7 Replies Latest reply: Jul 30, 2012 9:21 AM by Markus Plangg RSS

SAML2AttributeHandler and Global logout

Markus Plangg Newbie

Hi,

 

I am using the SAML2AttributeHandler to send the email, firstname and lastname from the IDP to a SP. When I try to logout by adding "?GLO=true" to the current URL, the SAML2AttributeHandler throws an exception Assertion not found in the handler request on the SP side.

 

 

11:41:56,801 ERROR (http-localhost-127.0.0.1-8080-1) Server Exception:: java.lang.RuntimeException: PL00092: Null Value:Assertion not found in the handler request:{CONFIGURATION=org.picketlink.identity.federation.core.config.SPType@60b24245}

          at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleIDPResponse(SAML2AttributeHandler.java:175)

          at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleStatusResponseType(SAML2AttributeHandler.java:146)

          at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:72)

          at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:174)

          at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.handleSAMLResponse(SPRedirectFormAuthenticator.java:264)

          at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:170)

          at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:121)

          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)

          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154)

          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)

          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)

          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)

          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)

          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)

          at java.lang.Thread.run(Thread.java:679)

 

 

Do you know what could cause this problem. Maybe this happens because the user got logged out by the SAML2LogoutHandler before the AttributeHandler was called.

 

Please let me know, if you need any other information.

 

Cheers,

Markus

  • 1. Re: SAML2AttributeHandler and Global logout
    Markus Plangg Newbie

    Hi,

     

    unfortunately I still have this problem. Maybe the configuration helps.

     

    On the IDP site my picketlink-handlers.xml look like this:

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
        <Option Key="ATTRIBUTE_KEYS" Value="username,firstName,lastName,email,userRoles" /> 
        <Option Key="ATTRIBUTE_MANAGER" Value="eu.myproject.idp.UserAttributeManager" />
              </Handler>
    </Handlers>
    

     

     

    picketlink-idfed.xml

    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0"
      AttributeManager="eu.myproject.idp.UserAttributeManager">
      <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
      <Trust>
      <Domains>localhost</Domains>
      </Trust>
    </PicketLinkIDP>
    

     


     

    On the SP side the picketlink-handlers.xml:

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
        <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="true" />
              </Handler>
    </Handlers>
    

     

     

    picketlink-idfed.xml

    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
     <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
     <ServiceURL>${kbrowser.url::http://localhost:8080/kbrowser/}</ServiceURL>
    </PicketLinkSP>
    

     


    Any hits would be very helpful.

     

    Cheers,

    Markus

  • 2. Re: SAML2AttributeHandler and Global logout
    Markus Plangg Newbie

    Hi,

     

    I just tried with Picketlink 2.1.1 but still the same issue. Login and Logout works fine but as soon as I enable the SAML2AttributeHandler on the SP side I get the exception:

     

     

    20:23:52,742 ERROR [org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator] (http-localhost-127.0.0.1-8080-6) Server Exception:: java.lang.RuntimeException: PL00092: Null Value:Assertion not found in the handler request:{CONFIGURATION=org.picketlink.identity.federation.core.config.SPType@81b087d}
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleIDPResponse(SAML2AttributeHandler.java:162) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleStatusResponseType(SAML2AttributeHandler.java:139) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
              at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:64) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:136) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:322) [picketlink-jbas7-2.1.1.Final.jar:2.1.1.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:205) [picketlink-jbas7-2.1.1.Final.jar:2.1.1.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:160) [picketlink-jbas7-2.1.1.Final.jar:2.1.1.Final]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
              at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_23]

     

     

    Does anyone have a working configuration with SAML2AttributeHandler and Logout working?

     

    Cheers,

    Markus

  • 3. Re: SAML2AttributeHandler and Global logout
    Melloware Inc Newbie

    We are having the exact same issue. 

  • 4. Re: SAML2AttributeHandler and Global logout
    Pedro Igor Apprentice

    HI,

     

       Can you try to use the AttributeManager attribute in the PicketLinkIDP element ?

     

       I realized that you are using the old configuration model. Now, you need only a single configuration file in WEB-INF/picketlink.xml.

     

       You can check the documentation/threads bellow for more information about the AttributeManager attribute and the consolidated configuration file.

     

  • 5. Re: SAML2AttributeHandler and Global logout
    Melloware Inc Newbie

    We upgraded to the latest PicketLink and we now have a different issue with AttributeHandler which we found an open Bug Ticket about which has not been fixed.

     

    I have submitted tickets to Red Hat Support about the issue and provided a reproducible test case.

  • 6. Re: SAML2AttributeHandler and Global logout
    Pedro Igor Apprentice

    Hi,

     

        Can you checkout the latest version (2.1.4-SNAPSHOT) and try it out ?

     

            JIRA: https://issues.jboss.org/browse/PLFED-324

             PR: https://github.com/picketlink/federation/pull/133

     

    Regards.

    Pedro Igor

  • 7. Re: SAML2AttributeHandler and Global logout
    Markus Plangg Newbie

    Hi,

     

    sorry for the late answer.

     

    I tried with the current (todays) version from github and the global logout works. Thanks a lot for fixing this.

     

    Unfortunately I now have the problem that I have to create a file index.jsp in the IDP and logout.jsp in the client. Also some files in /hosted are hardcoded. This is a minor issue but it would be nice if this is at least configurable.

     

    Cheers,

    Markus