
  • Infinite loop when using Ping Federate IDP

    Hello all,

    I am trying to integrate SAML extension in my test application that authenticates the user against our Ping Federate IDP. Unfortunately my application goes in an infinite loop after a successful login. My IDP is configured to redirect the user to <host>:<ip>/sso link. I am missing something, but can't figure out what. Can someone help me here? Thanks in advance for your help.
    Code:
        <!--
        Spring Security SAML service-provider (SP) configuration fragment, as posted in the thread.
        Beans that are referenced here but not defined in this excerpt: parserPool (used by the
        IDP metadata provider) and the five bindings listed in the processor bean at the end.
        -->

        <!-- Unsecured pages: security="none" takes these two paths out of the security filter chain entirely -->
        <security:http security="none" pattern="/logout.jsp"/>
        <security:http security="none" pattern="/favicon.ico"/>
    
        <!-- Main chain: every other request requires full authentication; unauthenticated
             requests are sent to samlEntryPoint, and the SAML filters are spliced in via the
             two custom-filter entries -->
        <security:http entry-point-ref="samlEntryPoint">
            <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
            <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
            <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
        </security:http>
    
        <!-- Maps each SAML endpoint to its processing filter; patterns are Ant-style (request-matcher="ant").
             Note the SSO endpoint is /saml/SSO/**, not /sso (see the successRedirectHandler note below). -->
        <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
            <security:filter-chain-map request-matcher="ant">
                <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
                <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
                <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
                <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
                <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
                <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
                <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
            </security:filter-chain-map>
        </bean>
    
        <!-- Handler deciding where to redirect user after successful login -->
        <!-- NOTE(review): reply #2 in the thread points at this value. The IdP is described as redirecting
             to /sso and the post-login default target is also /sso, which the reply identifies as the
             source of the redirect loop. Confirm the target is a plain page that neither starts nor
             processes SSO; a saved request (SavedRequestAwareAuthenticationSuccessHandler) takes
             precedence over this default when one exists. -->
        <bean id="successRedirectHandler"
              class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
            <property name="defaultTargetUrl" value="/sso"    />
        </bean>
        <!--
        Use the following for interpreting RelayState coming from unsolicited response as redirect URL:
        <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
           <property name="defaultTargetUrl" value="/" />
        </bean>
        -->
    
        <!-- Handler for successful logout -->
        <bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
            <property name="defaultTargetUrl" value="/logout"/>
        </bean>
    
        <!-- Register authentication manager with SAML provider -->
        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider ref="samlAuthenticationProvider"/>
        </security:authentication-manager>
    
        <!-- Logger for SAML messages and events -->
        <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>
    
        <!-- Central storage of cryptographic keys -->
        <!-- Arguments in order: keystore location, keystore password, map of key alias to key password,
             default key alias. -->
        <!-- NOTE(review): the keystore password and the key password are stored in plaintext in this
             file (and were posted publicly with the thread). Move them to an externalized property so
             they are not committed alongside the configuration, and rotate them if this is a real
             keystore. -->
        <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
            <constructor-arg value="classpath:samlKeystore.jks"/>
            <constructor-arg type="java.lang.String" value="ngsrocks"/>
            <constructor-arg>
                <map>
                    <entry key="glacieroffload" value="ngsrocks"/>
                </map>
            </constructor-arg>
            <constructor-arg type="java.lang.String" value="glacieroffload"/>
        </bean>
    
        <!-- Entry point to initialize authentication, default values taken from properties file -->
        <!-- The AuthnRequest binding is pinned to HTTP-POST and scoping is omitted. Post #3 reports
             the IdP did not support HTTP-Artifact and that switching to POST removed the loop. -->
        <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
            <property name="defaultProfileOptions">
                <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                    <property name="includeScoping" value="false"/>
                    <property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
                </bean>
            </property>
        </bean>
    
        <!-- IDP Discovery Service -->
        <bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
            <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/>
        </bean>
    
        <!-- Filter automatically generates default SP metadata -->
        <!-- signMetadata="false": the generated SP metadata is published unsigned, so a relying
             party cannot verify its origin from the document itself. Acceptable for a test setup;
             confirm before the IdP consumes this metadata in production. -->
        <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
            <constructor-arg>
                <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                    <property name="entityId" value="test-az:sp:glacieroffload" />
                    <property name="includeDiscovery" value="false" />
                    <property name="signMetadata" value="false" />
                </bean>
            </constructor-arg>
        </bean>
    
        <!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
        <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
    
        <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
        <!-- Do not forget to call the initialize method on providers -->
        <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
            <constructor-arg>
                <list>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                        <constructor-arg>
                            <!-- NOTE(review): a classpath: location converted to java.io.File only resolves
                                 when the resource is a real file on disk (not packaged inside a jar);
                                 verify this holds for the deployment. -->
                            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                                <constructor-arg>
                                    <value type="java.io.File">classpath:saml_idp.xml</value>
                                </constructor-arg>
                                <property name="parserPool" ref="parserPool"/>
                            </bean>
                        </constructor-arg>
                        <constructor-arg>
                            <!-- NOTE(review): this ExtendedMetadata is attached to the delegate that loads the
                                 IdP file (saml_idp.xml), yet local="true" with alias "glacieroffload" reads as
                                 a description of the SP's own metadata. Confirm which entity this is meant
                                 for; the error quoted in post #3 refers to /saml/SSO/alias/defaultAlias,
                                 not to the alias set here. -->
                            <!-- NOTE(review): per the property names, signatures are not required on
                                 artifact-resolve, logout-request and logout-response messages. The thread
                                 gives no reason for relaxing these; confirm it is intentional and not a
                                 leftover from debugging, since unsigned logout messages are then accepted. -->
                            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                                <property name="local" value="true"/>
                                <property name="alias" value="glacieroffload"/>
                                <property name="requireArtifactResolveSigned" value="false" />
                                <property name="requireLogoutRequestSigned" value="false" />
                                <property name="requireLogoutResponseSigned" value="false" />
                                <property name="idpDiscoveryEnabled" value="false" />
                            </bean>
                        </constructor-arg>
                    </bean>
                </list>
            </constructor-arg>
            <!-- OPTIONAL used when one of the metadata files contains information about this service provider -->
            <!-- <property name="hostedSPName" value=""/> -->
            <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
            <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> -->
        </bean>
    
        <!-- Application-specific user lookup; the class is not shown in the thread -->
        <bean id="azUserDetailsService" class="com.rd.proto.AzUserDetailsService"> </bean>
        <!-- SAML Authentication Provider responsible for validating of received SAML messages -->
        <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
            <!-- OPTIONAL property: can be used to store/load user data after login -->
            <property name="userDetails" ref="azUserDetailsService" />
        </bean>
    
        <!-- Provider of default SAML Context -->
        <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
    
        <!-- Processing filter for WebSSO profile messages -->
        <!-- Both SSO processing filters below hand a successful login to successRedirectHandler -->
        <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        </bean>
    
        <!-- Processing filter for WebSSO Holder-of-Key profile -->
        <bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        </bean>
    
        <!-- Logout handler terminating local session -->
        <!-- NOTE(review): invalidateHttpSession="false" keeps the container HTTP session (and its
             attributes) alive after logout; only the security context is cleared. Confirm this is
             intended, otherwise set it to true so the session does not outlive the SAML logout. -->
        <bean id="logoutHandler"
              class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
            <property name="invalidateHttpSession" value="false"/>
        </bean>
    
        <!-- Override default logout processing filter with the one processing SAML messages -->
        <!-- NOTE(review): the same logoutHandler bean is passed for both handler arguments;
             presumably these are the local and global logout handlers. Confirm against the
             SAMLLogoutFilter constructor. -->
        <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
            <constructor-arg ref="successLogoutHandler"/>
            <constructor-arg ref="logoutHandler"/>
            <constructor-arg ref="logoutHandler"/>
        </bean>
    
        <!-- Filter processing incoming logout messages -->
        <!-- First argument determines URL user will be redirected to after successful global logout -->
        <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
            <constructor-arg ref="successLogoutHandler"/>
            <constructor-arg ref="logoutHandler"/>
        </bean>
    
        <!-- Class loading incoming SAML messages from httpRequest stream -->
        <!-- The binding beans listed here are referenced but not defined in this excerpt -->
        <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
            <constructor-arg>
                <list>
                    <ref bean="redirectBinding"/>
                    <ref bean="postBinding"/>
                    <ref bean="artifactBinding"/>
                    <ref bean="soapBinding"/>
                    <ref bean="paosBinding"/>
                </list>
            </constructor-arg>
        </bean>

  • #2
    You've configured your "successRedirectHandler" to go back to the "/sso" resource by default, which is the same place you're processing SSO requests. Change your "defaultTargetUrl" to a different resource. Also, if you would like your IdP to send users to a specific resource, have them send a RelayState parameter with their authentication request.



    • #3
      Originally posted by swestenzweig:
      You've configured your "successRedirectHandler" to go back to the "/sso" resource by default, which is the same place you're processing SSO requests. Change your "defaultTargetUrl" to a different resource. Also, if you would like your IdP to send users to a specific resource, have them send a RelayState parameter with their authentication request.
      Thank you for your response.

      One of the problems I had was related to the binding. Our Ping Federate SP didn't support the HTTP-Artifact binding. Changing it to POST seems to have removed the infinite loop issue.

      The only problem is that I am now getting the following error: Problem accessing /saml/SSO/alias/defaultAlias. Reason:

      Authentication Failed: Error determining metadata contracts. I am trying to figure out what I am missing here. Regards, Rajan



      • #4
        Please update to the latest Spring SAML revision and enable debugging as described in chapter 7 of the manual. The resulting data should point you in the right direction; feel free to post the results back here so we can help you interpret them if anything is unclear.

        Vladi

