Description of problem:
SSO does not work for a distributed PicketLink Service Provider. When a user logs in to the SP through the IdP and then accesses the SP on a different node, the user should be logged in (because of Web SSO) and get the requested protected resource. But the user is redirected to the IdP to log in instead. In case the session on the IdP is still valid, the user obtains an assertion and is redirected back to the SP -- in a browser, all of this is hidden under the hood.

Version-Release number of selected component (if applicable):
2.5.4.SP7-redhat-1

How reproducible:
Given:
* EAP instance EAP1 with distributable PicketLink SP
* EAP instance EAP2 with distributable PicketLink SP
* EAP instance EAP3 with PicketLink IdP
* no load balancer, to simplify the test case

Procedure:
When the user requests SP @ EAP1, then the user should be redirected to the IdP, and the IdP should prompt the user to log in. [OK]
When the user logs in to the IdP, then the IdP should redirect the user back to SP @ EAP1, and the SP should return the index page (the user should be logged in to SP @ EAP1). [OK]
When the user requests SP @ EAP2, then the SP should return the index page without redirecting to the IdP (the user should be logged in to SP @ EAP2 by Web SSO). [FAILURE]

Actual results:
The user is not logged in to SP @ EAP2, and is redirected to the IdP.

Expected results:
The user is logged in to SP @ EAP2 -- the index page should be returned.

Additional info:
The issue is not valid for EAP 7.
Created attachment 1146852 [details] sp.war for EAP1
Created attachment 1146853 [details] sp.war for EAP2
Created attachment 1146854 [details] idp.war for EAP3
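A way to tell, from the raw HTTP response of step 3, whether SP @ EAP2 honoured Web SSO or issued a fresh SAML AuthnRequest. This is an added example, not code from the bug report, the attachments, or PicketLink. It assumes localhost, the default ports derived from the port offsets (8280 for EAP2, 8380 for EAP3), /sp/ and /idp/ context roots, and constructed sample responses standing in for the real ones. It goes beyond the single redirect described in the report by handling both request bindings PicketLink can use: HTTP-Redirect (302 with the deflated, base64-encoded request in a query parameter) and HTTP-POST (200 with an auto-submitting form carrying plain base64).

```python
# Added example, not code from the bug report or from PicketLink.
# Classifies what SP @ EAP2 returned in step 3 of the reproducer:
#   "sso-ok"        - the protected page came back (Web SSO honoured)
#   "authn-request" - the SP sent the browser to the IdP with a new AuthnRequest (bug reproduced)
# Both SAML request bindings are handled: HTTP-Redirect (302, ?SAMLRequest= holds
# base64 of raw DEFLATE) and HTTP-POST (200, auto-submitting form with plain base64).
# Hosts, ports, context roots and the sample messages below are constructed assumptions.
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_FORM = re.compile(r'name="SAMLRequest"\s+value="([^"]+)"', re.I)


def decode_redirect_binding(b64):
    """HTTP-Redirect binding: base64 over raw DEFLATE (RFC 1951, no zlib header)."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def decode_post_binding(b64):
    """HTTP-POST binding: plain base64 of the XML, no compression."""
    return base64.b64decode(b64).decode("utf-8")


def authn_request_summary(xml_text):
    """Fields worth logging from an AuthnRequest, or None if the XML is something else."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return None
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def classify(status, headers, body):
    """Return (verdict, summary): verdict is "sso-ok", "authn-request" or "unknown"."""
    location = headers.get("Location")
    if status in (302, 303) and location:
        qs = parse_qs(urlsplit(location).query)  # parse_qs already URL-decodes the value
        if "SAMLRequest" in qs:
            summary = authn_request_summary(decode_redirect_binding(qs["SAMLRequest"][0]))
            if summary:
                summary["binding"] = "redirect"
                return "authn-request", summary
        return "unknown", None  # some other redirect; inspect by hand
    if status == 200:
        m = POST_FORM.search(body)
        if m:
            summary = authn_request_summary(decode_post_binding(m.group(1)))
            if summary:
                summary["binding"] = "post"
                return "authn-request", summary
        return "sso-ok", None  # 200 with no SAMLRequest form: the protected resource itself
    return "unknown", None


# ---- constructed sample messages standing in for the real EAP2 responses ----
SP_URL = "http://localhost:8280/sp/"    # EAP2: default 8080 + port-offset 200 (assumed)
IDP_URL = "http://localhost:8380/idp/"  # EAP3: default 8080 + port-offset 300 (assumed)
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="ID_example-1" '
    'Version="2.0" IssueInstant="2016-01-01T00:00:00Z" Destination="%s" '
    'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
    % (SAMLP, SAML, IDP_URL, SP_URL, SP_URL)
)


def redirect_encode(xml_text):
    """What an SP puts in ?SAMLRequest=: base64 of raw DEFLATE (inverse of decode_redirect_binding)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode("utf-8")) + c.flush()).decode("ascii")


def sample_redirect_response():
    loc = IDP_URL + "?SAMLRequest=" + quote(redirect_encode(SAMPLE_AUTHN_REQUEST), safe="")
    return 302, {"Location": loc}, ""


def sample_post_response():
    b64 = base64.b64encode(SAMPLE_AUTHN_REQUEST.encode("utf-8")).decode("ascii")
    form = '<form method="post" action="%s"><input type="hidden" name="SAMLRequest" value="%s"/></form>'
    return 200, {}, form % (IDP_URL, b64)


def sample_index_response():
    return 200, {"Content-Type": "text/html"}, "<html><body>index page, user is logged in</body></html>"


if __name__ == "__main__":
    for name, resp in (("redirect", sample_redirect_response()),
                       ("post", sample_post_response()),
                       ("index", sample_index_response())):
        print(name, classify(*resp))
```

To use it against the real deployment, capture the status line, headers and body of the request to SP @ EAP2 (with the browser's cookies from steps 1 and 2) and pass them to classify(); an "authn-request" verdict whose issuer is the EAP2 SP is the failure the report describes, since a working Web SSO cache would never have produced a new request.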
To start the EAP instances from EAP_HOME:

  cp -r standalone standalone1
  cp -r standalone standalone2
  cp -r standalone standalone3
  bin/standalone.sh -c standalone-ha.xml -Djboss.server.base.dir=`pwd`/standalone1 -Djboss.node.name=host1
  bin/standalone.sh -c standalone-ha.xml -Djboss.server.base.dir=`pwd`/standalone2 -Djboss.node.name=host2 -Djboss.socket.binding.port-offset=200
  bin/standalone.sh -Djboss.server.base.dir=`pwd`/standalone3 -Djboss.node.name=host3 -Djboss.socket.binding.port-offset=300

CLI commands for the security domains:

  /subsystem=security/security-domain=idp:add(cache-type=default)
  /subsystem=security/security-domain=idp/authentication=classic:add
  /subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"users.properties"), ("rolesProperties"=>"roles.properties")])
  /subsystem=security/security-domain=sp:add(cache-type=default)
  /subsystem=security/security-domain=sp/authentication=classic:add
  /subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule, flag=required)

CLI command for EAP1 and EAP2 to enable Web SSO:

  /subsystem=web/virtual-server=default-host/sso=configuration:add(cache-container="web", cache-name="sso")