
oiosaml.java 9352


NOTICE: A newer version of OIOSAML.JAVA has been released: OIOSAML.JAVA 9914

------------

This release contains a security fix for a vulnerability found in the XML Encryption standard.

Version 9352 of OIOSAML.Java attempts to prevent this attack by hiding the details of errors from the end user. The full error details are still accessible in the log files.

For debugging/testing purposes, all error messages can be shown in the browser as before by enabling the following new setting:

oiosaml-sp.showerror=[true|false]


Upgrade Instructions

This version of OIOSAML.Java can be installed on top of the previous version of OIOSAML.Java, so upgrading is as simple as replacing the JAR file.

Files and references

Title Type
oiosaml.java-9352.zip application/octet-stream

New version 9918 has just been released

Brian Nielsen


thinktecture identity server integration

Antonello Parente

Hi all,
OIOSaml.java client framework supports SAML 2.0.

Identity Server supports SAML 2.0. (http://identityserver.codeplex.com/)
Has anyone tried to integrate the two? It would be very interesting to have a Java web application federated with the Identity Server IdP.

Unfortunately I have not found documentation on the net on how to proceed.
Have some of you tried? With what results?

thanks

Hi Antonello

The short version: yes, I expect them to play together nicely, no I have not tried it :-)

The main point of using (OIO)SAML v2.0 is interoperability, and OIOSAML is in compliance with that. That said, the specific profiling in OIOSAML might not be 'tickbox supported', but being a codeplex project it should be possible to get there. I would be very interested in hearing from anyone trying it out.

As a note, the current OIOSAML-based IdPs we have in government, "Nem Log-In" and "Virk.dk BRS-login", are both Java based, whereas the next version that'll consolidate these will be .NET based - but probably not based on the codeplex project.

Best regards
Brian 

Hello Brian,


I installed thinktecture IdentityServer and I federated my .Net web applications without problems.
I tried to federate the demo of OIOSAML SP (oiosaml.java-demo).

Using the configuration wizard:

1) I configured the application by entering the IdP's metadata.xml file

2) I imported the IdP certificate into my truststore.

3) I created my self-signed certificate

4) I added the OIO SP as an IdentityServer relying party

I log in, but it returns this error:

"Request failed

The request failed. The reason is:

Unable to validate SAML message!"

Stacktrace:

2012-02-16 17:45:06,073 [ERROR] OIOSAML_AUDIT_LOGGER - Dispatch:login <-- null null '' '' 'null'
java.lang.NullPointerException
at dk.itst.oiosaml.sp.service.LoginHandler.handleGet(LoginHandler.java:67)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:143)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:317)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:204)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:311)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)

[2012-02-16 17:45:06.078] [ERROR] ["http-bio-8080"-exec-7] [dk.itst.oiosaml.sp.service.DispatcherServlet] Unable to validate Response
java.lang.NullPointerException
at dk.itst.oiosaml.sp.service.LoginHandler.handleGet(LoginHandler.java:67)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:143)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:317)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:204)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:311)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)

What is going wrong?

Best Regards

Antonello

Hi Antonello

Hard to tell, can I see the metadata files? The best information you can provide are the actual HTTP requests (presumed):

* HTTP Redirect for AuthnRequest to IdP
* HTTP POST for Response to SP

Capture them with e.g. TamperData or Fiddler. Have you cranked up logging to 'debug'?

Also check these configuration options:

oiosaml-sp.encryption.force : false
oiosaml-sp.assurancelevel: 0

Best regards
Brian 

Hi Brian,
I am not redirected to the IdP; when I click on the login link I get the error messages that you can read in the previous post.

I inserted the configuration you suggested, but it still does not work.

The file metadata.xml is the default for IdentityServer.
I think the problem is in this file.

Regards

Antonello

Hi Antonello

From reading the metadata file, it's obviously very WS-Federation based, though written as a SAML metadata file. OIOSAML only supports SAML, and for that the required information is missing; you can see in the example IdP metadata file, for a start, a SingleSignOnService like in:

embedded in an IDPSSODescriptor section

I don't know whether IdentityServer supports generating this or you have to do it by hand, presuming that it does in fact support the protocol/bindings and not just the tokens (Assertions) as such.

Brgds Brian

edited by Brian Nielsen (17.02.2012)
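As an added diagnostic (not part of OIOSAML.java or of the thread), a small Python check for the two things Brian points at: whether the IdP metadata has an IDPSSODescriptor at all, and whether that descriptor has a SingleSignOnService with an HTTP-Redirect or HTTP-POST binding. Both sample metadata documents and the entity IDs in them are constructed.

```python
"""Check that SAML 2.0 IdP metadata has what an OIOSAML SP needs to start
a login: an IDPSSODescriptor with a usable SingleSignOnService endpoint.
Added example, not part of OIOSAML.java; sample metadata is constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: WS-Federation-style metadata wrapped in a SAML
# EntityDescriptor, i.e. a RoleDescriptor but no IDPSSODescriptor.
WSFED_STYLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/">
  <md:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
</md:EntityDescriptor>"""

# Constructed sample: plain SAML 2.0 IdP metadata with the endpoint OIOSAML expects.
SAML_STYLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_endpoints(metadata_xml):
    """Return [(binding, location)] for every SingleSignOnService under an IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return [(sso.get("Binding"), sso.get("Location"))
            for idp in root.findall(".//md:IDPSSODescriptor", NS)
            for sso in idp.findall("md:SingleSignOnService", NS)]


def check_idp_metadata(metadata_xml):
    """Return a list of problems an OIOSAML SP would hit; an empty list means usable."""
    root = ET.fromstring(metadata_xml)
    if not root.findall(".//md:IDPSSODescriptor", NS):
        return ["no IDPSSODescriptor: WS-Federation RoleDescriptor only, not a SAML 2.0 IdP"]
    bindings = {binding for binding, _ in sso_endpoints(metadata_xml)}
    if not bindings & {REDIRECT, POST}:
        return ["IDPSSODescriptor has no SingleSignOnService with HTTP-Redirect or HTTP-POST binding"]
    return []


if __name__ == "__main__":
    for name, doc in (("WS-Fed style", WSFED_STYLE), ("SAML style", SAML_STYLE)):
        print(name, "->", check_idp_metadata(doc) or "OK")
```

Run it against the metadata.xml exported from the IdP instead of the constructed samples; an empty list for the first check still says nothing about signing certificates or the encryption/assurance-level settings mentioned earlier in the thread.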