Hi Kanapriya,

So it seems you have dispatched back to the servlet transport. With this you won't be able to respond back to the federated IdP, as the response is committed. Instead, follow the approach at [1]. There you wrap the request and response and directly invoke the Java API, which will return the request and response handled by the servlet endpoint. Then you can verify and respond back to the federated IdP.

[1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L1219

Thanks,
Malithi.

On Thu, Jan 18, 2018 at 7:29 PM, Kanapriya Kuleswararajan <[email protected]> wrote:

> Please find the error log below :
>
> ERROR {org.apache.catalina.core.ApplicationDispatcher} - Servlet.service() for servlet bridgeservlet threw exception
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>     at java.lang.String.substring(String.java:1967)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:70)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>     at org.eclipse.equinox.http.servlet.internal.RequestDispatcherAdaptor.forward(RequestDispatcherAdaptor.java:30)
>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor$RequestDispatcherAdaptor.forward(ContextPathServletAdaptor.java:362)
>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.initiateLogRequest(SAML2FederatedLogoutRequestHandler.java:136)
>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.doPost(SAML2FederatedLogoutRequestHandler.java:79)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>     at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>     at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
> Thanks,
> Kanapriya
>
> Kanapriya Kuleswararajan
> Software Engineer
> Mobile : - 0774894438
> Mail : - [email protected]
> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
> WSO2, Inc.
> lean . enterprise . middleware
>
> On Thu, Jan 18, 2018 at 7:27 PM, Kanapriya Kuleswararajan <[email protected]> wrote:
>
>> Hi All,
>>
>>>> b) - At number 5 in the diagram, i.e. when the logout request is
>>>> received, we wrap the request and response and send over to our
>>>> common-auth servlet. Here before invoking the common-auth servlet, we
>>>> will retrieve session Id from the map (using the SAML Session Index) and
>>>> set it in the wrapper object.
>>>
>>> Request which forwards to the commonauth endpoint will have a format
>>> similar to following,
>>>
>>> */commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}*
>>> NOTE: Need to verify whether relyingParty parameter is required or not.
>>>
>>> After logout from the framework, the saml-sso outbound component will
>>> verify the response and will build a valid SAML2 logout response and send
>>> back to the federated IdP.
>>
>> I have created a Servlet endpoint [1] to access SAML logout request from
>> FIDP and register this Servlet as a service [2]. Here, I get the session id
>> using the session index and set it inside wrapper object and forward that
>> to the commonauth endpoint. When I sent a logout request from FIDP, FIDP is
>> logged out but SP is not getting logged out even though we sent the sessionID
>> to invalidate the session and observe the error [1] at the back end.
>>
>> Is there anything I need to do more than this?
>>
>> [1] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java
>>
>> [2] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/internal/SAMLSSOAuthenticatorServiceComponent.java#L74
>>
>> Thanks,
>> Kanapriya
>>
>>>> @Thanuja and Malithi: Please add anything that I have missed. And also
>>>> appreciate code snippets for above (a) and (b).
>>>>
>>>> After the POC implementation, we will have another review.
>>>>
>>>> thank you,
>>>> Dimuthu
>>>>
>>>> --
>>>> Dimuthu Leelarathne
>>>> Director, Solutions Architecture
>>>>
>>>> WSO2, Inc. (http://wso2.com)
>>>> email: [email protected]
>>>> Mobile: +94773661935
>>>> Blog: http://muthulee.blogspot.com
>>>>
>>>> Lean . Enterprise . Middleware
>>>
>>> [1] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkUtils.java#L1258
>>>
>>> [2] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/AuthenticationDataPublisher.java
>>>
>>> [3] - https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/validator/FailLoginAttemptValidator.java
>>>
>>> [4] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthRequestWrapper.java
>>>
>>> [5] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthResponseWrapper.java
>>>
>>> Thanks,
>>> Thanuja
>>> --
>>> *Thanuja Lakmal*
>>> Associate Technical Lead
>>> WSO2 Inc. http://wso2.com/
>>> *lean.enterprise.middleware*
>>> Mobile: +94715979891

--
*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.
Mobile : +94 (0) 718176807
[email protected]
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
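
The wrap-and-invoke approach described in the reply above, as an added example that is not code from the thread or from WSO2: the request and response are wrapped, the logout logic is called in-process instead of through `RequestDispatcher.forward()`, and the real response stays uncommitted so a SAML2 logout response can still be written to the federated IdP. `LogoutApi`, both wrapper classes, `FederatedLogoutInvoker` and the `sessionId` parameter name are hypothetical, and it assumes the framework signals completion with a redirect.

```java
import java.io.*;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/** Hypothetical stand-in for the framework's Java entry point; not a WSO2 type. */
interface LogoutApi {
    void handle(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException;
}

/** Adds parameters (e.g. the resolved session id) on top of the original request. */
class LogoutRequestWrapper extends HttpServletRequestWrapper {
    private final Map<String, String> extra = new HashMap<>();
    LogoutRequestWrapper(HttpServletRequest req) { super(req); }
    void setParameter(String name, String value) { extra.put(name, value); }
    @Override public String getParameter(String name) {
        return extra.containsKey(name) ? extra.get(name) : super.getParameter(name);
    }
}

/** Captures redirect and body so neither reaches, or commits, the real response. */
class LogoutResponseWrapper extends HttpServletResponseWrapper {
    private final StringWriter body = new StringWriter();
    private final PrintWriter writer = new PrintWriter(body);
    private String redirect;
    LogoutResponseWrapper(HttpServletResponse resp) { super(resp); }
    @Override public void sendRedirect(String location) { redirect = location; }
    @Override public PrintWriter getWriter() { return writer; }
    String redirect() { return redirect; }
}

public class FederatedLogoutInvoker {
    // Returns true when local logout completed and the caller may still answer the IdP.
    // sessionIdByIndex maps SAML SessionIndex -> local session id (built at login time).
    public static boolean logout(LogoutApi framework, Map<String, String> sessionIdByIndex,
            String sessionIndex, HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String sessionId = sessionIdByIndex.get(sessionIndex);
        if (sessionId == null) return false;            // unknown index: report failure to the IdP
        LogoutRequestWrapper wReq = new LogoutRequestWrapper(req);
        wReq.setParameter("commonAuthLogout", "true");  // parameter named in the thread
        wReq.setParameter("sessionId", sessionId);      // hypothetical parameter name
        LogoutResponseWrapper wResp = new LogoutResponseWrapper(resp);
        framework.handle(wReq, wResp);                  // direct call, not RequestDispatcher.forward()
        // Assumption: the framework signals completion by redirecting to commonAuthCallerPath.
        return wResp.redirect() != null && !resp.isCommitted();
    }
}
```

The boolean result is what decides the status of the SAML2 logout response sent back to the federated IdP, so a failed or unknown session is never reported as a successful logout.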
