I am trying to consume a Signed + Encrypted SAML token from ADFS on JBoss EAP 6.3 using PicketLink version 2.7. The token is decrypted correctly, but during the next step, signature validation, the following error is generated:
ERROR [org.picketlink.common] (http-/0.0.0.0:8443-1) Error validating signature:: java.lang.RuntimeException: PL00092: Null Value:Cannot find Signature element
    at org.picketlink.common.DefaultPicketLinkLogger.nullValueError(DefaultPicketLinkLogger.java:205)
    at org.picketlink.identity.federation.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:498) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:309) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.verifyPostBindingSignature(SAML2SignatureValidationHandler.java:142) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.validateSender(SAML2SignatureValidationHandler.java:88) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler.handleStatusResponseType(SAML2SignatureValidationHandler.java:62) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:67) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:88) [picketlink-federation-2.7.0.CR3.jar:]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAML2Response(AbstractSPFormAuthenticator.java:503) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:481) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:342) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:269) [picketlink-jbas7-2.7.0.CR3.jar:2.7.0.CR3]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_71]
On debugging, I found that the decrypted assertion has all the necessary information for signature validation, but the SAML2SignatureValidationHandler is not working with that decrypted assertion; instead it is still trying to use the original encrypted SAML token. I am wondering if there is some setting on the SP side that I need to change for the handler chain to work correctly, or whether I am running into a bug.
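The check below is an added, self-contained example written for this page; it is not PicketLink code and it does not use the PicketLink API. It reproduces the situation the question describes with the JDK's own XML Signature API (javax.xml.crypto.dsig): a ds:Signature lookup against a constructed Response whose Assertion is still wrapped in saml:EncryptedAssertion finds nothing (the "Cannot find Signature element" condition), while the same validation run against the decrypted, signed Assertion succeeds, and fails again once the signed content is tampered with. The key pair, the assertion ID, the subject value and the placeholder ciphertext are all constructed for the example; real XML Encryption is not performed. Running this kind of check against the DOM you extracted in the debugger is one way to confirm that the decrypted assertion is verifiable on its own, which isolates the problem to which document the handler chain hands to the validator.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AssertionSignatureCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    // String literal so this also compiles on Java 7 (SignatureMethod.RSA_SHA256 is Java 11+).
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String ASSERTION_ID = "_example-assertion-id";   // constructed value

    static Document newDocument() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder().newDocument();
    }

    // Stand-in for the decrypted assertion: an enveloped signature over <saml:Assertion>.
    static Document signedAssertion(KeyPair kp) throws Exception {
        Document doc = newDocument();
        Element assertion = doc.createElementNS(SAML_NS, "saml:Assertion");
        assertion.setAttributeNS(XMLNS_NS, "xmlns:saml", SAML_NS);
        assertion.setAttribute("ID", ASSERTION_ID);
        assertion.setIdAttribute("ID", true);   // lets the Reference URI "#ID" resolve
        doc.appendChild(assertion);
        Element subject = doc.createElementNS(SAML_NS, "saml:Subject");
        subject.setTextContent("alice");        // constructed subject
        assertion.appendChild(subject);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + ASSERTION_ID,
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        // Appends <ds:Signature> as the last child of the Assertion.
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), assertion));
        return doc;
    }

    // Stand-in for the Response as received: the Assertion, signature included, is hidden
    // inside <saml:EncryptedAssertion>. Placeholder ciphertext, not real XML Encryption.
    static Document encryptedResponse() throws Exception {
        Document doc = newDocument();
        Element response = doc.createElementNS(SAMLP_NS, "samlp:Response");
        doc.appendChild(response);
        Element enc = doc.createElementNS(SAML_NS, "saml:EncryptedAssertion");
        response.appendChild(enc);
        Element data = doc.createElementNS(XENC_NS, "xenc:EncryptedData");
        data.setTextContent("BASE64-CIPHERTEXT-PLACEHOLDER");   // constructed
        enc.appendChild(data);
        return doc;
    }

    // The lookup behind the error message: null when no ds:Signature is visible in this DOM.
    static Element locateSignature(Document doc) {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        return sigs.getLength() == 0 ? null : (Element) sigs.item(0);
    }

    static boolean validate(Document doc, PublicKey key) throws Exception {
        Element sigEl = locateSignature(doc);
        if (sigEl == null) {
            throw new IllegalStateException("Cannot find Signature element");
        }
        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);   // checks SignatureValue and every Reference digest
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document encrypted = encryptedResponse();
        System.out.println("Signature visible in encrypted Response: " + (locateSignature(encrypted) != null));

        Document decrypted = signedAssertion(kp);
        System.out.println("Decrypted assertion valid: " + validate(decrypted, kp.getPublic()));

        // Tampering with signed content must fail validation.
        decrypted.getElementsByTagNameNS(SAML_NS, "Subject").item(0).setTextContent("mallory");
        System.out.println("Tampered assertion valid: " + validate(decrypted, kp.getPublic()));
    }
}
```

Two details matter when adapting this to a real decrypted assertion: the validation key must be the IdP's signing certificate from its metadata, not the KeyValue carried in the message (which an attacker controls), and the ID attribute must be registered on the parsed DOM (setIdAttribute or a schema-aware parse) or the "#ID" Reference will not dereference.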