Digitaliser.dk

OIOSAML

oiosaml.java 9352

Responsible: Brian Graversen
Version: 9352 - Published: 01.12.2011 14:53
Type: Software

NOTICE: A newer version of OIOSAML.JAVA has been released: OIOSAML.JAVA 9914

------------

This release contains a security fix for a vulnerability found in the XML Encryption standard.

Version 9352 of OIOSAML.Java attempts to prevent this attack by hiding the details of errors from the end user. The full error details are still accessible in the log files.

For debugging/testing purposes, it is possible to show all error messages in the browser as normal, by enabling this with the following new setting.

oiosaml-sp.showerror=[true|false]
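
A pre-deployment check for this setting, as an added example that is not part of OIOSAML.Java or of the original release notes. It goes beyond `oiosaml-sp.showerror` and also flags the two troubleshooting values quoted in the discussion further down this page; the sample configuration is constructed, and only explicitly set values are reported.

```python
import re

# Settings named on this page and the value each has when relaxed for testing.
RELAXED = {
    "oiosaml-sp.showerror":
        ("true", "release notes: full error details are shown in the browser"),
    "oiosaml-sp.encryption.force":
        ("false", "value suggested in the discussion while troubleshooting"),
    "oiosaml-sp.assurancelevel":
        ("0", "value suggested in the discussion while troubleshooting"),
}

# Java .properties lines separate key and value with '=', ':' or whitespace;
# this page uses both 'key=value' and 'key : value'.
_LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:\s]\s*(.*?)\s*$")

def parse_properties(text):
    """Parse simple single-line properties; the last occurrence of a key wins."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def audit(text):
    """Return (key, value, note) for each setting explicitly left relaxed."""
    props = parse_properties(text)
    findings = []
    for key, (relaxed_value, note) in RELAXED.items():
        value = props.get(key)
        if value is not None and value.lower() == relaxed_value:
            findings.append((key, value, note))
    return findings

# Constructed sample: a configuration carried over from a debugging session.
SAMPLE = """\
# SP configuration (constructed)
oiosaml-sp.showerror=true
oiosaml-sp.encryption.force : false
oiosaml-sp.assurancelevel: 0
"""

if __name__ == "__main__":
    for key, value, note in audit(SAMPLE):
        print(f"{key}={value}  ({note})")
```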


Upgrade Instructions

This version of OIOSAML.Java can be installed on top of the previous version of OIOSAML.Java, so upgrading is as simple as replacing the JAR file.

More information

License
  • Mozilla Public License version 1.1
Operating system
  • All platforms
Programming language
  • Java
Producer(s)
  • Digitaliseringsstyrelsen
  • Trifork A/S
Unique id:
558455

Artifacts

Files and references
Title Type
oiosaml.java-9352.zip application/octet-stream

Posts on this resource

New version 9918 has just been released

Brian Nielsen - 25.04.2012 16:11

thinktecture identity server integration

Antonello Parente - 16.02.2012 14:27

Hi all,
OIOSaml.java client framework supports SAML 2.0. 

Identity Server supports SAML 2.0. (http://identityserver.codeplex.com/)
Has anyone tried to integrate the two? It would be very interesting to have a Java web application federated with the Identity Server IdP.

Unfortunately I have not found documentation on the net on how to proceed.
Have any of you tried? With what results?

thanks

Comments (5)

Comment 1
Brian Nielsen - 16.02.2012 14:48

Hi Antonello

The short version: yes, I expect them to play together nicely, no I have not tried it :-)

The main point with using (OIO)SAML v2.0 is interoperability and OIOSAML is in compliance with that. That said, the specific profiling like in OIOSAML might not be 'tickbox supported' but being a codeplex project it should be possible to get there. I would be very interested in hearing anyone trying it out.

As a note the current OIOSAML-based IdPs we have in government "Nem Log-In" and "Virk.dk BRS-login" are both Java based, whereas the next version that'll consolidate these will be .NET based - but probably not based on the codeplex project.

Best regards
Brian 

Comment 2
Antonello Parente - 16.02.2012 17:55

Hello Brian,


I installed thinktecture IdentityServer and I federated my .Net web applications without problems. 
I tried to federate the demo of OIOSAML SP (oiosaml.java-demo).

Using configuration wizard

1) I configured the application by entering IdP's file metadata.xml

2) I imported IdP certificate in my truststore.

3) I created my self-signed certificate

4) I added OIO SP as IdentityServer relying party


login but returns this error:

"Request failed

The request failed. The reason is:

Unable to validate SAML message!"

Stacktrace:

2012-02-16 17:45:06,073 [ERROR] OIOSAML_AUDIT_LOGGER - Dispatch:login <-- null null '' '' 'null'
java.lang.NullPointerException
at dk.itst.oiosaml.sp.service.LoginHandler.handleGet(LoginHandler.java:67)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:143)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:317)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:204)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:311)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)

[2012-02-16 17:45:06.078] [ERROR] ["http-bio-8080"-exec-7] [dk.itst.oiosaml.sp.service.DispatcherServlet] Unable to validate Response
java.lang.NullPointerException
at dk.itst.oiosaml.sp.service.LoginHandler.handleGet(LoginHandler.java:67)
at dk.itst.oiosaml.sp.service.DispatcherServlet.doGet(DispatcherServlet.java:143)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:317)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:204)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:311)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)

What is going wrong?

Best Regards

Antonello

Comment 3
Brian Nielsen - 16.02.2012 19:02

Hi Antonello

Hard to tell, can I see the metadata files? The best information you can provide are the actual HTTP requests (presumed):

* HTTP Redirect for AuthnRequest to IdP
* HTTP POST for Response to SP

Capture it with e.g. Tamper Data or Fiddler. Have you cranked up logging to 'debug'?

Also check these configuration options

oiosaml-sp.encryption.force : false
oiosaml-sp.assurancelevel: 0

Best regards
Brian 

Comment 4
Antonello Parente - 17.02.2012 09:28

Hi Brian,
I am not redirected to the IdP; when I click on the login link I get the error messages that you can read in the previous post.

I inserted the configurations that you suggested, but it still does not work.

The file metadata.xml is the default for IdentityServer.
I think the problem is in this file.

Regards

Antonello

Comment 5
Brian Nielsen - 17.02.2012 10:40

Hi Antonello

From reading the metadata file it's obviously very WS-Federation based though written in a SAML Metadata file. OIOSAML only supports SAML and for such information is missing, you can see in the example IdP-metadata file, for start a SingleSignOnService like in:

<md:SingleSignOnService Location="https://saml-idp.trifork.com:9031/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

embedded in an IDPSSODescriptor section

<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

Don't know if the identityserver supports generating this or you have to do it handheld presuming that it does in fact support the protocol/bindings and not just the tokens (Assertions) as such.

Brgds Brian
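
The check described in the reply above, as an added example that is not part of the thread or of OIOSAML.Java: it verifies that an IdP metadata document contains an IDPSSODescriptor for the SAML 2.0 protocol with an HTTP-Redirect SingleSignOnService. Both sample documents and the entityID are constructed; the first wraps the two elements quoted in the reply.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_idp_metadata(xml_text):
    """List what is missing for an SP to send an AuthnRequest by HTTP redirect."""
    # Assumes a metadata file the operator saved locally, not attacker-supplied XML.
    root = ET.fromstring(xml_text)
    idps = list(root.iter(f"{{{MD}}}IDPSSODescriptor"))
    if not idps:
        found = sorted({child.tag.split("}")[-1] for child in root})
        return [f"no IDPSSODescriptor (top-level elements found: {found})"]
    problems = []
    for idp in idps:
        if SAML2 not in idp.get("protocolSupportEnumeration", "").split():
            problems.append("IDPSSODescriptor does not list the SAML 2.0 protocol")
        services = idp.findall(f"{{{MD}}}SingleSignOnService")
        redirect = [s for s in services if s.get("Binding") == REDIRECT]
        if not redirect:
            problems.append("no SingleSignOnService with the HTTP-Redirect binding")
        elif not all(s.get("Location") for s in redirect):
            problems.append("SingleSignOnService without a Location")
    return problems

# Constructed sample 1: the two elements quoted in the reply, wrapped in an
# EntityDescriptor (the entityID is a placeholder).
SAML_IDP = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
    <md:SingleSignOnService Location="https://saml-idp.trifork.com:9031/idp/SSO.saml2"
                            Binding="{REDIRECT}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample 2: WS-Federation style metadata with no SAML IdP role.
WSFED = "http://docs.oasis-open.org/wsfed/federation/200706"
WSFED_ONLY = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.test/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="{WSFED}" xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="{WSFED}"/>
</EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("SAML IdP", SAML_IDP), ("WS-Federation only", WSFED_ONLY)):
        print(name, "->", check_idp_metadata(doc) or "ok")
```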

Versions
Version Date
9918 25.04.2012 11:28
9914 11.04.2012 14:10
9352 (selected) 01.12.2011 14:53
8501 16.08.2011 13:25
8330 03.08.2011 09:44
5922 25.11.2010 09:43
5681 14.09.2010 13:56
5645 06.09.2010 10:40
5546 03.09.2010 13:25
5354 03.09.2010 13:22
5272 03.09.2010 13:20
5076 03.09.2010 13:10
4544 03.09.2010 13:06
4540 03.09.2010 13:03
4340 03.09.2010 12:59
4249 03.09.2010 12:56
4195 03.09.2010 11:28
4141 03.09.2010 11:26
4126 03.09.2010 11:23
3988 03.09.2010 11:18
3862 03.09.2010 11:15
3747 03.09.2010 11:13
3196 03.09.2010 10:57
11442 10.02.2014 10:55
11330 21.10.2013 09:58
11220 06.09.2013 09:21
11147 18.07.2013 15:55

Digitaliseringsstyrelsen