Details
Bug
Resolution: Unresolved
Major
Description
PicketLink (version picketlink-impl-2.5.5.SP1-redhat-1, runtime environment) ignores the EntityID attribute configured in the picketlink.xml config file.
Because of this, we have to create a separate SP configuration entry on our IdP for each Assertion Consumer Service URL instead of using one EntityID for multiple ACS URLs: as the captured request below shows, the Issuer PicketLink sends is the ACS URL rather than the configured EntityID, so the IdP sees a different SP for every ACS URL. This is inefficient and does not scale for our enterprise.
picketlink.xml:
<?xml version="1.0" encoding="UTF-8"?>
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<!-- SP configuration as pasted in the report. Per the report, EntityID is the value the SP is
     expected to present as the AuthnRequest <saml:Issuer>; the captured request below carries
     the AssertionConsumerServiceURL there instead. SupportsSignatures="true" matches the
     enveloped dsig:Signature seen in that request. The xmlns on PicketLinkSP repeats the
     root's default namespace and is redundant. The listing stops after the PicketLinkSP start
     tag: its child elements and the closing tags are not shown here. -->
<PicketLinkSP
xmlns="urn:picketlink:identity-federation:config:2.1"
EntityID="http://localhost:9080/XXX/"
ServerEnvironment="tomcat"
BindingType="POST"
SupportsSignatures="true"
CanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
SAML request sent by PicketLink:
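<?xml version="1.0" encoding="UTF-8"?>
<!-- AuthnRequest as captured from PicketLink. <saml:Issuer> carries the same value as
     AssertionConsumerServiceURL (http://vm98222216.sv.db.de/bpa/) rather than the EntityID
     configured in picketlink.xml; an IdP typically identifies the SP by the Issuer, which is
     why one SP entry per ACS URL is currently required. The ACS URL is plain http://, so the
     IdP's POST response would reach the SP unencrypted unless this is a test-only host.
     Digest, signature and modulus values are truncated ("...") by the reporter; the closing
     tag of DigestValue was mangled in the paste and is restored here. -->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                    AssertionConsumerServiceURL="http://vm98222216.sv.db.de/bpa/"
                    Destination="https://sso.test.service.deutschebahn.com/saml/idp/profile/redirectorpost/sso"
                    ForceAuthn="false"
                    ID="ID_9068ecb8-4eb0-4e3b-9e9d-c49fb9b74f18"
                    IsPassive="false"
                    IssueInstant="2018-02-23T13:04:32.064Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://vm98222216.sv.db.de/bpa/</saml:Issuer>
  <!-- Enveloped signature over the whole request (Reference URI points at the request ID).
       Both the signature (rsa-sha1) and digest (sha1) algorithms are SHA-1 based; check
       whether the IdP still accepts them and whether a SHA-256 variant can be configured. -->
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <dsig:Reference URI="#ID_9068ecb8-4eb0-4e3b-9e9d-c49fb9b74f18">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>bBL...</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>joHr...</dsig:SignatureValue>
    <!-- Bare RSA public key; the IdP must already trust this key (no certificate is sent). -->
    <dsig:KeyInfo>
      <dsig:KeyValue>
        <dsig:RSAKeyValue>
          <dsig:Modulus>sheLQP...</dsig:Modulus>
          <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
      </dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>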