Displaying #apache-syncope/2017-03-14.log:

Tue Mar 14 07:13:06 2017  ilgrosso:Joined the channel
Tue Mar 14 08:00:47 2017  _massi_:Joined the channel
Tue Mar 14 08:01:56 2017  andreapatricelli:Joined the channel
Tue Mar 14 08:14:45 2017  svizzero81:Joined the channel
Tue Mar 14 08:42:52 2017  svizzero81:Joined the channel
Tue Mar 14 09:35:19 2017  coheigea:Joined the channel
Tue Mar 14 09:57:09 2017  sberyozkin:Joined the channel
Tue Mar 14 14:15:44 2017  ilgrosso:coheigea: ping
Tue Mar 14 14:15:52 2017  coheigea:ilgrosso: pong
Tue Mar 14 14:16:05 2017  ilgrosso:Hi Colm how are you? It's been quite some time!
Tue Mar 14 14:16:27 2017  coheigea:ilgrosso: Good thanks :-) Yes, I've been busy...
Tue Mar 14 14:16:43 2017  ilgrosso:I am working on the SAML SP SSO for Syncope, and using cxf-rt-rs-security-sso-saml as per yours (and Sergey's) suggestion
Tue Mar 14 14:17:16 2017  ilgrosso:things are proceeding quite nicely: I am now having some troubles in initializing wss4j's OpenSAMLUtil
Tue Mar 14 14:17:46 2017  ilgrosso:I used to use my own variant of OpenSAMLUtil, but now I am switching back to the original one because the CXF code makes use of it
Tue Mar 14 14:18:02 2017  coheigea:ok what problems are you having?
Tue Mar 14 14:18:19 2017  ilgrosso:The problem seems to lie in OpenSAMLBootstrap.bootstrap
Tue Mar 14 14:18:41 2017  ilgrosso:it goes through all XML configs: everything goes fine until the last one, saml2-xacml2-profile.xml
Tue Mar 14 14:19:01 2017  ilgrosso:here's the stacktrace
Tue Mar 14 14:19:01 2017  ilgrosso:15:11:58.705 ERROR org.apache.wss4j.common.saml.OpenSAMLUtil - Unable to bootstrap the opensaml3 library - all SAML operations will fail
Tue Mar 14 14:19:01 2017  ilgrosso:org.opensaml.core.xml.config.XMLConfigurationException: Cannot create instance of org.opensaml.xacml.profile.saml.impl.ReferencedPoliciesTypeImplBuilder
Tue Mar 14 14:19:01 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.createClassInstance(XMLConfigurator.java:318) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:19:01 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.initializeObjectProviders(XMLConfigurator.java:238) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:19:03 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:203) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:19:05 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:188) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:19:08 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:162) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:19:10 2017  ilgrosso: at org.apache.wss4j.common.saml.OpenSAMLBootstrap.bootstrap(OpenSAMLBootstrap.java:89) ~[wss4j-ws-security-common-2.1.8.jar:2.1.8
Tue Mar 14 14:20:14 2017  ilgrosso:in my own variant, I simply did remove all the xacml entries from OpenSAMLBootstrap#XML_CONFIGS, as I don't need XACML, at least for the moment
Tue Mar 14 14:21:37 2017  coheigea:ilgrosso: Hmm do you have the opensaml-xacml-impl + opensaml-xacml-saml-impl jars on the classpath?
Tue Mar 14 14:21:49 2017  ilgrosso:ah, no I don't
Tue Mar 14 14:22:08 2017  ilgrosso:is the XACML support really needed?
Tue Mar 14 14:23:06 2017  coheigea:Well no. However, we use that bootstrap file in CXF for all opensaml initialization, and we needed to add in the xacml stuff to get it to work for the xacml support in CXF
Tue Mar 14 14:24:34 2017  coheigea:ilgrosso: If you want you could submit a patch to WSS4J to set a flag whether to include the xacml config files or not?
Tue Mar 14 14:24:58 2017  ilgrosso:ok, it makes sense: for the moment I'll try adding more deps and see how it goes
Tue Mar 14 14:25:16 2017  ilgrosso:I end up with mixed OpenSAML deps, some are 3.1.1, some 3.2.0
Tue Mar 14 14:28:03 2017  ilgrosso:I have now forced the deps like this:
Tue Mar 14 14:28:04 2017  ilgrosso: <dependency>
Tue Mar 14 14:28:04 2017  ilgrosso: <groupId>org.apache.cxf</groupId>
Tue Mar 14 14:28:04 2017  ilgrosso: <artifactId>cxf-rt-rs-security-sso-saml</artifactId>
Tue Mar 14 14:28:04 2017  ilgrosso: <version>${cxf.version}</version>
Tue Mar 14 14:28:04 2017  ilgrosso: <exclusions>
Tue Mar 14 14:28:07 2017  ilgrosso: <exclusion>
Tue Mar 14 14:28:09 2017  ilgrosso: <groupId>org.opensaml</groupId>
Tue Mar 14 14:28:11 2017  ilgrosso: <artifactId>opensaml-xacml-impl</artifactId>
Tue Mar 14 14:28:13 2017  ilgrosso: </exclusion>
Tue Mar 14 14:28:15 2017  ilgrosso: <exclusion>
Tue Mar 14 14:28:18 2017  ilgrosso: <groupId>org.opensaml</groupId>
Tue Mar 14 14:28:20 2017  ilgrosso: <artifactId>opensaml-xacml-saml-impl</artifactId>
Tue Mar 14 14:28:22 2017  ilgrosso: </exclusion>
Tue Mar 14 14:28:24 2017  ilgrosso: <exclusion>
Tue Mar 14 14:28:27 2017  ilgrosso: <groupId>org.apache.geronimo.specs</groupId>
Tue Mar 14 14:28:29 2017  ilgrosso: <artifactId>geronimo-javamail_1.4_spec</artifactId>
Tue Mar 14 14:28:31 2017  ilgrosso: </exclusion>
Tue Mar 14 14:28:33 2017  ilgrosso: </exclusions>
Tue Mar 14 14:28:35 2017  ilgrosso: </dependency>
Tue Mar 14 14:28:37 2017  ilgrosso:
Tue Mar 14 14:28:40 2017  ilgrosso: <dependency>
Tue Mar 14 14:28:42 2017  ilgrosso: <groupId>org.opensaml</groupId>
Tue Mar 14 14:28:44 2017  ilgrosso: <artifactId>opensaml-saml-impl</artifactId>
Tue Mar 14 14:28:46 2017  ilgrosso: </dependency>
Tue Mar 14 14:28:48 2017  ilgrosso: <dependency>
Tue Mar 14 14:28:50 2017  ilgrosso: <groupId>org.opensaml</groupId>
Tue Mar 14 14:28:53 2017  ilgrosso: <artifactId>opensaml-xacml-impl</artifactId>
Tue Mar 14 14:28:55 2017  ilgrosso: <version>${opensaml.version}</version>
Tue Mar 14 14:28:57 2017  ilgrosso: </dependency>
Tue Mar 14 14:28:59 2017  ilgrosso: <dependency>
Tue Mar 14 14:29:02 2017  ilgrosso: <groupId>org.opensaml</groupId>
Tue Mar 14 14:29:04 2017  ilgrosso: <artifactId>opensaml-xacml-saml-impl</artifactId>
Tue Mar 14 14:29:06 2017  ilgrosso: <version>${opensaml.version}</version>
Tue Mar 14 14:29:08 2017  ilgrosso: </dependency>
Tue Mar 14 14:29:12 2017  ilgrosso:let's see how it goes...
Tue Mar 14 14:31:07 2017  ilgrosso:the error is now different:
Tue Mar 14 14:31:19 2017  ilgrosso:java.lang.ClassNotFoundException: org.opensaml.xacml.profile.saml.impl.ReferencedPoliciesTypeImplBuilder
Tue Mar 14 14:31:19 2017  ilgrosso: at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1333) ~[catalina.jar:8.0.41]
Tue Mar 14 14:31:19 2017  ilgrosso: at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1167) ~[catalina.jar:8.0.41]
Tue Mar 14 14:31:19 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.createClassInstance(XMLConfigurator.java:312) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:31:19 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.initializeObjectProviders(XMLConfigurator.java:238) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:31:20 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:203) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:31:22 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:188) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:31:25 2017  ilgrosso: at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:162) ~[opensaml-core-3.2.0.jar:?]
Tue Mar 14 14:31:27 2017  ilgrosso: at org.apache.wss4j.common.saml.OpenSAMLBootstrap.bootstrap(OpenSAMLBootstrap.java:89) ~[wss4j-ws-security-common-2.1.8.jar:2.1.8]
Tue Mar 14 14:31:29 2017  ilgrosso: at org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine(OpenSAMLUtil.java:86) ~[wss4j-ws-security-common-2.1.8.jar:2.1.8]
Tue Mar 14 14:32:38 2017  ilgrosso:ah, my bad, sorry
Tue Mar 14 14:37:15 2017  sberyozkin:ilgrosso: hi, good to see you've decided to give it a try :-). FYI, here is an example of how I used it in a talend demo: https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2/sso-saml. Was a long time ago when I last tried it but it was working back then :-), Colm helped to set up a Shibboleth instance so it was all good, I used that demo to do the docs. This feature is def used, we had a number of issues reported against it by the users
Tue Mar 14 14:38:35 2017  ilgrosso:sberyozkin: I am using namely the SAMLProtocolResponseValidator class, and have been looking at SamlPostBindingFilter to mimic its behavior
Tue Mar 14 14:43:00 2017  ilgrosso:coheigea: the classpath stuff is now working fine, thx
Tue Mar 14 14:43:26 2017  ilgrosso:...but I am still struggling to put the SAMLProtocolResponseValidator at work
Tue Mar 14 14:45:06 2017  ilgrosso:coheigea: about the Crypto argument of SAMLProtocolResponseValidator#validateSamlResponse - is it expected to contain the IdP's cert (derived from the initial metadata import) or rather SP's, e.g. mine?
Tue Mar 14 14:47:25 2017  sberyozkin:ilgrosso: right in the demo we use the redirecting filter, https://github.com/Talend/tesb-rt-se/blob/master/examples/cxf/jaxrs-oauth2/sso-saml/social-app-war/src/main/webapp/WEB-INF/socialApp.xml#L24, it should be good, but I thought we also tried SamlPostBindingFilter somewhere, I think this filter depends on binding SamlRequestInfo which it creates to a JSP or similar view handler which would map SamlRequestInfo into HTML with the auto submitting form...
Tue Mar 14 14:47:56 2017  ilgrosso:sberyozkin: that part is already fine, translated in Syncope's architecture, thx
Tue Mar 14 14:48:06 2017  sberyozkin:ilgrosso: nice
Tue Mar 14 14:48:27 2017  ilgrosso:I am able to correctly generate the SAML request: the problems I have now are about decrypting the response coming from IdP
Tue Mar 14 14:48:33 2017  ilgrosso:well, actually the assertions
Tue Mar 14 15:04:55 2017  sberyozkin:ilgrosso: I vaguely recall you need to get a callback, ex, https://github.com/Talend/tesb-rt-se/blob/master/examples/cxf/jaxrs-oauth2/sso-saml/samlp-racs-war/src/main/java/oauth2/sso/SSOCallbackHandler.java, and then register it, https://github.com/Talend/tesb-rt-se/blob/master/examples/cxf/jaxrs-oauth2/sso-saml/samlp-racs-war/src/main/webapp/WEB-INF/applicationContext.xml#L38, signature.properties will point to a store which I guess must also contain a decrypting private key
Tue Mar 14 15:05:08 2017  sberyozkin:ilgrosso: Colm will know for sure
Tue Mar 14 15:27:32 2017  ilgrosso:it worked! (1st time)
Tue Mar 14 15:27:47 2017  ilgrosso:I am able to verify the IdP's assertion
Tue Mar 14 15:27:56 2017  ilgrosso:I am now able to verify the IdP's assertion
Tue Mar 14 15:28:18 2017  ilgrosso:and to decrypt it too
Tue Mar 14 16:01:56 2017  sberyozkin:ilgrosso: cool :-)
Tue Mar 14 16:02:22 2017  ilgrosso:sberyozkin: now, time to clean up some things and make some others more general, but I'm on my way
Tue Mar 14 16:02:30 2017  ilgrosso:...thx to CXF anyway :-)
Tue Mar 14 16:02:39 2017  ilgrosso:(and sberyozkin and coheigea in particular)
Tue Mar 14 16:03:03 2017  sberyozkin:ilgrosso: if that will work well for Syncope then it would be awesome, thanks :-)
Tue Mar 14 16:10:38 2017  coheigea:ilgrosso: Sorry I had to step out for a bit, is everything working now?
Tue Mar 14 16:10:47 2017  ilgrosso:coheigea: it seems so, thx
Tue Mar 14 16:11:06 2017  ilgrosso:I am not 100% sure of some details, but I guess that for 1st time implementation it can go
Tue Mar 14 16:11:49 2017  coheigea:ilgrosso: Sure, I can review it when I get a chance
Tue Mar 14 16:12:17 2017  ilgrosso:coheigea: thx, I'll make a PR of this work anyway before merging
Tue Mar 14 16:17:49 2017  ilgrosso:coheigea: do you know how to get a ParserPool when using OpenSAMLUtil?
Tue Mar 14 16:19:13 2017  coheigea:I'm not sure there is a way to get one...why do you need it?
Tue Mar 14 16:19:40 2017  ilgrosso:I need to parse IdP metadata
Tue Mar 14 16:19:51 2017  ilgrosso:originally I used to patch OpenSAMLUtil this way
Tue Mar 14 16:19:51 2017  ilgrosso:https://github.com/Tirasa/syncopeSAML2SP/blob/SYNCOPE-1041/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/OpenSAMLUtil.java#L182
Tue Mar 14 16:19:56 2017  ilgrosso:to get a parserpool
Tue Mar 14 16:20:13 2017  ilgrosso:now I have removed that class locally, as I am using wss4j's original one
Tue Mar 14 16:20:33 2017  ilgrosso:but I miss such feature
Tue Mar 14 16:21:02 2017  coheigea:looks like we need a patch to WSS4J
Tue Mar 14 16:21:46 2017  coheigea:Do you need to set the ParserPool to be namespace aware as well? The default one in WSS4J isn't
Tue Mar 14 16:22:22 2017  ilgrosso:no, I don't thx
Tue Mar 14 16:22:35 2017  ilgrosso:if you patch WSS4J, when is next release expected?
Tue Mar 14 16:23:03 2017  ilgrosso:(well, I could propose a patch too, anyway...)
Tue Mar 14 16:25:06 2017  coheigea:ilgrosso: Do you need 2.1.x or 2.2.0?
Tue Mar 14 16:25:12 2017  ilgrosso:AFAICT, wss4j's trunk is on Java 8, while 2_1_x-fixes is on Java 7
Tue Mar 14 16:25:21 2017  coheigea:right
Tue Mar 14 16:25:22 2017  ilgrosso:I need the latter, at least for Syncope 2.0.X
Tue Mar 14 16:25:37 2017  coheigea:OK I was thinking about 2 weeks. Does that suit?
Tue Mar 14 16:25:58 2017  ilgrosso:yes, thx
Tue Mar 14 16:26:12 2017  coheigea:ok please create a JIRA and submit a patch then :-)
Tue Mar 14 16:26:19 2017  ilgrosso:ok :-)
Tue Mar 14 16:26:47 2017  ilgrosso:only for ParserPool?
Tue Mar 14 16:28:11 2017  coheigea:sure
Tue Mar 14 16:28:48 2017  ilgrosso:would it be possible to upgrade to OpenSAML 3.2.0 too?
Tue Mar 14 16:28:54 2017  ilgrosso:(with a separate patch, naturally)
Tue Mar 14 16:30:16 2017  coheigea:ilgrosso: Not WSS4J 2.1.x unless there's a compelling reason to do so? 2.1.x is kind of stable now, I don't want to start breaking things
Tue Mar 14 16:30:34 2017  ilgrosso:coheigea: understand
Tue Mar 14 16:30:50 2017  ilgrosso:I thought so since OpenSAML 3.2.0 is quite old
Tue Mar 14 16:30:52 2017  coheigea:trunk will pick up 3.3.0 once Dan gets it into maven central (soon)
Tue Mar 14 16:31:12 2017  ilgrosso:ok, thx
Tue Mar 14 16:36:03 2017  ilgrosso:here you go: https://issues.apache.org/jira/browse/WSS-600
Tue Mar 14 16:38:05 2017  ilgrosso:about timings: once WSS4J 2.1.9 is out, then we need to have CXF to use this new version
Tue Mar 14 16:38:30 2017  ilgrosso:..and then the next CXF release to be made
Tue Mar 14 16:58:02 2017  _massi_:Joined the channel
Tue Mar 14 18:05:45 2017  coheigea:Left the channel