gabbydotCMS
commented
6 years ago Testing against ADFS:
- Error reported on dotcms-saml.log:
[30/05/18 14:59:14:984 PDT] ERROR rest.DotSamlRestService: Error getting posting idp
java.lang.IndexOutOfBoundsException: Index: 0
at java.util.Collections$EmptyList.get(Collections.java:4454) ~[?:1.8.0_131]
at net.shibboleth.utilities.java.support.collection.LazyList.get(LazyList.java:90) ~[java-support-7.3.0.jar:?]
at org.opensaml.core.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:320) ~[opensaml-core-3.3.1.jar:?]
at org.opensaml.core.xml.util.ListView.get(IndexedXMLObjectChildrenList.java:237) ~[opensaml-core-3.3.1.jar:?]
at com.dotcms.plugin.saml.v3.util.SamlUtils.getAssertion(SamlUtils.java:477) ~[SamlUtils.class:?]
at com.dotcms.plugin.saml.v3.handler.HttpPostAssertionResolverHandlerImpl.resolveAssertion(HttpPostAssertionResolverHandlerImpl.java:97) ~[HttpPostAssertionResolverHandlerImpl.class:?]
at com.dotcms.plugin.saml.v3.service.OpenSamlAuthenticationServiceImpl.resolveAssertion(OpenSamlAuthenticationServiceImpl.java:596) ~[OpenSamlAuthenticationServiceImpl.class:?]
at com.dotcms.plugin.saml.v3.rest.DotSamlRestService.login(DotSamlRestService.java:87) [DotSamlRestService.class:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_131]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_131]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_131]
at com.dotcms.repackage.org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$VoidOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:143) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [dot.jersey-common-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [dot.jersey-common-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.internal.Errors.process(Errors.java:315) [dot.jersey-common-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.internal.Errors.process(Errors.java:297) [dot.jersey-common-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.internal.Errors.process(Errors.java:267) [dot.jersey-common-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [dot.jersey-common-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [dot.jersey-server-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:471) [dot.jersey-container-servlet-core-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:425) [dot.jersey-container-servlet-core-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:383) [dot.jersey-container-servlet-core-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:336) [dot.jersey-container-servlet-core-2.22.1_1.jar:?]
at com.dotcms.repackage.org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:223) [dot.jersey-container-servlet-core-2.22.1_1.jar:?]
at com.dotcms.rest.servlet.ReloadableServletContainer.service(ReloadableServletContainer.java:105) [dotcms_4.3.2_ae725e9.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:721) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:466) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:391) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318) [catalina.jar:8.0.18]
at com.dotcms.repackage.org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:213) [dot.urlrewritefilter-4.0.3_2.jar:4.0.3]
at com.dotcms.repackage.org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:171) [dot.urlrewritefilter-4.0.3_2.jar:4.0.3]
at com.dotcms.repackage.org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) [dot.urlrewritefilter-4.0.3_2.jar:4.0.3]
at com.dotcms.repackage.org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) [dot.urlrewritefilter-4.0.3_2.jar:4.0.3]
at com.dotcms.repackage.org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394) [dot.urlrewritefilter-4.0.3_2.jar:4.0.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at com.dotmarketing.filters.TimeMachineFilter.doFilter(TimeMachineFilter.java:132) [dotcms_4.3.2_ae725e9.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at com.dotmarketing.filters.ThreadNameFilter.doFilter(ThreadNameFilter.java:90) [dotcms_4.3.2_ae725e9.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at com.dotmarketing.filters.CookiesFilter.doFilter(CookiesFilter.java:38) [dotcms_4.3.2_ae725e9.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at com.dotmarketing.filters.CharsetEncodingFilter.doFilter(CharsetEncodingFilter.java:108) [dotcms_4.3.2_ae725e9.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at com.dotcms.plugin.saml.v3.filter.SamlAccessFilter.doFilter(SamlAccessFilter.java:176) [SamlAccessFilter.class:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.18]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:8.0.18]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.18]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) [catalina.jar:8.0.18]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [catalina.jar:8.0.18]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.18]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [catalina.jar:8.0.18]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.18]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [catalina.jar:8.0.18]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]- IdP Response:
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://test-adfs.greenlake.io/dotsaml/login/73db2ce2-6528-44ac-8213-7a6c079b733d" ID="_b911be0c-d6ab-4851-bc38-13a3d58ce6b3" InResponseTo="_f76c8565bbe1eeef4ced49c6e05cace4" IssueInstant="2018-05-30T21:59:13.925Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.test.dotcms.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="_4c8dffd3-232d-48eb-b404-bbe8bb8305fa" IssueInstant="2018-05-30T21:59:13.924Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://adfs.test.dotcms.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_4c8dffd3-232d-48eb-b404-bbe8bb8305fa">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>5yaSfbt4czI8/zvB6e54Vjrdge0SUysLt9OJhjTEf4U=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TDtCHvYbiMqcYjoSfGEhk4NbyBFT6MLh8P2rpRCjAwGoewn83QZ7AdnNll3m8QfIgvloVyMCn5Oi4W0hf2GQ7OJ9FQxct4xhs9Xe5JblNhNBH4KL6vXCbKQLhobuP+TiZUxrEI2SS4EjQxk/FsuLHEGPHpJsSq/9DNC++GYtXPzV01RRwRoU9gQa7Q7LdXBkLBiXX0bQsxnae3pWhpzKPxPcpBEX+04zLrdkIo2YAjCO/nJhcCY2E0GVZYGaZ2yxWOUakNhlR1c1z4elYopjxnTObXGzu1HifXyDf90rJC8Iy6OXkSYyFOuE7iXE/pgWrJBZPpdX5CQeoXfbocd0eQ==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC5DCCAcygAwIBAgIQQckVl7T+yqVIIUzTTBsjJjANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIFNpZ25pbmcgLSBhZGZzLnRlc3QuZG90Y21zLmNvbTAeFw0xODA1MzAyMDU2MDlaFw0xOTA1MzAyMDU2MDlaMC4xLDAqBgNVBAMTI0FERlMgU2lnbmluZyAtIGFkZnMudGVzdC5kb3RjbXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoogPC567zBjgI1/EpODs8fSzEsA8csNfMeEWZ5D0gx3U0aBXf+azKcfguff8xCuBozr/5aqlhvYqu4MqHx2GY89Tp0F9fhqIUkjmwJE66upsulaWB3gC12K03eUMpc2dU1RaNxB2FLUHOaoYfgm8H7IoZbqBb/16OK54J8nK8Yw2HXAZ1dJ/1jP9U5UBCh3HCBd2jZhD1QwNO3soGhuGRmVq4qHL2X6NuYLEzMzaq77l4p6bWgCc6X0JG469DeTR/eTPOKoyp4kTtTS9l2KIYvlj8J6J/EZEF8rdoAVbaMb7KW7LNoLCQ8KVN2o/FmaUlpTb2qHHAZlTw0fNReeCYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCAZywQZyo/MoIfJjpgtNN4DbHtSxFWvUhg5fbvmY4AFW4DlD5nfM0t6LoZU6XDtguQj2ZElZjRdzFqKM8OpW+FO6blVQEGKbjQKVDaA/sXfa8MfC6XgX3Cu2zl0r/ca8s+iUSq0IvjbTvCkxOyOU4uCNzLEsy4qfAdQ/VhdUrZpK058o6cFQ8x6BG+P+IYMZ6j9116Dt87mOM2bhoKd4U5QqXAWfu1jdl892yfwpSrc9wiE3tW4vL5MhbFfUilP8xh3hljqeBE9njKW4VjMRBnvu+2v6AO70zK7r9gDN6l6a/WSvFe1aRPBhDd8s+DLkxhD7gxG1wx2Zauoq4rt4FH</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">testuser</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_f76c8565bbe1eeef4ced49c6e05cace4" NotOnOrAfter="2018-05-30T22:04:13.925Z" Recipient="https://test-adfs.greenlake.io/dotsaml/login/73db2ce2-6528-44ac-8213-7a6c079b733d"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2018-05-30T21:59:13.923Z" NotOnOrAfter="2018-05-30T22:59:13.923Z">
<AudienceRestriction>
<Audience>https://test-adfs.greenlake.io</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="sn">
<AttributeValue>User</AttributeValue>
</Attribute>
<Attribute Name="givenName">
<AttributeValue>Test</AttributeValue>
</Attribute>
<Attribute Name="mail">
<AttributeValue>testuser@test.dotcms.com</AttributeValue>
</Attribute>
<Attribute Name="sAMAccountName">
<AttributeValue>testuser</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2018-05-30T21:58:53.769Z" SessionIndex="_4c8dffd3-232d-48eb-b404-bbe8bb8305fa">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>- SAML Config:
{
"defaultSamlConfig": "",
"disabledSamlSites": {},
"samlConfigs": [
{
"73db2ce2-6528-44ac-8213-7a6c079b733d": {
"privateKey": "/Users/chris/dotcms/dist/saml-4.3.2/dotserver/tomcat-8.0.18/webapps/ROOT/assets/saml/certs/73db2ce2-6528-44ac-8213-7a6c079b733d.key",
"publicCert": "/Users/chris/dotcms/dist/saml-4.3.2/dotserver/tomcat-8.0.18/webapps/ROOT/assets/saml/certs/73db2ce2-6528-44ac-8213-7a6c079b733d.crt",
"idpName": "My ADFS",
"signatureValidationType": "responseandassertion",
"sPEndpointHostname": "https://test-adfs.greenlake.io",
"optionalProperties": {
"protocol.binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
"sites": {
"9ea8ffa5-b6e0-4b3e-9dc7-291660955041": "test-adfs.greenlake.io"
},
"id": "73db2ce2-6528-44ac-8213-7a6c079b733d",
"sPIssuerURL": "https://test-adfs.greenlake.io",
"enabled": true,
"idPMetadataFile": "/Users/chris/dotcms/dist/saml-4.3.2/dotserver/tomcat-8.0.18/webapps/ROOT/assets/saml/metadata/73db2ce2-6528-44ac-8213-7a6c079b733d.xml"
}
}
]
}
We've been able to reproduce this behavior against both ADFS and Shibboleth IdPs.