Discussion:
SSO without existing federation using NameIDPolicy "onetime"
Peter Fennema
2005-05-26 10:22:45 UTC
Hello

The SourceID demo (ID-FF 1.2 Java Toolkit 2.0.) requires a federation
between SP and IDP. I want to modify the demo to the situation that
the SP has no authentication infrastructure or user database at all. It
simply relies on the assertions made by the IDP.
According to the Liberty spec the SP can specify this in the
<NameIDPolicy> element in the authentication request.
I quote:
"If the <NameIDPolicy> element is "onetime", then the
<saml:NameIdentifier> element in the <saml:Subject>
element MUST be a temporary, one-time-use identifier for the Principal,
with a Format attribute of
urn:liberty:iff:nameid:one-time. "

I decided to implement this behaviour in the demo, but the behaviour is
not as I expected. I wonder if there is anything
wrong with my assumptions and conclusions, or if I ran into a software
bug?
Below is my modification and some sequential fragments of the JBoss
logs.

Regards, Peter

-------------- Details ---------

In the login.jsp of the SP I found the hook to specify the NameIDPolicy
parameter value:
<c_rt:param name="<%=SSOInitiateServlet.PARAM_ACTION%>"
value="<%=SSOInitiateServlet.PARAM_ACTION_ONETIME_VALUE%>" />

The JBoss logs show the following messages:

2005-05-26 09:46:27,142 DEBUG [org.obe.engine.WorkflowEngineUtilities]
Putting requestDocument =
<AuthnRequest IssueInstant="2005-05-26T07:46:27.064Z" MinorVersion="2"
MajorVersion="1" RequestID="iZZqaqdjJA5wsPLRNJJuOLu7W3Dk"
xmlns="urn:liberty:iff:2003-08">
<ProviderID>http://sourceid-idff-demo</ProviderID>
<NameIDPolicy>onetime</NameIDPolicy>
<IsPassive>false</IsPassive>

<ProtocolProfile>http://projectliberty.org/profiles/brws-post</ProtocolProfile>
<RelayState>NQA=</RelayState>
</AuthnRequest>
into workflow data

My conclusion: The NameIDPolicy is correctly set to "onetime".

2005-05-26 09:46:27,189 DEBUG [org.obe.engine.WorkflowEngineUtilities]
Putting assertion =
<lib:Assertion IssueInstant="2005-05-26T07:46:27.174Z"
AssertionID="i5G4yIiYBuJ4PuHhIABh41w9jHSU"
Issuer="http://sourceid-idff-demo"
InResponseTo="iZZqaqdjJA5wsPLRNJJuOLu7W3Dk" MinorVersion="2"
MajorVersion="1" xmlns:lib="urn:liberty:iff:2003-08"
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Conditions NotOnOrAfter="2005-05-26T07:51:27.174Z"
NotBefore="2005-05-26T07:45:27.174Z">
<AudienceRestrictionCondition>
<Audience>http://sourceid-idff-demo</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement SessionIndex="01"
AuthenticationInstant="2005-05-26T07:46:27.174Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
xsi:type="lib:AuthenticationStatementType">
<Subject xsi:type="lib:SubjectType">
<SubjectConfirmation>

<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
</AuthenticationStatement>
</lib:Assertion>
into workflow data

My conclusion: An authentication statement was created, but I think it
should include a one-time identifier for the
principal, as mentioned in the spec quote.

Later an exception occurs
2005-05-26 09:46:27,205 DEBUG [org.obe.engine.WorkflowRunner] Executing
activity 'createResponse' implementation for instance 92
2005-05-26 09:46:27,205 DEBUG [org.obe.spi.util.WorkflowUtilities]
Searching workflow 'idp-authn' for tool 'CreateAuthnResponseDocument'
2005-05-26 09:46:27,205 DEBUG [org.obe.spi.util.WorkflowUtilities]
Searching package 'IDFF-1.2' for tool 'CreateAuthnResponseDocument'
2005-05-26 09:46:27,205 DEBUG [org.obe.spi.util.WorkflowUtilities] Tool
'CreateAuthnResponseDocument found in package 'IDFF-1.2'
2005-05-26 09:46:27,205 DEBUG [org.obe.engine.WorkflowRunner] Executing
tool 'CreateAuthnResponseDocument'
2005-05-26 09:46:27,205 DEBUG [org.obe.engine.WorkflowRunner] Parameter
count: 4
2005-05-26 09:46:27,205 DEBUG [org.obe.engine.WorkflowRunner] Invoking
tool 'CreateAuthnResponseDocument'
2005-05-26 09:46:27,220 ERROR
[org.sourceid.idff12.workunit.idp.CreateAuthnResponseDocument] Failure
in workflow: Setting response code to
"{urn:liberty:iff:2003-08}FederationDoesNotExist"
org.sourceid.idff12.workunit.idp.FederationFailure: Federation does not exist.
at org.sourceid.idff12.workunit.idp.FederationFailure.<clinit>(FederationFailure.java:25)
at org.sourceid.idff12.workunit.idp.ThrowFederationFailure.execute(ThrowFederationFailure.java:39)


The following response is created:

2005-05-26 09:46:27,220 DEBUG [org.obe.engine.WorkflowEngineUtilities]
Putting responseDocument =
<lib:AuthnResponse MinorVersion="2" MajorVersion="1"
IssueInstant="2005-05-26T07:46:27.205Z"
Recipient="http://sourceid-idff-demo"
InResponseTo="iZZqaqdjJA5wsPLRNJJuOLu7W3Dk"
ResponseID="i2oUjOP42cgsOlFsg_hpaf6M3FsY"
xmlns:lib="urn:liberty:iff:2003-08"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<samlp:Status>
<samlp:StatusCode Value="samlp:Responder">
<samlp:StatusCode Value="lib:FederationDoesNotExist"/>
</samlp:StatusCode>
<samlp:StatusMessage>Federation does not
exist.</samlp:StatusMessage>
</samlp:Status>
<lib:ProviderID>http://sourceid-idff-demo</lib:ProviderID>
<lib:RelayState>NQA=</lib:RelayState>
</lib:AuthnResponse>
into workflow data
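The spec rule quoted in the post can be turned into a check the SP runs on every incoming assertion: if the request asked for NameIDPolicy "onetime", refuse any assertion whose Subject lacks a NameIdentifier with the one-time Format. This is an added example, not code from the post or from the SourceID toolkit; the request and assertion are trimmed copies of the logged documents, and the "expected" variant with a constructed one-time handle is an assumption about what the IDP should have produced.

```python
import xml.etree.ElementTree as ET

LIB = "urn:liberty:iff:2003-08"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ONE_TIME_FORMAT = "urn:liberty:iff:nameid:one-time"

# Request and assertion as logged in the post, trimmed to what the check needs.
AUTHN_REQUEST = """<AuthnRequest xmlns="urn:liberty:iff:2003-08" RequestID="iZZqaqdjJA5wsPLRNJJuOLu7W3Dk">
  <NameIDPolicy>onetime</NameIDPolicy>
</AuthnRequest>"""

ASSERTION_FROM_LOG = """<lib:Assertion xmlns:lib="urn:liberty:iff:2003-08"
  xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  InResponseTo="iZZqaqdjJA5wsPLRNJJuOLu7W3Dk">
  <AuthenticationStatement xsi:type="lib:AuthenticationStatementType">
    <Subject xsi:type="lib:SubjectType">
      <SubjectConfirmation>
        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
      </SubjectConfirmation>
    </Subject>
  </AuthenticationStatement>
</lib:Assertion>"""

# Constructed: the Subject the spec quote calls for, with a made-up one-time handle.
ASSERTION_EXPECTED = ASSERTION_FROM_LOG.replace(
    "<SubjectConfirmation>",
    '<NameIdentifier Format="urn:liberty:iff:nameid:one-time">'
    "constructed-one-time-handle</NameIdentifier><SubjectConfirmation>")

def check_onetime_subject(request_xml, assertion_xml):
    """Return (ok, reason): does the assertion honour a NameIDPolicy of 'onetime'?"""
    req = ET.fromstring(request_xml)
    if req.findtext(f"{{{LIB}}}NameIDPolicy") != "onetime":
        return True, "NameIDPolicy is not 'onetime'; rule does not apply"
    asn = ET.fromstring(assertion_xml)
    if asn.get("InResponseTo") != req.get("RequestID"):
        return False, "assertion does not answer this request"
    subj = asn.find(f".//{{{SAML}}}Subject")
    if subj is None:
        return False, "assertion carries no Subject"
    nid = subj.find(f"{{{SAML}}}NameIdentifier")
    if nid is None:
        return False, "Subject has no NameIdentifier at all"
    if nid.get("Format") != ONE_TIME_FORMAT:
        return False, f"NameIdentifier Format is {nid.get('Format')!r}"
    if not (nid.text or "").strip():
        return False, "NameIdentifier is empty"
    return True, "one-time NameIdentifier present"
```

Run against the logged assertion the check fails on the missing NameIdentifier, which is exactly the gap the post points out.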
Ruth del Campo
2005-05-27 07:16:08 UTC
Hi Peter,

The "one-time" identifier is not implemented in
SourceID software. I was trying to test that a couple
of months ago, and I came to that conclusion after
looking in the software (right now I do not remember
where), but somewhere in the workflow something like
"to do: one time identifier" was commented. So that's
why you run into that situation.

Best regards,
Ruth
_______________________________________________
sso-users mailing list
http://lists.sourceid.org/mailman/listinfo/sso-users