Description of problem:
Let's have PicketLink SAML-based SSO using the REDIRECT binding. When the IdP redirects (back) to the SP, the redirect response is sent with a non-zero Content-Length header but without any content. A client (httpunit) expects content that never comes. This applies to SP-initiated SSO and to SAML v2.0 unsolicited responses. In the case of a SAML v1.1 unsolicited response, the redirection is OK (no content and no non-zero Content-Length header) -- in AbstractIDPValve it is processed separately and the response object is recycled before redirection (line 706: response.getCoyoteResponse().recycle();), unlike in the other cases.

Version-Release number of selected component (if applicable):
PicketLink 2.5.3.SP10-redhat-1

How reproducible:
Test cases from AbstractIdPInitiatedSsoTestCase with SP initiation or SAML v2.0 unsolicited responses.

Steps to Reproduce:
Run the IdPInitiatedSsoRedirectTestCase#testSpInitiatedSso test case.

Actual results:
Waiting 1 minute (timeout) because of the corrupted redirection, and failure because an assertion is no longer valid.

Expected results:
No waiting.
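The failure mode described above (a redirect whose Content-Length promises a body that is never sent) can be checked directly against a captured response. The following is an added example, not PicketLink or httpunit code; the two raw HTTP responses and the Content-Length value 1842 are constructed to resemble the report, not taken from the attached dump.

```python
from dataclasses import dataclass
from typing import List, Optional

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class ResponseInfo:
    status: int
    location: Optional[str]
    declared_length: Optional[int]
    actual_length: int


def parse_response(raw: bytes) -> ResponseInfo:
    """Split a raw HTTP/1.1 response into status line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers["content-length"]) if "content-length" in headers else None
    return ResponseInfo(status, headers.get("location"), declared, len(body))


def check_redirect(raw: bytes) -> List[str]:
    """Return findings for a redirect that would leave a client blocked on the body."""
    r = parse_response(raw)
    findings = []
    if r.status in REDIRECT_STATUSES:
        if r.location is None:
            findings.append("redirect without Location header")
        if r.declared_length and r.declared_length > r.actual_length:
            findings.append(
                f"Content-Length {r.declared_length} but only {r.actual_length} body bytes: client will block"
            )
    return findings


# Constructed sample of the buggy behaviour: stale Content-Length, empty body.
BROKEN_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: http://localhost:8080/sp/?SAMLResponse=PLACEHOLDER\r\n"
                   b"Content-Length: 1842\r\n\r\n")
# Constructed sample of a well-formed redirect: explicit zero-length body.
GOOD_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                 b"Location: http://localhost:8080/sp/?SAMLResponse=PLACEHOLDER\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(check_redirect(BROKEN_REDIRECT))
    print(check_redirect(GOOD_REDIRECT))
```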
Failed verification 6.4.0.DR11. See [1] for wireshark dump of communication of IdPInitiatedSsoRedirectTestCase#testSpInitiatedSsoHelloWorld test, especially line 140.
Created attachment 997556: idp.war
Created attachment 997557: sp.war

Attaching reproducer. Steps:
- start EAP
- use JBoss CLI to configure security domains:
    /subsystem=security/security-domain=idp:add(cache-type=default)
    /subsystem=security/security-domain=idp/authentication=classic:add
    /subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required)
    /subsystem=security/security-domain=sp:add(cache-type=default)
    /subsystem=security/security-domain=sp/authentication=classic:add
    /subsystem=security/security-domain=sp/authentication=classic/login-module=UsersRoles:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)
    reload
- deploy attached applications (idp.war, sp.war)
- open SP in Internet Explorer 10/11: http://localhost:8080/sp/
- you are redirected to IdP login form
- use tomcat/tomcat credentials to authenticate
... and wait for the SP page
John Doyle <jdoyle> updated the status of jira EAP6-222 to Closed