0
votes

We have WSO2 IS 5.1.0 set up as IdP with SAML authentication. Most of the SPs use IWA, basic or advanced (a step with multiple options) authentication.

For a particular SP we would like to delegate (federate) the authentication to another (external) SAML IdP. That happens to be WSO2 IS as well, but - not important atm.

Sounds easy - we have configured an IdP and then set the local authentication of the SP to that IDP. However - after the SAML request ( https://A/samlsso?SAMLRequest=.... ) the authenticator keeps redirecting to the same location (Location header is "").

The DEBUG log level can be found here

If we create an advanced (step) authenticator and the user can choose between multiple options (e.g. federated and basic authenticator), then everything works. However if we use only a federated authenticator (directly or inside the step based authentication), the users end up cycling on redirects. For this SP we'd like to have the direct federated IdP.

Any ideas? (for me it seems like a bug, but - can we go around it?) Or does that need to be fixed? Searching did not provide many answers so far.

Edit (2016-05-03):

  • the HTTP 302 Location is empty / not present. The effect is the same whether we use a SAML request or IdP-initiated SSO

  • WSO2 IS 5.1.0 patch up to 92

  • Fed IDP config [image: IDP CONFIG]

  • SP config [image: SP configuration]

  • user response [image: user response]
Let me try to understand your scenario. You have an SP, and in its Local and Outbound Authentication configuration, you have mentioned a federated authenticator, which is another IS which you have defined in an IDP, am I missing anything? If this is your use case, this works fine in IS 5.1.0, I have tried it. Can you put images of your SP and IDP configurations of IS1 and SP configuration of IS2? Most probably you may be missing something there - Chamila Wijayarathna

@Chamila: Is it possible to see your IdP / SP configuration working? It behaves the same with or without patches and fixes as well :( - gusto2

update: In the step (advanced) authenticator I see the SAMLRequest is written into the CoyoteWriter (tomcat); when we use only a single federated IdP, the CommonAuthResponseWrapper is used and the output is not written to the browser. I strongly believe the fed. authentication should be one of the primary functions and the problem is in the configuration or environment. - gusto2

Now I see the problem / workaround. The Federated SAML IdP must be configured to the Redirect binding and then it works. Seems the CommonAuthResponseWrapper simply assumes the authenticator uses the redirect when the user is not yet authenticated.. :( - gusto2

1 Answer

0
votes

Just to close the question: The Federated SAML IdP must be configured to the Redirect binding and then it works. Seems the CommonAuthResponseWrapper simply assumes the authenticator uses the redirect when the user is not yet authenticated.. :(
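The difference between the two SAML bindings that this answer turns on, as an added example that is not taken from the question, the answer or WSO2's code: the HTTP-Redirect binding packs the whole AuthnRequest into a URL that a 302 Location header can carry, whereas the HTTP-POST binding needs a 200 HTML body, which a response wrapper that only ever emits redirects cannot deliver. Hosts A and B, the request contents and the response classifier are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed minimal AuthnRequest; hosts A (the SP-side IS) and B (the
# federated IdP) are placeholders, not real endpoints.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id" Version="2.0" IssueInstant="2016-05-03T00:00:00Z" '
    'AssertionConsumerServiceURL="https://A/acs-placeholder">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://A</saml:Issuer></samlp:AuthnRequest>'
)

def redirect_binding_url(sso_url, authn_request, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the
    query string. The whole request fits in a 302 Location header."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"

def decode_redirect_binding(url):
    """Inverse of redirect_binding_url, as a receiving IdP would do it."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def post_binding_form(sso_url, authn_request):
    """HTTP-POST binding: plain base64 in a hidden field of an HTML page the
    browser must receive as a 200 body and auto-submit; a redirect cannot carry it."""
    encoded = base64.b64encode(authn_request.encode()).decode()
    return (f'<form method="post" action="{sso_url}">'
            f'<input type="hidden" name="SAMLRequest" value="{encoded}"/></form>')

def classify_response(status, headers, body):
    """Name what the browser got back. A 302 with an empty or missing Location
    is the loop symptom from the question: nothing usable reached the browser."""
    if status == 302:
        return "redirect" if headers.get("Location") else "broken-redirect"
    if status == 200 and 'name="SAMLRequest"' in body:
        return "post-binding-form"
    return "other"
```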