Redirect using SAML is not landing in my configured page

Question

I am facing an issue while using SAML to implement SSO on my web application.

After successful login I want to redirect to my application’s dashboard / main menu. But, it gets redirected to http://:/IDBUS/first-idau/IDP-1/SAML2/SSO/POST.

1. The flow is, I request my application’s context url in browser. In josso I have configured it to be redirected to atricore. Then there is a change in request headers and the request comes back to same application url I requested. Now I use a filter and redirect it to JOSSO login page. So this single request lands in JOSSO login page.

2. When I give credentials and login, then JOSSO authenticates and sets the user principal and sends the request to my url. Here I have a filter to forward to my dashboard. In this step after I give authentication information in JOSSO login page, instead of getting my dashboard, it gets redirected to some JOSS page (http://:/IDBUS/first-idau/IDP-1/SAML2/SSO/POST) this is in OSGi bundle in Atricore.

When I debug, I see a HTTP header as “referer”. It pointing to the above URL. I think it should point to my application’s dashboard url which I have configured in josso-agent-config.xml

I did one analysis and found something interesting. In step 1, I have used a filter in my application to redirect to JOSSO login page. Instead of doing that, I allowed to complete the request. Then it gets landed in a page in my application. Now in the same session (in browser), I manually made request to JOSSO login page. Then I got the JOSSO login page (this is step 2). Then I gave credentials and requested to login. Now it gets successfully forwarded to the intended my application’s dashboard page.

So my guess is that, there should be something wrong with my filter where I redirect to JOSSO login page.

I am using Atricore Identity Bus 1.0.0-m1+JOSSO 1.8.2+Spring 2.5.6.SEC01. Please help me on this.

Answer 1

Hi Joseph,

First of all, I'd strongly suggest you to upgrade to Atricore M2 which was released last week and available here : http://sourceforge.net/projects/atricore/files/Atricore%20Identity%20Bus/Atricore%20Identity%20Bus%201.0.0%20M2/atricore-idbus-1.0.0-m2.zip/download . This release delivers tons of fixes and many significant enhancements such as native HA and scalability out-of-the-box support.

Also, make sure that you're using the final JOSSO 1.8.2 bits - not JOSSO 1.8.2 r1575 - released last week and available from the JOSSO web site (http://www.josso.org) .

Then, you should deploy the reference identity appliance for realizing a simple SAML-based Federated SSO setting encompassing a JOSSO Service Provider and a SAML2 Identity Provider. Make sure to follow the quick start :http://www.josso.org/confluence/display/IDBUS/Quick+Start

Going back to your original question, the URI your seeing is because JOSSO is relying on a SAML2 IdP Entity the authentication request (read: AuthNRequest) which, upon handled, returns the correpsonding SAML Response conveying authentication assertions.

The bottom line is that within a FSSO setting, the JOSSO Gateway concern is realized by an Identity Provider hosted in Atricore IDBus. Atricore Identity Bus is playing nice with JOSSO Agents (read: by speaking the "JOSSO" protocol) while bringing the standard-based FSSO capabilities on board, and without forcing you to invest in retrofitting your JOSSO Partner applications to SAML.

Hope this sheds some light on your issue and the subject in general.

Regards, Gianluca.