Delegation Liberty SSOS flow completely broken on Subject C14N
Description
Environment
None
Activity
Brent Putman
October 19, 2016 at 8:55 PM
Assigned fix version.
Brent Putman
October 19, 2016 at 12:59 AM
Fixed r8513.
Brent Putman
October 19, 2016 at 12:58 AM
Ok, thx. That seems to work. I'll close this unless I find another problem.
Scott Cantor
October 19, 2016 at 12:43 AM
(edited)
Missing step is probably PopulateSubjectCanonicalizationContext. Has to be told now which set of c14n flows are available to allow the same driver to run for both SAML and post-login cases, so I wired that into the parent flow.
Probably can just reuse the bean, just need to add that action ahead of the subflow call, probably like this:
<action-state id="ProcessSAMLToken">
    <evaluate expression="PopulateLibertyContext" />
    <evaluate expression="EvaluateDelegationPolicy" />
    <evaluate expression="DecryptDelegatedAssertionNameID" />
    <evaluate expression="ProcessDelegatedAssertion" />
    <evaluate expression="PopulateSubjectCanonicalizationContext" />
    <evaluate expression="'proceed'" />
    <transition on="proceed" to="CallSAMLSubjectCanonicalization" />
</action-state>
Scott Cantor
October 19, 2016 at 12:38 AM
Except yes, the name changed, I collapsed them into one master flow, and thought I changed all the callers. I must have thought this was using the abstract SAML flow's call to this subsystem, it's used during queries for one example.
Fixed
Details
Assignee
Brent Putman
Reporter
Brent Putman
Components
Fix versions
Created October 19, 2016 at 12:26 AM
Updated October 19, 2016 at 8:55 PM
Resolved October 19, 2016 at 8:55 PM
Some apparent changes to the way the c14n flows work have broken the Liberty SSOS flow.
In idwsf-ssos-flow.xml, we were doing SAML Subject c14n by calling a subflow like so:
<subflow-state id="CallSAMLSubjectCanonicalization" subflow="c14n/saml">
    <input name="calledAsSubflow" value="true" />
    <transition on="proceed" to="FinalizeSAMLTokenProcessing" />
</subflow-state>
Apparently the flow that was named c14n/saml has gone away. I see in the svn history that it was replaced by a more generic flow named c14n. But that doesn't work, failing with:
That's the only logging I currently get. I'm going to need some guidance, probably from Scott, about what to do here.
If the current c14n is usable as-is, maybe we just need some more context data to be populated in the PRC? In the ProcessDelegatedAssertion action code which immediately precedes the subflow callout, I was setting up for subject c14n like so:
// Set up Subject c14n context for call to c14n subflow.
final Subject subject = new Subject();
subject.getPrincipals().add(new NameIDPrincipal(nameID));

final SubjectCanonicalizationContext c14n = new SubjectCanonicalizationContext();
c14n.setSubject(subject);
if (requesterLookupStrategy != null) {
    c14n.setRequesterId(requesterLookupStrategy.apply(profileRequestContext));
}
if (responderLookupStrategy != null) {
    c14n.setResponderId(responderLookupStrategy.apply(profileRequestContext));
}
profileRequestContext.addSubcontext(c14n, true);