9 Replies. Latest reply: Mar 27, 2012 1:12 PM by Ismael Gonçalves

Handling errors during an SP-Initiated authentication

Pedro Igor Apprentice

Background

     During an SP-Initiated authentication the IDP must reply to the SP with a SAML response carrying the status code urn:oasis:names:tc:SAML:2.0:status:AuthnFailed in case of failure.

Problems

     When some problem occurs during the authentication the IDPWebBrowserSSOValve tries to redirect the user back to the SP with the appropriate response, but the destination URL used is wrong. The AssertionConsumerServiceURL element from the AuthnRequestType (since we are handling an authentication request) is not used and a URL like this one is defined as the destination:

          http://localhost:8080/idp/null

     The SP does not receive the response and a blank page is displayed to the user.

Solution Proposal

     One possible solution for this problem is to change the IDPWebBrowserSSOValve to check when an AuthnRequestType is received and use its AssertionConsumerServiceURL element to get the destination URL.

  • 1. Re: Handling errors during an SP-Initiated authentication
    Anil Saldhana Master

    During initial development, I had come across this issue but it fell through the cracks. I am glad that there is a discussion thread on this.

    We can choose any number of solutions. We just got to document them.

  • 2. Re: Handling errors during an SP-Initiated authentication
    Pedro Igor Apprentice

    I agree with you, this is an important subject to be discussed since this is a very common requirement in projects.

    I tested the proposed solution and it worked as expected. Now I'm trying to figure out the best way to handle the SAML response on the SP side.

    When the SP valve receives a SAML response with a urn:oasis:names:tc:SAML:2.0:status:AuthnFailed status code it throws an IOException and shows a blank page, rather than redirecting the user to a custom page or something like that.

    I tried to use some configurations in the web.xml (e.g. error-page), but a blank page is still displayed. I think this happens because these configurations in web.xml are not considered when an exception is thrown by the valve.

    What about having an attribute in the SP valve to define a custom error page and redirect to it in case of failure?
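An added example, not PicketLink code, covering the two fixes discussed in the original proposal and in this reply: on the IDP side the error response's Destination is taken from the AuthnRequest's AssertionConsumerServiceURL (and the response is refused when that attribute is absent, instead of producing the "idp/null" URL), and on the SP side an AuthnFailed status is mapped to a redirect to a configured error page (assumed path /saml-error.jsp) rather than an exception. It is written in Python against plain SAML 2.0 XML rather than the PicketLink API, the AuthnRequest is constructed sample data, and it goes one step beyond the post by nesting AuthnFailed under a top-level Responder StatusCode as SAML 2.0 core section 3.2.2.2 requires.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

def acs_url_from_authn_request(authn_request_xml):
    """IDP side: the destination of the response, success or failure, is the
    AssertionConsumerServiceURL carried by the SP's AuthnRequest. Refusing to
    build a response without it replaces the 'idp/null' URL from the post."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("AuthnRequest has no AssertionConsumerServiceURL")
    return acs

def build_authn_failed_response(in_response_to, destination):
    """IDP side: SAML 2.0 core (3.2.2.2) makes AuthnFailed a second-level
    code, so it is nested under a top-level Responder StatusCode."""
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_constructed-response-id", "Version": "2.0",
        "InResponseTo": in_response_to, "Destination": destination})
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": RESPONDER})
    ET.SubElement(top, "{%s}StatusCode" % SAMLP, {"Value": AUTHN_FAILED})
    return ET.tostring(resp, encoding="unicode")

def status_codes(response_xml):
    """Top-level and nested StatusCode values, in document order."""
    root = ET.fromstring(response_xml)
    return [c.get("Value") for c in root.iter("{%s}StatusCode" % SAMLP)]

def sp_next_action(response_xml, error_page="/saml-error.jsp"):
    """SP side: an AuthnFailed response becomes a redirect to a configured
    error page (assumed path) instead of an IOException and a blank page."""
    codes = status_codes(response_xml)
    if codes and codes[0] == SUCCESS:
        return ("continue", None)
    if AUTHN_FAILED in codes:
        return ("redirect", error_page)
    raise ValueError("unexpected SAML status %s" % codes)

# Constructed sample AuthnRequest, as the SP valve would send it to the IDP.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_req1" Version="2.0" '
    'AssertionConsumerServiceURL="http://localhost:8080/sp/"/>' % SAMLP)
```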

  • 3. Re: Handling errors during an SP-Initiated authentication
    Anil Saldhana Master

    When there is an exception, we need to do something like

    response.sendError(403);

    This is when the custom pages in web.xml kick in.

  • 4. Re: Handling errors during an SP-Initiated authentication
    Pedro Igor Apprentice

    I also tried this approach. But it did not work. I'm sure this works when called inside a filter or a servlet, for example.

  • 5. Re: Handling errors during an SP-Initiated authentication
    Pedro Igor Apprentice

    I forgot to mention that IMO this is not working because valves are processed *before* the webapp-related things are, so things like error page directives are not invoked on the return value from a Valve.

  • 6. Re: Handling errors during an SP-Initiated authentication
    Ismael Gonçalves Newbie

    Hello!

    Sorry to post here, I'm not a developer but I'm a user and I'd like to discuss some approach with you.

    I realized that whenever an exception occurs in the valves I can't get the exceptions in my app (for example with the web.xml approach). I think it happens because once you get an exception the request processing stops in the valve and doesn't go below.

    When Pedro wrote that the IDP would send us a SAML auth failed status I was planning to handle it in my custom login module that extends the PL login module (SAML2LoginModule).

    Maybe it's possible to do something in SAML2LoginModule.

    Best Regards,

    Ismael Goncalves

  • 7. Re: Handling errors during an SP-Initiated authentication
    Pedro Igor Apprentice

    Ismael,

    Your considerations are always welcome.

    I think that your proposal is not suitable because, like you said, the valve is executed before. Thus, the LoginModule will never be invoked.

    I think that a custom error page (proposed solution) and an audit framework (e.g. PicketBox Auditing) may help you handle these errors.

    Unfortunately, we do not have PicketBox Auditing integrated with PicketLink Federation. Maybe this can be a future feature.

    Regards.

    Pedro Igor

  • 8. Re: Handling errors during an SP-Initiated authentication
    Anil Saldhana Master

    If you enable auditing on JBAS5/6/7, you will get the audit trails for PL too in the audit logs. Anyway, enabling trace on org.picketlink gives you a lot of info in the server logs.

  • 9. Re: Handling errors during an SP-Initiated authentication
    Ismael Gonçalves Newbie

    Pedro,

    I was thinking of the scenario where, once the IDP sends back to the SP a SAML AuthnFailed, the SP through its LoginModule (SAML2LoginModule) will not log in the user, resulting in a 403 HTTP status code.

    Once the error happens in SAML2LoginModule I think it would be possible to handle it in web.xml ("<error-page>").

    Best Regards.

    Ismael Goncalves
