Bug
Resolution: Done
Minor
What is your JBoss Version?
7.1.3
Have you tried the latest and greatest?
This is in progress
What version of Java are you using?
1.7.0
Have you tried the latest JVM or a different vendor?
We are using latest OpenJDK 7
What Operating System are you using?
CentOS 5.8
What database/thirdparty jars are you using?
BouncyCastle: bcprov-jdk15on-148.jar
Using PicketLink as a module
Have you asked the thirdparty for help?
We've had multiple sets of eyes on this one
What configuration changes did you make to JBoss?
Using the following subsystem:
<profile name="ACustomersPicketlinkTest">
  <subsystem xmlns="urn:jboss:picketlink:1.0">
    <federation alias="QA_acustomer">
      <identity-provider url="https://dc1.acustomer.com/adfs/ls/" alias="QA_acustomer-external-idp" security-domain="acustomer" external="true" encrypt="false" supportsSignatures="true" strict-post-binding="true">
        <trust>
          <trust-domain name="dc1.acustomer.com"/>
        </trust>
      </identity-provider>
      <service-providers>
        <service-provider alias="acustomer.war" security-domain="acustomer" url="https://openlogic.acustomer.com/path/page.jsp" post-binding="true" supportsSignatures="false" strict-post-binding="true">
          <handlers>
            <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
            <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
            <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
              <handler-parameter value="NAMEID_FORMAT" name="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
            </handler>
            <handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
          </handlers>
        </service-provider>
      </service-providers>
      <key-store url="/a/valid/path/jbosskeystore.jks" passwd="acustomerspassword" sign-key-alias="jboss" sign-key-passwd="acustomerspassword"/>
    </federation>
  </subsystem>
  …
</profile>
Does it work if you don't make those changes?
Yes. We always get a transient ID on the POST. We'd like to use entity, as specified.
Why did you make that change?
To use the username in plaintext, versus the transient or persistent hash
Where did you get the information about that change?
https://docs.jboss.org/author/display/PLINK/SAML2AttributeHandler
What is your problem?
We expect to have an entity ID passed in the POST to the SAML IdP. We always see a transient.
What error message do you see?
Invalid NameID
Post the full stacktrace
12:22,559 ERROR [org.picketlink.identity.federation] (ajp-localhost/127.0.0.1:8009-3) PLFED000263: Service Provider could not handle the request.: java.lang.IllegalArgumentException: PLFED000132: No assertions in reply from IDP
    at org.picketlink.identity.federation.PicketLinkLoggerImpl.samlHandlerNoAssertionFromIDP(PicketLinkLoggerImpl.java:969) [picketlink-jbas7-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler$SPAuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:403) [picketlink-core-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler.handleStatusResponseType(SAML2AuthenticationHandler.java:134) [picketlink-core-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.web.process.SAMLHandlerChainProcessor.callHandlerChain(SAMLHandlerChainProcessor.java:64) [picketlink-core-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.processHandlersChain(ServiceProviderSAMLResponseProcessor.java:105) [picketlink-core-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.web.process.ServiceProviderSAMLResponseProcessor.process(ServiceProviderSAMLResponseProcessor.java:86) [picketlink-core-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.handleSAMLResponse(AbstractSPFormAuthenticator.java:422) [picketlink-jbas7-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:298) [picketlink-jbas7-2.1.5.Final.jar:2.1.5.Final]
    at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:253) [picketlink-jbas7-2.1.5.Final.jar:2.1.5.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.17.Final.jar:]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:165) [jboss-as-web-7.1.3.Final.jar:7.1.3.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final.jar:]
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505) [jbossweb-7.0.17.Final.jar:]
    at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:453) [jbossweb-7.0.17.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.17.Final.jar:]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]
What did you expect to happen?
I expected that entity would be specified, instead of transient
Why did you expect that behaviour?
Because I specified it as a handler parameter.
If you are reporting a "bug", how do you know it is a bug?
Could be a documentation defect, but the current documentation says "do it this way" as far as I can tell.
Do you have a simple test that reproduces the "bug"?
Using SAML Tracer in Firefox shows that transient is sent regardless of the type of NameID specified in the handler-parameter.
Did you search to see whether the "bug" is already fixed?
I did my best
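The two observations in this report (the AuthnRequest carrying a transient NameIDPolicy instead of the configured entity format, and the IdP Response arriving without any Assertion, which is what PLFED000132 complains about) can be confirmed from the decoded messages without a browser plug-in. The following is an added diagnostic script, not PicketLink or JBoss code and not part of the original issue; it inspects a decoded SAML 2.0 AuthnRequest or Response, reports the NameID format it carries and whether a Response actually contains an assertion, and flags a mismatch against the format the SP is supposed to request. The sample messages are constructed for the example; `decode_post_binding` assumes the HTTP-POST binding (plain base64, no DEFLATE).

```python
"""Inspect decoded SAML 2.0 messages for NameID format and assertion presence.

Added diagnostic example; not PicketLink code. Sample messages below are constructed.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_post_binding(field_value: str) -> str:
    """The SAMLRequest / SAMLResponse form field of the HTTP-POST binding is plain base64."""
    return base64.b64decode(field_value).decode("utf-8")


def inspect(xml_text: str) -> dict:
    """Return message kind, NameID format(s), assertion count and status for one message."""
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}")[-1]  # strip the namespace: AuthnRequest or Response
    info = {"kind": kind, "nameid_formats": [], "assertion_count": 0, "status": None}
    if kind == "AuthnRequest":
        # The SP states the NameID format it wants in NameIDPolicy/@Format.
        policy = root.find("samlp:NameIDPolicy", NS)
        if policy is not None and policy.get("Format"):
            info["nameid_formats"].append(policy.get("Format"))
    elif kind == "Response":
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        info["status"] = code.get("Value") if code is not None else None
        assertions = root.findall("saml:Assertion", NS)
        # Encrypted assertions count as present even though we cannot read their NameID here.
        info["assertion_count"] = len(assertions) + len(root.findall("saml:EncryptedAssertion", NS))
        for a in assertions:
            nid = a.find("saml:Subject/saml:NameID", NS)
            if nid is not None:
                info["nameid_formats"].append(nid.get("Format") or "unspecified")
    return info


def findings(xml_text: str, expected_format: str) -> list:
    """Human-readable list of mismatches; empty when the message looks as configured."""
    info = inspect(xml_text)
    out = []
    for fmt in info["nameid_formats"]:
        if fmt != expected_format:
            out.append(f"{info['kind']}: NameID format {fmt} does not match expected {expected_format}")
    if info["kind"] == "Response":
        if info["status"] != SUCCESS:
            out.append(f"Response: status {info['status']}")
        if info["assertion_count"] == 0:
            out.append("Response: no Assertion or EncryptedAssertion present")
    return out


# Constructed sample messages (not captured traffic).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">acustomer.war</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""

EMPTY_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2013-01-01T00:00:01Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    for msg in (AUTHN_REQUEST, EMPTY_RESPONSE):
        print(inspect(msg))
        for f in findings(msg, ENTITY):
            print(" -", f)
```

Run it against the SAMLRequest the SP posts to the IdP and the SAMLResponse that comes back (both decoded with `decode_post_binding`); for a configuration that asks for the entity format, `findings(msg, ENTITY)` should be empty for the request and, on a successful login, report a populated assertion for the response.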