[wsf-dev] ECP plugin build/execute feedback
Asa Hardcastle
asa.openliberty at zenn.net
Thu May 1 17:39:36 PDT 2008
This is excellent Peter W.!! Peter P., can you make sure to give
Peter W. all of the support he needs?
asa
--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7
On May 1, 2008, at 7:34 PM, Peter Williams wrote:
> I’m a little behind my schedule, but I am making progress, inch by
> inch.
>
> Last week, I got Shib2 to deliver an (unsigned) AuthnRequest with an
> ECP header, wrapped in SOAP1.1. Scott showed how to ensure Shib2
> generates a list of IDPs in the AuthnRequest, which your proxy code
> will presumably present to Firefox users – for their selection.
>
> This week I finally (by sheer luck) got PingFederate 5.01 to issue a
> signed message (SAML Error) with an ECP header. A second trial, with
> a well formed AuthnRequest, does more properly cause PingFederate to
> now hit a backend AuthenticationAuthority. One I plug my own
> AuthticationAuthority class into PingFederate, its reasonably to now
> assume that once IDP processing is complete as IDP PingFedarate WILL
> then generate a positive AuthnResponse, with ECP header, all signed
> and then wrapped as a SOAP Response.
>
> Sound like the scenario is coming together, using a good variety of
> sources for the various components. We seem to have the beginnings
> of the http SP endpoint producing PAOS ECP messages, the SOAP-bound
> IDP producing an AuthnResponse with the required ECP header block,
> and your proxy.
>
> Of course, this has all been done in conformance testing by others
> … but the systems’ setup data for those tests is not available to
> me, and the product/Shib2 documentation say little or nothing on the
> topic of ECP and PAOS. I’m having to figure it out, mostly relying
> on code reading, protocol run observations and then trial and error.
> I do believe tho - despite the hurdles - that I’m pretty to having
> your proxy now intermediate both sides of the ECP handoff.
>
> Peter.
>
>
>
> POST /idp/SSO.saml2 HTTP/1.1
> Content-Type: text/xml
> SOAPAction:
> User-Agent: Jakarta Commons-HttpClient/2.0.2
> Host: win8pw.rapattoni.local:9030
> Cookie: $Version=0; PF=I6teR8rkVrSA990YVihTU5; $Path=/
> Content-Length: 567
>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/
> ">
> <SOAP-ENV:Body>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol
> " ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
> ForceAuthn="true" IssueInstant="2008-05-01T21:55:38.417Z" ID="ReuN6
> kcKciIz6QoYqVrDCkKABT" Version="2.0">
> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:
> 2.0:assertion">PF-DEMO</saml:Issuer>
>
> <samlp:NameIDPolicy SPNameQualifier="petersp" AllowCreate="true"/>
> </samlp:AuthnRequest>
> </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
>
>
>
>
> HTTP/1.1 200 OK
> Date: Thu, 01 May 2008 23:09:15 GMT
> Server: Jetty/5.1.12 (Windows Server 2008/6.0 x86 java/1.6.0_06
> Cache-Control: no-cache, no-store
> Pragma: no-cache
> max-age: Thu, 01 Jan 1970 00:00:00 GMT
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Content-Type: text/xml
> Content-Length: 1983
>
> <?xml version="1.0" encoding="UTF-8"?>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/
> "><SOAP-ENV:Header><ecp:Response SOAP-ENV:mustUnderstand="1"
> AssertionConsumerServiceURL="http://win8pw.rapattoni.local:9030/sp/ACS.saml2
> " SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
> xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/></SOAP-
> ENV:Header><SOAP-ENV:Body><samlp:Response InResponseTo="ReuN6
> kcKciIz6QoYqVrDCkKABT" IssueInstant="2008-05-01T23:09:15.828Z"
> ID="iEEDq1CCUIH3WU-cbqCYqkWTul6" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol
> "><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PF-
> DEMO</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#
> ">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#
> "/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
> "/>
> <ds:Reference URI="#iEEDq1CCUIH3WU-cbqCYqkWTul6">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature
> "/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>0UbOJJJ78DbKHNNT2v/6waGfm4Q=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> NbpJhmzXdyHaIlinoEibXge1Y8hk74
> +9+h9n28bk1Df6pZYuWLeexbb9Rs6W79jRZfw3nxkICypL
> uvCUG7ahFX5m0iTkLy44B0ppt0/MADKalZTft2/u6ENxaOmlWgsxjiLSrk+BkNR
> +N2G9nyMyDS2P
> Px+/2PTwfpDnizZ2IC0=
> </ds:SignatureValue>
> </ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester
> "/><samlp:StatusMessage>Request was invalid XML</
> samlp:StatusMessage
> >
> <
> samlp:StatusDetail
> ><Cause>com.pingidentity.common.util.xml.InvalidXmlException:
> Invalid XML - errors: [error: String: 'ReuN6 kcKciIz6QoYqVrDCkKABT'
> does not match pattern for xs:ID]</Cause></samlp:StatusDetail></
> samlp:Status></samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
>
> From: Peter Pritchard [mailto:peter.openliberty at zenn.net]
> Sent: Monday, April 28, 2008 11:20 AM
> To: wsf-dev at lists.openliberty.org
> Cc: Peter Williams
> Subject: Re: [wsf-dev] ECP plugin build/execute feedback
>
> Sorry about the docs ...
>
> I will update them soon ...
>
> So I built the final .xpi file, so we no longer have to use eclipse
> to launch the extension
>
> _______________________________________________
> Wsf-dev mailing list
> Wsf-dev at lists.openliberty.org
> http://lists.openliberty.org/mailman/listinfo/wsf-dev_lists.openliberty.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openliberty.org/pipermail/wsf-dev_lists.openliberty.org/attachments/20080501/41b17cba/attachment-0001.html
More information about the Wsf-dev
mailing list