[wsf-dev] ECP plugin build/execute feedback

Peter Pritchard peter.openliberty at zenn.net
Tue May 6 07:23:25 PDT 2008 

Anything I can do, I am all yours .. (sorry for the delay getting back  
to you) ... I'm glad you've been able to look around a bit.

If you run into something that needs to be addressed, I can make code  
changes quickly.

- Peter Pritchard
peter.openliberty at zenn.net

On May 1, 2008, at 8:39 PM, Asa Hardcastle wrote:

> This is excellent Peter W.!!  Peter P., can you make sure to give  
> Peter W. all of the support he needs?
>
> asa
>
> --
> Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
> Tel: +1.413.429.1044 Skype: subsystem7
>
>
> On May 1, 2008, at 7:34 PM, Peter Williams wrote:
>> I’m a little behind my schedule, but I am making progress, inch by  
>> inch.
>>
>> Last week, I got Shib2 to deliver an (unsigned) AuthnRequest with  
>> an ECP header, wrapped in SOAP1.1. Scott showed how to ensure Shib2  
>> generates a list of IDPs in the AuthnRequest, which your proxy code  
>> will presumably present to Firefox users – for their selection.
>>
>> This week I finally (by sheer luck) got PingFederate 5.01 to issue  
>> a signed message (SAML Error) with an ECP header. A second trial,  
>> with a well formed AuthnRequest, does more properly cause  
>> PingFederate to now hit a backend AuthenticationAuthority. One I  
>> plug my own AuthticationAuthority class into PingFederate, its  
>> reasonably to now assume that once IDP processing is complete as  
>> IDP PingFedarate WILL then generate a positive AuthnResponse, with  
>> ECP header, all signed and then wrapped as a SOAP Response.
>>
>> Sound like the scenario is coming together, using a good variety of  
>> sources for the various components. We seem to have the beginnings  
>> of the http SP endpoint producing PAOS ECP messages, the SOAP-bound  
>> IDP producing an AuthnResponse with the required ECP header block,  
>> and your proxy.
>>
>> Of course, this has all been done in conformance testing by  others  
>> … but the systems’ setup data for those tests is not available to  
>> me, and the product/Shib2 documentation say little or nothing on  
>> the topic of ECP and PAOS. I’m having to figure it out, mostly  
>> relying on code reading, protocol run observations and then trial  
>> and error. I do believe tho - despite the hurdles - that I’m pretty  
>> to having your proxy now intermediate both sides of the ECP handoff.
>>
>> Peter.
>>
>>
>>
>> POST /idp/SSO.saml2  HTTP/1.1
>> Content-Type: text/xml
>> SOAPAction:
>> User-Agent: Jakarta Commons-HttpClient/2.0.2
>> Host: win8pw.rapattoni.local:9030
>> Cookie: $Version=0; PF=I6teR8rkVrSA990YVihTU5; $Path=/
>> Content-Length: 567
>>
>> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/ 
>> ">
>> <SOAP-ENV:Body>
>>   <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol 
>> " ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"  
>> ForceAuthn="true" IssueInstant="2008-05-01T21:55:38.417Z" ID="ReuN6
>> kcKciIz6QoYqVrDCkKABT" Version="2.0">
>>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML: 
>> 2.0:assertion">PF-DEMO</saml:Issuer>
>>
>>     <samlp:NameIDPolicy SPNameQualifier="petersp"  
>> AllowCreate="true"/>
>>   </samlp:AuthnRequest>
>> </SOAP-ENV:Body>
>> </SOAP-ENV:Envelope>
>>
>>
>>
>>
>> HTTP/1.1 200 OK
>> Date: Thu, 01 May 2008 23:09:15 GMT
>> Server: Jetty/5.1.12 (Windows Server 2008/6.0 x86 java/1.6.0_06
>> Cache-Control: no-cache, no-store
>> Pragma: no-cache
>> max-age: Thu, 01 Jan 1970 00:00:00 GMT
>> Expires: Thu, 01 Jan 1970 00:00:00 GMT
>> Content-Type: text/xml
>> Content-Length: 1983
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/ 
>> "><SOAP-ENV:Header><ecp:Response SOAP-ENV:mustUnderstand="1"  
>> AssertionConsumerServiceURL="http://win8pw.rapattoni.local:9030/sp/ACS.saml2 
>> " SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"  
>> xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/></SOAP- 
>> ENV:Header><SOAP-ENV:Body><samlp:Response InResponseTo="ReuN6  
>> kcKciIz6QoYqVrDCkKABT" IssueInstant="2008-05-01T23:09:15.828Z"  
>> ID="iEEDq1CCUIH3WU-cbqCYqkWTul6" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol 
>> "><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML: 
>> 2.0:assertion">PF-DEMO</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig# 
>> ">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# 
>> "/>
>> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1 
>> "/>
>> <ds:Reference URI="#iEEDq1CCUIH3WU-cbqCYqkWTul6">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature 
>> "/>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>0UbOJJJ78DbKHNNT2v/6waGfm4Q=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>
>> NbpJhmzXdyHaIlinoEibXge1Y8hk74 
>> +9+h9n28bk1Df6pZYuWLeexbb9Rs6W79jRZfw3nxkICypL
>> uvCUG7ahFX5m0iTkLy44B0ppt0/MADKalZTft2/u6ENxaOmlWgsxjiLSrk+BkNR 
>> +N2G9nyMyDS2P
>> Px+/2PTwfpDnizZ2IC0=
>> </ds:SignatureValue>
>> </ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester 
>> "/><samlp:StatusMessage>Request was invalid XML</ 
>> samlp:StatusMessage 
>> > 
>> < 
>> samlp:StatusDetail 
>> ><Cause>com.pingidentity.common.util.xml.InvalidXmlException:  
>> Invalid XML - errors: [error: String: 'ReuN6 kcKciIz6QoYqVrDCkKABT'  
>> does not match pattern for xs:ID]</Cause></samlp:StatusDetail></ 
>> samlp:Status></samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
>>
>> From: Peter Pritchard [mailto:peter.openliberty at zenn.net]
>> Sent: Monday, April 28, 2008 11:20 AM
>> To: wsf-dev at lists.openliberty.org
>> Cc: Peter Williams
>> Subject: Re: [wsf-dev] ECP plugin build/execute feedback
>>
>> Sorry about the docs ...
>>
>> I will update them soon ...
>>
>> So I built the final .xpi file, so we no longer have to use eclipse  
>> to launch the extension
>>
>> _______________________________________________
>> Wsf-dev mailing list
>> Wsf-dev at lists.openliberty.org
>> http://lists.openliberty.org/mailman/listinfo/wsf-dev_lists.openliberty.org
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openliberty.org/pipermail/wsf-dev_lists.openliberty.org/attachments/20080506/dc00eb50/attachment-0001.html

More information about the Wsf-dev mailing list