Issue Type: Bug
Affects Versions: PLINK_2.5.2.FInal
Assignee: Anil Saldhana
Components: Federation
Created: 11/Apr/14 2:29 PM
Description:

The picketlink IDP is sending a response to an AuthnRequest with an invalid top level status code value. For example:

Request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://qa-app/Shibboleth.sso/SAML2/POST"
                    Destination="https://idp-dev1/idp/"
                    ID="_b5087728bfbb1ef6790558e47bcdbaf7"
                    IssueInstant="2014-04-11T18:12:43Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://qa-app/Shibboleth</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>

Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="ID_d8c4c4aa-721a-4790-91eb-4f07e7d6bf11"
                IssueInstant="2014-04-11T18:13:00.654Z"
                Version="2.0"
                >
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
    </samlp:Status>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/> <!-- truncated -->
</samlp:Response>

The StatusCode value urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
is a second-level status code and must not appear in the top-level StatusCode, which is restricted to Success, Requester, Responder and VersionMismatch (per the SAML 2.0 Core spec, https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf, lines 1693-1704).

This causes third-party service providers (Shibboleth SP / OpenSAML) to refuse to process the message and fail.

In this case, the expected result, I think, should be:

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
        </samlp:StatusCode>
    </samlp:Status>
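The following check, added here as an illustration and not code from PicketLink or from the reporter, shows what a conforming SP-side validator does with the two Status blocks above: it walks the nested samlp:StatusCode chain and rejects a response whose top-level value is not one of the four values SAML 2.0 Core allows there. It uses only the Python standard library; the two sample responses are constructed after the ones in this report (signature and assertion omitted, placeholder ID).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# SAML 2.0 Core permits exactly these four values in the top-level StatusCode;
# everything else (AuthnFailed, RequestDenied, ...) is a second-level code.
TOP_LEVEL_CODES = {STATUS + c for c in ("Success", "Requester", "Responder", "VersionMismatch")}


def status_chain(response_xml):
    """Return the StatusCode Value chain of a samlp:Response, outermost first."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("samlp:Response has no samlp:Status element")
    chain = []
    node = status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:
        chain.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP}}}StatusCode")  # descend into the nested code, if any
    return chain


def validate_status(response_xml):
    """Return (well_formed, authn_succeeded, reason) for a samlp:Response.

    well_formed is False when the top-level StatusCode is not one of the four
    permitted values, which is the defect this issue reports; a conforming SP
    rejects such a response instead of guessing at its meaning.
    """
    chain = status_chain(response_xml)
    if not chain:
        return (False, False, "missing top-level StatusCode")
    top = chain[0]
    if top not in TOP_LEVEL_CODES:
        return (False, False, f"top-level StatusCode {top!r} is not a permitted top-level value")
    if top == STATUS + "Success":
        return (True, True, "Success")
    detail = chain[1] if len(chain) > 1 else None
    reason = top[len(STATUS):] + (f"/{detail.rsplit(':', 1)[-1]}" if detail else "")
    return (True, False, reason)


# Constructed samples modelled on this report (no signature, no assertion, placeholder ID).
BUGGY_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="ID_placeholder" IssueInstant="2014-04-11T18:13:00Z" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS}AuthnFailed"/>
  </samlp:Status>
</samlp:Response>"""

FIXED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="ID_placeholder" IssueInstant="2014-04-11T18:13:00Z" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS}Responder">
      <samlp:StatusCode Value="{STATUS}AuthnFailed"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml in (("as sent by the IDP", BUGGY_RESPONSE), ("expected", FIXED_RESPONSE)):
        print(label, "->", validate_status(xml))
```

Run stand-alone, the script reports the first response as malformed and the second as a well-formed Responder/AuthnFailed failure. Returning a separate well-formed flag matters because an SP must distinguish "the IDP said authentication failed" from "the IDP sent something I cannot interpret", and only the former should be surfaced to the user as a login failure.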
Project: PicketLink
Priority: Major
Reporter: Stefan Winz