9 Replies Latest reply on Mar 27, 2012 1:12 PM by igoncalves

    Handling errors during an SP-Initiated authentication

    pcraveiro

      Background

       

           During an SP-Initiated authentication, the IDP must reply to the SP with a SAML response carrying the status code urn:oasis:names:tc:SAML:2.0:status:AuthnFailed in case of failure.

       

      Problems

       

           When some problem occurs during the authentication, the IDPWebBrowserSSOValve tries to redirect the user back to the SP with the appropriate response, but the destination URL used is wrong. The AssertionConsumerServiceURL element from the AuthnRequestType (since we are handling an authentication request) is not used, and a URL like this one is defined as the destination:

       

                http://localhost:8080/idp/null

       

           The SP does not receive the response and a blank page is displayed to the user.

       

      Solution Proposal

       

           One possible solution for this problem is to change the IDPWebBrowserSSOValve to check when an AuthnRequestType is received and use its AssertionConsumerServiceURL element to get the destination URL.
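The flow described above, as an added example that is not PicketLink's own code: the IDP takes the failure Response's Destination from the AuthnRequest's AssertionConsumerServiceURL instead of a default, and the SP accepts an AuthnFailed Response only when it is addressed to its own ACS URL. It uses only the Python standard library; the sample AuthnRequest and the localhost URLs are constructed, and, per SAML 2.0 Core, AuthnFailed is emitted as a second-level status code under the top-level Responder code.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# Constructed sample AuthnRequest, as an SP would send it to the IDP.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="ID_req-1" Version="2.0" IssueInstant="2012-03-27T13:00:00Z"
    AssertionConsumerServiceURL="http://localhost:8080/sp/">
  <saml:Issuer>http://localhost:8080/sp/</saml:Issuer>
</samlp:AuthnRequest>"""

def destination_from_request(authn_request_xml):
    """Return (request ID, AssertionConsumerServiceURL) of an AuthnRequest.
    Fails loudly instead of letting a missing value become '.../idp/null'."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    return root.get("ID"), acs

def build_authn_failed_response(idp_issuer, authn_request_xml):
    """IDP side: the failure Response that must go back to the SP's ACS URL."""
    request_id, acs = destination_from_request(authn_request_xml)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "ID_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": acs,           # taken from the request, never a default
        "InResponseTo": request_id,   # lets the SP tie it to its own request
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
    ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=STATUS_AUTHN_FAILED)
    return ET.tostring(resp, encoding="unicode")

def is_authn_failed_for(response_xml, my_acs_url):
    """SP side: True only for an AuthnFailed Response addressed to this SP."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != my_acs_url:
        return False
    codes = {c.get("Value") for c in root.iter(f"{{{SAMLP}}}StatusCode")}
    return STATUS_AUTHN_FAILED in codes
```

A response whose Destination is something like http://localhost:8080/idp/null is rejected by the SP-side check, which is the symptom the thread describes.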

        • 1. Re: Handling errors during an SP-Initiated authentication
          anil.saldhana

          During initial development, I had come across this issue but it fell through the cracks.  I am glad that there is a discussion thread on this.

           

          We can choose any number of solutions. We just got to document them.

          • 2. Re: Handling errors during an SP-Initiated authentication
            pcraveiro

            I agree with you, this is an important subject to be discussed since this is a very common requirement in projects.

             

            I tested the proposed solution and it worked as expected. Now I'm trying to figure out the best way to handle the saml response on the SP side.

             

            When the SP valve receives a SAML response with a urn:oasis:names:tc:SAML:2.0:status:AuthnFailed status code, it throws an IOException and shows a blank page, rather than redirecting the user to a custom page or something like that.

             

            I tried to use some configurations in the web.xml (e.g. error-page), but a blank page is still displayed. I think this happens because these configurations in web.xml are not considered when an exception is thrown by the valve.

             

            What about having an attribute in the SP valve to define a custom error page and redirect to it in case of failure?

            • 3. Re: Handling errors during an SP-Initiated authentication
              anil.saldhana

              When there is an exception, we need to do something like

               

              response.sendError(403);

               

              This is when the custom pages in web.xml kick in.

              • 4. Re: Handling errors during an SP-Initiated authentication
                pcraveiro

                I also tried this approach, but it did not work. I'm sure this works when called inside a filter or a servlet, for example.

                • 5. Re: Handling errors during an SP-Initiated authentication
                  pcraveiro

                  I forgot to mention that IMO this is not working because valves are processed *before* the webapp-related things are, so things like error page directives are not invoked on the return value from a Valve.

                  • 6. Re: Handling errors during an SP-Initiated authentication
                    igoncalves

                    Hello!

                     

                    Sorry to post here, I'm not a developer but I'm a user and I'd like to discuss with you some approach.

                     

                    I realized that whenever an exception occurs in the valves I can't get the exceptions in my app (for example with the web.xml approach). I think it happens because once you get an exception, the request processing stops in the valve and doesn't go any further.

                     

                    When Pedro wrote that IDP would send us a SAML auth failed status I was planning to handle it in my custom login module that extends PL login module (SAML2LoginModule).

                     

                    Maybe it's possible to do something in SAML2LoginModule.

                     

                    Best Regards,

                     

                    Ismael Goncalves

                    • 7. Re: Handling errors during an SP-Initiated authentication
                      pcraveiro

                      Ismael,

                       

                          Your considerations are always welcome.

                       

                          I think that your proposal is not suitable because, like you said, the valve is executed before. Thus, the LoginModule will never be invoked.

                       

                          I think that a custom error page (proposed solution) and an audit framework (e.g. PicketBox Auditing) may help you handle these errors.

                       

                          Unfortunately, we do not have PicketBox Auditing integrated with PicketLink Federation. Maybe this can be a future feature.

                       

                      Regards.

                      Pedro Igor

                      • 8. Re: Handling errors during an SP-Initiated authentication
                        anil.saldhana

                        If you enable auditing on JBAS5/6/7, you will get the audit trails for PL too in the audit logs. Anyway, enabling trace on org.picketlink gives you a lot of info in the server logs.

                        • 9. Re: Handling errors during an SP-Initiated authentication
                          igoncalves

                          Pedro.

                           

                          I was thinking of the scenario where, once the IDP sends a SAML AuthnFailed back to the SP, the SP, through its LoginModule (SAML2LoginModule), will not log in the user, resulting in a 403 HTTP status code.

                           

                          Once the error happens in SAML2LoginModule, I think it would be possible to handle it in web.xml ("<error-page>").

                           

                          Best Regards.

                           

                          Ismael Goncalves

                           

                           

                          Pedro Igor wrote:

                           

                          Ismael,

                           

                              Your considerations are always welcome.

                           

                              I think that your proposal is not suitable because, like you said, the valve is executed before. Thus, the LoginModule will never be invoked.

                           

                              I think that a custom error page (proposed solution) and an audit framework (e.g. PicketBox Auditing) may help you handle these errors.

                           

                              Unfortunately, we do not have PicketBox Auditing integrated with PicketLink Federation. Maybe this can be a future feature.

                           

                          Regards.

                          Pedro Igor