Re: [higgins-dev] SAML2 IdP Deployment Problems

Hi,

Thanks Markus for your help.

1. I updated from SVN which solved the NullPointerException, thanks.

2. & 3. Finally, the problem came from the Eclipse integrated browser. It's
working fine with Firefox :/

Thanks a lot
Regards
Wen




____________________
Wenceslas Wolfersperger

IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered office: Oldbrook House, 24-32 Pembroke Road, Ballsbridge,
Dublin 4


From: Markus Sabadello <msabadello@xxxxxxxxxxxxx>
To: "Higgins (Trust Framework) Project developer discussions" <higgins-dev@xxxxxxxxxxx>
Cc: Smriti Talwar/Ireland/IBM@IBMIE, He Yuan Huang <huanghey@xxxxxxxxxx>
Date: 26/02/2009 01:23
Subject: Re: [higgins-dev] SAML2 IdP Deployment Problems
Sent by: higgins-dev-bounces@xxxxxxxxxxx

Hi,

Thanks for the detailed input.

1. Regarding your NullPointerException during Init, I just checked in a fix
for this. The idea is that for creating SAML 2.0 tokens, you can configure
the SAML2 IdP to either use the Higgins STS for doing that, or use
internal, simpler code instead. The latter requires much less configuration
work. Please update from SVN and see if it works now.

2. Not sure what you mean with "The SAML2Request is not redirected to the
IdP". Try to make sure that "saml2-idp-endpoint" and "saml2-sp-endpoint" are
configured correctly in the conf/application.properties file of the
saml2idp.test project (i.e. the Test SP).

3. The way the SAMLRequest is sent from the SP to the IdP is the SAML HTTP
Binding (see
http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf).
It involves compression and Base64 encoding. Not sure why it doesn't work
when you do that manually. Do you have any more information?

4. There used to be a helper project called
org.eclipse.higgins.saml2idp.saml2, which was used both by the SP and IdP.
It has been renamed to org.eclipse.higgins.util.saml because other projects
started to use it too.

Hope that helps
Markus

On Wed, Feb 25, 2009 at 6:01 PM, Wenceslas Wolfersperger <WOLFERSP@xxxxxxxxxx> wrote:
  Hi all,

  Following instructions from here:
  http://wiki.eclipse.org/SAML2_IdP_Overview_1.1
  http://wiki.eclipse.org/SAML2_IdP_Deployment_1.1
  http://wiki.eclipse.org/SAML2_IdP_Development_1.1

  I got a few problems during the deployment of the SAML2 IdP solution.

  1. NullPointerException in the Init class from the package org.eclipse.higgins.saml2idp.server:

  (Embedded image moved to file: pic02582.gif)

  It corresponds to line 337 (I got the same on line 343):

  (Embedded image moved to file: pic20898.gif)

  Finally I commented out those 2 lines, which "solved" the problem.


  2. The SAML2Request is not redirected to the IdP once the samlAuthnRequest is
  formed in the redirectAuthnRequest from the SAMLUtil class, which is called in
  the Login class from the SP. I'm not sure that my explanations are really
  clear; it's quite hard to explain in a mail and maybe even harder to
  understand :/. The fact is that we never reach the server SAMLEndpoint.

  It gives me this trace:
  18186 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Login - doPost()
  18186 [http-8080-Processor24] INFO org.eclipse.higgins.saml2idp.test.Login - Sending SAML2 AuthnRequest to IdP.
  18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2SPEndpoint()
  18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getMinimal()
  18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2IdPEndpoint()
  18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2ProviderName()
  18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2Issuer()
  19348 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2IdPEndpoint())

  instead of the trace shown in the wiki:
  DEBUG org.eclipse.higgins.saml2idp.test.Login  - doPost()
  INFO  org.eclipse.higgins.saml2idp.test.Login  - Sending SAML2 AuthnRequest to IdP.
  DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2IdPEndpoint()
  DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2ProviderName()
  DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2Issuer()
  DEBUG org.eclipse.higgins.saml2idp.test.Init  - getSAML2SPEndpoint()
  DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - doGet()
  DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - processRequest()
  INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - The SAML2 AuthnRequest's signature has a KeyInfo element. We try to use this to verify the signature.
  INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - SAML2 AuthnRequest XML Signature successfully verified with KeyInfo element.
  INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - SAML2 AuthnRequest contains a signature. Checking if we have a matching RP certificate.
  INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - SAML2 AuthnRequest XML Signature successfully verified with certificate from CN=Markus Sabadello, O=Parity, L=Needham, ST=Massachusetts, C=US
  INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - Accepting the SAML2 AuthnRequest.
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getExtractUsernameParameterName()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getExtractUsernameHeaderName()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getExtractUsernameCookieName()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextType()
  INFO  org.eclipse.higgins.saml2idp.server.SAMLEndpoint  - User is not logged in. Displaying credentials form for context type $context+ldap.
  DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin  - doPost()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextId()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextFactory()
  WARN  org.eclipse.higgins.saml2idp.server.LDAPLogin  - Cannot login user: javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object], Username=badguy (fail #1).
  DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin  - doPost()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextId()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getHigginsContextFactory()
  INFO  org.eclipse.higgins.saml2idp.server.LDAPLogin  - User saba logged in. Sending SAML2 Response to SP.
  INFO  org.eclipse.higgins.saml2idp.server.util.SAMLUtil  - Creating SAML Response for destination http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint with relaystate Test relay state!!
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getSAML2Issuer()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getSAML2AssertionValidityMillis()
  DEBUG org.eclipse.higgins.saml2idp.server.Init  - getSAML2AssertionValidityMillis()
  INFO  org.eclipse.higgins.saml2idp.server.util.SAMLUtil  - http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint
  DEBUG org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - doPost()
  INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - SAML2 Response XML Signature verified with certificate from EMAILADDRESS=msabadello@xxxxxxxxxxxxx, CN=Markus Sabadello, OU=Higgins, O=Parity Communications, L=Vienna, ST=Some-State, C=AT
  INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - SAML2 Response StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
  INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - SAML2 Response NameID: saba
  INFO  org.eclipse.higgins.saml2idp.test.SAMLEndpoint  - User successfully logged in.

  3. Then the third thing, which I'm currently working on, is that the
  SAMLRequest in the URL sent by the SP to the IdP SAMLEndpoint (which I'm
  sending manually, as the redirection is not working because of the problem
  above ^^) is not parsed. So far this is what I've found:
     On the SP side, the SAMLRequest parameter is an XML that is compressed
     with the Deflater class and then encoded in Base64.
     On the IdP side, the SAMLRequest is received via the getParameter method
     and then decoded with the Base64 and decompressed with the Inflater class.
     The problem is that the SAMLRequest is not full after the decoding or the
     decompression. As the XML is not complete, a parsing error occurs.


  4. I have a last little thing about the Base64: it seems that the
  org.eclipse.higgins.sts.spi.IBase64Extension class was removed from sts to
  use the common Base64 class instead (sources:
  http://www.nabble.com/SAML-utility-code-td17788915.html#a17874867 and
  http://graceland.parityinc.net/pub/higginsirc/log_2008-06-16.txt). In the
  different Higgins components I used, the org.eclipse.higgins.idp.saml2 was
  still using this IBase64Extension class, so I just changed it to Base64. I
  don't know if it was an oversight or if the org.eclipse.higgins.idp.saml2
  has been replaced by another one, as in the wiki
  (http://wiki.eclipse.org/SAML2_IdP_Development_1.1) they are talking about
  an org.eclipse.higgins.saml2idp component that wasn't in the repository :/.


  That's pretty much it; I hope it wasn't too badly explained.

  Thanks a lot
  Regards
  Wen


  ____________________
  Wenceslas Wolfersperger

  _______________________________________________
  higgins-dev mailing list
  higgins-dev@xxxxxxxxxxx
  https://dev.eclipse.org/mailman/listinfo/higgins-dev

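The SP-to-IdP encoding that Markus's point 3 and Wen's third item describe (DEFLATE, then Base64, then URL-encoding of the SAMLRequest parameter), as an added example that is not code from the Higgins project: it implements the DEFLATE encoding rules of the HTTP Redirect binding in the bindings spec linked above, and shows how an IdP-side decoder can tell a truncated stream, a zlib-wrapped stream (a Deflater used without the raw/nowrap mode) and bad Base64 apart instead of surfacing only a vague XML parse error. The sample AuthnRequest and its endpoint URLs are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Constructed sample AuthnRequest; the endpoint URLs are placeholders, not the project's.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id-1" Version="2.0" '
    'IssueInstant="2009-02-25T18:01:00Z" Destination="http://idp.example/SAMLEndpoint">'
    "<saml:Issuer>http://sp.example/</saml:Issuer></samlp:AuthnRequest>"
)

def _b64url(raw: bytes) -> str:
    """Base64, then URL-encode: the order the Redirect binding prescribes."""
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")

def encode_redirect_param(xml: str) -> str:
    """SP side: raw DEFLATE (RFC 1951, no zlib header or trailer), then Base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()  # flush() emits the final block
    return _b64url(raw)

def decode_redirect_param(param: str) -> str:
    """IdP side: URL-decode, Base64-decode, raw-inflate; refuse incomplete or malformed input."""
    raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    dec = zlib.decompressobj(-15)
    xml = dec.decompress(raw) + dec.flush()
    if not dec.eof:  # final block never seen: the stream was cut short somewhere
        raise ValueError("DEFLATE stream incomplete")
    ET.fromstring(xml)  # must be well-formed XML before any issuer or signature checks
    return xml.decode("utf-8")

def classify_failure(param: str) -> str:
    """Tell the usual 'SAMLRequest does not parse' causes apart, from the IdP side."""
    try:
        decode_redirect_param(param)
        return "ok"
    except zlib.error:
        return "not-raw-deflate"  # e.g. the sender produced zlib-wrapped output
    except ValueError as e:
        return "truncated" if "incomplete" in str(e) else "bad-base64"
    except ET.ParseError:
        return "bad-xml"

def faulty_params(xml: str = SAMPLE_AUTHN_REQUEST) -> dict:
    """Constructed inputs reproducing each failure mode, for exercising the decoder."""
    raw = base64.b64decode(urllib.parse.unquote(encode_redirect_param(xml)))
    return {"truncated": _b64url(raw[: len(raw) // 2]),  # half the deflate stream lost
            "not-raw-deflate": _b64url(zlib.compress(xml.encode("utf-8"))),  # zlib header
            "bad-xml": encode_redirect_param("<broken"), "bad-base64": "not%20base64!!"}
```

Running `classify_failure` over the parameter an SP actually sent is a quick way to see whether the "not full after decoding" symptom is a truncated value (for instance a URL cut at a parameter boundary) or a compressor/decompressor wrapper mismatch.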