I have set up a federation using spring-saml. SSO process is working fine, but I have an issue with single log out.
Problem #1 is that after I make a call from my SP to saml/logout it logs out from Idp, also from my SP, but it does not redirect to Idp login page.
Prolblem #2 is that when I have others SP involved in process with my SP, somehow my SP break chain and it it leads others SP to my SP logout page, and not Idp log out page.
This is my configuration:
@Bean
public MethodInvokingFactoryBean socketFactoryInitialization() {
MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
methodInvokingFactoryBean.setTargetClass(Protocol.class);
methodInvokingFactoryBean.setTargetMethod("registerProtocol");
Object[] args = {"https", socketFactoryProtocol()};
methodInvokingFactoryBean.setArguments(args);
return methodInvokingFactoryBean;
}
@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
webSSOProfileOptions.setIncludeScoping(false);
return webSSOProfileOptions;
}
// Entry point to initialize authentication, default values taken from
// properties file
@Bean
public SAMLEntryPoint samlEntryPoint() {
SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
return samlEntryPoint;
}
// Setup advanced info about metadata
@Bean
public ExtendedMetadata extendedMetadata() {
ExtendedMetadata extendedMetadata = new ExtendedMetadata();
extendedMetadata.setIdpDiscoveryEnabled(false);
extendedMetadata.setSignMetadata(true);
return extendedMetadata;
}
// IDP Discovery Service
@Bean
public SAMLDiscovery samlIDPDiscovery() {
SAMLDiscovery idpDiscovery = new SAMLDiscovery();
idpDiscovery.setIdpSelectionPath("/saml/idpSelection");
return idpDiscovery;
}
@Bean
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider()
throws MetadataProviderException {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource resource = loader.getResource("classpath:/saml/idp.xml");
FilesystemMetadataProvider fileSystemMetaDataProvider = null;
try {
fileSystemMetaDataProvider = new FilesystemMetadataProvider(resource.getFile());
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
fileSystemMetaDataProvider.setParserPool(parserPool());
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(fileSystemMetaDataProvider, extendedMetadata());
extendedMetadataDelegate.setMetadataTrustCheck(false);
extendedMetadataDelegate.setMetadataRequireSignature(false);
return extendedMetadataDelegate;
}
// IDP Metadata configuration - paths to metadata of IDPs in circle of trust
// is here
// Do no forget to call iniitalize method on providers
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
providers.add(ssoCircleExtendedMetadataProvider());
return new CachingMetadataManager(providers);
}
// Filter automatically generates default SP metadata
@Bean
public MetadataGenerator metadataGenerator() {
log.debug("Application Base URL: " + env.getProperty("applicationBaseURL"));
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setBindingsSLO(Arrays.asList("Redirect", "POST"));
metadataGenerator.setRequestSigned(false);
metadataGenerator.setEntityId(env.getProperty("applicationBaseURL"));
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
String url = env.getProperty("applicationBaseURL");
metadataGenerator.setEntityBaseURL(url);
return metadataGenerator;
}
// The filter is waiting for connections on URL suffixed with filterSuffix
// and presents SP metadata there
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
return new MetadataDisplayFilter();
}
// Handler deciding where to redirect user after successful login
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler =
new SavedRequestAwareAuthenticationSuccessHandler();
successRedirectHandler.setDefaultTargetUrl("/#/login");
return successRedirectHandler;
}
// Handler deciding where to redirect user after failed login
@Bean
public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
SimpleUrlAuthenticationFailureHandler failureHandler =
new SimpleUrlAuthenticationFailureHandler();
failureHandler.setUseForward(true);
failureHandler.setDefaultFailureUrl("/#/error");
return failureHandler;
}
@Bean
public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter();
samlWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager());
samlWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
return samlWebSSOHoKProcessingFilter;
}
// Processing filter for WebSSO profile messages
@Bean
public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
return samlWebSSOProcessingFilter;
}
@Bean
public MetadataGeneratorFilter metadataGeneratorFilter() {
return new MetadataGeneratorFilter(metadataGenerator());
}
// Handler for successful logout
@Bean
public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
return successLogoutHandler;
}
// Logout handler terminating local session
@Bean
public SecurityContextLogoutHandler logoutHandler() {
SecurityContextLogoutHandler logoutHandler =
new SecurityContextLogoutHandler();
logoutHandler.setInvalidateHttpSession(true);
logoutHandler.setClearAuthentication(true);
return logoutHandler;
}
// Filter processing incoming logout messages
// First argument determines URL user will be redirected to after successful
// global logout
@Bean
public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
}
// Overrides default logout processing filter with the one processing SAML
// messages
@Bean
public SAMLLogoutFilter samlLogoutFilter() {
return new SAMLLogoutFilter(successLogoutHandler(),
new LogoutHandler[] { logoutHandler() },
new LogoutHandler[] { logoutHandler() });
}
// Bindings
private ArtifactResolutionProfile artifactResolutionProfile() {
final ArtifactResolutionProfileImpl artifactResolutionProfile =
new ArtifactResolutionProfileImpl(httpClient());
artifactResolutionProfile.setProcessor(new SAMLProcessorImpl(soapBinding()));
return artifactResolutionProfile;
}
@Bean
public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
return new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile());
}
@Bean
public HTTPSOAP11Binding soapBinding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPPostBinding httpPostBinding() {
return new HTTPPostBinding(parserPool(), velocityEngine());
}
@Bean
public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
return new HTTPRedirectDeflateBinding(parserPool());
}
@Bean
public HTTPSOAP11Binding httpSOAP11Binding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPPAOS11Binding httpPAOS11Binding() {
return new HTTPPAOS11Binding(parserPool());
}
This are my logs:
22:08:45.062 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.064 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.065 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.066 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://ift.tt/13AsMgt'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://ift.tt/WaZf9B'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://ift.tt/1pbdJzG'
22:08:45.070 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://ift.tt/1EHe9Ho
22:08:45.070 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://ift.tt/1EHe9Ho
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
22:08:45.071 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Deflating and Base64 encoding SAML message
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Marshalling message
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Building URL to redirect client to
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generating signature with key type 'RSA', algorithm URI 'http://ift.tt/zf1Wx4' over query string 'SAMLRequest=nZLbbtswDIbv9xSGbgvH8iG2I8QuWgQFjHVblrQF2jtaphMBtpSZctfHr5wsQ3dAge1GEAjyI%2F%2BfXF6%2B9J33jAMpowsWzjjzUEvTKL0r2P3djZ%2Bzy%2FLDkqDvooO4NTsz2g1%2BG5Gst3KP0mCPpXtrDySCAKQ0o7bkN%2Fg8%2B461ND3h4DrM3E8kSRy0RCaoVuttZzbYqAGlDXq0cNUpoMCVBao5MK9aFQwWKYZJmiDupIQ4rVOeIs%2F2ebpo3KQV0YiVJgvaFizi4dznsc%2BjuygUPBfJfMaz8Il5D2d90aTPKdYkTooKNg5aGCBFQkOPJKwU26tPt8KlisNgrJGmY%2BXJAHFsOLwlvA8Actonf1g5%2BePs6YyEbm%2FIipznPFgGb8HnNp8dqFp5N2bowb7fYYqoxm%2BPqcIOoEmhtsybGF9H6FSrcPjX9TBvu%2F4L4M%2F52X95ET%2FWLWYXcv1xk0WL6%2Fsv%2Bb6zPYYXa5WeHTl5UJ4vb4s0rbDSDb6UFKVtDUku87iGOosQQpnEnMdNNk9CcOwsalE2PPxB%2B63%2BZ%2FSXey5fAQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1'
22:08:45.075 [DEBUG] o.o.x.s.SigningUtil - Computing signature over input using private key of type RSA and JCA algorithm ID SHA1withRSA
22:08:45.103 [DEBUG] o.o.x.s.SigningUtil - Computed signature: 2b169f61974c194392a165a727652977da7847dd011e46acf69f57372ee3e680953fa12a27b0611b658f020104dfa5a4e6edec36cbb02a4eaa68f490b5cc40a940d36792fea9c96e4e334e0d1ce4a7d41dcdf8590b8557805cd752aebd01e59d5575f6b55ab804e381a71c46523ff5cd72a3e783a31c008cc4a350a8348aaec161928344c286c96b3dffbec05d2652db602d4501c086cdc21896ee67125da4774795507ecd8e1e0fbdd76febefd5313d15d784f832b083ceed40b45e452daedeb732e81911e7e3319aa2af9a0c22fa4bfcf21c92ac35cb204f3a478d7ef5e8d52fc0bfe2ca21877c66f7cf3240b896eef3155ca3972a78fefd20341ee0db6f41
22:08:45.103 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generated digital signature value (base64-encoded) KxafYZdMGUOSoWWnJ2Upd9p4R90BHkas9p9XNy7j5oCVP6EqJ7BhG2WPAgEE36Wk5u3sNsuwKk6qaPSQtcxAqUDTZ5L+qcluTjNODRzkp9QdzfhZC4VXgFzXUq69AeWdVXX2tVq4BOOBpxxGUj/1zXKj54OjHACMxKNQqDSKrsFhkoNEwobJaz3/vsBdJlLbYC1FAcCGzcIYlu5nEl2kd0eVUH7Njh4Pvddv6+/VMT0V14T4MrCDzu1AtF5FLa7etzLoGRHn4zGaoq+aDCL6S/zyHJKsNcsgTzpHjX716NUvwL/iyiGHfGb3zzJAuJbu8xVco5cqeP79IDQe4NtvQQ==
22:08:45.105 [DEBUG] PROTOCOL_MESSAGE -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
Destination="http://ift.tt/1B3Gjta"
ID="a96e1464eegcca36b606e07h869d0"
IssueInstant="2015-03-02T21:08:45.071Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/</saml2:Issuer>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="http://ift.tt/1EHe9Ho"
SPNameQualifier="http://localhost:8080/" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">3Ybfe7+cPKR729BUO8hltme1+Pi6</saml2:NameID>
<saml2p:SessionIndex>s26fba48c83bab72ea1c43003d7541afe772fecd01</saml2p:SessionIndex>
</saml2p:LogoutRequest>
22:08:45.105 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Successfully encoded message.
22:08:46.345 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.347 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.348 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.349 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://ift.tt/13AsMgt'
22:08:46.351 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://ift.tt/WaZf9B'
22:08:46.352 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://ift.tt/1pbdJzG'
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded RelayState: null
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Base64 decoding and inflating SAML message
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Parsing message stream into DOM document
22:08:46.355 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Unmarshalling message DOM
22:08:46.356 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Message succesfully unmarshalled
22:08:46.357 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded SAML message
22:08:46.357 [DEBUG] o.o.s.b.d.BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
22:08:46.358 [DEBUG] PROTOCOL_MESSAGE -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse
Destination="http://localhost:8080//saml/SingleLogout"
ID="s8ce9d2c8fd0758d2755ed7256479469b8c686665"
InResponseTo="a96e1464eegcca36b606e07h869d0"
IssueInstant="2015-03-02T21:08:45Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://ift.tt/1EHe9XG;
<samlp:Status
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
</samlp:StatusCode>
</samlp:Status>
</samlp:LogoutResponse>
22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
22:08:46.358 [INFO] o.o.c.b.s.SAMLProtocolMessageXMLSignatureSecurityPolicyRule - SAML protocol message was not signed, skipping XML signature processing
22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Successfully decoded message.
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Intended message destination endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Actual message receiver endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
22:08:48.145 [DEBUG] c.c.c.s.Http401UnauthorizedEntryPoint - Pre-authenticated entry point called. Rejecting access
Can somebody help me set my configuration
Thanks
Aucun commentaire:
Enregistrer un commentaire