PicketLink on the service provider responds with 302 in EAP 7.1 with SAML - PullRequest
0 votes
/ 25 March 2020

Runtime: JBoss EAP 7.1, the PicketLink bundled with EAP, and Chrome.
JAR: <resource-root path="/jboss/eap/7.1/jboss-eap/modules/system/layers/base/org/picketlink/federation/main/picketlink-federation-2.5.5.SP8-redhat-1.jar"/>

We have enabled SP-initiated SSO with the IDP, and we are able to get the SAML response from the IDP. The IDP posts the SAML response in Base64-encoded form. When Chrome posts the SAML response to the service provider, the service provider is unable to read the SAML response.

PicketLink on the service provider side answers with HTTP status 302 to the browser when the SAML response is posted to the service provider. Because of the 302, the service provider HTTP-redirects to the page named in the Location header. Since the redirect is followed with a GET, the SAML response is lost.

Chrome browser log when posting to the service provider:

Request:

Request URL: https://serviceProvider.com:8583/SECUI/jaxrs/Authentication
Request Method: POST
Status Code: 302 Found
Remote Address: 10.10.10.10:8583
Referrer Policy: no-referrer-when-downgrade

Response headers:

Access-Control-Allow-Origin: https://IdentyProvider.com
Cache-Control: max-age=0
Connection: Keep-Alive
Content-Length: 0
Date: Wed, 25 Mar 2020 05:49:06 GMT
Expires: 0
Keep-Alive: timeout=15, max=1500
Location: https://serviceProvider.com:8583/SECUI/UI/index.htm
Pragma: no-cache
Server: JBCS httpd
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Request headers:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 6627
Content-Type: application/x-www-form-urlencoded
Cookie: secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*
DNT: 1
Host: serviceProvider.com:8583
Origin: https://IdentyProvider.com:8443
Referer: https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36

SAMLResponse:


JBoss log:

13:49:05,653 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /SECUI for path /SECUI/jaxrs/Authentication
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Security constraints for request /SECUI/jaxrs/Authentication are [SingleConstraintMatch{emptyRoleSemantic=AUTHENTICATE, requiredRoles=[]}]
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Authenticating required for request HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Setting authentication required for exchange HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Attempting to authenticate HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}, authentication required: true
13:49:05,655 DEBUG [io.undertow.request.security] (default task-70) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@1cb334c2 for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:06,381 DEBUG [org.jboss.modcluster] (UndertowEventHandlerAdapter - 1) MODCLUSTER000009: Sending STATUS for default-server
13:49:06,382 DEBUG [io.undertow.request] (default I/O-2) Received CPING, sending CPONG
13:49:06,700 DEBUG [io.undertow.request.security] (default task-70) Authenticated as 1575777, roles []
13:49:06,701 DEBUG [io.undertow.request.security] (default task-70) Authentication outcome was AUTHENTICATED with method org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism@b6af5cf for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN], Location=[https://serviceProvider.com:8583/SECUI/UI/index.htm], Date=[Wed, 25 Mar 2020 05:49:06 GMT], X-Content-Type-Options=[nosniff], Content-Length=[0]}}
13:49:06,701 DEBUG [io.undertow.request.security] (default task-70) Authentication result was AUTHENTICATED for HttpServerExchange{ POST /SECUI/jaxrs/Authentication request {Cache-Control=[max-age=0], Accept-Encoding=[gzip, deflate, br], DNT=[1], Origin=[https://IdentyProvider.com:8443], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Host=[serviceProvider.com:8583], Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Sec-Fetch-Mode=[navigate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Content-Length=[6627], Content-Type=[application/x-www-form-urlencoded], Upgrade-Insecure-Requests=[1]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN], Location=[https://serviceProvider.com:8583/SECUI/UI/index.htm], Date=[Wed, 25 Mar 2020 05:49:06 GMT], X-Content-Type-Options=[nosniff], Content-Length=[0]}}
13:49:07,014 DEBUG [io.undertow.request] (default I/O-12) Received CPING, sending CPONG
13:49:07,014 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /SECUI for path /SECUI/UI/index.htm
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Security constraints for request /SECUI/UI/index.htm are [SingleConstraintMatch{emptyRoleSemantic=AUTHENTICATE, requiredRoles=[]}]
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authenticating required for request HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Setting authentication required for exchange HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Attempting to authenticate HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}, authentication required: true
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@1cb334c2 for HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,015 DEBUG [io.undertow.request.security] (default task-71) Authenticated as 1575777, roles []
13:49:07,016 DEBUG [io.undertow.request.security] (default task-71) Authentication outcome was AUTHENTICATED with method org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism@b6af5cf for HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,016 DEBUG [io.undertow.request.security] (default task-71) Authentication result was AUTHENTICATED for HttpServerExchange{ GET /SECUI/UI/index.htm request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[en-US,en;q=0.9], Cache-Control=[max-age=0], Sec-Fetch-Mode=[navigate], Accept-Encoding=[gzip, deflate, br], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36], Sec-Fetch-Dest=[document], Connection=[keep-alive], Sec-Fetch-Site=[same-site], Cookie=[secure=vReGx1TlykEsdWTMHUr3Y7TGMcDVekUasOvNnbAt.CAT_ICM_HUB_SEC_01; amlbcookie=01; iPlanetDirectoryPro=pa8p9OjugxK8YgBtiTAmClm9-dc.*AAJTSQACMDUAAlNLABxKMXNTaU1mOWhteWEwK0FaWFhwaTBwTGFvbHM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*], Referer=[https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4?ReqID=ID_03fe131e-b20e-4955-8626-df21adfb4dfa&index=null&acsURL=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&spEntityID=https://serviceProvider.com:8583/SECUI/jaxrs/Authentication&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST], Upgrade-Insecure-Requests=[1], Host=[serviceProvider.com:8583]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-XSS-Protection=[1], X-Content-Type-Options=[nosniff], Pragma=[no-cache], X-Frame-Options=[SAMEORIGIN]}}
13:49:07,223 DEBUG [io.undertow.request] (default I/O-12) Received CPING, sending CPONG

HTTP log:

10.128.117.63 - - [25/Mar/2020:13:58:40 +0800] "POST /SECUI/jaxrs/Authentication HTTP/1.1" 302 -

==> ssl_request_log.2020-03-25 <==
[25/Mar/2020:13:58:40 +0800] 10.128.117.63 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /SECUI/jaxrs/Authentication HTTP/1.1" -

==> ssl_access_log.2020-03-25 <==
10.128.117.63 - - [25/Mar/2020:13:58:40 +0800] "GET /SECUI/UI/index.htm HTTP/1.1" 200 7342

==> ssl_request_log.2020-03-25 <==
[25/Mar/2020:13:58:40 +0800] 10.128.117.63 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /SECUI/UI/index.htm HTTP/1.1" 7342

picketlink.xml:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" LogOutPage="/customLogout.jsp" SupportsSignatures="true" BindingType="POST">
    <IdentityURL>https://IdentyProvider.com:8443/openam/SSOPOST/metaAlias/SSO/idp4</IdentityURL>
    <!-- <ServiceURL>https://serviceProvider.com:8583/SECUI/UI/index.htm</ServiceURL> -->
    <ServiceURL>https://serviceProvider.com:8583/SECUI/jaxrs/Authentication</ServiceURL>

    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/jboss/eap/7.1/instances/CAT_ICM_HUB_SEC_01/MFA.jks" />
      <Auth Key="KeyStorePass" Value="changeit" />
      <Auth Key="SigningKeyPass" Value="changeit" />
      <Auth Key="SigningKeyAlias" Value="serviceProvider.com" />
      <ValidatingAlias Key="serviceProvider.com" Value="serviceProvider.com" />
      <ValidatingAlias Key="IdentyProvider.com" Value="IdentyProvider.com" />
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <!-- <Handler class="org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse"/> -->
    <!-- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler "/> -->
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
      <!-- <Option Key="ASSERTION_CONSUMER_URL" Value="https://serviceProvider.com:8583/SECUI/UI/index.htm"/> -->
    </Handler>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
    <!-- <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" /> -->
  </Handlers>
</PicketLink>
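The JBoss log above records "Authentication outcome was AUTHENTICATED" for the POST to /SECUI/jaxrs/Authentication before the 302 to index.htm is sent. The following added example (not code from the post or from PicketLink) shows the checks a service provider applies to the SAMLResponse carried in such an HTTP-POST binding body before accepting it; the ACS URL and request ID are taken from the post, the issuer value and the response XML are constructed for the demonstration.

```python
"""Added example (not from the original post or from PicketLink): decode a
SAML 2.0 HTTP-POST binding form body and run the checks a service provider
makes on the SAMLResponse before it authenticates the user."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SP-side expectations: the ACS URL is the ServiceURL from picketlink.xml and
# the request ID is the ReqID seen in the IdP Referer above. The issuer is an
# assumed value; a real SP takes it from the IdP metadata.
ACS_URL = "https://serviceProvider.com:8583/SECUI/jaxrs/Authentication"
EXPECTED_REQUEST_ID = "ID_03fe131e-b20e-4955-8626-df21adfb4dfa"
EXPECTED_ISSUER = "https://IdentyProvider.com:8443/openam"


def constructed_response(destination=ACS_URL, in_response_to=EXPECTED_REQUEST_ID,
                         status=STATUS_SUCCESS):
    """Constructed, unsigned SAMLResponse XML used as sample input."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" InResponseTo="{in_response_to}" Version="2.0" '
        f'IssueInstant="2020-03-25T05:49:04Z" Destination="{destination}">'
        f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-03-25T05:49:04Z">'
        f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
        '<saml:Subject><saml:NameID>1575777</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


def constructed_form_body(**kwargs):
    """The application/x-www-form-urlencoded body the browser POSTs to the ACS."""
    encoded = base64.b64encode(constructed_response(**kwargs).encode()).decode()
    return urlencode({"SAMLResponse": encoded, "RelayState": "/SECUI/UI/index.htm"})


def check_saml_post(form_body):
    """Validate a POSTed SAMLResponse; returns {"ok": bool, "problems": [...], ...}.
    Signature verification is out of scope here: in PicketLink that is the job of
    SAML2SignatureValidationHandler, and a production SP must perform it."""
    fields = parse_qs(form_body)
    if "SAMLResponse" not in fields:
        return {"ok": False, "problems": ["no SAMLResponse form field"]}
    try:
        root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0], validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"ok": False, "problems": [f"SAMLResponse is not valid Base64: {exc}"]}
    except ET.ParseError as exc:
        return {"ok": False, "problems": [f"SAMLResponse is not well-formed XML: {exc}"]}

    problems = []
    if root.tag != f"{{{NS['samlp']}}}Response":
        problems.append(f"unexpected root element {root.tag}")
    # Destination must be this SP's ACS URL, otherwise the response was meant
    # for another endpoint (or was replayed against the wrong one).
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    # InResponseTo must name the AuthnRequest this SP actually sent.
    if root.get("InResponseTo") != EXPECTED_REQUEST_ID:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        problems.append(f"unexpected Issuer {issuer!r}")
    status = root.find("samlp:Status/samlp:StatusCode", namespaces=NS)
    status_value = status.get("Value") if status is not None else None
    if status_value != STATUS_SUCCESS:
        problems.append(f"status is not Success: {status_value!r}")
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    if name_id is None and root.find("saml:EncryptedAssertion", namespaces=NS) is None:
        problems.append("response carries no assertion")
    return {"ok": not problems, "problems": problems, "name_id": name_id,
            "in_response_to": root.get("InResponseTo")}


if __name__ == "__main__":
    print(check_saml_post(constructed_form_body()))
    print(check_saml_post(constructed_form_body(destination="https://other.example/acs")))
```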