Hi Jiandong,

Thanks for the update. It's good to hear that you could find the issue in the 
SAML assertion. I added the AudienceRestrictionCondition to the SAML token, so 
this is how the message looks now,

<t:RequestSecurityTokenResponse
    Context="s2aed6253fb0ec01e4e54f7f46c8b3a37aed2076d3"
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1"
        AssertionID="_32f70e12-f451-4b1f-8099-e3a27e77a307" Issuer="PassiveSTS"
        IssueInstant="2009-12-08T18:32:45.983Z"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2009-12-08T18:02:45.983Z"
          NotOnOrAfter="2009-12-08T23:32:45.983Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
        </saml:Subject>
        <saml:Attribute AttributeName="role" AttributeNamespace="http://microsoft">
          <saml:AttributeValue>staff</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
          AuthenticationInstant="2009-12-08T18:32:45.969Z">
        <saml:Subject>
          <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#_32f70e12-f451-4b1f-8099-e3a27e77a307">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>+HcC1JjPJ4JBAT5xZ7CQWYEEsSynitnDp0hLw2ldxlA=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>WmOfRG0J8onl7VqBsLvKY5ccNGWVKwNOOoKNy0KcC9965njHsbq3JfQyPUYFmAOoaaXvZ0J90gdRCGvWpd6/Ry7F6FDvyrdotli7Tuto5rn+DmY+TzREGZo3L5kuXDBy3YwSn+PguTDRF5ixIvVwdpY+rT3fFmPdVLanfOJk1RM=</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>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</X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>

There is a problem with WCF/Geneva (WIF): the audience condition must be a 
complete URI, so "Fedsp" is not considered valid. For that reason, I tried to 
update my fedsp.xml and fedspx.xml files in the OpenSSO configuration to use 
that alias. This is what I got,

Fedsp.xml,

<Federation
    FederationID="https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp"
    xmlns="http://schemas.xmlsoap.org/ws/2006/12/federation">
    <TokenIssuerName>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</TokenIssuerName>
    <TokenIssuerEndpoint>
        <ns1:Address xmlns:ns1="http://www.w3.org/2005/08/addressing">https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</ns1:Address>
    </TokenIssuerEndpoint>
</Federation>

Fedspx.xml,

<FederationConfig
    FederationID="https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp"
    hosted="true" xmlns="urn:sun:fm:wsfederation:1.0:federationconfig">
    <SPSSOConfig metaAlias="/Fedsp">
        <Attribute name="displayName">
            
<Value>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</Value>
        </Attribute>
        <Attribute name="AccountRealmSelection">
            <Value>cookie</Value>
        </Attribute>
        <Attribute name="AccountRealmCookieName">
            <Value>amWSFederationAccountRealm</Value>
        </Attribute>
        <Attribute name="HomeRealmDiscoveryService">
            
<Value>https://sp.stonehenge.com:8180/opensso/RealmSelection/metaAlias/Fedsp</Value>
        </Attribute>
        <Attribute name="signingCertAlias">
            <Value>bsl</Value>
        </Attribute>
        <Attribute name="assertionEffectiveTime">
            <Value>6000</Value>
        </Attribute>
        <Attribute name="spAccountMapper">
            
<Value>com.sun.identity.wsfederation.plugins.DefaultADFSPartnerAccountMapper</Value>
        </Attribute>
        <Attribute name="spAttributeMapper">
            
<Value>com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper</Value>
        </Attribute>
        <Attribute name="spAuthncontextMapper">
            
<Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
        </Attribute>
        <Attribute name="spAuthncontextClassrefMapping">
            
<Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default</Value>
        </Attribute>
        <Attribute name="spAuthncontextComparisonType">
            <Value>exact</Value>
        </Attribute>
        <Attribute name="saml2AuthModuleName">
            <Value/>
        </Attribute>
        <Attribute name="defaultRelayState">
            <Value>https://sp.stonehenge.com:8180/opensso</Value>
        </Attribute>
        <Attribute name="assertionTimeSkew">
            <Value>6000</Value>
        </Attribute>
        <Attribute name="wantAssertionSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="cotlist"/>
    </SPSSOConfig>
</FederationConfig>

The only attribute I could not change was the metaAlias. Is that attribute the 
one that OpenSSO uses to map the SamlRestrictionCondition to a URI? I am 
still having the same issue with these new OpenSSO files and the WS-Trust 
message I showed you before. The only error I get from OpenSSO is "Http 403, 
Access Denied".

Do you think I should be able to find more information about the error in any 
OpenSSO trace file?

Thanks
Pablo.
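
The checks that come up in this thread for the relying party side (the assertion must carry an AudienceRestrictionCondition naming this RP, the audience must be an absolute URI as WIF demands, the validity window with clock skew, bearer confirmation only for the passive profile, and an enveloped signature whose Reference points at the assertion itself) can be expressed as one policy function over the RSTR. The following is an added Python example and is not OpenSSO, Metro or WIF code; the algorithm allowlist, the 60-second default skew, the hypothetical issuer set and the constructed sample message (modelled on the RSTR above, with dummy digest and signature values) are assumptions. It deliberately does not verify the signature bytes, which needs a real XMLDSig implementation; without that step none of the other checks mean anything in production.

```python
"""Policy checks a WS-Federation RP applies to the SAML 1.1 assertion inside a
WS-Trust 1.2 RequestSecurityTokenResponse.  Added example; stdlib only.
Cryptographic verification of the enveloped signature is NOT done here."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",       # WS-Trust 1.2 (2005/02)
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",          # SAML 1.x assertion namespace
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
# Assumed allowlists for this example: only the SHA-256 pair seen in the later messages.
ALLOWED_SIG = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ALLOWED_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256"}


def parse_instant(value):
    """SAML instants are xsd:dateTime in UTC with a trailing 'Z'; fromisoformat wants an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(rstr_xml, expected_audience, trusted_issuers, now, skew=timedelta(seconds=60)):
    """Return the list of policy violations; an empty list means the token is acceptable."""
    errors = []
    root = ET.fromstring(rstr_xml)
    assertion = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion inside t:RequestedSecurityToken"]

    if (assertion.get("MajorVersion"), assertion.get("MinorVersion")) != ("1", "1"):
        errors.append("unsupported SAML version")
    if assertion.get("Issuer") not in trusted_issuers:
        errors.append("untrusted Issuer %r" % assertion.get("Issuer"))

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no saml:Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_instant(nb):
            errors.append("assertion not yet valid")
        if noa and now - skew >= parse_instant(noa):
            errors.append("assertion expired")
        # The audience is what ties the token to this RP.  Without it, a token minted for
        # any other RP that trusts the same issuer could be replayed here.
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS) if a.text]
        if not audiences:
            errors.append("no AudienceRestrictionCondition")
        elif expected_audience not in audiences:          # exact string match, no normalisation
            errors.append("audience %r does not match %r" % (audiences, expected_audience))
        for a in audiences:
            parts = urlsplit(a)
            if not (parts.scheme and parts.netloc):          # "Fedsp" alone fails here
                errors.append("audience %r is not an absolute URI" % a)

    # Passive (browser POST) profile: the subject can only be confirmed as bearer.
    # An absent SubjectConfirmation is tolerated because the thread notes OpenSSO omits it.
    for cm in assertion.findall(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS):
        if (cm.text or "").strip() != BEARER:
            errors.append("unexpected confirmation method %r" % cm.text)

    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        errors.append("assertion is not signed")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + assertion.get("AssertionID", ""):
            errors.append("signature Reference does not point at this assertion")
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if sm is None or sm.get("Algorithm") not in ALLOWED_SIG:
            errors.append("signature algorithm not allowed")
        if dm is None or dm.get("Algorithm") not in ALLOWED_DIGEST:
            errors.append("digest algorithm not allowed")
        # Real code must now verify SignatureValue against a pinned signer certificate
        # with an XMLDSig library; this example stops at the structural checks.
    return errors


def sample_rstr(conditions_body):
    """Constructed test message modelled on the thread's RSTR; digest/signature values are dummies."""
    return """<t:RequestSecurityTokenResponse Context="ctx" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="PassiveSTS"
        IssueInstant="2009-12-08T18:32:45.983Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2009-12-08T18:02:45.983Z" NotOnOrAfter="2009-12-08T23:32:45.983Z">%s</saml:Conditions>
      <saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva" AuthenticationInstant="2009-12-08T18:32:45.969Z">
        <saml:Subject><saml:NameIdentifier>user@example.test</saml:NameIdentifier>
          <saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
      </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>""" % conditions_body


if __name__ == "__main__":
    aud = "https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp"
    good = sample_rstr("<saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience></saml:AudienceRestrictionCondition>" % aud)
    print(check_assertion(good, aud, {"PassiveSTS"}, parse_instant("2009-12-08T19:00:00Z")))
    print(check_assertion(sample_rstr(""), aud, {"PassiveSTS"}, parse_instant("2009-12-08T19:00:00Z")))
```

The expected audience is compared as an exact string against the SP's full WSFederationServlet URL, which is the value that appears in the Audience element, the FederationID and the TokenIssuerName above; a bare metaAlias such as "Fedsp" fails both the match and the absolute-URI test.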



-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com]
Sent: Tuesday, December 08, 2009 2:59 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Fifth interop test between Metro and .NET

Hi Pablo,

Sorry for the long delay. We have been working to address the issues for
"Third interop test between Metro and .NET".

The SAML assertion from the OpenSSO PassiveSTS was not meant to be
reusable, i.e. only for the SP to validate it for the RP.
Once it is in the session, it is already changed. So it relies on the SP
to validate it and certify it
for the Active STS.

We have exposed some API to obtain the original SAML assertion in case
the other party (ActiveSTS) needs to validate things
like the signature. The change is ready in a recent OpenSSO build. I am
testing it now. After that, I will let you know how you can work with it
with the Metro stonehenge implementation.

See inline ...

Pablo Cibraro wrote:
> Hi Jiandong,
>
> I removed almost all the elements in the RSTR message to have something close 
> to what OpenSSO generates. This is final message that our implementation is 
> generating,
>
> <t:RequestSecurityTokenResponse
>     Context="s21a382559d033337807359a1c786d343acb5e664d"
>     xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>   <t:Lifetime>
>     <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-12-07T21:29:02.912Z</wsu:Created>
>     <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-12-07T22:29:02.912Z</wsu:Expires>
>   </t:Lifetime>
>   <t:RequestedSecurityToken>
>     <saml:Assertion MajorVersion="1" MinorVersion="1"
>         AssertionID="_2d1c3a8d-4b59-4e75-9dcf-e6a5aedc88cd" Issuer="PassiveSTS"
>         IssueInstant="2009-12-07T21:29:02.912Z"
>         xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
>       <saml:Conditions NotBefore="2009-12-07T21:29:02.912Z"
>           NotOnOrAfter="2009-12-07T22:29:02.912Z" />
>       <saml:AttributeStatement>
>         <saml:Subject>
>           <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>           <saml:SubjectConfirmation>
>             <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>           </saml:SubjectConfirmation>
>         </saml:Subject>
>         <saml:Attribute AttributeName="role" AttributeNamespace="http://microsoft">
>           <saml:AttributeValue>staff</saml:AttributeValue>
>         </saml:Attribute>
>       </saml:AttributeStatement>
>       <saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
>           AuthenticationInstant="2009-12-07T21:29:02.912Z">
>         <saml:Subject>
>           <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>           <saml:SubjectConfirmation>
>             <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>           </saml:SubjectConfirmation>
>         </saml:Subject>
>       </saml:AuthenticationStatement>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
>           <ds:Reference URI="#_2d1c3a8d-4b59-4e75-9dcf-e6a5aedc88cd">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
>             <ds:DigestValue>BpI6b9ENe2F+FNaCGqk7n1FY0Qtawsw4vgHiimSOcn0=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>llFnZtOAd9ulRIZQ9TIlpVb53uFT8OX3ymfvO2B+gohHMvOWHFfGFkF8frLDqursuP/mqUfyo60oSlhkp6XDLrB89VaATZoQTBaO2NRlIKKAQYhapN+VD0ZW0pi7RQeblKeNZWKgW+tJZlFnya25XGILBnH4BvZQzgqAywyQgAs=</ds:SignatureValue>
>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>           <X509Data>
>             <X509Certificate>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</X509Certificate>
>           </X509Data>
>         </KeyInfo>
>       </ds:Signature>
>     </saml:Assertion>
>   </t:RequestedSecurityToken>
> </t:RequestSecurityTokenResponse>
>
> This message does not work either, and I am still getting the same error in 
> OpenSSO.
What exactly is the exception you get? The same NPE wrt AppliesTo? We
fixed the namespace issue for AppliesTo with the latest OpenSSO.
> Could it be an issue with the SAML token itself ?. I haven't found detailed 
> information in the OpenSSO log about what could be wrong, so at this point I 
> am pretty lost. At first glance, do you see something wrong in the message 
> above ? (Note, I also tried removing the Lifetime element, but that gave the 
> same results).
>
I guess OpenSSO needs to check if the SAML assertion is targeted at the
specific RP, i.e. it needs an AudienceRestrictionCondition in the SAML
assertion.

Thanks!

Jiandong


> Could the confirmation method be the issue?, OpenSSO is not including any 
> confirmation method in the SAML token.
>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>
> Thanks
> Pablo.
>
>
> -----Original Message-----
> From: jiandong....@sun.com [mailto:jiandong....@sun.com]
> Sent: Wednesday, November 11, 2009 8:13 PM
> To: stonehenge-dev@incubator.apache.org
> Subject: Re: Fifth interop test between Metro and .NET
>
> Ok. Looks like a mistake in OpenSSO. It uses the ws-addressing namespace for
> AppliesTo.
>
> I will check with them to see if we can have a patch. In the meantime,
> you may get this
> particular test going by removing the AppliesTo in the RSTR. According to
> the spec, if the scope of the issued token
> is the same as the one specified in the AppliesTo in the RST, then you
> don't need to put AppliesTo in the RSTR.
>
> Thanks!
>
> Jiandong
>
> Pablo Cibraro wrote:
>
>> You always know the answer :). Ok, I've changed the WS-TRUST version that 
>> Geneva was using in the Passive STS, so it is now generating this message.
>>
>> <t:RequestSecurityTokenResponse
>>     Context="s2cd9f16167cabfa87c3aaa22457820ed00240cfd4"
>>     xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>   <t:Lifetime>
>>     <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-11T18:01:43.192Z</wsu:Created>
>>     <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-12T04:01:43.192Z</wsu:Expires>
>>   </t:Lifetime>
>>   <z:ReplyTo xmlns:z="http://schemas.microsoft.com/ws/2008/06/identity">https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</z:ReplyTo>
>>   <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>>       <Address>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</Address>
>>     </EndpointReference>
>>   </wsp:AppliesTo>
>>   <t:RequestedSecurityToken>
>>     <saml:Assertion MajorVersion="1" MinorVersion="1"
>>         AssertionID="_488ad180-6478-416e-8a61-c879f8a75a4d" Issuer="PassiveSTS"
>>         IssueInstant="2009-11-11T18:01:43.195Z"
>>         xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
>>       <saml:Conditions NotBefore="2009-11-11T18:01:43.192Z"
>>           NotOnOrAfter="2009-11-12T04:01:43.192Z">
>>         <saml:AudienceRestrictionCondition>
>>           <saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
>>         </saml:AudienceRestrictionCondition>
>>       </saml:Conditions>
>>       <saml:AttributeStatement>
>>         <saml:Subject>
>>           <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>>           <saml:SubjectConfirmation>
>>             <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>           </saml:SubjectConfirmation>
>>         </saml:Subject>
>>         <saml:Attribute AttributeName="role" AttributeNamespace="http://microsoft">
>>           <saml:AttributeValue>staff</saml:AttributeValue>
>>         </saml:Attribute>
>>       </saml:AttributeStatement>
>>       <saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
>>           AuthenticationInstant="2009-11-11T18:01:43.195Z">
>>         <saml:Subject>
>>           <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>>           <saml:SubjectConfirmation>
>>             <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>           </saml:SubjectConfirmation>
>>         </saml:Subject>
>>       </saml:AuthenticationStatement>
>>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:SignedInfo>
>>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>           <ds:Reference URI="#_488ad180-6478-416e-8a61-c879f8a75a4d">
>>             <ds:Transforms>
>>               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>             </ds:Transforms>
>>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>             <ds:DigestValue>u2bSngQA1SOIyYglfZs8bXMZ19c=</ds:DigestValue>
>>           </ds:Reference>
>>         </ds:SignedInfo>
>>         <ds:SignatureValue>JT55FJhCtjnisHzF75UY6JwA01Y7lkZM5qxFJGLZi7s7/B7PBKGyjleF7sa3M5RkhNODjbg4PfjWMVZEG5xITciFk95P86BS8CqxJJCjOz4YkjqPTX6kRROe2RNgI6WaWnFDuCPuS+Wuc/mkWqtLrss0lXY311BfrI/saX7n7t4=</ds:SignatureValue>
>>         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>           <X509Data>
>>             <X509Certificate>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</X509Certificate>
>>           </X509Data>
>>         </KeyInfo>
>>       </ds:Signature>
>>     </saml:Assertion>
>>   </t:RequestedSecurityToken>
>>   <t:RequestedAttachedReference>
>>     <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>       <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_488ad180-6478-416e-8a61-c879f8a75a4d</o:KeyIdentifier>
>>     </o:SecurityTokenReference>
>>   </t:RequestedAttachedReference>
>>   <t:RequestedUnattachedReference>
>>     <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>       <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_488ad180-6478-416e-8a61-c879f8a75a4d</o:KeyIdentifier>
>>     </o:SecurityTokenReference>
>>   </t:RequestedUnattachedReference>
>>   <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
>>   <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
>>   <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
>> </t:RequestSecurityTokenResponse>
>>
>> I am now getting the following exception in OpenSSO,
>>
>> #|2009-11-11T14:01:46.422-0400|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8180-0;_RequestID=8395b912-1787-4a81-8b2d-80ee5efa0a75;|
>> java.lang.NullPointerException
>>         at 
>> com.sun.identity.wsfederation.profile.RequestSecurityTokenResponse.<init>(RequestSecurityTokenResponse.java:126)
>>         at 
>> com.sun.identity.wsfederation.profile.RequestSecurityTokenResponse.parseXML(RequestSecurityTokenResponse.java:159)
>>         at 
>> com.sun.identity.wsfederation.servlet.RPSigninResponse.process(RPSigninResponse.java:101)
>>         at 
>> com.sun.identity.wsfederation.servlet.WSFederationServlet.doPost(WSFederationServlet.java:107)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:411)
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:317)
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
>>         at 
>> com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91)
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
>>         at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:198)
>>         at 
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
>>         at 
>> org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
>>         at 
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
>>         at 
>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
>>         at 
>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
>>         at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
>>         at 
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
>>         at 
>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
>>         at 
>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
>>         at 
>> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
>>         at 
>> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
>>         at 
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
>>         at 
>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
>>         at 
>> org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
>>         at 
>> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
>>         at 
>> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
>>         at 
>> org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
>>         at 
>> com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
>> |#]
>>
>> It looks like Geneva is generating something that OpenSSO does not know how 
>> to parse or something like that. I initially thought that the addressing 
>> version in the AppliesTo element could be the issue as OpenSSO is using an 
>> older version, so I changed that, but it did not work.
>>
>> Any clue about what could be wrong in the message ?
>>
>> Thanks
>> Pablo.
>>
>>
>> -----Original Message-----
>> From: jiandong....@sun.com [mailto:jiandong....@sun.com]
>> Sent: Tuesday, November 10, 2009 8:52 PM
>> To: stonehenge-dev@incubator.apache.org
>> Subject: Re: Fifth interop test between Metro and .NET
>>
>> The version of ws-federation passive profile supported in OpenSSO is
>> before 1.1. So no
>>
>> RequestSecurityTokenResponseCollection with 
>> xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"  ;-) .
>>
>> Is it possible to configure .Net Passive STS to create
>> <wst:RequestSecurityTokenResponse 
>> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>
>> Thanks!
>>
>> Jiandong
>>
>>
>> Pablo Cibraro wrote:
>>
>>> Mmm, no. The only info about errors I could find was in this folder 
>>> opensso\log\WSFederation.error. This file contains a single line with the 
>>> WS-Trust message that the .NET passive STS is generating,
>>>
>>> These are the redirections I am getting,
>>>
>>> 1. Trader client makes an Http GET to 
>>> https://sp.stonehenge.com:8080/WSFederationServlet/metaAlias/Fedsp?goto=http://apps.stonehenge.com:1316/trader_client
>>> 2. OpenSSO makes an Http GET to http://localhost/trade_identity ? All the 
>>> WSTrust parameters (This is the .NET passive STS)
>>> 3. The .NET passive STS generates a form with action = 
>>> "https://sp.stonehenge.com:8080/WSFederationServlet/metaAlias/Fedsp"
>>>
>>> This is the WS-TRUST message
>>>
>>> <trust:RequestSecurityTokenResponseCollection
>>>     xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>>>   <trust:RequestSecurityTokenResponse
>>>       Context="s2ceec7ad41fed61267f0f72c9557b77046c98ef7c">
>>>     <trust:Lifetime>
>>>       <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-10T22:59:28.543Z</wsu:Created>
>>>       <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-11-11T08:59:28.543Z</wsu:Expires>
>>>     </trust:Lifetime>
>>>     <z:ReplyTo xmlns:z="http://schemas.microsoft.com/ws/2008/06/identity">https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</z:ReplyTo>
>>>     <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>       <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>>>         <Address>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</Address>
>>>       </EndpointReference>
>>>     </wsp:AppliesTo>
>>>     <trust:RequestedSecurityToken>
>>>       <saml:Assertion MajorVersion="1" MinorVersion="1"
>>>           AssertionID="_560fe2f7-f0c9-418b-8e74-4145f5c37b7b" Issuer="PassiveSTS"
>>>           IssueInstant="2009-11-10T22:59:28.544Z"
>>>           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
>>>         <saml:Conditions NotBefore="2009-11-10T22:59:28.543Z"
>>>             NotOnOrAfter="2009-11-11T08:59:28.543Z">
>>>           <saml:AudienceRestrictionCondition>
>>>             <saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
>>>           </saml:AudienceRestrictionCondition>
>>>         </saml:Conditions>
>>>         <saml:AttributeStatement>
>>>           <saml:Subject>
>>>             <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>>>             <saml:SubjectConfirmation>
>>>               <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>>             </saml:SubjectConfirmation>
>>>           </saml:Subject>
>>>           <saml:Attribute AttributeName="role" AttributeNamespace="http://microsoft">
>>>             <saml:AttributeValue>staff</saml:AttributeValue>
>>>           </saml:Attribute>
>>>         </saml:AttributeStatement>
>>>         <saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
>>>             AuthenticationInstant="2009-11-10T22:59:28.543Z">
>>>           <saml:Subject>
>>>             <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>>>             <saml:SubjectConfirmation>
>>>               <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>>             </saml:SubjectConfirmation>
>>>           </saml:Subject>
>>>         </saml:AuthenticationStatement>
>>>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>           <ds:SignedInfo>
>>>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>             <ds:Reference URI="#_560fe2f7-f0c9-418b-8e74-4145f5c37b7b">
>>>               <ds:Transforms>
>>>                 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>               </ds:Transforms>
>>>               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>               <ds:DigestValue>Bt97jrvwGHD7YYHGIrzseAERLz0=</ds:DigestValue>
>>>             </ds:Reference>
>>>           </ds:SignedInfo>
>>>           <ds:SignatureValue>DUWVbsicStAEAAjKECn6txzxY3R/Xqac69haLQnhiE7nzvDD40rQ9yME25+8f4mbyOSlQqM6t8gI+CD6wOOUIZHuCOGZw7FA/KLbhIVFhJfPbzeGqEXcrcplhhbHCiUDC0V5Dt8tRFJZEOIrb3Ytha9j+yOwwB9UJdZl63E2lMA=</ds:SignatureValue>
>>>           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>             <X509Data>
>>>               <X509Certificate>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</X509Certificate>
>>>             </X509Data>
>>>           </KeyInfo>
>>>         </ds:Signature>
>>>       </saml:Assertion>
>>>     </trust:RequestedSecurityToken>
>>>     <trust:RequestedAttachedReference>
>>>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_560fe2f7-f0c9-418b-8e74-4145f5c37b7b</o:KeyIdentifier>
>>>       </o:SecurityTokenReference>
>>>     </trust:RequestedAttachedReference>
>>>     <trust:RequestedUnattachedReference>
>>>       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>         <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_560fe2f7-f0c9-418b-8e74-4145f5c37b7b</o:KeyIdentifier>
>>>       </o:SecurityTokenReference>
>>>     </trust:RequestedUnattachedReference>
>>>     <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
>>>     <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>>>     <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
>>>   </trust:RequestSecurityTokenResponse>
>>> </trust:RequestSecurityTokenResponseCollection>
>>>
>>> The only error I am getting in OpenSSO is HTTP Status 403 (Access Denied to 
>>> the specified resource) after the form with the WS-TRUST message is posted.
>>>
>>> Do you see something strange in the WS-TRUST message ?
>>>
>>> Thanks
>>> Pablo.
>>>
>>>
>>> -----Original Message-----
>>> From: jiandong....@sun.com [mailto:jiandong....@sun.com]
>>> Sent: Tuesday, November 10, 2009 6:13 PM
>>> To: stonehenge-dev@incubator.apache.org
>>> Subject: Re: Fifth interop test between Metro and .NET
>>>
>>> Pablo Cibraro wrote:
>>>
>>>
>>>
>>>> Thanks. The metro client is now calling the .NET passive STS, and this one 
>>>> is returning a SAML token to the OpenSSO sp.
>>>>
>>>>
>>>>
>>> Great!
>>>
>>>
>>>
>>>> The OpenSSO sp is throwing an exception with the following details,
>>>>
>>>>
>>>>
>>>>
>>> The following exceptions should not be relevant.
>>>
>>> Do you see any other information in the server log for sp?
>>> Or check the opensso debug files in the config directory, e.g.
>>> C:\Documents and Settings\manveen\opensso\sp\opensso\debug.
>>>
>>> Thanks!
>>>
>>> Jiandong
>>>
>>>
>>>
>>>> [#|2009-11-10T14:00:44.647-0400|SEVERE|sun-appserver9.1|com.sun.xml.ws.wspolicy.PolicyWSDLParserExtension|_ThreadID=10;_ThreadName=main;_RequestID=570cda77-1918-4cbe-b3c6-13f1b82a2033;|WSP1007:
>>>>  Policy exception occured when finishing WSDL parsing.
>>>> com.sun.xml.ws.policy.PolicyException: WSP0071: Multiple policy assertion 
>>>> creators try to register for namespace 
>>>> 'http://schemas.xmlsoap.org/ws/2005/02/rm/policy'. Old creator`s class: 
>>>> 'com.sun.xml.ws.rx.policy.spi_impl.RxAssertionCreator', new creator`s 
>>>> class: 'com.sun.xml.ws.rm.policy.spi_impl.RmAssertionCreator'.
>>>>         at 
>>>> com.sun.xml.ws.policy.sourcemodel.PolicyModelTranslator.<init>(PolicyModelTranslator.java:184)
>>>>         at 
>>>> com.sun.xml.ws.api.policy.ModelTranslator.<init>(ModelTranslator.java:81)
>>>>         at 
>>>> com.sun.xml.ws.api.policy.ModelTranslator.<clinit>(ModelTranslator.java:70)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.getPolicies(BuilderHandler.java:97)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.getPolicySubjects(BuilderHandler.java:105)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandlerEndpointScope.doPopulate(BuilderHandlerEndpointScope.java:67)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.populate(BuilderHandler.java:77)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyMapBuilder.getNewPolicyMap(PolicyMapBuilder.java:103)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyMapBuilder.getPolicyMap(PolicyMapBuilder.java:85)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:955)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.DelegatingParserExtension.postFinished(DelegatingParserExtension.java:187)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.WSDLParserExtensionFacade.postFinished(WSDLParserExtensionFacade.java:334)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:262)
>>>>         at 
>>>> com.sun.xml.ws.server.EndpointFactory.getWSDLPort(EndpointFactory.java:531)
>>>>         at 
>>>> com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:174)
>>>>         at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:505)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:124)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at 
>>>> com.sun.identity.wss.sts.STSContextListener.contextInitialized(STSContextListener.java:107)
>>>>         at 
>>>> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4523)
>>>>         at 
>>>> org.apache.catalina.core.StandardContext.start(StandardContext.java:5184)
>>>>         at com.sun.enterprise.web.WebModule.start(WebModule.java:326)
>>>>         at 
>>>> com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
>>>>         at 
>>>> com.sun.enterprise.web.VirtualServer.startChildren(VirtualServer.java:1672)
>>>>         at 
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
>>>>         at 
>>>> org.apache.catalina.core.StandardHost.start(StandardHost.java:955)
>>>>         at 
>>>> com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
>>>>         at 
>>>> com.sun.enterprise.web.EmbeddedWebContainer$WebEngine.startChildren(EmbeddedWebContainer.java:453)
>>>>         at 
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
>>>>         at 
>>>> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:533)
>>>>         at org.apache.catalina.startup.Embedded.start(Embedded.java:936)
>>>>         at com.sun.enterprise.web.WebContainer.start(WebContainer.java:873)
>>>>         at 
>>>> com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:790)
>>>>         at 
>>>> com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:84)
>>>>         at 
>>>> com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:442)
>>>>         at 
>>>> com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:120)
>>>>         at com.sun.enterprise.server.PEMain.run(PEMain.java:411)
>>>>         at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
>>>> |#]
>>>>
>>>> [#|2009-11-10T14:00:44.649-0400|SEVERE|sun-appserver9.1|com.sun.xml.ws.server.http|_ThreadID=10;_ThreadName=main;_RequestID=570cda77-1918-4cbe-b3c6-13f1b82a2033;|WSSERVLET11:
>>>>  failed to parse runtime descriptor: javax.xml.ws.WebServiceException: 
>>>> WSP1007: Policy exception occured when finishing WSDL parsing.
>>>> javax.xml.ws.WebServiceException: WSP1007: Policy exception occured when 
>>>> finishing WSDL parsing.
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:959)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.DelegatingParserExtension.postFinished(DelegatingParserExtension.java:187)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.WSDLParserExtensionFacade.postFinished(WSDLParserExtensionFacade.java:334)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:262)
>>>>         at 
>>>> com.sun.xml.ws.server.EndpointFactory.getWSDLPort(EndpointFactory.java:531)
>>>>         at 
>>>> com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:174)
>>>>         at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:505)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:124)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at 
>>>> com.sun.identity.wss.sts.STSContextListener.contextInitialized(STSContextListener.java:107)
>>>>         at 
>>>> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4523)
>>>>         at 
>>>> org.apache.catalina.core.StandardContext.start(StandardContext.java:5184)
>>>>         at com.sun.enterprise.web.WebModule.start(WebModule.java:326)
>>>>         at 
>>>> com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
>>>>         at 
>>>> com.sun.enterprise.web.VirtualServer.startChildren(VirtualServer.java:1672)
>>>>         at 
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
>>>>         at 
>>>> org.apache.catalina.core.StandardHost.start(StandardHost.java:955)
>>>>         at 
>>>> com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
>>>>         at 
>>>> com.sun.enterprise.web.EmbeddedWebContainer$WebEngine.startChildren(EmbeddedWebContainer.java:453)
>>>>         at 
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
>>>>         at 
>>>> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:533)
>>>>         at org.apache.catalina.startup.Embedded.start(Embedded.java:936)
>>>>         at com.sun.enterprise.web.WebContainer.start(WebContainer.java:873)
>>>>         at 
>>>> com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:790)
>>>>         at 
>>>> com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:84)
>>>>         at 
>>>> com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:442)
>>>>         at 
>>>> com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:120)
>>>>         at com.sun.enterprise.server.PEMain.run(PEMain.java:411)
>>>>         at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
>>>> Caused by: com.sun.xml.ws.policy.PolicyException: WSP0071: Multiple policy 
>>>> assertion creators try to register for namespace 
>>>> 'http://schemas.xmlsoap.org/ws/2005/02/rm/policy'. Old creator`s class: 
>>>> 'com.sun.xml.ws.rx.policy.spi_impl.RxAssertionCreator', new creator`s 
>>>> class: 'com.sun.xml.ws.rm.policy.spi_impl.RmAssertionCreator'.
>>>>         at 
>>>> com.sun.xml.ws.policy.sourcemodel.PolicyModelTranslator.<init>(PolicyModelTranslator.java:184)
>>>>         at 
>>>> com.sun.xml.ws.api.policy.ModelTranslator.<init>(ModelTranslator.java:81)
>>>>         at 
>>>> com.sun.xml.ws.api.policy.ModelTranslator.<clinit>(ModelTranslator.java:70)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.getPolicies(BuilderHandler.java:97)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.getPolicySubjects(BuilderHandler.java:105)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandlerEndpointScope.doPopulate(BuilderHandlerEndpointScope.java:67)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.populate(BuilderHandler.java:77)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyMapBuilder.getNewPolicyMap(PolicyMapBuilder.java:103)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyMapBuilder.getPolicyMap(PolicyMapBuilder.java:85)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:955)
>>>>         ... 44 more
>>>> |#]
>>>>
>>>> [#|2009-11-10T14:00:44.655-0400|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=570cda77-1918-4cbe-b3c6-13f1b82a2033;|java.lang.reflect.InvocationTargetException
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at 
>>>> com.sun.identity.wss.sts.STSContextListener.contextInitialized(STSContextListener.java:107)
>>>>         at 
>>>> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4523)
>>>>         at 
>>>> org.apache.catalina.core.StandardContext.start(StandardContext.java:5184)
>>>>         at com.sun.enterprise.web.WebModule.start(WebModule.java:326)
>>>>         at 
>>>> com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
>>>>         at 
>>>> com.sun.enterprise.web.VirtualServer.startChildren(VirtualServer.java:1672)
>>>>         at 
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
>>>>         at 
>>>> org.apache.catalina.core.StandardHost.start(StandardHost.java:955)
>>>>         at 
>>>> com.sun.enterprise.web.LifecycleStarter.doRun(LifecycleStarter.java:58)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.runSync(RunnableBase.java:304)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase._submit(RunnableBase.java:176)
>>>>         at 
>>>> com.sun.appserv.management.util.misc.RunnableBase.submit(RunnableBase.java:192)
>>>>         at 
>>>> com.sun.enterprise.web.EmbeddedWebContainer$WebEngine.startChildren(EmbeddedWebContainer.java:453)
>>>>         at 
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1231)
>>>>         at 
>>>> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:533)
>>>>         at org.apache.catalina.startup.Embedded.start(Embedded.java:936)
>>>>         at com.sun.enterprise.web.WebContainer.start(WebContainer.java:873)
>>>>         at 
>>>> com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:790)
>>>>         at 
>>>> com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:84)
>>>>         at 
>>>> com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:442)
>>>>         at 
>>>> com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:120)
>>>>         at com.sun.enterprise.server.PEMain.run(PEMain.java:411)
>>>>         at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at 
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at 
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
>>>> Caused by: com.sun.xml.ws.transport.http.servlet.WSServletException: 
>>>> WSSERVLET11: failed to parse runtime descriptor: 
>>>> javax.xml.ws.WebServiceException: WSP1007: Policy exception occured when 
>>>> finishing WSDL parsing.
>>>>         at 
>>>> com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:139)
>>>>         ... 35 more
>>>> Caused by: javax.xml.ws.WebServiceException: WSP1007: Policy exception 
>>>> occured when finishing WSDL parsing.
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:959)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.DelegatingParserExtension.postFinished(DelegatingParserExtension.java:187)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.WSDLParserExtensionFacade.postFinished(WSDLParserExtensionFacade.java:334)
>>>>         at 
>>>> com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:262)
>>>>         at 
>>>> com.sun.xml.ws.server.EndpointFactory.getWSDLPort(EndpointFactory.java:531)
>>>>         at 
>>>> com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:174)
>>>>         at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:505)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
>>>>         at 
>>>> com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:124)
>>>>         ... 35 more
>>>> Caused by: com.sun.xml.ws.policy.PolicyException: WSP0071: Multiple policy 
>>>> assertion creators try to register for namespace 
>>>> 'http://schemas.xmlsoap.org/ws/2005/02/rm/policy'. Old creator`s class: 
>>>> 'com.sun.xml.ws.rx.policy.spi_impl.RxAssertionCreator', new creator`s 
>>>> class: 'com.sun.xml.ws.rm.policy.spi_impl.RmAssertionCreator'.
>>>>         at 
>>>> com.sun.xml.ws.policy.sourcemodel.PolicyModelTranslator.<init>(PolicyModelTranslator.java:184)
>>>>         at 
>>>> com.sun.xml.ws.api.policy.ModelTranslator.<init>(ModelTranslator.java:81)
>>>>         at 
>>>> com.sun.xml.ws.api.policy.ModelTranslator.<clinit>(ModelTranslator.java:70)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.getPolicies(BuilderHandler.java:97)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.getPolicySubjects(BuilderHandler.java:105)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandlerEndpointScope.doPopulate(BuilderHandlerEndpointScope.java:67)
>>>>         at 
>>>> com.sun.xml.ws.policy.BuilderHandler.populate(BuilderHandler.java:77)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyMapBuilder.getNewPolicyMap(PolicyMapBuilder.java:103)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyMapBuilder.getPolicyMap(PolicyMapBuilder.java:85)
>>>>         at 
>>>> com.sun.xml.ws.policy.PolicyWSDLParserExtension.postFinished(PolicyWSDLParserExtension.java:955)
>>>>         ... 44 more
>>>> |#]
>>>>
>>>> This is the SAML token the passive STS is generating,
>>>>
>>>> <saml:Assertion MajorVersion="1" MinorVersion="1"
>>>> AssertionID="_fa555580-fcac-4baa-9d10-e5b2dd64679c" Issuer="PassiveSTS"
>>>> IssueInstant="2009-11-10T17:24:58.844Z"
>>>> xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
>>>>   <saml:Conditions NotBefore="2009-11-10T17:24:58.342Z"
>>>> NotOnOrAfter="2009-11-11T03:24:58.342Z">
>>>>     <saml:AudienceRestrictionCondition>
>>>>       <saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
>>>>     </saml:AudienceRestrictionCondition>
>>>>   </saml:Conditions>
>>>>   <saml:AttributeStatement>
>>>>     <saml:Subject>
>>>>       <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>>>>       <saml:SubjectConfirmation>
>>>>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>>>       </saml:SubjectConfirmation>
>>>>     </saml:Subject>
>>>>     <saml:Attribute AttributeName="role" AttributeNamespace="http://microsoft">
>>>>       <saml:AttributeValue>staff</saml:AttributeValue>
>>>>     </saml:Attribute>
>>>>   </saml:AttributeStatement>
>>>>   <saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva"
>>>> AuthenticationInstant="2009-11-10T17:24:58.844Z">
>>>>     <saml:Subject>
>>>>       <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">uid:0...@stonehenge.com</saml:NameIdentifier>
>>>>       <saml:SubjectConfirmation>
>>>>         <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
>>>>       </saml:SubjectConfirmation>
>>>>     </saml:Subject>
>>>>   </saml:AuthenticationStatement>
>>>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>     <ds:SignedInfo>
>>>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>       <ds:Reference URI="#_fa555580-fcac-4baa-9d10-e5b2dd64679c">
>>>>         <ds:Transforms>
>>>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>         </ds:Transforms>
>>>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>         <ds:DigestValue>cHUIIGuyRrYhtBJP3euTVomdwZc=</ds:DigestValue>
>>>>       </ds:Reference>
>>>>     </ds:SignedInfo>
>>>>     <ds:SignatureValue>FevVLUpP6BHExpoxwbENlBCJZflNNY6Av6R2y2Lm9kD0MKJn+WXx82sZdWWg/7VihoKrZomU4q/S6MJWplP3yXB4CM++/vcJns/yvjQPJZdtzfFHanzgStCQr7+ULK3TZYqJhcAHL34bHBo/Xnza58Yb7lU/iAKr1Q6OcBcM4Gk=</ds:SignatureValue>
>>>>     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>       <X509Data>
>>>>         <X509Certificate>MIIB8DCCAVmgAwIBAgIQblTMtVPsaJNFRKtH3ePDszANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwdCU0wuQ29tMB4XDTA4MDUyMTA0NDgxNVoXDTM5MTIzMTIzNTk1OVowEjEQMA4GA1UEAxMHQlNMLkNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArai/gNTS+dU4GvMSB5VfkFL1e5ielRhgtnWJ70Xpl51ABksTFkpRNcLDo56sdXtnk3sKEGWe2QeQ1uoBo0bN7aQTsHCNjuT5K/YD4/y2j+oeRESrz905mJ4owW08MnxkhUzpa6+iPGq0l3TdZaG0GHuuky6wEWe3Chc0hdwCdv0CAwEAAaNHMEUwQwYDVR0BBDwwOoAQcMZu+2G/jyh39/5QO/5nIKEUMBIxEDAOBgNVBAMTB0JTTC5Db22CEG5UzLVT7GiTRUSrR93jw7MwDQYJKoZIhvcNAQEEBQADgYEApc0gYQl50mS2RklQnoCpRX/wEfdwhNIQXcMj/6eqcf9Ul6623Ge2jDNMgQesLAK+rp+kKFqgL6F4odrqxY1u00QvUPQi9LLjWBUi1xAiNnd9lBwmD7z4ITsxhU40/ON+GVIHJ1CbeWvTwE5TaFyCP6uRSDX1Ojv+tovYt6X5Y4w=</X509Certificate>
>>>>       </X509Data>
>>>>     </KeyInfo>
>>>>   </ds:Signature>
>>>> </saml:Assertion>
>>>>
>>>> Do you know what could be the issue in OpenSSO?
>>>>
>>>> Thanks in advance
>>>> Pablo.
>>>>
>>>> -----Original Message-----
>>>> From: jiandong....@sun.com [mailto:jiandong....@sun.com]
>>>> Sent: Tuesday, November 10, 2009 5:55 AM
>>>> To: stonehenge-dev@incubator.apache.org
>>>> Subject: Re: Fifth interop test between Metro and .NET
>>>>
>>>> Hi Pablo,
>>>>
>>>> See inline ...
>>>>
>>>> Pablo Cibraro wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Hi Jiandong,
>>>>>
>>>>> I need some of your help if it is possible to configure this scenario,
>>>>>
>>>>> Config Service -> Metro
>>>>> Business Service - Metro
>>>>> Passive STS -> .NET
>>>>> Active STS -> Metro
>>>>> Trader Client -> Metro
>>>>>  I have two questions for you,
>>>>>
>>>>>
>>>>> 1. Is this the correct procedure to configure an external IdP in OpenSSO?
>>>>>
>>>> Yes, the basic reference is
>>>> https://opensso.dev.java.net/public/use/docs/opensso/pdf/WSFedHowTo.pdf.
>>>> Section 5 is about configuring OpenSSO as an SP with an outside IdP.
>>>>
>>>>
>>>>
>>>>
>>>>> 2. How can I change the realm parameter to be an absolute URL? (I could
>>>>> not find a way to change this in the .xml files.)
>>>>>
>>>> The TokenIssuerName in fedsp.xml according to the document above.
>>>>
>>>> Thanks!
>>>>
>>>> Jiandong
>>>>
>>>>
>>>>
>>>>
>>>>> Thanks
>>>>> Pablo.
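As an added example that is not part of this thread, the following Python shows the checks an SP such as the OpenSSO relying party applies to the Conditions of a SAML 1.1 assertion like the one quoted above before it accepts the login: the NotBefore/NotOnOrAfter window, an exact-match audience restriction against the SP's own WS-Federation endpoint from the thread, and the bearer confirmation method. The sample assertion, its subject value and the function names are constructed for this example (they are not OpenSSO code), and the XML signature is assumed to have been verified beforehand.

```python
"""Relying-party (SP) checks on a SAML 1.1 assertion's Conditions; constructed example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
# The SP's WS-Federation endpoint from the thread, i.e. the value the STS must put in <saml:Audience>.
SP_AUDIENCE = "https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp"

# Constructed sample modelled on the token in the thread (subject is a made-up value). The
# ds:Signature is omitted: signature verification, not shown here, must pass before these checks count.
SAMPLE_ASSERTION = """<saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="PassiveSTS"
  AssertionID="_fa555580-fcac-4baa-9d10-e5b2dd64679c" IssueInstant="2009-11-10T17:24:58.844Z"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2009-11-10T17:24:58.342Z" NotOnOrAfter="2009-11-11T03:24:58.342Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.stonehenge.com:8180/opensso/WSFederationServlet/metaAlias/Fedsp</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="http://microsoft/geneva" AuthenticationInstant="2009-11-10T17:24:58.844Z">
    <saml:Subject>
      <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">alice@example.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


@dataclass
class CheckResult:
    ok: bool
    subject: str = ""
    errors: list = field(default_factory=list)


def parse_instant(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2009-11-10T17:24:58.342Z (fraction optional)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, expected_audience: str, now: datetime,
                    skew: timedelta = timedelta(0)) -> CheckResult:
    """Apply the checks an SP makes before accepting a bearer assertion as a login."""
    errors = []
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return CheckResult(False, errors=["Conditions element missing"])
    # Validity window; 'skew' tolerates small clock differences between STS and SP.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        errors.append(f"assertion not yet valid (NotBefore={not_before})")
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        errors.append(f"assertion expired (NotOnOrAfter={not_on_or_after})")
    # Audience restriction: optional in SAML 1.1, but this SP's policy is to require it,
    # so a token minted for another relying party is rejected (exact string comparison).
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS) if a.text]
    if not audiences:
        errors.append("AudienceRestrictionCondition missing: token not bound to this SP")
    elif expected_audience not in audiences:
        errors.append(f"audience mismatch: expected {expected_audience}, got {audiences}")
    # Subject: all statements must name one subject; only bearer confirmation is supported here.
    names = {n.text.strip() for n in root.iterfind(".//saml:Subject/saml:NameIdentifier", NS) if n.text}
    methods = {m.text.strip() for m in root.iterfind(".//saml:ConfirmationMethod", NS) if m.text}
    if len(names) != 1:
        errors.append(f"expected exactly one subject, found {sorted(names)}")
    if methods - {BEARER}:
        errors.append(f"unsupported confirmation method(s): {sorted(methods - {BEARER})}")
    return CheckResult(not errors, subject=next(iter(names), ""), errors=errors)
```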

