I decided to install Shibboleth on my PC to check the problem.
I have used this guide: https://wiki.shibboleth.net/confluen...IB2/IdPInstall
Now I'm trying to use spring-security-saml2-sample with this IdP.
But in the SP log I can read this: Message did not meet security requirements
In the IdP log instead I read: Inbound message issuer was not authenticated
I have imported the SP metadata in the IdP... what issuer authentication is this about?
Thanks for the help!
Code:
Resorting to protocol version default close connection policy
- Should NOT close connection, using HTTP/1.1
- Releasing connection back to connection manager.
- Unmarshalling message DOM
- Message succesfully unmarshalled
- Decoded SOAP messaged which included SAML message of type {urn:oasis:names:tc:SAML:2.0:protocol}ArtifactResponse
- Extracting ID, issuer and issue instant from status response
-
<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_84ae56facdce7b19ba7c3f596419f07c" InResponseTo="a2h1a6i66j2122ga47d53ha0fcfbhjg" IssueInstant="2012-12-25T20:13:12.295Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idptest.azienda.it/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</saml2p:StatusCode>
<saml2p:StatusMessage>Message did not meet security requirements</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:ArtifactResponse>
</soap11:Body>
</soap11:Envelope>
In the IdP log:
Code:
21:13:11.918 - INFO [Shibboleth-Access:74] - 20121225T201311Z|127.0.0.1|idptest.azienda.it:443|/profile/SAML2/POST/SSO|
21:13:12.028 - INFO [Shibboleth-Access:74] - 20121225T201312Z|127.0.0.1|idptest.azienda.it:443|/profile/SAML2/POST/SSO|
21:13:12.041 - INFO [Shibboleth-Audit:989] - 20121225T201312Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|a3agh7jjdci13d314dc10ga3fbb752a|http://sp.ditta.it:7087/saml2-sp/saml/metadata/alias/defaultAlias|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idptest.azienda.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact|_8d8f01377c694100e8c94dc7c09f9b99||||||
21:13:12.278 - INFO [Shibboleth-Access:74] - 20121225T201312Z|127.0.0.1|idptest.azienda.it:8443|/profile/SAML2/SOAP/ArtifactResolution|
21:13:12.287 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.
21:13:12.294 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.ArtifactResolution:198] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.
at org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule.evaluate(MandatoryAuthenticatedMessageRule.java:38) ~[openws-1.4.4.jar:na]
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51) ~[openws-1.4.4.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132) ~[openws-1.4.4.jar:na]
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83) ~[openws-1.4.4.jar:na]
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.5.3.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.ArtifactResolution.decodeRequest(ArtifactResolution.java:188) [shibboleth-identityprovider-2.3.8.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.ArtifactResolution.processRequest(ArtifactResolution.java:97) [shibboleth-identityprovider-2.3.8.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.ArtifactResolution.processRequest(ArtifactResolution.java:56) [shibboleth-identityprovider-2.3.8.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:84) [shibboleth-common-1.3.7.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.8.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.8.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.7.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.36]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.36]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.36]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.36]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.36]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:6.0.36]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.36]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.36]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) [tomcat-coyote.jar:6.0.36]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606) [tomcat-coyote.jar:6.0.36]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.36]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_38]
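A SAML 2.0 Status carries a top-level StatusCode (one of Success, Requester, Responder or VersionMismatch) that may nest a more specific second-level code, plus an optional StatusMessage. In the response logged above the top-level Responder code says the IdP side rejected the ArtifactResolve, RequestDenied is the detail, and the actual reason (the IdP's MandatoryAuthenticatedMessageRule could not authenticate the sender of the back-channel request) appears only in the IdP log. The Python below, added here as an example and not code from the post, from Shibboleth or from spring-security-saml, pulls that status chain out of the SOAP-wrapped ArtifactResponse so the SP side can log it in one line; the denied sample is the response captured above, while the success sample and its issuer and IDs are constructed placeholders.

```python
"""Parse the <saml2p:Status> of a SOAP-wrapped SAML 2.0 ArtifactResponse.

Added example (not code from the post, Shibboleth or spring-security-saml);
standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Sample 1: the denied ArtifactResponse captured in the SP log above.
ARTIFACT_RESPONSE_DENIED = """<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_84ae56facdce7b19ba7c3f596419f07c" InResponseTo="a2h1a6i66j2122ga47d53ha0fcfbhjg" IssueInstant="2012-12-25T20:13:12.295Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idptest.azienda.it/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
</saml2p:StatusCode>
<saml2p:StatusMessage>Message did not meet security requirements</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:ArtifactResponse>
</soap11:Body>
</soap11:Envelope>
"""

# Sample 2: a constructed success response; issuer and IDs are placeholders.
ARTIFACT_RESPONSE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:ArtifactResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_placeholder-response-id" InResponseTo="_placeholder-request-id" IssueInstant="2012-12-25T20:13:12.295Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.test/idp/shibboleth</saml2:Issuer>
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
</saml2p:ArtifactResponse>
</soap11:Body>
</soap11:Envelope>
"""


def parse_status(xml_text):
    """Return (issuer, [status codes, outermost first], status message or None).

    Raises ValueError when the SOAP body holds no ArtifactResponse or the
    response has no Status element, both of which are protocol violations.
    """
    # Encode to bytes so the XML declaration's encoding is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    resp = root.find("soap11:Body/saml2p:ArtifactResponse", NS)
    if resp is None:
        raise ValueError("no saml2p:ArtifactResponse in SOAP body")

    issuer_el = resp.find("saml2:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None

    status = resp.find("saml2p:Status", NS)
    if status is None:
        raise ValueError("ArtifactResponse has no saml2p:Status")

    # Walk the StatusCode chain: the top-level code may nest a detail code,
    # which may in turn nest further codes.
    codes = []
    code = status.find("saml2p:StatusCode", NS)
    while code is not None:
        codes.append(code.get("Value"))
        code = code.find("saml2p:StatusCode", NS)

    msg_el = status.find("saml2p:StatusMessage", NS)
    message = msg_el.text.strip() if msg_el is not None and msg_el.text else None
    return issuer, codes, message


def summarize(xml_text):
    """One-line-loggable view: success flag, top-level code, detail codes, message."""
    issuer, codes, message = parse_status(xml_text)
    return {
        "issuer": issuer,
        "success": bool(codes) and codes[0] == STATUS_SUCCESS,
        "top_level": codes[0] if codes else None,
        "detail": codes[1:],
        "message": message,
    }


if __name__ == "__main__":
    for label, sample in (("denied", ARTIFACT_RESPONSE_DENIED), ("ok", ARTIFACT_RESPONSE_OK)):
        print(label, summarize(sample))
```

Run it as a script to see both summaries; when parsing XML received from a peer rather than an embedded sample, use a hardened parser such as defusedxml instead of xml.etree directly.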