirection is not working, because of the
   problem above ^^) is not parsed. So far this is what I've found:
      - On the SP side, the SAMLRequest parameter is an XML that is
        compressed with the Deflater class and then encoded in base64.
      - On the IdP side, the SAMLRequest is received via the getParameter
        method, then decoded from base64 and decompressed with the
        Inflater class.
      - The problem is that the SAMLRequest is not full after the decoding or
        the decompression. As the XML is not complete, a parsing error
        occurs.


   4. I have a last little thing about the Base64: it seems that the
   org.eclipse.higgins.sts.spi.IBase64Extension class was removed from sts
   to use the common Base64 class instead (sources:
   http://www.nabble.com/SAML-utility-code-td17788915.html#a17874867 and
   http://graceland.parityinc.net/pub/higginsirc/log_2008-06-16.txt). In the
   different Higgins components I used, org.eclipse.higgins.idp.saml2
   was still using this IBase64Extension class, so I just changed it to
   Base64. I don't know if it was an oversight or if
   org.eclipse.higgins.idp.saml2 has been replaced by another one, as in the
   wiki (http://wiki.eclipse.org/SAML2_IdP_Development_1.1) they are
   talking about an org.eclipse.higgins.saml2idp component that wasn't in
   the repository :/.


That's pretty much it; hoping it wasn't too badly explained.

Thanks a lot
Regards
Wen


____________________
Wenceslas Wolfersperger
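An added example, not code from the poster or from Higgins, of the round trip the third point describes, written in Python instead of the project's Java: raw DEFLATE plus base64 on the SP side, base64 plus inflate on the IdP side, with checks that name which step left the XML incomplete. The sample AuthnRequest, the function names and the truncation helper are constructed for this illustration.

```python
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Constructed sample AuthnRequest; not a message captured from the Higgins test SP.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:'
    'tc:SAML:2.0:assertion">http://localhost/sp</saml:Issuer></samlp:AuthnRequest>')

def encode_saml_request(xml_text):
    """SP side: raw DEFLATE (wbits=-15, no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def truncate_param(param, drop_bytes):
    """Simulate a SAMLRequest whose deflate stream lost its last drop_bytes bytes."""
    raw = base64.b64decode(unquote(param))
    return quote(base64.b64encode(raw[:-drop_bytes]).decode("ascii"), safe="")

def decode_saml_request(param):
    """IdP side: decode step by step; returns (xml, problem) naming the failing step."""
    if " " in param:
        # getParameter() turns an un-escaped '+' into a space, which corrupts base64.
        return None, "base64 contains spaces ('+' was not URL-encoded)"
    try:
        raw = base64.b64decode(unquote(param), validate=True)
    except binascii.Error as exc:
        return None, "base64 decode failed: %s" % exc
    inflater = zlib.decompressobj(wbits=-15)
    try:
        xml_bytes = inflater.decompress(raw) + inflater.flush()
    except zlib.error as exc:
        return None, "inflate failed: %s" % exc
    if not inflater.eof:
        # A cut-short deflate stream inflates without error but yields partial XML.
        return xml_bytes.decode("utf-8", "replace"), "deflate stream truncated"
    try:
        ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return xml_bytes.decode("utf-8", "replace"), "XML parse error: %s" % exc
    return xml_bytes.decode("utf-8"), None
```

Running decode_saml_request on the exact string the IdP's getParameter() returns tells you whether the value already arrived damaged (spaces, bad base64) or whether the inflate step stopped before the end-of-stream marker.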

