PicketLink issue PLINK-669

Picketlink IDP tries to validate its own response against trusted domain in GLO

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor

      A dirty fix is to add the idp hostname in the IDP trusted domains list


      Picketlink IDP tries to validate its own response against trusted domain in GLO. It will validate the incoming request and then will try to validate the IDP response to the initial request.

      If the IDP domain is not in the trusted domain list, the following exception is thrown:

      11:33:33,425 ERROR [org.picketlink.common] (http-/) Exception in processing request:: org.picketlink.common.exceptions.ProcessingException: org.picketlink.common.exceptions.fed.IssuerNotTrustedException: org.picketlink.common.exceptions.fed.IssuerNotTrustedException: Issuer not Trusted by the IDP: https://idp-dev.haha.hou/idp/
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler$IDPTrustHandler.trustIssuer(SAML2IssuerTrustHandler.java:123) [picketlink-federation-2.5.2.Final.jar:]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler$IDPTrustHandler.handleStatusResponseType(SAML2IssuerTrustHandler.java:91) [picketlink-federation-2.5.2.Final.jar:]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler.handleStatusResponseType(SAML2IssuerTrustHandler.java:66) [picketlink-federation-2.5.2.Final.jar:]
              at AbstractIDPValve.processSAMLResponseMessage(AbstractIDPValve.java) 
              at AbstractIDPValve.handleSAMLMessage(AbstractIDPValve.java) 
              at AbstractIDPValve.invoke(AbstractIDPValve.java) 
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.CP04.jar:7.2.0.CP04]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
              at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
      Caused by: org.picketlink.common.exceptions.fed.IssuerNotTrustedException: org.picketlink.common.exceptions.fed.IssuerNotTrustedException: Issuer not Trusted by the IDP: https://idp-dev.haha.hou/idp/
              at org.picketlink.common.DefaultPicketLinkLogger.samlIssuerNotTrustedException(DefaultPicketLinkLogger.java:1496) [picketlink-common-2.5.2.Final-CP01.jar:]
              ... 16 more
      Caused by: org.picketlink.common.exceptions.fed.IssuerNotTrustedException: Issuer not Trusted by the IDP: https://idp-dev.haha.hou/idp/
              at org.picketlink.common.DefaultPicketLinkLogger.samlIssuerNotTrustedError(DefaultPicketLinkLogger.java:1486) [picketlink-common-2.5.2.Final-CP01.jar:]
              at org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler$IDPTrustHandler.trustIssuer(SAML2IssuerTrustHandler.java:118) [picketlink-federation-2.5.2.Final.jar:]
              ... 15 more
      

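The workaround mentioned in this report, shown as an added picketlink.xml fragment that is constructed here for illustration and is not from the issue or from the PicketLink project. It assumes the IDP URL https://idp-dev.haha.hou/idp/ taken from the trace above, a hypothetical single service-provider host sp.example.test, and the Trust/Domains element of the PicketLink 2.5 IDP configuration:

```xml
<!-- picketlink.xml of the IDP web application (constructed example) -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                   ServerEnvironment="jboss" BindingType="POST" SupportsSignatures="true">

        <!-- Issuer value that appears in the IDP's own SAML responses;
             this is the string rejected in the stack trace above. -->
        <IdentityURL>https://idp-dev.haha.hou/idp/</IdentityURL>

        <!-- Hosts whose Issuer values SAML2IssuerTrustHandler accepts.
             Before the workaround only the SP host is listed, so during
             global logout the IDP's response to its own request fails
             with IssuerNotTrustedException. -->
        <Trust>
            <!-- <Domains>sp.example.test</Domains>               (before) -->
            <Domains>sp.example.test,idp-dev.haha.hou</Domains> <!-- (workaround) -->
        </Trust>

        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyProvider">
            <Auth Key="KeyStoreURL" Value="/idp.jks"/>
            <Auth Key="KeyStorePass" Value="CHANGE_ME"/>
            <Auth Key="SigningKeyPass" Value="CHANGE_ME"/>
            <Auth Key="SigningKeyAlias" Value="idp"/>
            <!-- hypothetical SP certificate alias used to verify SP signatures -->
            <ValidatingAlias Key="sp.example.test" Value="sp"/>
        </KeyProvider>
    </PicketLinkIDP>

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <!-- Issuer trust check runs first for every inbound SAML message -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    </Handlers>
</PicketLink>
```

Adding the IDP's own host widens the set of Issuer values the IDP accepts, so keep the Domains list to exactly the hosts that are meant to send SAML messages to this IDP and review it when the workaround is no longer needed.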

            psilva@redhat.com Pedro Igor Craveiro
            alpapad_jira Alexander Papadakis (Inactive)