
Delegation Liberty SSOS flow completely broken on Subject C14N


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.0
    • Component/s: SAML2, Spring Web Flow
    • Labels: None
    • Operating System: Multiple

      Description

      Some apparent changes to the way the c14n flows work have broken the Liberty SSOS flow.

      In idwsf-ssos-flow.xml, we were doing SAML Subject c14n by calling a subflow like so:

          <subflow-state id="CallSAMLSubjectCanonicalization" subflow="c14n/saml">
              <input name="calledAsSubflow" value="true" />
              <transition on="proceed" to="FinalizeSAMLTokenProcessing" />
          </subflow-state>
      

      Apparently the flow that was named c14n/saml has gone away. I see in the svn history that it was replaced by a more generic flow named c14n. But that doesn't work, failing with:

      2016-10-18 20:11:26,830 - ERROR [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] - Profile Action SelectSubjectCanonicalizationFlow: No potential flows left to choose from, canonicalization will fail

      That's the only logging I currently get. I'm going to need some guidance, probably from Scott, about what to do here.

      If the current c14n is usable as-is, maybe we just need some more context data to be populated in the PRC? In the ProcessDelegatedAssertion action code which immediately precedes the subflow callout, I was setting up for subject c14n like so:

      // Imports for the types used below (javax.security.auth.Subject plus the IdP's
      // SubjectCanonicalizationContext and the SAML NameIDPrincipal wrapper).
      import javax.security.auth.Subject;
      import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
      import net.shibboleth.idp.saml.authn.principal.NameIDPrincipal;

      // Set up Subject c14n context for call to c14n subflow.
      // Wrap the delegated assertion's NameID as the sole principal of a new Subject.
      final Subject subject = new Subject();
      subject.getPrincipals().add(new NameIDPrincipal(nameID));

      // Populate the c14n context with the subject and, when strategies are configured,
      // the requester and responder entity IDs, then attach it to the ProfileRequestContext.
      final SubjectCanonicalizationContext c14n = new SubjectCanonicalizationContext();
      c14n.setSubject(subject);
      if (requesterLookupStrategy != null) {
          c14n.setRequesterId(requesterLookupStrategy.apply(profileRequestContext));
      }
      if (responderLookupStrategy != null) {
          c14n.setResponderId(responderLookupStrategy.apply(profileRequestContext));
      }
      profileRequestContext.addSubcontext(c14n, true);

      People

      Assignee: Brent Putman (putmanb@shibboleth.net)
      Reporter: Brent Putman (putmanb@shibboleth.net)