[ https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arnaud MERGEY updated FEDIZ-217:
--------------------------------
    Description: 
On a Tomcat hosting an SP application trying to authenticate against a SAML IDP (OKTA), authentication fails with this log:

{noformat}
May 11, 2018 11:22:14 AM org.apache.cxf.fediz.core.processor.SAMLProcessorImpl processRelayState
SEVERE: Missing Request State
May 11, 2018 11:22:14 AM org.apache.cxf.fediz.core.handler.SigninHandler handleRequest
SEVERE: Federation processing failed: The request was invalid or malformed
{noformat}

I checked in the code and it fails because the request state in org.apache.cxf.fediz.core.processor.FedizRequest is null, but it seems that with the SAML protocol org.apache.cxf.fediz.core.processor.FedizRequest.setRequestState(RequestState) is never called, so I am wondering how it can be different from null, and I suspect a bug.

I managed to patch Fediz to have it working; I could propose a pull request for this if required.

In addition to OKTA, I also tried with samling for a simple test setup, same error.

 
{code:xml}
<FedizConfig>
    <contextConfig name="/myApp">
        <audienceUris>
            <audienceItem>http://localhost:8080/myApp/</audienceItem>
        </audienceUris>
        <certificateStores>
            <trustManager>
                <keyStore file="/opt/tomcat/.keystore" password="changeit" type="JKS" />
            </trustManager>
        </certificateStores>
        <trustedIssuers>
            <issuer certificateValidation="PeerTrust" />
        </trustedIssuers>
        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="samlProtocolType" version="2.0">
            <disableDeflateEncoding>true</disableDeflateEncoding>
            <doNotEnforceKnownIssuer>true</doNotEnforceKnownIssuer>
            <issuer>https://capriza.github.io/samling/samling.html</issuer>
            <roleURI>groups</roleURI>
        </protocol>
    </contextConfig>
</FedizConfig>
{code}

  was:
On a Tomcat hosting an RP application trying to authenticate against a SAML IDP (OKTA), authentication fails with this log:

{noformat}
May 11, 2018 11:22:14 AM org.apache.cxf.fediz.core.processor.SAMLProcessorImpl processRelayState
SEVERE: Missing Request State
May 11, 2018 11:22:14 AM org.apache.cxf.fediz.core.handler.SigninHandler handleRequest
SEVERE: Federation processing failed: The request was invalid or malformed
{noformat}

I checked in the code and it fails because the request state in org.apache.cxf.fediz.core.processor.FedizRequest is null, but it seems that with the SAML protocol org.apache.cxf.fediz.core.processor.FedizRequest.setRequestState(RequestState) is never called, so I am wondering how it can be different from null, and I suspect a bug.

I managed to patch Fediz to have it working; I could propose a pull request for this if required.

In addition to OKTA, I also tried with samling for a simple test setup, same error.

 
{code:xml}
<FedizConfig>
    <contextConfig name="/myApp">
        <audienceUris>
            <audienceItem>http://localhost:8080/myApp/</audienceItem>
        </audienceUris>
        <certificateStores>
            <trustManager>
                <keyStore file="/opt/tomcat/.keystore" password="changeit" type="JKS" />
            </trustManager>
        </certificateStores>
        <trustedIssuers>
            <issuer certificateValidation="PeerTrust" />
        </trustedIssuers>
        <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="samlProtocolType" version="2.0">
            <disableDeflateEncoding>true</disableDeflateEncoding>
            <doNotEnforceKnownIssuer>true</doNotEnforceKnownIssuer>
            <issuer>https://capriza.github.io/samling/samling.html</issuer>
            <roleURI>groups</roleURI>
        </protocol>
    </contextConfig>
</FedizConfig>
{code}


> SAML authentication fails in plugin
> -----------------------------------
>
>                 Key: FEDIZ-217
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-217
>             Project: CXF-Fediz
>          Issue Type: Bug
>          Components: Plugin
>    Affects Versions: 1.4.3
>            Reporter: Arnaud MERGEY
>            Priority: Major
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
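The check that is failing in the log above is the SP-side correlation of the response's RelayState with the request state the SP saved when it issued the AuthnRequest. Rejecting a response for which no request state exists is the correct fail-closed behaviour: it is what stops unsolicited or replayed responses from being accepted as logins, so the bug the reporter describes (state never being stored for the SAML protocol) turns that safety check into a permanent failure rather than a silent bypass. The following Python is an added illustration of that bookkeeping, not Fediz code and not the reporter's patch; `RelayStateRegistry`, `RequestState` and `ProcessingError` are hypothetical names, the 300 s lifetime is an assumed value, and every issuer and URL in `demo()` is constructed.

```python
import secrets
import time
from dataclasses import dataclass


class ProcessingError(Exception):
    """Raised when a SAML response cannot be tied to a request this SP sent."""


@dataclass
class RequestState:
    # Hypothetical model of what an SP has to remember per outstanding AuthnRequest.
    request_id: str        # ID attribute of the AuthnRequest we issued
    idp_issuer: str        # entityID of the IdP the request was sent to
    target_url: str        # where to send the user after a successful login
    created_at: float      # epoch seconds when the request was issued
    ttl_seconds: int = 300 # assumed lifetime of an outstanding request

    def expired(self, now):
        return now - self.created_at > self.ttl_seconds


class RelayStateRegistry:
    """Maps the opaque RelayState value back to the request it was issued for."""

    def __init__(self):
        self._states = {}

    def issue_request(self, idp_issuer, target_url, now=None):
        # RelayState must be unguessable: it is the only link between the
        # outbound request and the inbound response on the SP side.
        now = time.time() if now is None else now
        relay_state = secrets.token_urlsafe(32)
        request_id = "_" + secrets.token_hex(16)
        self._states[relay_state] = RequestState(request_id, idp_issuer, target_url, now)
        return relay_state, request_id

    def process_response(self, relay_state, in_response_to, issuer, now=None):
        now = time.time() if now is None else now
        # pop() makes the state single-use: a second response carrying the same
        # RelayState is treated exactly like an unsolicited one.
        state = self._states.pop(relay_state, None)
        if state is None:
            raise ProcessingError("Missing Request State")
        if state.expired(now):
            raise ProcessingError("Request State expired")
        if in_response_to != state.request_id:
            raise ProcessingError("InResponseTo does not match the outstanding request")
        if issuer != state.idp_issuer:
            raise ProcessingError("Response from unexpected issuer")
        return state


def demo():
    """Walk through the accept and reject paths with constructed values."""
    reg = RelayStateRegistry()
    idp = "https://idp.example.test/saml"  # constructed IdP entityID
    results = {}

    # 1. Normal round trip: request issued, matching response accepted.
    rs, rid = reg.issue_request(idp, "/myApp/", now=1000.0)
    results["valid"] = reg.process_response(rs, rid, idp, now=1010.0).target_url

    # 2. The same RelayState presented again: state already consumed.
    try:
        reg.process_response(rs, rid, idp, now=1011.0)
    except ProcessingError as e:
        results["replay"] = str(e)

    # 3. A response the SP never asked for: no state at all.
    try:
        reg.process_response("unknown-relay-state", rid, idp, now=1011.0)
    except ProcessingError as e:
        results["unsolicited"] = str(e)

    # 4. A response arriving after the request lifetime (400 s > 300 s TTL).
    rs2, rid2 = reg.issue_request(idp, "/myApp/", now=2000.0)
    try:
        reg.process_response(rs2, rid2, idp, now=2400.0)
    except ProcessingError as e:
        results["expired"] = str(e)

    # 5. Correct RelayState but InResponseTo points at a different request.
    rs3, _ = reg.issue_request(idp, "/myApp/", now=3000.0)
    try:
        reg.process_response(rs3, "_some-other-id", idp, now=3001.0)
    except ProcessingError as e:
        results["wrong_in_response_to"] = str(e)

    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "Missing Request State" branch is the one the reporter's log shows. In the illustration it is reached only for unsolicited or replayed responses; in the reported setup it is reached for every SAML login because the state is never stored in the first place, which is why the fix belongs on the request-issuing side rather than in relaxing the check.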
