PicketLink at Service Provider Responding 302 in EAP 7.1 with SAML


Runtime: JBOSS EAP 7.1, EAP in-build picketLink and Chrome.
JAR: <resource-root path="/jboss/eap/7.1/jboss-eap/modules/system/layers/base/org/picketlink/federation/main/picketlink-federation-2.5.5.SP8-redhat-1.jar"/>

We enabled SP-initiated Web SSO with the IDP and we are able to get the SAML response from the IDP. The IDP posts the SAML response in Base64-encoded format. When Chrome posts the SAML response to the Service Provider, the Service Provider is not able to read it.

PicketLink at the Service Provider end responds with HTTP status 302 to the browser when the SAML response is posted to the Service Provider. Due to the 302, the browser redirects to the page mentioned in the Location header. Because the redirect is done via GET, the SAML response gets lost.

Chrome browser log while posting to the Service Provider:

Request:

Request URL: https://serviceProvider.com:8583/SECUI/jaxrs/Authentication
Request Method: POST
Status Code: 302 Found
Remote Address: 10.10.10.10:8583
Referrer Policy: no-referrer-when-downgrade

Response headers:

Access-Control-Allow-Origin: https://IdentyProvider.com
Cache-Control: max-age=0
Connection: Keep-Alive
Content-Length: 0
Date: Wed, 25 Mar 2020 05:49:06 GMT
Expires: 0
Keep-Alive: timeout=15, max=1500
Location: https://serviceProvider.com:8583/SECUI/UI/index.htm
Pragma: no-cache
Server: JBCS httpd
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Request headers:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 6627
Content-Type: application/x-www-form-urlencoded
Cookie: secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*
DNT: 1
Host: serviceProvider.com:8583
Origin: https://IdentyProvider.com:8443
Referer: https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36

SAMLResponse:


JBOSS LOG:

13:49:05,653 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /SECUI for path /SECUI/jaxrs/Authentication
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Security constraints for request /SECUI/jaxrs/Authentication are [SingleConstraintMatch{emptyRoleSemantic=AUTHENTICATE, requiredRoles=[]}]
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Authenticating required for request HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Setting authentication required for exchange HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Attempting to authenticate HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}, authentication required: true
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@1cb334c2 for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:06,381 DEBUG [org.jboss.modcluster] (UndertowEventHandlerAdapter - 1) MODCLUSTER000009: Sending STATUS for default-server
13:49:06,382 DEBUG [io.undertow.request] (default I/O-2) Received CPING, sending CPONG
13:49:06,700 DEBUG [io.undertow.request.security] (default task-70) Authenticated as 1575777, roles []
13:49:06,701 DEBUG [io.undertow.request.security] (default task-70) Authentication outcome was AUTHENTICATED with method org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism@b6af5cf for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN], Location=[https://serviceProvider.com:8583/SECUI/UI/index.htm], Date=[Wed, 25 Mar 2020 05:49:06 GMT], X-Content-Type-Options=[nosniff], Content-Length=[0]}}
13:49:06,701 DEBUG [io.undertow.request.security] (default task-70) Authentication result was AUTHENTICATED for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN], Location=[https://serviceProvider.com:8583/SECUI/UI/index.htm], Date=[Wed, 25 Mar 2020 05:49:06 GMT], X-Content-Type-Options=[nosniff], Content-Length=[0]}}
13:49:07,014 DEBUG [io.undertow.request] (default I/O-12) Received CPING, sending CPONG
13:49:07,014 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /SECUI for path /SECUI/UI/index.htm
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Security constraints for request /SECUI/UI/index.htm are [SingleConstraintMatch{emptyRoleSemantic=AUTHENTICATE, requiredRoles=[]}]
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authenticating required for request HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Setting authentication required for exchange HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Attempting to authenticate HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}, authentication required: true
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@1cb334c2 for HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authenticated as 1575777, roles []
13:49:07,016 DEBUG [io.undertow.request.security] (default task-71) Authentication outcome was AUTHENTICATED with method org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism@b6af5cf for HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,016 DEBUG [io.undertow.request.security] (default task-71) Authentication result was AUTHENTICATED for HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,223 DEBUG [io.undertow.request] (default I/O-12) Received CPING, sending CPONG

HTTP Log:

10.128.117.63 - - [25/Mar/2020:13:58:40 +0800] "POST /SECUI/jaxrs/Authentication HTTP/1.1" 302 -

==> ssl_request_log.2020-03-25 <==
[25/Mar/2020:13:58:40 +0800] 10.128.117.63 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /SECUI/jaxrs/Authentication HTTP/1.1" -

==> ssl_access_log.2020-03-25 <==
10.128.117.63 - - [25/Mar/2020:13:58:40 +0800] "GET /SECUI/UI/index.htm HTTP/1.1" 200 7342

==> ssl_request_log.2020-03-25 <==
[25/Mar/2020:13:58:40 +0800] 10.128.117.63 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /SECUI/UI/index.htm HTTP/1.1" 7342

picketlink.xml

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" LogOutPage="/customLogout.jsp" SupportsSignatures="true" BindingType="POST">
    <IdentityURL>https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4</IdentityURL>
    <!-- <ServiceURL>https://serviceProvider.com:8583/SECUI/UI/index.htm</ServiceURL> -->
    <ServiceURL>https://serviceProvider.com:8583/SECUI/jaxrs/Authentication</ServiceURL>

    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/jboss/eap/7.1/instances/CAT_ICM_HUB_SEC_01/MFA.jks" />
      <Auth Key="KeyStorePass" Value="changeit" />
      <Auth Key="SigningKeyPass" Value="changeit" />
      <Auth Key="SigningKeyAlias" Value="serviceProvider.com" />
      <ValidatingAlias Key="serviceProvider.com" Value="serviceProvider.com" />
      <ValidatingAlias Key="IdentyProvider.com" Value="IdentyProvider.com" />
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <!-- <Handler class="org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse"/> -->
    <!-- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler"/> -->
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
      <!-- <Option Key="ASSERTION_CONSUMER_URL" Value="https://serviceProvider.com:8583/SECUI/UI/index.htm"/> -->
    </Handler>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <!-- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> -->
  </Handlers>
</PicketLink>
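An added diagnostic, not part of the question above, that condenses Undertow's security debug lines into one summary per worker task so the two hops (the POST to the assertion consumer URL and the GET to its Location target) can be read side by side. It assumes the `HttpServerExchange{ METHOD path request {...} response {...}}` dump format shown in the JBoss log; the sample lines are shortened copies of the ones in the question with the header dumps trimmed.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: shortened copies of the Undertow lines in the question,
# with the long header dumps trimmed to the fields this analysis reads.
SAMPLE_LOG = """\
13:49:05,653 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /SECUI for path /SECUI/jaxrs/Authentication
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Attempting to authenticate HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Content-Type=[application/x-www-form-urlencoded], Content-Length=[6627]} response {}}, authentication required: true
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@1cb334c2 for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {} response {}}
13:49:06,700 DEBUG [io.undertow.request.security] (default task-70) Authenticated as 1575777, roles []
13:49:06,701 DEBUG [io.undertow.request.security] (default task-70) Authentication outcome was AUTHENTICATED with method org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism@b6af5cf for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {} response {Location=[https://serviceProvider.com:8583/SECUI/UI/index.htm], Content-Length=[0]}}
13:49:07,014 DEBUG [io.undertow.request] (default I/O-12) Received CPING, sending CPONG
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Attempting to authenticate HttpServerExchange{ GET /SECUI/UI/index.htm request {} response {}}, authentication required: true
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@1cb334c2 for HttpServerExchange{ GET /SECUI/UI/index.htm request {} response {}}
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authenticated as 1575777, roles []
13:49:07,016 DEBUG [io.undertow.request.security] (default task-71) Authentication outcome was AUTHENTICATED with method org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism@b6af5cf for HttpServerExchange{ GET /SECUI/UI/index.htm request {} response {}}
"""

# Undertow names the worker thread in parentheses; I/O threads carry no auth state.
TASK_RE = re.compile(r"\((default task-\d+)\)")
EXCHANGE_RE = re.compile(
    r"HttpServerExchange\{ (?P<method>[A-Z]+) (?P<path>\S+) "
    r"request \{(?P<req>.*?)\} response \{(?P<resp>.*?)\}\}")
OUTCOME_RE = re.compile(r"Authentication outcome was (?P<outcome>\w+) with method (?P<mech>[\w.]+)@")
PRINCIPAL_RE = re.compile(r"Authenticated as (?P<user>\S+), roles (?P<roles>\[.*?\])")
HEADER_RE = re.compile(r"(?P<name>[\w-]+)=\[(?P<value>[^\]]*)\]")


def parse_headers(blob: str) -> Dict[str, str]:
    """Turn Undertow's 'Name=[value], Name=[value]' dump into a dict."""
    return dict(HEADER_RE.findall(blob))


def trace_requests(log_text: str) -> List[Dict]:
    """Group security debug lines by worker task and summarise each request:
    method, path, every (outcome, mechanism) pair, principal and Location header."""
    traces: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        task_match = TASK_RE.search(line)
        if not task_match:
            continue
        trace = traces.setdefault(task_match.group(1), {
            "task": task_match.group(1), "method": None, "path": None,
            "outcomes": [], "principal": None, "location": None})
        exchange = EXCHANGE_RE.search(line)
        if exchange:
            trace["method"], trace["path"] = exchange.group("method"), exchange.group("path")
            # The Location header only appears once the response has been built.
            trace["location"] = parse_headers(exchange.group("resp")).get("Location", trace["location"])
        outcome = OUTCOME_RE.search(line)
        if outcome:
            trace["outcomes"].append((outcome.group("outcome"), outcome.group("mech").rsplit(".", 1)[-1]))
        principal = PRINCIPAL_RE.search(line)
        if principal:
            trace["principal"] = principal.group("user")
    return list(traces.values())


def diagnose(traces: List[Dict]) -> Tuple[Optional[Dict], Optional[Dict]]:
    """Return (acs_post, follow_up): the POST carrying the SAMLResponse and the
    later GET whose path equals the POST's Location target, if both exist."""
    post = next((t for t in traces if t["method"] == "POST"), None)
    if post is None or not post["location"]:
        return post, None
    target_path = urlsplit(post["location"]).path
    follow = next((t for t in traces if t["method"] == "GET" and t["path"] == target_path), None)
    return post, follow


if __name__ == "__main__":
    for hop in trace_requests(SAMPLE_LOG):
        print(f"{hop['task']}: {hop['method']} {hop['path']} -> {hop['outcomes'][-1]} "
              f"as {hop['principal']}, Location={hop['location']}")
```

On the lines in the question it reports the ACS POST as AUTHENTICATED by SPFormAuthenticationMechanism for principal 1575777 with the Location header already set, so the 302 was issued after the SAML response was processed rather than instead of processing it.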