Hi Malithi,

Thanks for the suggestion. I wrapped the relevant parameters mentioned in
the following endpoint [1], as per the offline discussion, and directly
invoked the Java API [2] instead of forwarding the wrapper object to the
common auth endpoint. Now I get a different error [3].

[1]
*/commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}*

[2]
https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java#L131

[3]

[2018-01-19 00:10:36,771] DEBUG
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
-  retrieving authentication request from cache..
[2018-01-19 00:10:36,772] ERROR
{org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
-  Exception in Authentication Framework
org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException:
Invalid authentication request. Session data key :
23b80283629e8b46fff6978874f46cf34664c78abd168d9d47dff7031dffde7e
    at
org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:111)
    at
org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:46)
    at
org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:37)
    at
org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.initiateLogRequest(SAML2FederatedLogoutRequestHandler.java:139)
    at
org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.doPost(SAML2FederatedLogoutRequestHandler.java:82)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at
org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at
org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at
org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at
org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at
org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at
org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at
org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at
org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
    at
org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
    at
org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
    at
org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at
org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at
org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
    at
org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at
org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at
org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
    at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at
org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
    at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
    at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

Appreciate your input on this.

Thanks,
Kanapriya

Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail : - [email protected]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc.
lean . enterprise . middleware
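An added illustration of the wrap-and-invoke-directly pattern discussed in this thread (example code written for this page, not the saml-sso-outbound code linked above nor WSO2's own CommonAuthRequestWrapper/CommonAuthResponseWrapper). It uses only the standard javax.servlet wrapper classes; the `FrameworkEntryPoint` interface, the `logoutViaFramework` method and the `SESSION_PARAM` name are assumptions standing in for the framework's real entry point and for the parameter carrying the session id, which the thread does not name.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public final class FederatedLogoutExample {

    /** Request wrapper that overlays the commonauth logout parameters on the incoming IdP request. */
    static final class LogoutRequestWrapper extends HttpServletRequestWrapper {
        private final Map<String, String[]> params = new HashMap<>();

        LogoutRequestWrapper(HttpServletRequest request) {
            super(request);
            params.putAll(request.getParameterMap());
        }

        void setParameter(String name, String value) {
            params.put(name, new String[] { value });
        }

        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        @Override public String[] getParameterValues(String name) {
            return params.get(name);
        }

        @Override public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(params);
        }
    }

    /** Response wrapper that records a redirect instead of committing it, so the caller can
     *  still write the SAML2 LogoutResponse to the federated IdP afterwards. */
    static final class CapturingResponseWrapper extends HttpServletResponseWrapper {
        private String redirectUrl;

        CapturingResponseWrapper(HttpServletResponse response) {
            super(response);
        }

        @Override public void sendRedirect(String location) {
            // Deliberately not delegating to super: a committed response (what a
            // RequestDispatcher.forward produces) is exactly what the thread ran into.
            this.redirectUrl = location;
        }

        boolean isRedirect() { return redirectUrl != null; }
        String getRedirectUrl() { return redirectUrl; }
    }

    /** Assumption: stand-in for the framework's servlet entry point invoked in-process. */
    interface FrameworkEntryPoint {
        void handle(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException;
    }

    /** Hypothetical parameter name; the thread does not say which parameter carries the session id. */
    static final String SESSION_PARAM = "sessionId";

    /** Runs the framework logout in-process and returns the captured redirect URL (null if none). */
    static String logoutViaFramework(HttpServletRequest request, HttpServletResponse response,
                                     String sessionId, String type, String callerPath,
                                     FrameworkEntryPoint framework) throws ServletException, IOException {
        LogoutRequestWrapper req = new LogoutRequestWrapper(request);
        // Same parameters as the /commonauth?... URL quoted in the thread; relyingParty is
        // left out here because the thread itself marks it as still to be verified.
        req.setParameter("commonAuthLogout", "true");
        req.setParameter("type", type);
        req.setParameter("commonAuthCallerPath", callerPath);
        req.setParameter(SESSION_PARAM, sessionId);

        CapturingResponseWrapper resp = new CapturingResponseWrapper(response);
        framework.handle(req, resp);

        // `response` is still uncommitted at this point: verify the outcome, then build and
        // send the SAML2 LogoutResponse to the federated IdP on it.
        return resp.isRedirect() ? resp.getRedirectUrl() : null;
    }
}
```

The difference from a servlet forward is that nothing reaches the client during `framework.handle(...)`: the redirect the framework would have issued is captured in the wrapper, and the caller decides what to write back to the federated IdP once it has checked the result.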


On Thu, Jan 18, 2018 at 10:31 PM, Malithi Edirisinghe <[email protected]>
wrote:

> Hi Kanapriya,
>
> So it seems you have dispatched back to the servlet transport. With this you
> won't be able to respond back to the federated IdP as the response is
> committed. Instead, follow the approach at [1]. There you wrap the request and
> response and directly invoke the Java API, which will return the request
> and response handled by the servlet endpoint. Then you can verify and
> respond back to the federated IdP.
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L1219
>
> Thanks,
> Malithi.
>
> On Thu, Jan 18, 2018 at 7:29 PM, Kanapriya Kuleswararajan <
> [email protected]> wrote:
>
>> Please find the error log below :
>>
>> ERROR {org.apache.catalina.core.ApplicationDispatcher} -
>> Servlet.service() for servlet bridgeservlet threw exception
>> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>>     at java.lang.String.substring(String.java:1967)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.servi
>> ce(ProxyServlet.java:70)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service
>> (DelegationServlet.java:68)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:303)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
>> r.java:52)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>>     at org.apache.catalina.core.ApplicationDispatcher.invoke(Applic
>> ationDispatcher.java:743)
>>     at org.apache.catalina.core.ApplicationDispatcher.processReques
>> t(ApplicationDispatcher.java:485)
>>     at org.apache.catalina.core.ApplicationDispatcher.doForward(App
>> licationDispatcher.java:410)
>>     at org.apache.catalina.core.ApplicationDispatcher.forward(Appli
>> cationDispatcher.java:337)
>>     at org.eclipse.equinox.http.servlet.internal.RequestDispatcherA
>> daptor.forward(RequestDispatcherAdaptor.java:30)
>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor$Re
>> questDispatcherAdaptor.forward(ContextPathServletAdaptor.java:362)
>>     at org.wso2.carbon.identity.application.authenticator.samlsso.S
>> AML2FederatedLogoutRequestHandler.initiateLogRequest(SAML2Fe
>> deratedLogoutRequestHandler.java:136)
>>     at org.wso2.carbon.identity.application.authenticator.samlsso.S
>> AML2FederatedLogoutRequestHandler.doPost(SAML2FederatedLogou
>> tRequestHandler.java:79)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.se
>> rvice(ContextPathServletAdaptor.java:37)
>>     at org.eclipse.equinox.http.servlet.internal.ServletRegistratio
>> n.service(ServletRegistration.java:61)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.proce
>> ssAlias(ProxyServlet.java:128)
>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.servi
>> ce(ProxyServlet.java:60)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service
>> (DelegationServlet.java:68)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:303)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilte
>> r.java:52)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>>     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter
>> .java:72)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilte
>> r(CharacterSetFilter.java:65)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilte
>> r(HttpHeaderSecurityFilter.java:124)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFi
>> lter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(App
>> licationFilterChain.java:208)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(Standar
>> dWrapperValve.java:219)
>>     at org.apache.catalina.core.StandardContextValve.invoke(Standar
>> dContextValve.java:110)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(A
>> uthenticatorBase.java:506)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
>> stValve.java:169)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
>> rtValve.java:103)
>>     at org.wso2.carbon.identity.context.rewrite.valve.TenantContext
>> RewriteValve.invoke(TenantContextRewriteValve.java:80)
>>     at org.wso2.carbon.identity.authz.valve.AuthorizationValve.
>> invoke(AuthorizationValve.java:91)
>>     at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invo
>> ke(AuthenticationValve.java:60)
>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInv
>> ocation(CompositeValve.java:99)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke
>> (CarbonTomcatValve.java:47)
>>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(Tena
>> ntLazyLoaderValve.java:57)
>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invok
>> eValves(TomcatValveContainer.java:47)
>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(Comp
>> ositeValve.java:62)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetection
>> Valve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogVa
>> lve.java:962)
>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.
>> invoke(CarbonContextCreatorValve.java:57)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(Standard
>> EngineValve.java:116)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
>> apter.java:445)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(Abs
>> tractHttp11Processor.java:1115)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler
>> .process(AbstractProtocol.java:637)
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>> (NioEndpoint.java:1775)
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(
>> NioEndpoint.java:1734)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.
>> run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:745)
>>
>> Thanks,
>> Kanapriya
>>
>> Kanapriya Kuleswararajan
>> Software Engineer
>> Mobile : - 0774894438
>> Mail : - [email protected]
>> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
>> WSO2, Inc.
>> lean . enterprise . middleware
>>
>>
>> On Thu, Jan 18, 2018 at 7:27 PM, Kanapriya Kuleswararajan <
>> [email protected]> wrote:
>>
>>> Hi All,
>>>
>>>
>>>>> b) - At number 5 in the diagram, i.e. when the logout request is
>>>>> received, we wrap the request and response and send it over to our
>>>>> common-auth servlet. Here, before invoking the common-auth servlet, we
>>>>> will retrieve the session Id from the map (using the SAML Session Index) and
>>>>> set it in the wrapper object.
>>>>>
>>>>
>>>> The request which forwards to the commonauth endpoint will have a format
>>>> similar to the following:
>>>>
>>>> */commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}*
>>>> NOTE: Need to verify whether relyingParty parameter is required or not.
>>>>
>>>> After logout from the framework, the saml-sso outbound component will
>>>> verify the response, build a valid SAML2 logout response and send it
>>>> back to the federated IdP.
>>>>
>>>
>>> I have created a Servlet endpoint [1] to receive the SAML logout request from
>>> the FIDP and registered this Servlet as a service [2]. Here, I get the session id
>>> using the session index, set it inside the wrapper object and forward that
>>> to the commonauth endpoint. When I send a logout request from the FIDP, the FIDP is
>>> logged out but the SP is not getting logged out even though we sent the sessionID
>>> to invalidate the session, and I observe the error [1] at the back end.
>>>
>>> Is there anything I need to do more than this?
>>>
>>> [1] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java
>>>
>>> [2] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/internal/SAMLSSOAuthenticatorServiceComponent.java#L74
>>>
>>> Thanks,
>>> Kanapriya
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> @Thanuja and Malithi: Please add anything that I have missed. And also
>>>>> appreciate code snippets for above (a) and (b).
>>>>>
>>>>> After the POC implementation, we will have another review.
>>>>>
>>>>> thank you,
>>>>> Dimuthu
>>>>>
>>>>> --
>>>>> Dimuthu Leelarathne
>>>>> Director, Solutions Architecture
>>>>>
>>>>> WSO2, Inc. (http://wso2.com)
>>>>> email: [email protected]
>>>>> Mobile: +94773661935 <+94%2077%20366%201935>
>>>>> Blog: http://muthulee.blogspot.com
>>>>>
>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>
>>>> [1] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkUtils.java#L1258
>>>>
>>>> [2] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/AuthenticationDataPublisher.java
>>>>
>>>> [3] - https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/validator/FailLoginAttemptValidator.java
>>>>
>>>> [4] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthRequestWrapper.java
>>>>
>>>> [5] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthResponseWrapper.java
>>>>
>>>>
>>>> Thanks,
>>>> Thanuja
>>>> --
>>>> *Thanuja Lakmal*
>>>> Associate Technical Lead
>>>> WSO2 Inc. http://wso2.com/
>>>> *lean.enterprise.middleware*
>>>> Mobile: +94715979891
>>>>
>>>
>>>
>>
>
>
> --
>
> *Malithi Edirisinghe*
> Associate Technical Lead
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> [email protected]
>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture