Description:
When you try to initiate SAML login from the sample idp.war to any remote sample SP like sales.war, you get an exception:
08-01 15:06:10,355 ERROR [org.picketlink.identity.federation] (ajp 2) PLFED000263: Service Provider could not handle the request.: java.lang.ClassCastException: org.picketlink.identity.federation.saml.v1.protocol.SAML11ResponseType cannot be cast to org.picketlink.identity.federation.saml.v2.SAML2Object
    at org.picketlink.identity.federation.api.saml.v2.response.SAML2Response.getSAML2ObjectFromStream(SAML2Response.java:447) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.getSAMLDocumentHolder(ServiceProviderSAMLResponseProcessor.java:130) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:84) [picketlink-core-2.1.6.Final.jar:2.1.6.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:422) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:298) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSAML11SPRedirectFormAuthenticator.authenticate(AbstractSAML11SPRedirectFormAuthenticator.java:117) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:253) [picketlink-jbas7-2.1.6.Final.jar:2.1.6.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.17.Final.jar:]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.1.4.Final-SNAPSHOT.jar:7.1.4.Final-SNAPSHOT]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final.jar:]
    at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:346) [jboss-as-web-7.1.4.Final-SNAPSHOT.jar:7.1.4.Final-SNAPSHOT]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final.jar:]
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:491) [jbossweb-7.0.17.Final.jar:]
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:487) [jbossweb-7.0.17.Final.jar:]
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2516) [jbossweb-7.0.17.Final.jar:]
    at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)
    at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:801)
    at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)
    at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:821)
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_13]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122)
Changing the SP valve to SAML11SPRedirectFormAuthenticator didn't help.
Another issue: the sample idp.war always sends the SAML 1.1 request via HTTP Redirect, which causes errors because the URL gets truncated. The StrictPost flag inside the IDP is ignored.
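The ClassCastException above is a version mix-up: a SAML 1.1 Response is handed to code that expects a SAML 2.0 object. As an added example (not PicketLink's code and not part of this report), the following hypothetical Java pre-check reads the protocol namespace and version attributes of the Response root element with a hardened JAXP parser and dispatches by version instead of casting. The class name, method names and the sample responses are assumptions; the sample responses are constructed, minimal and unsigned, used only to exercise the check.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Hypothetical SP-side pre-check (added example, not PicketLink code):
 * decide which protocol version a <samlp:Response> uses before handing it
 * to a version-specific processor. Only JAXP is used.
 */
public class SamlResponseVersionCheck {

    // SAML 1.1 keeps the 1.0 protocol namespace and signals 1.1 through
    // MajorVersion="1" MinorVersion="1"; SAML 2.0 has its own namespace
    // and a single Version="2.0" attribute.
    static final String SAML1_PROTOCOL_NS = "urn:oasis:names:tc:SAML:1.0:protocol";
    static final String SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    enum Version { SAML_1_1, SAML_2_0 }

    /** Namespace-aware parser with DTDs, external entities and XInclude disabled. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required to read the root namespace URI
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns the protocol version of the Response, or throws if it is not a recognised Response. */
    static Version detectVersion(String responseXml) throws Exception {
        Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(responseXml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if (!"Response".equals(root.getLocalName())) {
            throw new IllegalArgumentException("root element is not a Response: " + root.getTagName());
        }
        String ns = root.getNamespaceURI();
        if (SAML1_PROTOCOL_NS.equals(ns)) {
            if (!"1".equals(root.getAttribute("MajorVersion"))
                    || !"1".equals(root.getAttribute("MinorVersion"))) {
                throw new IllegalArgumentException("unsupported SAML 1.x version");
            }
            return Version.SAML_1_1;
        }
        if (SAML2_PROTOCOL_NS.equals(ns)) {
            if (!"2.0".equals(root.getAttribute("Version"))) {
                throw new IllegalArgumentException("unsupported SAML 2.x version");
            }
            return Version.SAML_2_0;
        }
        throw new IllegalArgumentException("unknown protocol namespace: " + ns);
    }

    /** Dispatch on the detected version; each branch would call the matching processor. */
    static String handle(String responseXml) throws Exception {
        switch (detectVersion(responseXml)) {
            case SAML_1_1: return "route to SAML 1.1 response processor";
            case SAML_2_0: return "route to SAML 2.0 response processor";
            default: throw new IllegalStateException("unreachable");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses (minimal, unsigned) for demonstration only.
        String saml11 = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\""
                + " MajorVersion=\"1\" MinorVersion=\"1\" ResponseID=\"_r11\""
                + " IssueInstant=\"2013-01-08T15:06:10Z\"/>";
        String saml2 = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " Version=\"2.0\" ID=\"_r20\" IssueInstant=\"2013-01-08T15:06:10Z\"/>";
        System.out.println(handle(saml11));
        System.out.println(handle(saml2));
        try {
            // A DOCTYPE is refused by the hardened parser before any version check or cast.
            handle("<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///etc/passwd\">]><Response>&e;</Response>");
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the check is that the branch is chosen from what the document actually is, so a 1.1 Response never reaches 2.0-only code; signature validation and the rest of the processing still belong in the version-specific processor each branch routes to.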
h4. SP configuration:
valve - SAML11SPRedirectFormAuthenticator or ServiceProviderAuthenticator
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"
                ServerEnvironment="tomcat" BindingType="POST">
    <IdentityURL>...</IdentityURL>
    <ServiceURL>...</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>
h4. IDP configuration:
valve - IDPWebBrowserSSOValve
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
    <IdentityURL>...</IdentityURL>
    <Trust>
      <Domains>...</Domains>
    </Trust>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>