Update our SAML authentication code to use IDP 3 flows
Closed this issue · 11 comments
In our IDP3 we use the old IDP2 filters to do SAML authentication. But IDP3 has a flow specially developed for this. There are cases when our old integration led to errors. In some circumstances a person does not get the login form because we are not initializing the flow properly.
saml-test-sp, Shib IDP v3.3 in gluu-server v3.1.0:
2017-09-02 06:07:23,580 - INFO [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:193] - RemoteUserAuthServlet will process REMOTE_USER, along with attributes [] and headers []
2017-09-02 06:10:31,179 - INFO [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:82] - Profile Action FilterFlowsByForcedAuthn: No potential authentication flows remain after filtering
2017-09-02 06:10:31,182 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:271] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed
2017-09-02 06:10:31,376 - INFO [Shibboleth-Audit.SSO:241] - 20170902T061031Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|a5c9f425e80e553g38c293cc8f0be0j|https://ce.gluu.info:18443/saml-test-sp/saml/metadata|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ce.gluu.info/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_d95aa586b0f9f98dc51a23affb5640f8||||||
I've reproduced the problem in gluu-server v3.0.2 with default installation settings.
Error when trying to SSO with Google
https://IDP_GLUU/idp/Authn/RemoteUser?conversation=e1s1
HTTP ERROR 500
Problem accessing /idp/Authn/RemoteUser. Reason:
Server Error
Caused by:
java.lang.NoClassDefFoundError: edu/internet2/middleware/shibboleth/idp/util/HttpServletHelper
at org.gluu.oxauth.client.authentication.AuthenticationFilter.getOAuthRedirectUrl(AuthenticationFilter.java:162)
at org.gluu.oxauth.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:99)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
at net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:61)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
2017_09_05.stderrout.log
jetty-9.3/temp/jetty-localhost-8086-idp.war-_idp-any-2820633897798931430.dir/webapp/,AVAILABLE}{/idp.war}
2017-09-05 00:43:09.092:INFO:oejs.AbstractConnector:main: Started ServerConnector@5c156cfe{HTTP/1.1,[http/1.1]}{localhost:8086}
2017-09-05 00:43:09.092:INFO:oejs.Server:main: Started @10987ms
2017-09-05 02:36:24.697:WARN:oejs.ServletHandler:qtp274064559-18: Error for /idp/Authn/RemoteUser
java.lang.NoClassDefFoundError: edu/internet2/middleware/shibboleth/idp/util/HttpServletHelper
at org.gluu.oxauth.client.authentication.AuthenticationFilter.getOAuthRedirectUrl(AuthenticationFilter.java:162)
at org.gluu.oxauth.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:99)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:72)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
at net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:61)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
"No potential flows left to choose from, authentication failed" - Fixed.
"HTTP ERROR 500" - Fixed.
I found the problem. oxAuth should call back with CONVERSATION_KEY, the GET parameter "conversation".
https://ce.gluu.info/idp/profile/SAML2/POST/SSO?execution=e1s1
https://ce.gluu.info/idp/Authn/RemoteUser?conversation=e1s1
IDP v3.3.1 tracks the flow with this key. Shib IDP does not add this CONVERSATION_KEY to the session, for some reason; it just inserts it into the redirection URLs.
CONVERSATION_KEY - fixed.
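The round-trip described in the comment above, as an added illustration that is not the Gluu filter's own (Java) code: the IdP hands the external-authentication filter a `/idp/Authn/RemoteUser?conversation=e1s1` URL, the filter redirects to oxAuth, and when oxAuth calls back the filter must send the browser to `/idp/Authn/RemoteUser` with the same `conversation` value or the IdP cannot resume the flow. Because the IdP does not keep the key in the session, this sketch stores it server-side under the OAuth `state` value; that mapping, the oxAuth authorize endpoint path, the callback path, the client id and the `e<n>s<n>` shape check on the key are all assumptions made for the example, not details taken from the issue or from Gluu's implementation.

```python
import re
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for this example (not taken from the original issue).
IDP_BASE = "https://ce.gluu.info/idp"
OXAUTH_AUTHORIZE = "https://ce.gluu.info/oxauth/restv1/authorize"  # assumed path
CALLBACK_URL = f"{IDP_BASE}/Authn/oxAuth/callback"                   # hypothetical path
CLIENT_ID = "example-client-id"                                      # constructed
CONVERSATION_KEY = "conversation"   # the GET parameter the IdP resumes on
# Assumed shape of a Spring Web Flow execution key such as "e1s1"; rejecting
# anything else keeps an attacker-supplied value out of the redirect we build.
CONVERSATION_RE = re.compile(r"^e\d+s\d+$")

# Pending logins keyed by OAuth state. A servlet filter would keep this in the
# HTTP session; the point is that the filter, not the IdP, must remember the key.
_pending: dict[str, str] = {}


def query_param(url: str, name: str):
    """Return the first value of query parameter `name` in `url`, or None."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def build_oauth_redirect(remote_user_url: str) -> str:
    """Given the IdP's /Authn/RemoteUser URL, return the oxAuth authorization
    URL. The conversation key is parked under a fresh `state` so that the
    callback can find it again."""
    conv = query_param(remote_user_url, CONVERSATION_KEY)
    if conv is None or not CONVERSATION_RE.match(conv):
        raise ValueError("missing or malformed conversation key")
    state = secrets.token_urlsafe(16)
    _pending[state] = conv
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": "openid",
        "state": state,
    }
    return f"{OXAUTH_AUTHORIZE}?{urlencode(params)}"


def handle_callback(callback_url: str) -> str:
    """On the oxAuth callback, resolve `state` back to the conversation key and
    return the RemoteUser URL the browser must be sent to. The state entry is
    consumed so a replayed callback cannot resume the flow twice."""
    q = parse_qs(urlsplit(callback_url).query)
    state = q.get("state", [None])[0]
    conv = _pending.pop(state, None) if state is not None else None
    if conv is None:
        raise ValueError("unknown or replayed state")
    if "code" not in q:
        raise ValueError("callback carried no authorization code")
    return f"{IDP_BASE}/Authn/RemoteUser?{urlencode({CONVERSATION_KEY: conv})}"


if __name__ == "__main__":
    start = f"{IDP_BASE}/Authn/RemoteUser?conversation=e1s1"
    authz = build_oauth_redirect(start)
    print("redirect to oxAuth:", authz)
    # Simulate oxAuth calling back with a code and the same state.
    cb = f"{CALLBACK_URL}?code=constructed-code&state={query_param(authz, 'state')}"
    print("resume IdP flow at:", handle_callback(cb))
```

Without the `conversation` value on the final redirect the IdP has no way to tie the returning browser to the Spring Web Flow execution it suspended, which is exactly the symptom in the comment; the example also shows the two checks a filter should do around that key (validate its shape before echoing it into a URL, and consume the state entry on use).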
Alex Samuseu: That error is gone, but it still fails, now resulting in an AuthnFailed SAML response to the SP all the time
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
</saml2p:StatusCode>
AuthnFailed - fixed.
TODO:
1 - get the right username from the oxauth-client API
2 - check attribute release
attribute - OK
All OK.