[jira] [Commented] (FEDIZ-217) SAML authentication fails in plugin

2018-06-05 Thread Arnaud MERGEY (JIRA)


[ 
https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16501953#comment-16501953
 ] 

Arnaud MERGEY commented on FEDIZ-217:
-

Great! Thanks.

> SAML authentication fails in plugin
> ---
>
> Key: FEDIZ-217
> URL: https://issues.apache.org/jira/browse/FEDIZ-217
> Project: CXF-Fediz
>  Issue Type: Bug
>  Components: Plugin
>Affects Versions: 1.4.3
>Reporter: Arnaud MERGEY
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 1.4.4
>
>
> On a Tomcat hosting an SP application trying to authenticate against a SAML 
> IDP (OKTA), authentication fails with this log:
> May 11, 2018 11:22:14 AM 
> org.apache.cxf.fediz.core.processor.SAMLProcessorImpl processRelayState 
>  SEVERE: Missing Request State 
>  May 11, 2018 11:22:14 AM org.apache.cxf.fediz.core.handler.SigninHandler 
> handleRequest 
>  SEVERE: Federation processing failed: The request was invalid or malformed
> I checked in the code and it fails because the request state in 
> org.apache.cxf.fediz.core.processor.FedizRequest is null, but it seems that with 
> the SAML protocol 
> org.apache.cxf.fediz.core.processor.FedizRequest.setRequestState(RequestState)
> is never called, so I am wondering how it can be different from null and I 
> suspect a bug.
> I managed to patch Fediz to have it working; I could propose a pull request 
> for this if required.
> In addition to OKTA I also tried with samling for a simple test setup, same 
> error.
>  
> {code:java}
>  
>      
>      
> http://localhost:8080/myApp/ 
>      
>     
>      
>      type="JKS" /> 
>      
>      
>      
>      
>      
>     http://www.w3.org/2001/XMLSchema-instance; 
> xsi:type="samlProtocolType" version="2.0"> 
> true
> true
> https://capriza.github.io/samling/samling.html 
>     groups 
>      
>      
> 
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (FEDIZ-217) SAML authentication fails in plugin

2018-06-05 Thread Colm O hEigeartaigh (JIRA)


[ 
https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16501941#comment-16501941
 ] 

Colm O hEigeartaigh commented on FEDIZ-217:
---

That's great! I can call a vote on Fediz 1.4.4 in around 3 weeks after the next 
CXF release goes out?



[jira] [Commented] (FEDIZ-217) SAML authentication fails in plugin

2018-06-01 Thread Arnaud MERGEY (JIRA)


[ 
https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16498229#comment-16498229
 ] 

Arnaud MERGEY commented on FEDIZ-217:
-

Tested recently; it works perfectly with OKTA and some other providers as well, 
thanks!

Any idea when 1.4.4 will be released?



[jira] [Commented] (FEDIZ-217) SAML authentication fails in plugin

2018-05-16 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16477718#comment-16477718
 ] 

Colm O hEigeartaigh commented on FEDIZ-217:
---

Incidentally, an additional fix was required to the Tomcat authenticator to get 
it to work with SAML SSO (it was hard-coded to select the WS-Federation 
parameter 'wctx' instead of 'RelayState'). I've added a bunch of tests for the 
plugin now and it seems to be working OK. Please grab the latest source and 
test it to see if it works against Okta!



[jira] [Commented] (FEDIZ-217) SAML authentication fails in plugin

2018-05-16 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16477395#comment-16477395
 ] 

ASF GitHub Bot commented on FEDIZ-217:
--

coheigea closed pull request #27: [FEDIZ-217] Fix SAML authentication in Plugin
URL: https://github.com/apache/cxf-fediz/pull/27
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

diff --git 
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java 
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
index 6839ff50..88bd2730 100644
--- 
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
+++ 
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/FederationConstants.java
@@ -150,6 +150,12 @@
  * element.
  */
 public static final String PARAM_RESULT_PTR = "wresultptr";
+
+/**
+ * This OPTIONAL session attribute prefix append to request RelayState 
value specifies 
+ * initial RequestState created before redirecting to IDP
+ */
+public static final String SESSION_SAVED_REQUEST_STATE_PREFIX = 
"SAVED_REQUEST_STATE_";
 
 public static final Map AUTH_TYPE_MAP;
 static {
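Review bot: the Javadoc on SESSION_SAVED_REQUEST_STATE_PREFIX is hard to read ("prefix append to request RelayState value specifies") and describing the attribute as OPTIONAL is misleading, since the SAML sign-in path now fails with "Missing Request State" when it is absent. Suggest: "Prefix of the session attribute under which the RequestState created before redirecting to the IdP is saved; the RelayState value is appended to form the full attribute name."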
diff --git 
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java
 
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java
index 31aefcd0..125e9fc9 100644
--- 
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java
+++ 
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java
@@ -23,8 +23,10 @@
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.RequestState;
 import org.apache.cxf.fediz.core.SAMLSSOConstants;
 import org.apache.cxf.fediz.core.config.FederationProtocol;
 import org.apache.cxf.fediz.core.config.FedizContext;
@@ -101,13 +103,22 @@ public FedizResponse processSigninRequest(String 
responseToken, HttpServletReque
 FedizRequest federationRequest = new FedizRequest();
 
 String wa = req.getParameter(FederationConstants.PARAM_ACTION);
+
+String relayState = req.getParameter("RelayState");
 
 federationRequest.setAction(wa);
 federationRequest.setResponseToken(responseToken);
-federationRequest.setState(req.getParameter("RelayState"));
+federationRequest.setState(relayState);
 federationRequest.setRequest(req);
 
federationRequest.setCerts((X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate"));
 
+if (relayState != null) {
+HttpSession session = req.getSession();
+federationRequest.setRequestState((RequestState) 
+ 
session.getAttribute(FederationConstants.SESSION_SAVED_REQUEST_STATE_PREFIX + 
relayState));
+
session.removeAttribute(FederationConstants.SESSION_SAVED_REQUEST_STATE_PREFIX 
+ relayState);
+}
+
 FedizProcessor processor = 
FedizProcessorFactory.newFedizProcessor(fedizContext.getProtocol());
 return processor.processRequest(federationRequest, fedizContext);
 }
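Review bot: `req.getSession()` in the new block creates a session when none exists, so an unsolicited POST carrying any RelayState value allocates server-side session state before the response has been validated; use `req.getSession(false)` and treat a null session the same as a missing attribute. The literal "RelayState" now appears twice in this method and is also the parameter name the processor depends on, so a named constant (the already-imported SAMLSSOConstants would be the natural home) would keep it in one place. Removing the attribute unconditionally is the right call: it makes the saved state single-use, so a replayed response with the same RelayState no longer finds it.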
diff --git 
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
 
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index fc227e16..6f8d167a 100644
--- 
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ 
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -134,6 +134,7 @@ protected FedizResponse processSignInRequest(
 tokenStream = CompressionUtils.inflate(deflatedToken);
 }
 } catch (DataFormatException ex) {
+LOG.warn("Invalid data format", ex);
 throw new ProcessingException(TYPE.INVALID_REQUEST);
 }
 
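Review bot: `LOG.warn("Invalid data format", ex)` emits a full stack trace for every inflate failure, and the deflated token here is whatever the client posted, so an unauthenticated caller can fill the log with traces at WARN. Keep a one-line WARN and log the exception itself at DEBUG.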
@@ -144,7 +145,7 @@ protected FedizResponse processSignInRequest(
 el = doc.getDocumentElement();
 
 } catch (Exception e) {
-LOG.warn("Failed to parse token: " + e.getMessage());
+LOG.warn("Failed to parse token", e);
 throw new ProcessingException(TYPE.INVALID_REQUEST);
 }
 
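Review bot: same concern as the previous hunk: the old line deliberately logged only `e.getMessage()`, and switching to `LOG.warn("Failed to parse token", e)` means a stack trace per unparseable token, which is client-controlled input. Keep the message-only WARN and add the exception at DEBUG if the trace is needed for troubleshooting.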
diff --git 
a/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java
 
b/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java
index 1acd5514..ff92c695 100644
--- 
a/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java
+++ 

[jira] [Commented] (FEDIZ-217) SAML authentication fails in plugin

2018-05-14 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16474398#comment-16474398
 ] 

ASF GitHub Bot commented on FEDIZ-217:
--

amergey opened a new pull request #27: [FEDIZ-217] Fix SAML authentication in 
Plugin
URL: https://github.com/apache/cxf-fediz/pull/27
 
 
   RequestState needs to be saved before redirecting to the IDP in order to be
   retrieved when the IDP posts back the authentication token.




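The mechanism the PR description and Colm's May 16 comment describe (save the RequestState before the redirect, look it up again when the IdP posts back, keyed by the state parameter the protocol actually uses: wctx for WS-Federation, RelayState for SAML), as an added example that is not Fediz code. The servlet session is modelled as a plain Map, RequestState is cut down to three fields, and the class and method names, the 24-byte random RelayState, the expiry window and the timestamps and callback parameters are all assumptions constructed for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not Fediz code: the save-before-redirect / consume-on-callback
 * pattern from PR #27, with an in-memory Map standing in for HttpSession.
 */
public final class RelayStateRoundTrip {

    /** Same attribute-name prefix the patch adds to FederationConstants. */
    static final String SESSION_SAVED_REQUEST_STATE_PREFIX = "SAVED_REQUEST_STATE_";

    /** Request parameter in which each protocol echoes the SP's state back. */
    enum Protocol {
        WS_FEDERATION("wctx"),
        SAML_SSO("RelayState");

        final String stateParam;

        Protocol(String stateParam) {
            this.stateParam = stateParam;
        }
    }

    /** Cut-down stand-in for org.apache.cxf.fediz.core.RequestState (field names assumed). */
    static final class RequestState {
        final String targetAddress;      // where the user goes after sign-in
        final String idpServiceAddress;
        final long createdAtMillis;

        RequestState(String targetAddress, String idpServiceAddress, long createdAtMillis) {
            this.targetAddress = targetAddress;
            this.idpServiceAddress = idpServiceAddress;
            this.createdAtMillis = createdAtMillis;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final long maxAgeMillis;     // assumed expiry window for a pending login

    RelayStateRoundTrip(long maxAgeMillis) {
        this.maxAgeMillis = maxAgeMillis;
    }

    /** Leg 1, before redirecting to the IdP: mint an unguessable RelayState and save the state under it. */
    String saveBeforeRedirect(Map<String, Object> session, String target, String idp, long nowMillis) {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String relayState = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_SAVED_REQUEST_STATE_PREFIX + relayState,
                    new RequestState(target, idp, nowMillis));
        return relayState;               // caller puts this in the redirect to the IdP
    }

    /**
     * Leg 2, when the IdP posts back: read the protocol's state parameter, consume the
     * saved entry (single use, so a replay cannot find it) and reject missing or stale state.
     * A null session models HttpServletRequest.getSession(false) returning null.
     */
    Optional<RequestState> consumeOnCallback(Map<String, Object> session, Protocol protocol,
                                             Map<String, String> params, long nowMillis) {
        String relayState = params.get(protocol.stateParam);
        if (relayState == null || session == null) {
            return Optional.empty();     // unsolicited response, or no session to look in
        }
        Object saved = session.remove(SESSION_SAVED_REQUEST_STATE_PREFIX + relayState);
        if (!(saved instanceof RequestState)) {
            return Optional.empty();     // the condition the plugin logs as "Missing Request State"
        }
        RequestState state = (RequestState) saved;
        if (nowMillis - state.createdAtMillis > maxAgeMillis) {
            return Optional.empty();     // login started too long ago
        }
        return Optional.of(state);
    }

    public static void main(String[] args) {
        RelayStateRoundTrip sp = new RelayStateRoundTrip(5 * 60 * 1000L);
        Map<String, Object> session = new HashMap<>();   // stand-in for HttpSession
        long t0 = 1_526_037_734_000L;                    // constructed timestamp

        String relayState = sp.saveBeforeRedirect(session, "http://localhost:8080/myApp/",
                "https://capriza.github.io/samling/samling.html", t0);

        // Constructed SAML callback: the IdP echoes RelayState next to a placeholder token.
        Map<String, String> samlPost = new HashMap<>();
        samlPost.put("RelayState", relayState);
        samlPost.put("SAMLResponse", "PHNhbWxwOlJlc3BvbnNlLz4=");

        // Reading 'wctx' from a SAML response is the Tomcat-authenticator bug: nothing is found.
        boolean viaWctx = sp.consumeOnCallback(session, Protocol.WS_FEDERATION, samlPost, t0 + 1000).isPresent();
        boolean first = sp.consumeOnCallback(session, Protocol.SAML_SSO, samlPost, t0 + 1000).isPresent();
        boolean replay = sp.consumeOnCallback(session, Protocol.SAML_SSO, samlPost, t0 + 2000).isPresent();

        System.out.println("lookup via wctx on SAML response: " + viaWctx);
        System.out.println("first RelayState lookup:          " + first);
        System.out.println("replayed RelayState lookup:       " + replay);
    }
}
```

Run it with `java RelayStateRoundTrip.java` (JDK 11 or later). The first lookup succeeds only through the SAML parameter name; the WS-Federation name finds nothing, which is the hard-coded 'wctx' failure Colm mentions, and the second lookup with the same RelayState fails because the entry was removed on first use.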


[jira] [Commented] (FEDIZ-217) SAML authentication fails in plugin

2018-05-14 Thread Colm O hEigeartaigh (JIRA)

[ 
https://issues.apache.org/jira/browse/FEDIZ-217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16474161#comment-16474161
 ] 

Colm O hEigeartaigh commented on FEDIZ-217:
---

Sure, please submit a PR. SAML support in the Fediz plugins was never fully 
productized, and so it's not officially supported (yet) by Fediz.
