[wsf-dev] ECP plugin build/execute feedback

Peter Williams pwilliams at rapattoni.com
Thu May 1 16:34:31 PDT 2008


I'm a little behind my schedule, but I am making progress, inch by inch.


 

Last week, I got Shib2 to deliver an (unsigned) AuthnRequest with an ECP
header, wrapped in SOAP1.1. Scott showed how to ensure Shib2 generates a
list of IDPs in the AuthnRequest, which your proxy code will presumably
present to Firefox users - for their selection.

 

This week I finally (by sheer luck) got PingFederate 5.01 to issue a
signed message (SAML Error) with an ECP header. A second trial, with a
well-formed AuthnRequest, does more properly cause PingFederate to now
hit a backend AuthenticationAuthority. Once I plug my own
AuthenticationAuthority class into PingFederate, it's reasonable to now
assume that once IDP processing is complete, PingFederate as IDP WILL
then generate a positive AuthnResponse, with ECP header, all signed and
then wrapped as a SOAP Response.

 

Sounds like the scenario is coming together, using a good variety of
sources for the various components. We seem to have the beginnings of
the http SP endpoint producing PAOS ECP messages, the SOAP-bound IDP
producing an AuthnResponse with the required ECP header block, and your
proxy.

 

Of course, this has all been done in conformance testing by others ...
but the systems' setup data for those tests is not available to me, and
the product/Shib2 documentation says little or nothing on the topic of
ECP and PAOS. I'm having to figure it out, mostly relying on code
reading, protocol run observations and then trial and error. I do
believe though - despite the hurdles - that I'm pretty close to having
your proxy now intermediate both sides of the ECP handoff.

 

Peter.

 

 

 

POST /idp/SSO.saml2  HTTP/1.1
Content-Type: text/xml
SOAPAction: 
User-Agent: Jakarta Commons-HttpClient/2.0.2
Host: win8pw.rapattoni.local:9030
Cookie: $Version=0; PF=I6teR8rkVrSA990YVihTU5; $Path=/
Content-Length: 567

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
      ForceAuthn="true" IssueInstant="2008-05-01T21:55:38.417Z"
      ID="ReuN6 kcKciIz6QoYqVrDCkKABT" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PF-DEMO</saml:Issuer>
    <samlp:NameIDPolicy SPNameQualifier="petersp" AllowCreate="true"/>
  </samlp:AuthnRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 

 

 

 

HTTP/1.1 200 OK
Date: Thu, 01 May 2008 23:09:15 GMT
Server: Jetty/5.1.12 (Windows Server 2008/6.0 x86 java/1.6.0_06
Cache-Control: no-cache, no-store
Pragma: no-cache
max-age: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/xml
Content-Length: 1983

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
  <ecp:Response SOAP-ENV:mustUnderstand="1"
      AssertionConsumerServiceURL="http://win8pw.rapattoni.local:9030/sp/ACS.saml2"
      SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
      xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
  <samlp:Response InResponseTo="ReuN6 kcKciIz6QoYqVrDCkKABT"
      IssueInstant="2008-05-01T23:09:15.828Z" ID="iEEDq1CCUIH3WU-cbqCYqkWTul6"
      Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PF-DEMO</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#iEEDq1CCUIH3WU-cbqCYqkWTul6">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>0UbOJJJ78DbKHNNT2v/6waGfm4Q=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
NbpJhmzXdyHaIlinoEibXge1Y8hk74+9+h9n28bk1Df6pZYuWLeexbb9Rs6W79jRZfw3nxkICypL
uvCUG7ahFX5m0iTkLy44B0ppt0/MADKalZTft2/u6ENxaOmlWgsxjiLSrk+BkNR+N2G9nyMyDS2P
Px+/2PTwfpDnizZ2IC0=
      </ds:SignatureValue>
    </ds:Signature>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
      <samlp:StatusMessage>Request was invalid XML</samlp:StatusMessage>
      <samlp:StatusDetail>
        <Cause>com.pingidentity.common.util.xml.InvalidXmlException: Invalid XML - errors: [error: String: 'ReuN6 kcKciIz6QoYqVrDCkKABT' does not match pattern for xs:ID]</Cause>
      </samlp:StatusDetail>
    </samlp:Status>
  </samlp:Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 

From: Peter Pritchard [mailto:peter.openliberty at zenn.net] 
Sent: Monday, April 28, 2008 11:20 AM
To: wsf-dev at lists.openliberty.org
Cc: Peter Williams
Subject: Re: [wsf-dev] ECP plugin build/execute feedback

 

Sorry about the docs ...

 

I will update them soon ...

 

So I built the final .xpi file, so we no longer have to use Eclipse to
launch the extension.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openliberty.org/pipermail/wsf-dev_lists.openliberty.org/attachments/20080501/186ed187/attachment-0001.html 
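The exchange above, as an added example that is not part of the original message nor code from Shibboleth, PingFederate or the Firefox proxy extension: a small Python 3 helper (standard library only) that builds the SOAP-wrapped AuthnRequest with an ID that passes the xs:ID check PingFederate applied, and inspects the IdP's reply the way an ECP client or proxy should before relaying it to the SP. The rejected request ID on the page contains a space (a literal one, or a line break inside the attribute value, which an XML parser normalizes to a space); either way the string PingFederate quoted back is not an NCName. The embedded sample reply is the page's own PingFederate response with the signature value shortened. The responseConsumerURL passed to check_ecp_response is assumed to equal the ACS URL in that reply, because the SP's paos:Request header is not shown on the page; function names are mine, and cryptographic verification of the signature is deliberately out of scope.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
SOAP_ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# xs:ID is an NCName: no whitespace or colon, and no leading digit. This is the
# pattern PingFederate applied when it rejected 'ReuN6 kcKciIz6QoYqVrDCkKABT'.
XS_ID_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

def is_valid_xs_id(value):
    return bool(XS_ID_RE.match(value or ""))

def build_ecp_authn_request(issuer, sp_name_qualifier, issue_instant, req_id=None):
    """SOAP 1.1 envelope with the samlp:AuthnRequest the proxy posts to the IdP
    (same shape as the POST above). Refuses an ID the IdP would reject."""
    # Leading underscore satisfies the first-character rule whatever the hex is.
    req_id = req_id or "_" + secrets.token_hex(16)
    if not is_valid_xs_id(req_id):
        raise ValueError("AuthnRequest ID %r is not a valid xs:ID" % (req_id,))
    attr = lambda v: escape(v, {'"': "&quot;"})  # attribute-safe escaping
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s"><SOAP-ENV:Body>'
        '<samlp:AuthnRequest xmlns:samlp="%s" ProtocolBinding="%s" ForceAuthn="true" '
        'IssueInstant="%s" ID="%s" Version="2.0">'
        '<saml:Issuer xmlns:saml="%s">%s</saml:Issuer>'
        '<samlp:NameIDPolicy SPNameQualifier="%s" AllowCreate="true"/>'
        '</samlp:AuthnRequest></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    ) % (NS["soap"], NS["samlp"], PAOS_BINDING, attr(issue_instant), req_id,
         NS["saml"], escape(issuer), attr(sp_name_qualifier))

def authn_request_id(envelope_xml):
    req = ET.fromstring(envelope_xml).find("soap:Body/samlp:AuthnRequest", NS)
    return None if req is None else req.get("ID")

def parse_ecp_response(envelope_xml):
    """Fields an ECP client needs from the IdP's SOAP response."""
    root = ET.fromstring(envelope_xml)
    hdr = root.find("soap:Header/ecp:Response", NS)
    resp = root.find("soap:Body/samlp:Response", NS)
    if hdr is None or resp is None:
        raise ValueError("not an ECP-profile SOAP response")
    ref = resp.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    msg = resp.find("samlp:Status/samlp:StatusMessage", NS)
    return {
        "acs_url": hdr.get("AssertionConsumerServiceURL"),
        "must_understand": hdr.get("{%s}mustUnderstand" % NS["soap"]),
        "actor": hdr.get("{%s}actor" % NS["soap"]),
        "response_id": resp.get("ID"),
        "in_response_to": resp.get("InResponseTo"),
        "status_code": None if code is None else code.get("Value"),
        "status_message": None if msg is None else msg.text,
        "signature_reference": None if ref is None else ref.get("URI"),
    }

def check_ecp_response(envelope_xml, expected_request_id, response_consumer_url):
    """Checks before relaying the samlp:Response to the SP's ACS. Returns a list
    of problems; empty means forward it. Verifying the signature itself
    (xmlsec + the IdP's certificate) is a separate step not shown here."""
    r = parse_ecp_response(envelope_xml)
    problems = []
    if r["must_understand"] != "1" or r["actor"] != SOAP_ACTOR_NEXT:
        problems.append("ecp:Response header is not mustUnderstand=1 for actor 'next'")
    # ECP profile: the client compares the IdP's AssertionConsumerServiceURL with
    # the responseConsumerURL from the SP's paos:Request and stops on mismatch.
    if r["acs_url"] != response_consumer_url:
        problems.append("AssertionConsumerServiceURL %r != responseConsumerURL %r"
                        % (r["acs_url"], response_consumer_url))
    if r["in_response_to"] != expected_request_id:
        problems.append("InResponseTo %r is not our request ID" % (r["in_response_to"],))
    # The enveloped signature must reference the Response being relayed, not
    # some other element in the document.
    if r["signature_reference"] != "#%s" % (r["response_id"],):
        problems.append("ds:Reference URI %r does not cover samlp:Response %r"
                        % (r["signature_reference"], r["response_id"]))
    if r["status_code"] != STATUS_SUCCESS:
        problems.append("IdP status %s: %s" % (r["status_code"], r["status_message"]))
    return problems

# PingFederate's reply from the message above, signature value shortened.
PINGFEDERATE_ERROR_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header><ecp:Response SOAP-ENV:mustUnderstand="1"
 AssertionConsumerServiceURL="http://win8pw.rapattoni.local:9030/sp/ACS.saml2"
 SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/></SOAP-ENV:Header>
<SOAP-ENV:Body><samlp:Response InResponseTo="ReuN6 kcKciIz6QoYqVrDCkKABT"
 IssueInstant="2008-05-01T23:09:15.828Z" ID="iEEDq1CCUIH3WU-cbqCYqkWTul6" Version="2.0"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PF-DEMO</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#iEEDq1CCUIH3WU-cbqCYqkWTul6"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>0UbOJJJ78DbKHNNT2v/6waGfm4Q=</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>NbpJhmzXdyHaIlinoEibXge1Y8hk74+9...</ds:SignatureValue>
</ds:Signature><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
<samlp:StatusMessage>Request was invalid XML</samlp:StatusMessage>
<samlp:StatusDetail><Cause>com.pingidentity.common.util.xml.InvalidXmlException: Invalid XML -
 errors: [error: String: 'ReuN6 kcKciIz6QoYqVrDCkKABT' does not match pattern for xs:ID]</Cause>
</samlp:StatusDetail></samlp:Status></samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

Run check_ecp_response(PINGFEDERATE_ERROR_RESPONSE, "ReuN6 kcKciIz6QoYqVrDCkKABT", "http://win8pw.rapattoni.local:9030/sp/ACS.saml2") and the only problem reported is the Requester status, which is the page's result: header, ACS URL, InResponseTo and signature reference all line up, and the IdP simply refused the request ID. Generating IDs with build_ecp_authn_request's default (underscore plus random hex) avoids the xs:ID failure; the ACS-URL comparison is the check that keeps a proxy sitting between SP and IdP from delivering a response to an endpoint the SP never named.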

