7 Replies Latest reply on Jul 30, 2012 9:21 AM by mksplg

    SAML2AttributeHandler and Global logout

    mksplg

      Hi,

      I am using the SAML2AttributeHandler to send the email, firstname and lastname from the IDP to an SP. When I try to log out by adding "?GLO=true" to the current URL, the SAML2AttributeHandler throws the exception "Assertion not found in the handler request" on the SP side.

      {code}
      11:41:56,801 ERROR [org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator] (http-localhost-127.0.0.1-8080-1) Server Exception:: java.lang.RuntimeException: PL00092: Null Value:Assertion not found in the handler request:{CONFIGURATION=org.picketlink.identity.federation.core.config.SPType@60b24245}
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleIDPResponse(SAML2AttributeHandler.java:175) [picketlink-fed-2.0.3.Final.jar:2.0.3.Final]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleStatusResponseType(SAML2AttributeHandler.java:146) [picketlink-fed-2.0.3.Final.jar:2.0.3.Final]
              at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:72) [picketlink-fed-2.0.3.Final.jar:2.0.3.Final]
              at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:174) [picketlink-fed-2.0.3.Final.jar:2.0.3.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.handleSAMLResponse(SPRedirectFormAuthenticator.java:264) [picketlink-bindings-2.0.3.Final.jar:2.0.3.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:170) [picketlink-bindings-2.0.3.Final.jar:2.0.3.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator.authenticate(SPRedirectFormAuthenticator.java:121) [picketlink-bindings-2.0.3.Final.jar:2.0.3.Final]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.10.Final.jar:]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]
              at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_23]
      {code}

      Do you know what could cause this problem? Maybe this happens because the user got logged out by the SAML2LogoutHandler before the AttributeHandler was called.

      Please let me know if you need any other information.

      Cheers,

      Markus

        • 1. Re: SAML2AttributeHandler and Global logout
          mksplg

          Hi,

          Unfortunately I still have this problem. Maybe the configuration helps.

          On the IDP side my picketlink-handlers.xml looks like this:

          {code:xml}
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
              <Option Key="ATTRIBUTE_KEYS" Value="username,firstName,lastName,email,userRoles" />
              <Option Key="ATTRIBUTE_MANAGER" Value="eu.myproject.idp.UserAttributeManager" />
            </Handler>
          </Handlers>
          {code}

          picketlink-idfed.xml:

          {code:xml}
          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0"
            AttributeManager="eu.myproject.idp.UserAttributeManager">
            <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
            <Trust>
              <Domains>localhost</Domains>
            </Trust>
          </PicketLinkIDP>
          {code}

          On the SP side the picketlink-handlers.xml:

          {code:xml}
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
            <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
              <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="true" />
            </Handler>
          </Handlers>
          {code}

          picketlink-idfed.xml:

          {code:xml}
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
            <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
            <ServiceURL>${kbrowser.url::http://localhost:8080/kbrowser/}</ServiceURL>
          </PicketLinkSP>
          {code}

          Any hints would be very helpful.

          Cheers,

          Markus

          • 2. Re: SAML2AttributeHandler and Global logout
            mksplg

            Hi,

            I just tried with PicketLink 2.1.1 but still have the same issue. Login and logout work fine, but as soon as I enable the SAML2AttributeHandler on the SP side I get the exception:

            {code}
            20:23:52,742 ERROR [org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator] (http-localhost-127.0.0.1-8080-6) Server Exception:: java.lang.RuntimeException: PL00092: Null Value:Assertion not found in the handler request:{CONFIGURATION=org.picketlink.identity.federation.core.config.SPType@81b087d}
                    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleIDPResponse(SAML2AttributeHandler.java:162) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
                    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler.handleStatusResponseType(SAML2AttributeHandler.java:139) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
                    at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:64) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
                    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:136) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
                    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:106) [picketlink-core-2.1.1.Final.jar:2.1.1.Final]
                    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:322) [picketlink-jbas7-2.1.1.Final.jar:2.1.1.Final]
                    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:205) [picketlink-jbas7-2.1.1.Final.jar:2.1.1.Final]
                    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:160) [picketlink-jbas7-2.1.1.Final.jar:2.1.1.Final]
                    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
                    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
                    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
                    at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_23]
            {code}

            Does anyone have a working configuration with SAML2AttributeHandler and logout working?

            Cheers,

            Markus
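            In both stack traces above the exception is raised from SAML2AttributeHandler.handleIDPResponse, reached through handleStatusResponseType, which is the path taken for the IDP's LogoutResponse after ?GLO=true: the attribute handler is looking for an Assertion inside a message type that never carries one. The following is an added example, not PicketLink code and not from any poster, that shows the dispatch-on-message-type logic an SP-side attribute handler needs, written in plain Python with only the standard library. The two SAML messages, the issuer URL, subject and attribute names are constructed for illustration; the choose_friendly_name switch mirrors the SP-side ATTRIBUTE_CHOOSE_FRIENDLY_NAME option from the configuration posted above.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: an IDP authentication Response carrying one Assertion
# (issuer URL, subject and attribute names are made up for this example).
AUTHN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2012-07-30T09:00:00Z">
  <saml:Issuer>http://localhost:8080/idp/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-07-30T09:00:00Z">
    <saml:Issuer>http://localhost:8080/idp/</saml:Issuer>
    <saml:Subject><saml:NameID>markus</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:mail" FriendlyName="email">
        <saml:AttributeValue>markus@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:givenName" FriendlyName="firstName">
        <saml:AttributeValue>Markus</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userRoles">
        <saml:AttributeValue>user</saml:AttributeValue>
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the LogoutResponse the IDP sends back after ?GLO=true.
# Like Response it is a StatusResponseType, but it never carries an Assertion.
LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_l1" Version="2.0" IssueInstant="2012-07-30T09:05:00Z" InResponseTo="_lr1">
  <saml:Issuer>http://localhost:8080/idp/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


def message_type(root):
    """Local name of the root element: 'Response', 'LogoutResponse', ..."""
    return root.tag.split("}", 1)[1]


def status_ok(root):
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS


def extract_attributes(assertion, choose_friendly_name=False):
    """Return {name: [values]} from the AttributeStatement. With
    choose_friendly_name the FriendlyName is the key when present
    (what the SP option ATTRIBUTE_CHOOSE_FRIENDLY_NAME selects), else Name."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("Name")
        if choose_friendly_name and attr.get("FriendlyName"):
            key = attr.get("FriendlyName")
        attrs[key] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def naive_attribute_handler(xml_text):
    """Reproduces the failure mode in the thread: every status response is
    treated as an authentication response, so a LogoutResponse raises."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise RuntimeError("Assertion not found in the handler request")
    return extract_attributes(assertion)


def attribute_handler(xml_text, choose_friendly_name=False):
    """Dispatch on the message type before looking for an Assertion: returns
    the attribute dict for a successful authentication Response and None for
    a LogoutResponse, which the logout handler in the chain is responsible for."""
    root = ET.fromstring(xml_text)
    kind = message_type(root)
    if kind == "LogoutResponse":
        return None
    if kind != "Response":
        raise ValueError("unexpected SAML message in IDP response: " + kind)
    if not status_ok(root):
        raise ValueError("IDP reported a non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("authentication Response without an Assertion")
    return extract_attributes(assertion, choose_friendly_name)


if __name__ == "__main__":
    print(attribute_handler(AUTHN_RESPONSE, choose_friendly_name=True))
    print(attribute_handler(LOGOUT_RESPONSE))
```

            Two caveats for anyone adapting this: the example performs no issuer-trust or signature validation, so in a real SP chain attributes must only be read after those handlers have accepted the response, and an attribute handler that silently returns None for a LogoutResponse must still leave session invalidation to the logout handler rather than treating "no attributes" as "still logged in".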

            • 3. Re: SAML2AttributeHandler and Global logout
              melloware

              We are having the exact same issue. 

              • 4. Re: SAML2AttributeHandler and Global logout
                pcraveiro

                Hi,

                Can you try to use the AttributeManager attribute in the PicketLinkIDP element?

                I realized that you are using the old configuration model. Now you need only a single configuration file in WEB-INF/picketlink.xml.

                You can check the documentation/threads below for more information about the AttributeManager attribute and the consolidated configuration file.


                • 5. Re: SAML2AttributeHandler and Global logout
                  melloware

                  We upgraded to the latest PicketLink and now have a different issue with the AttributeHandler, about which we found an open bug ticket that has not been fixed.

                  I have submitted tickets to Red Hat Support about the issue and provided a reproducible test case.

                  • 6. Re: SAML2AttributeHandler and Global logout
                    pcraveiro

                    Hi,

                    Can you check out the latest version (2.1.4-SNAPSHOT) and try it out?

                    JIRA: https://issues.jboss.org/browse/PLFED-324
                    PR: https://github.com/picketlink/federation/pull/133

                    Regards,
                    Pedro Igor

                    • 7. Re: SAML2AttributeHandler and Global logout
                      mksplg

                      Hi,

                      Sorry for the late answer.

                      I tried with the current (today's) version from GitHub and the global logout works. Thanks a lot for fixing this.

                      Unfortunately I now have the problem that I have to create a file index.jsp in the IDP and logout.jsp in the client. Also some files in /hosted are hardcoded. This is a minor issue, but it would be nice if this were at least configurable.

                      Cheers,

                      Markus