Hi Pablo,
Sorry for the long delay. We have been working to address the issues for
"Third interop test between Metro and .NET".
The SAML assertion from the OpenSSO PassiveSTS was not meant for
reusable, i.e. only for the SP to validate it for the RP.
Once it is in the session, it is already changed. So it relies on the SP
to validate it and certify it
for the Active STS.
We have exposed some API to obtained the original SAML assertion in case
the other party (ActiveSTS) needs to validate things
like the signature. The change is ready in a recent OpenSSO build. I am
testing it now. After that, I will let you know how you can work with it
with Metro stonehenge implementation.
See inline ...
Pablo Cibraro wrote:
Hi Jiandong,
I removed almost all the elements in the RSTR message to have something close
to what OpenSSO generates. This is final message that our implementation is
generating,
<t:RequestSecurityTokenResponse Context="s21a382559d033337807359a1c786d343acb5e664d"
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-12-07T21:29:02.912Z</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-12-07T22:29:02.912Z</wsu:Expires>
</t:Lifetime>
<t:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_2d1c3a8d-4b59-4e75-9dcf-e6a5aedc88cd"
Issuer="PassiveSTS" IssueInstant="2009-12-07T21:29:02.912Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2009-12-07T21:29:02.912Z"
NotOnOrAfter="2009-12-07T22:29:02.912Z" />
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="role"
AttributeNamespace="http://microsoft">
<saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
AuthenticationInstant="2009-12-07T21:29:02.912Z">
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_2d1c3a8d-4b59-4e75-9dcf-e6a5aedc88cd">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
/>
<ds:DigestValue>BpI6b9ENe2F+FNaCGqk7n1FY0Qtawsw4vgHiimSOcn0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>llFnZtOAd9ulRIZQ9TIlpVb53uFT8OX3ymfvO2B+gohHMvOWHFfGFkF8frLDqursuP/mqUfyo60oSlhkp6XDLrB89VaATZoQTBaO2NRlIKKAQYhapN+VD0ZW0pi7RQeblKeNZWKgW+tJZlFnya25XGILBnH4BvZQzgqAywyQgAs=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIB8DCCAVmgAwIBAgIQblTMtVPsaJNFRKtH3ePDszANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdCU0wuQ29tMB4XDTA4MDUyMTA0NDgxNVoXDTM5MTIzMTIzNTk1OVowEjEQMA4GA1UEAxMHQlNMLkNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArai/gNTS+dU4GvMSB5VfkFL1e5ielRhgtnWJ70Xpl51ABksTFkpRNcLDo56sdXtnk3sKEGWe2QeQ1uoBo0bN7aQTsHCNjuT5K/YD4/y2j+oeRESrz905mJ4owW08MnxkhUzpa6+iPGq0l3TdZaG0GHuuky6wEWe3Chc0hdwCdv0CAwEAAaNHMEUwQwYDVR0BBDwwOoAQcMZu+2G/jyh39/5QO/5nIKEUMBIxEDAOBgNVBAMTB0JTTC5Db22CEG5UzLVT7GiTRUSrR93jw7MwDQYJKoZIhvcNAQEEBQADgYEApc0gYQl50mS2RklQnoCpRX/wEfdwhNIQXcMj/6eqcf9Ul6623Ge2jDNMgQesLAK+rp+kKFqgL6F4odrqxY1u00QvUPQi9LLjWBUi1xAiNnd9lBwmD7z4ITsxhU40/ON+GVIHJ1CbeWvTwE5TaFyCP6uRSDX1Ojv+tovYt6X5Y4w=</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
This message does not work either, and I am still getting the same error in OpenSSO.
What exactly the exception you get? The same NPE wrt to AppliesTo? We
fixed the namesapce issue for AppliesTo with the latest OpenSSO.
Could it be an issue with the SAML token itself ?. I haven't found detailed
information in the OpenSSO log about what could be wrong, so at this point I am
pretty lost. At first glance, do you see something wrong in the message above ?
(Note, I also tried removing the Lifetime element, but that gave the same
results).
I guess OpenSSO need to check if the SAML asertion is targeted for the
specific RP, i.e. it needs an AudienceRestrictionCondition in the SAML
assertion.
Thanks!
Jiandong
Could the confirmation method be the issue?, OpenSSO is not including any
confirmation method in the SAML token.
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
Thanks
Pablo.
-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com]
Sent: Wednesday, November 11, 2009 8:13 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Fifth interop test between Metro and .NET
Ok. Looks like a mistake in OpenSSO. It uses ws-addressing namespace for
AppliesTo.
I will check with them to see if we can have a patch. In the mean time,
you may get this
particular test going by removing the AppliesTo in RSPR. According to
the spec, if the scope of the the issued token
is the same as the one specified in the AppliesTo in the RST, then you
don't need to put AppliesTo in the RSTR.
Thanks!
Jiandong
Pablo Cibraro wrote:
You always know the answer :). Ok, I've changed the WS-TRUST version that
Geneva was using in the Passive STS, so it is now generating this message.
<t:RequestSecurityTokenResponse Context="s2cd9f16167cabfa87c3aaa22457820ed00240cfd4"
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-11T18:01:43.192Z</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-12T04:01:43.192Z</wsu:Expires>
</t:Lifetime>
<z:ReplyTo
xmlns:z="http://schemas.microsoft.com/ws/2008/06/identity">https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</z:ReplyTo>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</Address>
</EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_488ad180-6478-416e-8a61-c879f8a75a4d"
Issuer="PassiveSTS" IssueInstant="2009-11-11T18:01:43.195Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2009-11-11T18:01:43.192Z"
NotOnOrAfter="2009-11-12T04:01:43.192Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="role"
AttributeNamespace="http://microsoft">
<saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
AuthenticationInstant="2009-11-11T18:01:43.195Z">
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_488ad180-6478-416e-8a61-c879f8a75a4d">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>u2bSngQA1SOIyYglfZs8bXMZ19c=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>JT55FJhCtjnisHzF75UY6JwA01Y7lkZM5qxFJGLZi7s7/B7PBKGyjleF7sa3M5RkhNODjbg4PfjWMVZEG5xITciFk95P86BS8CqxJJCjOz4YkjqPTX6kRROe2RNgI6WaWnFDuCPuS+Wuc/mkWqtLrss0lXY311BfrI/saX7n7t4=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIB8DCCAVmgAwIBAgIQblTMtVPsaJNFRKtH3ePDszANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdCU0wuQ29tMB4XDTA4MDUyMTA0NDgxNVoXDTM5MTIzMTIzNTk1OVowEjEQMA4GA1UEAxMHQlNMLkNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArai/gNTS+dU4GvMSB5VfkFL1e5ielRhgtnWJ70Xpl51ABksTFkpRNcLDo56sdXtnk3sKEGWe2QeQ1uoBo0bN7aQTsHCNjuT5K/YD4/y2j+oeRESrz905mJ4owW08MnxkhUzpa6+iPGq0l3TdZaG0GHuuky6wEWe3Chc0hdwCdv0CAwEAAaNHMEUwQwYDVR0BBDwwOoAQcMZu+2G/jyh39/5QO/5nIKEUMBIxEDAOBgNVBAMTB0JTTC5Db22CEG5UzLVT7GiTRUSrR93jw7MwDQYJKoZIhvcNAQEEBQADgYEApc0gYQl50mS2RklQnoCpRX/wEfdwhNIQXcMj/6eqcf9Ul6623Ge2jDNMgQesLAK+rp+kKFqgL6F4odrqxY1u00QvUPQi9LLjWBUi1xAiNnd9lBwmD7z4ITsxhU40/ON+GVIHJ1CbeWvTwE5TaFyCP6uRSDX1Ojv+tovYt6X5Y4w=</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<t:RequestedAttachedReference>
<o:SecurityTokenReference
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_488ad180-6478-416e-8a61-c879f8a75a4d</o:KeyIdentifier>
</o:SecurityTokenReference>
</t:RequestedAttachedReference>
<t:RequestedUnattachedReference>
<o:SecurityTokenReference
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_488ad180-6478-416e-8a61-c879f8a75a4d</o:KeyIdentifier>
</o:SecurityTokenReference>
</t:RequestedUnattachedReference>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
I am now getting the following exception in OpenSSO,
#|2009-11-11T14:01:46.422-0400|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8180-0;_RequestID=8395b912-1787-4a81-8b2d-80ee5efa0a75;|
java.lang.NullPointerException
at
com.sun.identity.wsfederation.profile.RequestSecurityTokenResponse.<init>(RequestSecurityTokenResponse.java:126)
at
com.sun.identity.wsfederation.profile.RequestSecurityTokenResponse.parseXML(RequestSecurityTokenResponse.java:159)
at
com.sun.identity.wsfederation.servlet.RPSigninResponse.process(RPSigninResponse.java:101)
at
com.sun.identity.wsfederation.servlet.WSFederationServlet.doPost(WSFederationServlet.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at
org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at
com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
at
com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
at
com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at
com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
|#]
It looks like Geneva is generating something that OpenSSO does not know how to
parse or something like that. I initially thought that the addressing version
in the AppliesTo element could be the issue as OpenSSO is using an older
versio, so I changed that, but it did not work.
Any clue about what could be wrong in the message ?
Thanks
Pablo.
-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com]
Sent: Tuesday, November 10, 2009 8:52 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Fifth interop test between Metro and .NET
The version of ws-federation passive profile supported in OpenSSO is
before 1.1. So no
RequestSecurityTokenResponseCollection with
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" ;-) .
Is it possible to configure .Net Passive STS to create
<wst:RequestSecurityTokenResponse
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
Thanks!
Jiandong
Pablo Cibraro wrote:
Pablo Cibraro wrote:
Mmm, no. The only info about errors I could find was in this folder
opensso\log\WSFederation.error. This file contains a single line with the
WS-Trust message that the .NET passive STS is generating,
These are the redirections I am getting,
1. Trader client makes an Http GET to
https://sp.stonehenge.com:8080/WSFederationServlet/metaAlias/Fedsp?goto=http://apps.stonehenge.com:1316/trader_client
2. OpenSSO makes an Http GET to http://localhost/trade_identity ? All the
WSTrust parameters (This is the .NET passive STS)
3. The .NET passive STS generates a form with action =
"https://sp.stonehenge.com:8080/WSFederationServlet/metaAlias/Fedsp"
This is the WS-TRUST message
<trust:RequestSecurityTokenResponseCollection
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse
Context="s2ceec7ad41fed61267f0f72c9557b77046c98ef7c">
<trust:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-10T22:59:28.543Z</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-11T08:59:28.543Z</wsu:Expires>
</trust:Lifetime>
<z:ReplyTo
xmlns:z="http://schemas.microsoft.com/ws/2008/06/identity">https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</z:ReplyTo>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</Address>
</EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_560fe2f7-f0c9-418b-8e74-4145f5c37b7b"
Issuer="PassiveSTS" IssueInstant="2009-11-10T22:59:28.544Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2009-11-10T22:59:28.543Z"
NotOnOrAfter="2009-11-11T08:59:28.543Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="role"
AttributeNamespace="http://microsoft">
<saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
AuthenticationInstant="2009-11-10T22:59:28.543Z">
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_560fe2f7-f0c9-418b-8e74-4145f5c37b7b">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>Bt97jrvwGHD7YYHGIrzseAERLz0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>DUWVbsicStAEAAjKECn6txzxY3R/Xqac69haLQnhiE7nzvDD40rQ9yME25+8f4mbyOSlQqM6t8gI+CD6wOOUIZHuCOGZw7FA/KLbhIVFhJfPbzeGqEXcrcplhhbHCiUDC0V5Dt8tRFJZEOIrb3Ytha9j+yOwwB9UJdZl63E2lMA=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIB8DCCAVmgAwIBAgIQblTMtVPsaJNFRKtH3ePDszANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdCU0wuQ29tMB4XDTA4MDUyMTA0NDgxNVoXDTM5MTIzMTIzNTk1OVowEjEQMA4GA1UEAxMHQlNMLkNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArai/gNTS+dU4GvMSB5VfkFL1e5ielRhgtnWJ70Xpl51ABksTFkpRNcLDo56sdXtnk3sKEGWe2QeQ1uoBo0bN7aQTsHCNjuT5K/YD4/y2j+oeRESrz905mJ4owW08MnxkhUzpa6+iPGq0l3TdZaG0GHuuky6wEWe3Chc0hdwCdv0CAwEAAaNHMEUwQwYDVR0BBDwwOoAQcMZu+2G/jyh39/5QO/5nIKEUMBIxEDAOBgNVBAMTB0JTTC5Db22CEG5UzLVT7GiTRUSrR93jw7MwDQYJKoZIhvcNAQEEBQADgYEApc0gYQl50mS2RklQnoCpRX/wEfdwhNIQXcMj/6eqcf9Ul6623Ge2jDNMgQesLAK+rp+kKFqgL6F4odrqxY1u00QvUPQi9LLjWBUi1xAiNnd9lBwmD7z4ITsxhU40/ON+GVIHJ1CbeWvTwE5TaFyCP6uRSDX1Ojv+tovYt6X5Y4w=</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<o:SecurityTokenReference
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_560fe2f7-f0c9-418b-8e74-4145f5c37b7b</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<o:SecurityTokenReference
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_560fe2f7-f0c9-418b-8e74-4145f5c37b7b</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>
The only error I am getting in OpenSSO is HTTP Status 403 (Access Denied to the
specified resource) after the form with the WS-TRUST message is posted.
Do you see something strange in the WS-TRUST message ?
Thanks
Pablo.
-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com]
Sent: Tuesday, November 10, 2009 6:13 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Fifth interop test between Metro and .NET
Pablo Cibraro wrote:
Thanks. The metro client is now calling the .NET passive STS, and this one is
returning a SAML token to the OpenSSO sp.
Great!
The OpenSSO sp is throwing an with the following details,
The following exceptions should not be relevant.
Do you see any other information in the server log for sp?
Or check the opensso debug files in the config directory, e.g.
C:\Documents and Settings\manveen\opensso\sp\opensso\debug.
Thanks!
Jiandong
[#|2009-11-10T14:00:44.647-0400|SEVERE|sun-appserver9.1|com.sun.xml.ws.wspolicy.PolicyWSDLParserExtension|_ThreadID=10;_ThreadName=main;_RequestID=570cda77-1918-4cbe-b3c6-13f1b82a2033;|WSP1007:
Policy exception occured when finishing WSDL parsing.
com.sun.xml.ws.policy.PolicyException: WSP0071: Multiple policy assertion
creators try to register for namespace
'http://schemas.xmlsoap.org/ws/2005/02/rm/policy'. Old creator`s class:
'com.sun.xml.ws.rx.policy.spi_impl.RxAssertionCreator', new creator`s class:
'com.sun.xml.ws.rm.policy.spi_impl.RmAssertionCreator'.
at
com.sun.xml.ws.policy.sourcemodel.PolicyModelTranslator.<init>(PolicyModelTranslator.java:184)
at
com.sun.xml.ws.api.policy.ModelTranslator.<init>(ModelTranslator.java:81)
at
com.sun.xml.ws.api.policy.ModelTranslator.<clinit>(ModelTranslator.java:70)
at
com.sun.xml.ws.policy.BuilderHandler.getPolicies(BuilderHandler.java:97)
at
com.sun.xml.ws.policy.BuilderHandler.getPolicySubjects(BuilderHandler.java:105)
at
com.sun.xml.ws.policy.BuilderHandlerEndpointScope.doPopulate(BuilderHandlerEndpointScope.java:67)
at com.sun.xml.ws.policy.BuilderHandler.populate(BuilderHandler.java:77)
at
com.sun.xml.ws.policy.PolicyMapBuilder.getNewPolicyMap(PolicyMapBuilder.java:103)
at
com.sun.xml.ws.policy.PolicyMapBuilder.getPolicyMap(PolicyMapBuilder.java:85)
at
com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:955)
at
com.sun.xml.ws.wsdl.parser.DelegatingParserExtension.postFinished(DelegatingParserExtension.java:187)
at
com.sun.xml.ws.wsdl.parser.WSDLParserExtensionFacade.postFinished(WSDLParserExtensionFacade.java:334)
at
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:262)
at
com.sun.xml.ws.server.EndpointFactory.getWSDLPort(EndpointFactory.java:531)
at
com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:174)
at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:505)
at
com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
at
com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
at
com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:124)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
com.sun.identity.wss.sts.STSContextListener.contextInitialized(STSContextListener.java:107)
at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4523)
at
org.apache.catalina.core.StandardContext.start(StandardContext.java:5184)
at com.sun.enterprise.web.WebModule.start(WebModule.java:326)
at
com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
at
com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
at
com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
at
com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
at
com.sun.enterprise.web.VirtualServer.startChildren(VirtualServer.java:1672)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:955)
at
com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
at
com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
at
com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
at
com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
at
com.sun.enterprise.web.EmbeddedWebContainer$WebEngine.startChildren(EmbeddedWebContainer.java:453)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:533)
at org.apache.catalina.startup.Embedded.start(Embedded.java:936)
at com.sun.enterprise.web.WebContainer.start(WebContainer.java:873)
at
com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:790)
at
com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:84)
at
com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:442)
at
com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:120)
at com.sun.enterprise.server.PEMain.run(PEMain.java:411)
at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
|#]
[#|2009-11-10T14:00:44.649-0400|SEVERE|sun-appserver9.1|com.sun.xml.ws.server.http|_ThreadID=10;_ThreadName=main;_RequestID=570cda77-1918-4cbe-b3c6-13f1b82a2033;|WSSERVLET11:
failed to parse runtime descriptor: javax.xml.ws.WebServiceException: WSP1007:
Policy exception occured when finishing WSDL parsing.
javax.xml.ws.WebServiceException: WSP1007: Policy exception occured when
finishing WSDL parsing.
at
com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:959)
at
com.sun.xml.ws.wsdl.parser.DelegatingParserExtension.postFinished(DelegatingParserExtension.java:187)
at
com.sun.xml.ws.wsdl.parser.WSDLParserExtensionFacade.postFinished(WSDLParserExtensionFacade.java:334)
at
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:262)
at
com.sun.xml.ws.server.EndpointFactory.getWSDLPort(EndpointFactory.java:531)
at
com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:174)
at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:505)
at
com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
at
com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
at
com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:124)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
com.sun.identity.wss.sts.STSContextListener.contextInitialized(STSContextListener.java:107)
at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4523)
at
org.apache.catalina.core.StandardContext.start(StandardContext.java:5184)
at com.sun.enterprise.web.WebModule.start(WebModule.java:326)
at
com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
at
com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
at
com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
at
com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
at
com.sun.enterprise.web.VirtualServer.startChildren(VirtualServer.java:1672)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:955)
at
com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
at
com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
at
com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
at
com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
at
com.sun.enterprise.web.EmbeddedWebContainer$WebEngine.startChildren(EmbeddedWebContainer.java:453)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:533)
at org.apache.catalina.startup.Embedded.start(Embedded.java:936)
at com.sun.enterprise.web.WebContainer.start(WebContainer.java:873)
at
com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:790)
at
com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:84)
at
com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:442)
at
com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:120)
at com.sun.enterprise.server.PEMain.run(PEMain.java:411)
at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
Caused by: com.sun.xml.ws.policy.PolicyException: WSP0071: Multiple policy
assertion creators try to register for namespace
'http://schemas.xmlsoap.org/ws/2005/02/rm/policy'. Old creator`s class:
'com.sun.xml.ws.rx.policy.spi_impl.RxAssertionCreator', new creator`s class:
'com.sun.xml.ws.rm.policy.spi_impl.RmAssertionCreator'.
at
com.sun.xml.ws.policy.sourcemodel.PolicyModelTranslator.<init>(PolicyModelTranslator.java:184)
at
com.sun.xml.ws.api.policy.ModelTranslator.<init>(ModelTranslator.java:81)
at
com.sun.xml.ws.api.policy.ModelTranslator.<clinit>(ModelTranslator.java:70)
at
com.sun.xml.ws.policy.BuilderHandler.getPolicies(BuilderHandler.java:97)
at
com.sun.xml.ws.policy.BuilderHandler.getPolicySubjects(BuilderHandler.java:105)
at
com.sun.xml.ws.policy.BuilderHandlerEndpointScope.doPopulate(BuilderHandlerEndpointScope.java:67)
at com.sun.xml.ws.policy.BuilderHandler.populate(BuilderHandler.java:77)
at
com.sun.xml.ws.policy.PolicyMapBuilder.getNewPolicyMap(PolicyMapBuilder.java:103)
at
com.sun.xml.ws.policy.PolicyMapBuilder.getPolicyMap(PolicyMapBuilder.java:85)
at
com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:955)
... 44 more
|#]
[#|2009-11-10T14:00:44.655-0400|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=570cda77-1918-4cbe-b3c6-13f1b82a2033;|java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
com.sun.identity.wss.sts.STSContextListener.contextInitialized(STSContextListener.java:107)
at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4523)
at
org.apache.catalina.core.StandardContext.start(StandardContext.java:5184)
at com.sun.enterprise.web.WebModule.start(WebModule.java:326)
at
com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
at
com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
at
com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
at
com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
at
com.sun.enterprise.web.VirtualServer.startChildren(VirtualServer.java:1672)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:955)
at
com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
at
com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
at
com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
at
com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
at
com.sun.enterprise.web.EmbeddedWebContainer$WebEngine.startChildren(EmbeddedWebContainer.java:453)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:533)
at org.apache.catalina.startup.Embedded.start(Embedded.java:936)
at com.sun.enterprise.web.WebContainer.start(WebContainer.java:873)
at
com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:790)
at
com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:84)
at
com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:442)
at
com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:120)
at com.sun.enterprise.server.PEMain.run(PEMain.java:411)
at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
Caused by: com.sun.xml.ws.transport.http.servlet.WSServletException:
WSSERVLET11: failed to parse runtime descriptor:
javax.xml.ws.WebServiceException: WSP1007: Policy exception occured when
finishing WSDL parsing.
at
com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:139)
... 35 more
Caused by: javax.xml.ws.WebServiceException: WSP1007: Policy exception occured
when finishing WSDL parsing.
at
com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:959)
at
com.sun.xml.ws.wsdl.parser.DelegatingParserExtension.postFinished(DelegatingParserExtension.java:187)
at
com.sun.xml.ws.wsdl.parser.WSDLParserExtensionFacade.postFinished(WSDLParserExtensionFacade.java:334)
at
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:262)
at
com.sun.xml.ws.server.EndpointFactory.getWSDLPort(EndpointFactory.java:531)
at
com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:174)
at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:505)
at
com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
at
com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
at
com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:124)
... 35 more
Caused by: com.sun.xml.ws.policy.PolicyException: WSP0071: Multiple policy
assertion creators try to register for namespace
'http://schemas.xmlsoap.org/ws/2005/02/rm/policy'. Old creator`s class:
'com.sun.xml.ws.rx.policy.spi_impl.RxAssertionCreator', new creator`s class:
'com.sun.xml.ws.rm.policy.spi_impl.RmAssertionCreator'.
at
com.sun.xml.ws.policy.sourcemodel.PolicyModelTranslator.<init>(PolicyModelTranslator.java:184)
at
com.sun.xml.ws.api.policy.ModelTranslator.<init>(ModelTranslator.java:81)
at
com.sun.xml.ws.api.policy.ModelTranslator.<clinit>(ModelTranslator.java:70)
at
com.sun.xml.ws.policy.BuilderHandler.getPolicies(BuilderHandler.java:97)
at
com.sun.xml.ws.policy.BuilderHandler.getPolicySubjects(BuilderHandler.java:105)
at
com.sun.xml.ws.policy.BuilderHandlerEndpointScope.doPopulate(BuilderHandlerEndpointScope.java:67)
at com.sun.xml.ws.policy.BuilderHandler.populate(BuilderHandler.java:77)
at
com.sun.xml.ws.policy.PolicyMapBuilder.getNewPolicyMap(PolicyMapBuilder.java:103)
at
com.sun.xml.ws.policy.PolicyMapBuilder.getPolicyMap(PolicyMapBuilder.java:85)
at
com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:955)
... 44 more
|#]
This is the SAML token the passive STS is generating,
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_fa555580-fcac-4baa-9d10-e5b2dd64679c"
Issuer="PassiveSTS" IssueInstant="2009-11-10T17:24:58.844Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2009-11-10T17:24:58.342Z"
NotOnOrAfter="2009-11-11T03:24:58.342Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="role" AttributeNamespace="http://microsoft">
<saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
AuthenticationInstant="2009-11-10T17:24:58.844Z">
<saml:Subject>
<saml:NameIdentifier
Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
<ds:Reference URI="#_fa555580-fcac-4baa-9d10-e5b2dd64679c">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>cHUIIGuyRrYhtBJP3euTVomdwZc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>FevVLUpP6BHExpoxwbENlBCJZflNNY6Av6R2y2Lm9kD0MKJn+WXx82sZdWWg/7VihoKrZomU4q/S6MJWplP3yXB4CM++/vcJns/yvjQPJZdtzfFHanzgStCQr7+ULK3TZYqJhcAHL34bHBo/Xnza58Yb7lU/iAKr1Q6OcBcM4Gk=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIB8DCCAVmgAwIBAgIQblTMtVPsaJNFRKtH3ePDszANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdCU0wuQ29tMB4XDTA4MDUyMTA0NDgxNVoXDTM5MTIzMTIzNTk1OVowEjEQMA4GA1UEAxMHQlNMLkNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArai/gNTS+dU4GvMSB5VfkFL1e5ielRhgtnWJ70Xpl51ABksTFkpRNcLDo56sdXtnk3sKEGWe2QeQ1uoBo0bN7aQTsHCNjuT5K/YD4/y2j+oeRESrz905mJ4owW08MnxkhUzpa6+iPGq0l3TdZaG0GHuuky6wEWe3Chc0hdwCdv0CAwEAAaNHMEUwQwYDVR0BBDwwOoAQcMZu+2G/jyh39/5QO/5nIKEUMBIxEDAOBgNVBAMTB0JTTC5Db22CEG5UzLVT7GiTRUSrR93jw7MwDQYJKoZIhvcNAQEEBQADgYEApc0gYQl50mS2RklQnoCpRX/wEfdwhNIQXcMj/6eqcf9Ul6623Ge2jDNMgQesLAK+rp+kKFqgL6F4odrqxY1u00QvUPQi9LLjWBUi1xAiNnd9lBwmD7z4ITsxhU40/ON+GVIHJ1CbeWvTwE5TaFyCP6uRSDX1Ojv+tovYt6X5Y4w=</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
Do you know what could be the issue in opensso ?.
Thanks in advance
Pablo.
-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com]
Sent: Tuesday, November 10, 2009 5:55 AM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Fifth interop test between Metro and .NET
Hi Pablo,
See inline ...
Pablo Cibraro wrote:
Hi Jiandong,
I need some of your help if it is possible to configure this scenario,
Config Service -> Metro
Business Service - Metro
Passive STS -> .NET
Active STS -> Metro
Trader Client -> Metro
I have two questions for you,
1. Is this the correct procedure to configure an external idp in OpenSSO ?
Yes, the basic reference is
https://opensso.dev.java.net/public/use/docs/opensso/pdf/WSFedHowTo.pdf.
section 5 is about configure OpenSSO as SP with outside idp.
2. How can I change the realm parameter to be an absolute URL (I could
not find a way to change this in the .xml files)
The TokenIssuerName in fedsp.xml according to the document above.
Thanks!
Jiandong
Thanks
Pablo.