Okay good to hear! Let me know if you have any more trouble. BTW can we somewhere see your project where you use Higgins components?
Markus

On Fri, Feb 27, 2009 at 5:36 PM, Wenceslas Wolfersperger <[email protected]> wrote:

> Hi,
>
> Thanks Markus for your help.
>
> 1. I updated from SVN which solved the NullPointerException, thanks.
>
> 2. 3. Finally the problem came from the Eclipse integrated browser. It's
> working fine with Firefox :/
>
> Thanks a lot
> Regards
> Wen
>
> ____________________
> Wenceslas Wolfersperger
>
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered office: Oldbrook House, 24-32 Pembroke Road, Ballsbridge,
> Dublin 4
>
> From: Markus Sabadello <[email protected]>
> To: "Higgins (Trust Framework) Project developer discussions" <[email protected]>
> Cc: Smriti Talwar/Ireland/i...@ibmie, He Yuan Huang <[email protected]>
> Date: 26/02/2009 01:23
> Subject: Re: [higgins-dev] SAML2 IdP Deployment Problems
> Sent by: [email protected]
>
> Hi,
>
> Thanks for the detailed input.
>
> 1. Regarding your NullPointerException during Init, I just checked in a fix
> for this. The idea is that for creating SAML 2.0 tokens, you can configure
> the SAML2 IdP to either use the Higgins STS for doing that, or use
> internal, simpler code instead. The latter requires much less configuration
> work. Please update from SVN and see if it works now.
>
> 2. Not sure what you mean with "The SAML2Request is not redirected to the
> IdP".
> Try to make sure that "saml2-idp-endpoint" and "saml2-sp-endpoint" are
> configured correctly in the conf/application.properties file of the
> saml2idp.test project (i.e. the Test SP).
>
> 3. The way the SAMLRequest is sent from the SP to the IdP is the SAML HTTP
> Binding (see
> http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf).
> It involves compression and Base64 encoding. Not sure why it doesn't work
> when you manually do that? Do you have any more information?
>
> 4. There used to be a helper project called
> org.eclipse.higgins.saml2idp.saml2, which was used both by the SP and IdP.
> It has been renamed to org.eclipse.higgins.util.saml because other projects
> started to use it too.
>
> Hope that helps
> Markus
>
> On Wed, Feb 25, 2009 at 6:01 PM, Wenceslas Wolfersperger <[email protected]> wrote:
>
> Hi all,
>
> Following instructions from here:
> http://wiki.eclipse.org/SAML2_IdP_Overview_1.1
> http://wiki.eclipse.org/SAML2_IdP_Deployment_1.1
> http://wiki.eclipse.org/SAML2_IdP_Development_1.1
>
> I got a few problems during the deployment of the SAML2 IdP solution.
>
> 2 NullPointerExceptions in the Init class from the package
> org.eclipse.higgins.saml2idp.server:
>
> (Embedded image moved to file: pic02582.gif)
>
> It corresponds to the line 337 (I got the same on the line 343):
>
> (Embedded image moved to file: pic20898.gif)
>
> Finally I commented those 2 lines which "solved" the problem
>
> The SAML2Request is not redirected to the IdP. Once the samlAuthnRequest
> is formed in the redirectAuthnRequest from the SAMLUtil class which is
> called in the Login class from the SP. I'm not sure that my explanations
> are really clear, it's quite hard to explain in a mail and maybe even
> more to understand :/. The fact is that we never reach the server
> SAMLendpoint.
>
> It gives me this trace:
>
> 18186 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Login - doPost()
> 18186 [http-8080-Processor24] INFO org.eclipse.higgins.saml2idp.test.Login - Sending SAML2 AuthnRequest to IdP.
> 18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2SPEndpoint()
> 18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getMinimal()
> 18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2IdPEndpoint()
> 18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2ProviderName()
> 18587 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2Issuer()
> 19348 [http-8080-Processor24] DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2IdPEndpoint())
>
> instead of the trace shown in the wiki:
>
> DEBUG org.eclipse.higgins.saml2idp.test.Login - doPost()
> INFO org.eclipse.higgins.saml2idp.test.Login - Sending SAML2 AuthnRequest to IdP.
> DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2IdPEndpoint()
> DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2ProviderName()
> DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2Issuer()
> DEBUG org.eclipse.higgins.saml2idp.test.Init - getSAML2SPEndpoint()
> DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint - doGet()
> DEBUG org.eclipse.higgins.saml2idp.server.SAMLEndpoint - processRequest()
> INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - The SAML2 AuthnRequest's signature has a KeyInfo element. We try to use this to verify the signature.
> INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - SAML2 AuthnRequest XML Signature successfully verified with KeyInfo element.
> INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - SAML2 AuthnRequest contains a signature. Checking if we have a matching RP certificate.
> INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - SAML2 AuthnRequest XML Signature successfully verified with certificate from CN=Markus Sabadello, O=Parity, L=Needham, ST=Massachusetts, C=US
> INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - Accepting the SAML2 AuthnRequest.
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getExtractUsernameParameterName()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getExtractUsernameHeaderName()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getExtractUsernameCookieName()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextType()
> INFO org.eclipse.higgins.saml2idp.server.SAMLEndpoint - User is not logged in. Displaying credentials form for context type $context+ldap.
> DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin - doPost()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextId()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextFactory()
> WARN org.eclipse.higgins.saml2idp.server.LDAPLogin - Cannot login user: javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object], Username=badguy (fail #1).
> DEBUG org.eclipse.higgins.saml2idp.server.LDAPLogin - doPost()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextId()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getHigginsContextFactory()
> INFO org.eclipse.higgins.saml2idp.server.LDAPLogin - User saba logged in. Sending SAML2 Response to SP.
> INFO org.eclipse.higgins.saml2idp.server.util.SAMLUtil - Creating SAML Response for destination http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint with relaystate Test relay state!!
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getSAML2Issuer()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getSAML2AssertionValidityMillis()
> DEBUG org.eclipse.higgins.saml2idp.server.Init - getSAML2AssertionValidityMillis()
> INFO org.eclipse.higgins.saml2idp.server.util.SAMLUtil - http://localhost/org.eclipse.higgins.saml2idp.test/SAMLEndpoint
> DEBUG org.eclipse.higgins.saml2idp.test.SAMLEndpoint - doPost()
> INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - SAML2 Response XML Signature verified with certificate from [email protected], CN=Markus Sabadello, OU=Higgins, O=Parity Communications, L=Vienna, ST=Some-State, C=AT
> INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - SAML2 Response StatusCode: urn:oasis:names:tc:SAML:2.0:status:Success
> INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - SAML2 Response NameID: saba
> INFO org.eclipse.higgins.saml2idp.test.SAMLEndpoint - User successfully logged in.
>
> Then the third thing which I'm currently working on is that the
> SAMLRequest in the URL sent by the SP to the IdP SAMLEndpoint (which I'm
> sending manually as the redirection is not working, because of the
> problem above^^) is not parsed. So far this is what I've found:
>
> On the SP side, the SAMLRequest parameter is an xml that is
> compressed with the deflater class and then encoded in base64.
>
> On the IdP side, the SAMLRequest is received via the getParameter
> method and then decoded with the base64 and decompressed with the
> inflater class.
>
> The problem is that the SAMLRequest is not full after the decoding or
> the decompression. As the xml is not complete, a parsing error occurs.
>
> I have a last little thing about the Base64, it seems that the
> org.eclipse.higgins.sts.spi.IBase64Extension class was removed from sts
> to use instead the common Base64 class (sources:
> http://www.nabble.com/SAML-utility-code-td17788915.html#a17874867 and
> http://graceland.parityinc.net/pub/higginsirc/log_2008-06-16.txt). In the
> different Higgins components I used, the org.eclipse.higgins.idp.saml2
> was still using this IBase64Extension class, so I just changed it to
> Base64. I don't know if it was an oversight or if the
> org.eclipse.higgins.idp.saml2 has been replaced by another one as in the
> wiki (http://wiki.eclipse.org/SAML2_IdP_Development_1.1) they are
> talking about an org.eclipse.higgins.saml2idp component that wasn't in
> the repository :/.
>
> That's pretty much it, hoping it wasn't too badly explained.
>
> Thanks a lot
> Regards
> Wen
>
> ____________________
> Wenceslas Wolfersperger
_______________________________________________
higgins-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/higgins-dev
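
The encode/decode chain discussed under point 3 of this thread (DEFLATE, then Base64, for the SAML HTTP Redirect binding), as an added Python example that is not Higgins code and not written by either poster. It shows how a tolerant decoder hands back partial XML from a damaged SAMLRequest while a strict one rejects it; the sample AuthnRequest and all function names are constructed for illustration, and it does not diagnose the cause reported in the thread.

```python
import base64
import binascii
import zlib
from urllib.parse import quote, unquote_plus

# Constructed sample AuthnRequest; the ID and both URLs are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" '
    'IssueInstant="2009-02-25T18:01:00Z" '
    'Destination="http://idp.example.test/SAMLEndpoint">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://sp.example.test/</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect(xml):
    """SP side: raw DEFLATE (no zlib header), Base64, then URL-encode."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")

def decode_lenient(value):
    """Tolerant decoder: returns whatever inflates, even a fragment."""
    inflater = zlib.decompressobj(wbits=-15)
    return inflater.decompress(base64.b64decode(value)).decode("utf-8", "replace")

def decode_strict(value):
    """IdP side: value is the URL-decoded parameter; reject damaged input."""
    inflater = zlib.decompressobj(wbits=-15)
    try:
        raw = base64.b64decode(value, validate=True)  # a space is often a lost '+'
        xml = inflater.decompress(raw)
    except (binascii.Error, zlib.error) as exc:
        raise ValueError("SAMLRequest is not Base64 of raw DEFLATE") from exc
    if not inflater.eof:
        raise ValueError("DEFLATE stream incomplete: SAMLRequest truncated")
    return xml.decode("utf-8")

def receive(query_value):
    """Model the container's URL-decoding of the query value, then decode."""
    return decode_strict(unquote_plus(query_value))

def truncate(value):
    """Cut a Base64 string roughly in half on a 4-character boundary."""
    return value[: len(value) // 2 // 4 * 4]

if __name__ == "__main__":
    cut = truncate(unquote_plus(encode_redirect(SAMPLE_XML)))
    print("lenient decoder yields:", decode_lenient(cut))
```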
