Bug 1326822

Summary: Web SSO does not work for distributed PicketLink Service Provider
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Ondrej Kotek <okotek>
Component: PicketLink
Assignee: jboss-set
Status: CLOSED WONTFIX
QA Contact: Ondrej Kotek <okotek>
Severity: medium
Priority: unspecified
Version: 6.4.7
CC: anmiller, bdawidow, psilva, pskopek
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2019-03-01 12:28:49 UTC
Attachments:
sp.war for EAP1
sp.war for EAP2
idp.war for EAP3

Description Ondrej Kotek 2016-04-13 13:23:05 UTC
Description of problem:
SSO does not work for distributed PicketLink Service Provider. When a user logs in to SP through IdP and then accesses the SP on a different node, the user should be logged in (because of Web SSO) and get the requested protected resource. But the user is redirected to IdP to log in instead.

In case the session on IdP is still valid, the user obtains assertion and is redirected back to SP -- in browser, all is hidden under the hood.


Version-Release number of selected component (if applicable):
2.5.4.SP7-redhat-1


How reproducible:
Given:
* EAP instance EAP1 with distributable PicketLink SP
* EAP instance EAP2 with distributable PicketLink SP
* EAP instance EAP3 with PicketLink IdP
* no load balancer to simplify the test case

Procedure:
When user requests SP @ EAP1, then user should be redirected to IdP, and IdP should prompt user to log in. [OK]
When user logs in to IdP, then IdP should redirect user back to SP @ EAP1, and SP should return index page (user should be logged in to SP @ EAP1). [OK]
When user requests SP @ EAP2, then SP should return index page without redirecting to IdP (user should be logged in to SP @ EAP2 by Web SSO). [FAILURE]

Actual results:
User is not logged in to SP @ EAP2, and is redirected to IdP.

Expected results:
User is logged in to SP @ EAP2 -- the index page should be returned.

Additional info:
The issue is not valid for EAP 7.

Comment 2 Ondrej Kotek 2016-04-13 13:30:04 UTC
Created attachment 1146852 [details]
sp.war for EAP1

Comment 3 Ondrej Kotek 2016-04-13 13:31:08 UTC
Created attachment 1146853 [details]
sp.war for EAP2

Comment 4 Ondrej Kotek 2016-04-13 13:32:01 UTC
Created attachment 1146854 [details]
idp.war for EAP3

Comment 5 Ondrej Kotek 2016-04-13 13:39:48 UTC
To start EAP instances from EAP_HOME:
cp -r standalone standalone1; cp -r standalone standalone2; cp -r standalone standalone3
bin/standalone.sh -c standalone-ha.xml -Djboss.server.base.dir=`pwd`/standalone1 -Djboss.node.name=host1
bin/standalone.sh -c standalone-ha.xml -Djboss.server.base.dir=`pwd`/standalone2 -Djboss.node.name=host2 -Djboss.socket.binding.port-offset=200
bin/standalone.sh -Djboss.server.base.dir=`pwd`/standalone3 -Djboss.node.name=host3 -Djboss.socket.binding.port-offset=300


CLI commands for security domains:
/subsystem=security/security-domain=idp:add(cache-type=default)
/subsystem=security/security-domain=idp/authentication=classic:add
/subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"users.properties"), ("rolesProperties"=>"roles.properties")])

/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)


CLI command for EAP1 and EAP2 to enable Web SSO:
/subsystem=web/virtual-server=default-host/sso=configuration:add(cache-container="web", cache-name="sso")
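Added example, not part of the report or of PicketLink: a Python script that drives the three-step procedure above with a single cookie jar and gives each step the report's [OK]/[FAILURE] verdict. It follows SAML HTTP-POST binding forms itself and counts any hop through the IdP during step 3 as a failure, because a still-valid IdP session otherwise hides that extra round trip from a browser user. Assumed: the port offsets from comment 5, the /sp and /idp context paths, and a Java EE FORM login (j_security_check, j_username, j_password) on the IdP.

```python
import http.cookiejar
import re
import urllib.parse
import urllib.request

# Constructed defaults using the port offsets from comment 5 (EAP1 +0, EAP2 +200, EAP3 +300);
# the /sp and /idp context paths and the IdP's FORM-login field names are assumptions.
SP1 = "http://localhost:8080/sp/"
SP2 = "http://localhost:8280/sp/"
IDP = "http://localhost:8380/idp/"

# Constructed sample of the self-submitting page the SAML 2.0 HTTP-POST binding uses.
SAMPLE_POST_FORM = ('<FORM METHOD="POST" ACTION="http://localhost:8080/sp/">'
                    '<INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="PHNhbWw+"/>'
                    '<INPUT TYPE="HIDDEN" NAME="RelayState" VALUE="x"/></FORM>')

def saml_post_form(html):
    """Return (action, hidden fields) of a SAML HTTP-POST binding form; attribute case varies."""
    action = re.search(r'action="([^"]+)"', html, re.I).group(1)
    fields = dict(re.findall(r'name="([^"]+)"\s+value="([^"]*)"', html, re.I))
    return action, fields

def settle(opener, resp):
    """Submit self-posting SAML forms until a plain page returns; record every URL visited."""
    hops = [resp.geturl()]
    html = resp.read().decode(errors="replace")
    while "SAMLRequest" in html or "SAMLResponse" in html:
        action, fields = saml_post_form(html)
        resp = opener.open(urllib.request.Request(action, urllib.parse.urlencode(fields).encode()))
        hops.append(resp.geturl())
        html = resp.read().decode(errors="replace")
    return hops

def verdict(hops, expected, idp=None):
    """Report-style verdict: end at `expected` and, when `idp` is given, never pass through it."""
    if idp and any(h.startswith(idp) for h in hops):
        return "FAILURE"          # a valid IdP session hides this detour from a browser user
    return "OK" if hops[-1].startswith(expected) else "FAILURE"

def run(sp1=SP1, sp2=SP2, idp=IDP, user="user", password="password"):
    """Execute the three steps with one cookie jar (one browser) and return their verdicts."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    hops = settle(opener, opener.open(sp1))                        # step 1: must land on the IdP
    step1 = verdict(hops, idp)
    creds = urllib.parse.urlencode({"j_username": user, "j_password": password}).encode()
    login = urllib.request.Request(urllib.parse.urljoin(hops[-1], "j_security_check"), creds)
    step2 = verdict(settle(opener, opener.open(login)), sp1)       # step 2: back at SP @ EAP1
    step3 = verdict(settle(opener, opener.open(sp2)), sp2, idp)    # step 3: no IdP round trip
    return step1, step2, step3
```

With the behaviour described in this report, run() returns ('OK', 'OK', 'FAILURE'); a setup where Web SSO works across the two SP nodes returns ('OK', 'OK', 'OK').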