SP initiated SSO, testspsso not working :: Could not find the AuthnRequest
841373, Jun 22 2011 (edited Jun 24 2011)
Hello,
I have setup an OIF infrastructure consisting of an IDP and a SP on the same physical box.
IDP: http://<hostname:7777>/fed/idp
SP: http://<hostname:7778>/fed/sp
1] When I run an IDP initiated SSO, I am taken to the IDP login page. The URL in the address bar does not change at this time. I login with orcladmin and I land on the "Federation SSO Operation Result" page showing "Authentication Successful" and other assertion attributes. The returnurl is listed in the 'Relay State' parameter.
So the URL trace is as follows:
http://<hostname:7777>/fed/idp/initiatesso?providerid=http://<hostname:7778>/fed/sp&returnurl=http://hostname:8083
http://<hostname:7777>/fed/user/authnldapproc
http://<hostname:7778>/fed/sp/art20?SAMLart=AAQAAQyoGcHsLP4IurT1b4sRVh2dIDw1DtfvKf0V7nj%2Bcimd2T3H6KlXvCI%3D&RelayState=http%3A%2F%2F<hostname>%3A8083
2] However, when I run a SP initiated SSO, I am taken to the IDP login page. I login with orcladmin and I see an "Internal Server Error". The URL trace is as follows:
http://<hostname:7778>/fed/sp/initiatesso?providerid=http://<hostname:7777>/fed/idp&returnurl=http://<hostname:8083>
http://<hostname:7777>/fed/idp/samlv20?SAMLRequest=jZJLb8IwEIT%2FSuR7nhVQrQhSgFYgFRS19KHe3GQplhw7eDcF%2BusbQg%2B0B1of7dmdb0Yekqx0DVnDG3OP2waJvX2lDUH3kIrGGbCSFIGRFRJwAQ%2FZ4g6SIILaWbaF1cKbtnPKSFbWpGLDXEMYomLykbBonOJDP3BWswwKW8GgPeEay1CVdXj0%2BUgi4c2nqVClP97W%2BiZffqJ9mSWTfLx9XqjdmB%2F3A%2FJbEVGDc0MsDaciieLYj%2Fp%2BkqziBK560Ou%2FCi2F%2FxhorUyrzfjnD20lEMFutcj9zrNayYOE9oaMuTSsSo%2BGREjpzd9bP5dWSCN2xEuHdWldJviw%2F3rT5150U0HDbmhj9p8zrrkyqh%2BEZ5om5hmW7dj7NrVbFwcu0truJQ8mYCnYN%2Fo0WB%2FFvtEoqnZWlQyIRjk6uP%2F%2FQ6As%3D&RelayState=id-SyvNbnqkmywyRsqQPD3bvFtYtQM-&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=rvtCiF2R%2FenSVXlAHoRI4ZbDNraIsvxG9vhNTs%2BB8IdWtPgGNcrKCpdHVQQShbHlWuy3n6qKr4ZqYtMe%2BLnlO60IcRDaV0eGJbeHF4dBVSvhxyEOeGsrW6MF%2FG4MnQjhj3nUvJ5veRaosNnWOpFKOlu4EYvhRPjQFxmOXaN4zW0%3D
http://<hostname:7777>/fed/user/authnldapproc
http://<hostname:7778>/fed/sp/art20?SAMLart=AAQAAQyoGcHsLP4IurT1b4sRVh2dIDw1EZavM%2BV%2BwgSU%2BFGeiFH%2FoWs9nWA%3D&RelayState=id-j23uqjA3s25-KMTQk3SrE3ilOEk-
Also the following error is seen in the logs:
<Jun 22, 2011 6:06:14 PM IST> <Error> <oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor> <FED-15011> <Cannot find the authentication request associated with the assertion.>
<Jun 22, 2011 6:06:14 PM IST> <Error> <oracle.security.fed.controller.ActionStateMachine> <FED-12064> <Exception: {0}
oracle.security.fed.event.EventException: Could not find the AuthnRequest associated to the Assertion
at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.checkSubjectConfirmation(Unknown Source)
at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.processAssertion(Unknown Source)
at oracle.security.fed.eventhandler.profiles.sp.sso.v20.ProcessResponseEventHandler.perform(Unknown Source)
at oracle.security.fed.controller.ActionStateMachine.processEvent(Unknown Source)
at oracle.security.fed.controller.EventControllerImpl.processEvent(Unknown Source)
at oracle.security.fed.controller.ApplicationController.publishEvent(Unknown Source)
at oracle.security.fed.controller.ApplicationController.publishEvent(Unknown Source)
at oracle.security.fed.controller.web.action.ResponseHandlerContext.publishEvent(Unknown Source)
at oracle.security.fed.http.flow.profiles.sp.SendSoapRequestSSOResponseHandler.perform(Unknown Source)
at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
3] When I run a testspsso I see the "Internal Server Error" again.
Test SP SSO parameters:
IDP ID: http://<hostname:7777>/fed/idp
Authn Request Binding: HTTP Redirect
Check "Allow Federation Creation"
SSO Response Binding: HTTP POST
The URL trace is:
http://<hostname:7778>/fed/user/testspsso
http://<hostname:7778>/fed/user/testspstartsso
http://<hostname:7777>/fed/idp/samlv20?SAMLRequest=jZJLT8MwEIT%2FSuR7noK2sppIoRFQCUqgKQhuJtm0lhzb9Trl8etJUqQWDgUf7dmdb0aeImuEpmlrN%2FIBti2gdd4bIZEODzFpjaSKIUcqWQNIbUmX6e0NjbyAaqOsKpUgTtbNccksVzImG2s19X3gFl1AKFvD7cfIM0pY5pWqoePu%2BDVUPq%2B03%2FvsooA4l8qUMIDEpGYCgTjzLCa8cj9HxXPUpOn2fnmln2S5WkzYZjXLUly7nQhzhsh3cBhDbGEu0TJpYxIFYegGIzeKijCg0Tk9G78QJ%2F9mv%2BCy4nJ9OujrXoT0uihyN79bFsR5BIND3E5Akmkfgw7G5qjA02s7bDB9Z0P4htnT8v6ma6MepBSk7WolyX%2Fangxto576R5h7Zk0X3dp5livByw8nFUK9zQwwe6jzL7bQC3%2BxtRI1lLzmUBE%2F2bv%2B%2FGTJFw%3D%3D&RelayState=id-YBTOgrwuC9g2YISmB34W1a41vKU-&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=HyeP7IBfHvim8U9YtTUAVN1ztNA6GQdWL64%2FBD7S9Zm5tGEUjsSXxJT30clDA%2Fo%2Bn3OVvAm6sR1EqvQEqrYBzH9ZDcPX%2BbaJtmzdN1sGUPummkSJ006jqEozzSloG9MOfJbOJFZxsvdtVJk1LxDB6kfIgiiOtfdXWpy2kt576k0%3D
http://<hostname:7777>/fed/user/authnldapproc
http://<hostname:7778>/fed/sp/authnResponse20
The following errors are seen in the logs:
[2011-06-22T15:57:05.146+05:30] [wls_oif1] [ERROR] [FED-15011] [oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004d^dcvm8p1zWGMyyFg6G0005gC0001BC,0:1] [APP: OIF#11.1.1.2.0] [dcid: 9a4c2a36cb983fd2:27211f74:130b1d2bebc:-8000-000000000000276e] [URI: /fed/sp/authnResponse20] Cannot find the authentication request associated with the assertion.
[2011-06-22T15:57:05.147+05:30] [wls_oif1] [ERROR] [FED-12064] [oracle.security.fed.controller.ActionStateMachine] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004d^dcvm8p1zWGMyyFg6G0005gC0001BC,0:1] [APP: OIF#11.1.1.2.0] [dcid: 9a4c2a36cb983fd2:27211f74:130b1d2bebc:-8000-000000000000276e] [URI: /fed/sp/authnResponse20] Exception: {0}[[
oracle.security.fed.event.EventException: Could not find the AuthnRequest associated to the Assertion
at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.checkSubjectConfirmation(Unknown Source)
at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.processAssertion(Unknown Source)
at oracle.security.fed.eventhandler.profiles.sp.sso.v20.ProcessResponseEventHandler.perform(Unknown Source)
at oracle.security.fed.controller.ActionStateMachine.processEvent(Unknown Source)
at oracle.security.fed.controller.EventControllerImpl.processEvent(Unknown Source)
at oracle.security.fed.controller.ApplicationController.publishEvent(Unknown Source)
at oracle.security.fed.controller.web.action.RequestHandlerContext.publishEvent(Unknown Source)
at oracle.security.fed.controller.web.action.RequestHandlerSupport.perform(Unknown Source)
at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
]]
[2011-06-22T15:57:05.148+05:30] [wls_oif1] [ERROR] [FED-12064] [oracle.security.fed.controller.ApplicationController] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004d^dcvm8p1zWGMyyFg6G0005gC0001BC,0:1] [APP: OIF#11.1.1.2.0] [dcid: 9a4c2a36cb983fd2:27211f74:130b1d2bebc:-8000-000000000000276e] [URI: /fed/sp/authnResponse20] Exception: {0}[[
oracle.security.fed.event.EventException: Could not find the AuthnRequest associated to the Assertion
at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.checkSubjectConfirmation(Unknown Source)
at oracle.security.fed.eventhandler.profiles.sp.sso.assertion.Saml20AssertionProcessor.processAssertion(Unknown Source)
at oracle.security.fed.eventhandler.profiles.sp.sso.v20.ProcessResponseEventHandler.perform(Unknown Source)
at oracle.security.fed.controller.ActionStateMachine.processEvent(Unknown Source)
at oracle.security.fed.controller.EventControllerImpl.processEvent(Unknown Source)
at oracle.security.fed.controller.ApplicationController.publishEvent(Unknown Source)
at oracle.security.fed.controller.web.action.RequestHandlerContext.publishEvent(Unknown Source)
at oracle.security.fed.controller.web.action.RequestHandlerSupport.perform(Unknown Source)
at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:330)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Also, please note that for the OIF SP OID instance, after installation the federation data store directory structure cn=fed,dc=example,dc=com was not created. I had to create it manually. Not sure if that is an issue.
Could you please let me know the missing links here? Let me know if you need more info.
Thanks,
DK
Edited by: Amit Kumar on Jun 22, 2011 10:13 PM
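The failing frame in both traces above is Saml20AssertionProcessor.checkSubjectConfirmation, raised while handling the Response delivered to /fed/sp/authnResponse20 (or fetched via art20). In SAML 2.0 Web Browser SSO the SP correlates a Response with the AuthnRequest it sent by the InResponseTo attribute on the bearer SubjectConfirmationData, which must match a request ID the SP still holds; an IDP-initiated (unsolicited) Response has no InResponseTo and is accepted without that lookup, which is consistent with scenario 1 working and scenarios 2 and 3 failing. The following added example (not OIF code, and not from the original post) models that correlation with constructed hostnames, IDs and helper names: it encodes an AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), decodes it again so you can read the request ID out of a captured SAMLRequest parameter, and runs the SP-side check that fails when the ID in the Response is not on file.

```python
"""Added example: SP-initiated SAML 2.0 flow with the SP-side InResponseTo check.
Endpoints, IDs and helper names are assumptions for this example, not OIF's."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed endpoints mirroring the post's layout (IDP on 7777, SP on 7778).
IDP_ENTITY = "http://idp.example.com:7777/fed/idp"
IDP_SSO = "http://idp.example.com:7777/fed/idp/samlv20"
SP_ENTITY = "http://sp.example.com:7778/fed/sp"
ACS_URL = "http://sp.example.com:7778/fed/sp/authnResponse20"


def build_authn_request(request_id):
    # Minimal unsigned AuthnRequest; with HTTP-Redirect the signature travels in the
    # separate SigAlg/Signature query parameters seen in the post, not inside the XML.
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2011-06-22T10:27:05Z" '
        f'Destination="{IDP_SSO}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>'
    )


def redirect_encode(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def redirect_decode(saml_request_param):
    # Inverse of redirect_encode; URL-decoding has already been done by parse_qs.
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()


def sp_start_sso(pending):
    # SP side of /fed/sp/initiatesso: mint a request ID, remember it, redirect to the IDP.
    request_id = "id-" + uuid.uuid4().hex
    pending[request_id] = ACS_URL
    query = urlencode({"SAMLRequest": redirect_encode(build_authn_request(request_id)),
                       "RelayState": "id-" + uuid.uuid4().hex})
    return request_id, f"{IDP_SSO}?{query}"


def idp_read_request(redirect_url):
    # IDP side (or a troubleshooter with a captured URL): recover ID and ACS URL.
    qs = parse_qs(urlparse(redirect_url).query)
    root = ET.fromstring(redirect_decode(qs["SAMLRequest"][0]))
    return root.get("ID"), root.get("AssertionConsumerServiceURL")


def idp_build_response(in_response_to, subject="orcladmin"):
    # IDP side after login. SubjectConfirmationData carries the original request ID;
    # an unsolicited (IDP-initiated) Response simply omits InResponseTo.
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="id-{uuid.uuid4().hex}" Version="2.0" Destination="{ACS_URL}"{irt}>'
        f'<saml:Assertion ID="id-{uuid.uuid4().hex}" Version="2.0">'
        f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><saml:Subject>'
        f'<saml:NameID>{subject}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}"{irt}/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )


def sp_check_subject_confirmation(response_xml, pending, allow_unsolicited=True):
    # SP side of /fed/sp/authnResponse20: the bearer SubjectConfirmationData must
    # point at an AuthnRequest this SP still has on file (SAML 2.0 Core, sec. 4.1.4.3).
    root = ET.fromstring(response_xml)
    scd = root.find(f".//{{{NS_SAML}}}SubjectConfirmationData")
    irt = scd.get("InResponseTo") if scd is not None else None
    if irt is None:
        if allow_unsolicited:          # the IDP-initiated case that works in the post
            return "unsolicited"
        raise LookupError("unsolicited Response refused")
    if irt not in pending:             # the condition behind FED-15011
        raise LookupError("Could not find the AuthnRequest associated to the Assertion")
    if scd.get("Recipient") != pending[irt]:
        raise ValueError("Recipient does not match the requesting ACS URL")
    del pending[irt]                   # one-shot: a replayed Response now fails the lookup
    return irt


def demo():
    # Walks the post's two scenarios plus a replay and returns the outcomes.
    pending = {}
    request_id, url = sp_start_sso(pending)
    seen_id, acs = idp_read_request(url)
    response = idp_build_response(seen_id)
    out = {"request_id_roundtrip": seen_id == request_id and acs == ACS_URL,
           "sp_initiated": sp_check_subject_confirmation(response, pending)}
    try:
        sp_check_subject_confirmation(response, pending)   # second delivery of the same Response
        out["replay"] = "accepted"
    except LookupError as e:
        out["replay"] = str(e)
    out["idp_initiated"] = sp_check_subject_confirmation(idp_build_response(None), pending)
    return out
```

When debugging a real deployment, feed the SAMLRequest value from the captured redirect URL into redirect_decode to read the AuthnRequest ID, then compare it with the InResponseTo in the Response the browser posts to the SP's ACS URL; the SP will only honour the Response if that ID is still in whatever store it keeps pending requests in, so a mismatch, an expired entry, or a store the SP cannot read all surface as the same "Could not find the AuthnRequest" error.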