asgardeo / asgardeo-tomcat-saml-agent


SAML Agent for Tomcat using Java SAML SDK for Asgardio

License: Apache License 2.0

Languages: Java 59.41%, HTML 12.06%, Shell 17.29%, Dockerfile 2.91%, CSS 8.32%
Topics: hacktoberfest

asgardeo-tomcat-saml-agent's People

Contributors

chamathns, cnapagoda, darshanasbg, deshankoswatte, dinikasen, emswbandara, gayashanbc, godwinamila, hasinthaindrajee, isharak, jkaushalya, kanchanagodage, kasungayan, kayathiri4, madumalt, madurangasiriwardena, maheshika, malithie, mefarazath, nilagini, nipunibhagya, omindu, piyarathnalakmali, pulasthi7, rashmini, senthalan, thanujalk, thivi, vihanga-liyanage, wso2-jenkins-bot


asgardeo-tomcat-saml-agent's Issues

Add support for target page.

Describe the issue:

Currently, upon successful authentication, the SSO agent redirects the user to the page registered in the ACS URL (eg: app/home).

However, if a user tries to access another secured page (eg: app/myAccount) without having an authenticated session with the IdP, the user is first prompted for authentication. Then, upon successful authentication, the user is redirected to app/home, whereas the user should have been redirected to the original page they tried to access, app/myAccount.

Expected behaviour

The Agent should keep track of the original page the user tried to access (target page), and redirect the user to the target page upon successful authentication.
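The behaviour requested above, as an added example that is not the agent's own code: a hypothetical helper that records the requested page in the session before the login redirect and returns to it once the ACS has accepted the assertion, accepting only paths inside this web app so the stored value can never be turned into an open redirect. It assumes the javax.servlet API the Tomcat agent runs on; the class, method and attribute names are invented.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper, not part of the agent: remembers the page a user asked for before login. */
public final class TargetPageTracker {
    /** Hypothetical session attribute name. */
    static final String TARGET_PAGE_ATTR = "saml.agent.targetPage";

    /** Call this before redirecting an unauthenticated user to the IdP. */
    public static void remember(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) {
            return; // only idempotent requests are safe to replay after login
        }
        String target = request.getRequestURI();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        request.getSession(true).setAttribute(TARGET_PAGE_ATTR, target);
    }

    /** Call this after the ACS has accepted the assertion; falls back to the home page. */
    public static void redirectBack(HttpServletRequest request, HttpServletResponse response,
                                    String fallbackHome) throws IOException {
        HttpSession session = request.getSession(false);
        String target = null;
        if (session != null) {
            target = (String) session.getAttribute(TARGET_PAGE_ATTR);
            session.removeAttribute(TARGET_PAGE_ATTR); // single use: never replay an old target
        }
        response.sendRedirect(isLocalPath(target, request.getContextPath()) ? target : fallbackHome);
    }

    /** Accept only a path inside this web app, so a stored value can never become an open redirect. */
    static boolean isLocalPath(String target, String contextPath) {
        if (target == null || target.startsWith("//") || !target.startsWith(contextPath + "/")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            return uri.getScheme() == null && uri.getAuthority() == null && !target.contains("..");
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```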

Dockerize the sample app

Description

The sample app needs to be dockerized in order to facilitate convenient deployments.

Single Logout flow not working as expected.

Description:
After initiating an SLO request from a secondary application, refreshing the logged-in secured page (eg: home.jsp in the sample-app in tomcat-saml-agent) of the primary app does not redirect the user to a login page, nor does it prompt the user for authentication. Instead, a new logged-in session is created and the secured page remains accessible.


Steps to reproduce:

  1. Configure two webapps with the WSO2-IS. In my testing, I configured the pickup-dispatch webapp (OIDC) and the sample-app (SAML).
  2. Enable Single Logout under the service provider configurations (Inbound Authentication Configuration -> SAML2 Web SSO Configuration) of the sample-app.
  3. Log in from the pickup-dispatch app, providing the user credentials.
  4. Open a new tab in the same browser and log in to the sample-app. (You should not be prompted for authentication in this step.)
  5. After getting to the home page of both applications, click on logout in the pickup-dispatch app.
  6. Verify that the user is logged out. (The user should be redirected to the login page of the pickup-dispatch app.)
  7. Switch to the sample-app application (the user should be on the home.jsp page of the sample-app) and hit refresh in the browser.
  8. The home.jsp page of the sample-app is still accessible.

Threadrace bug

Describe the issue:

SSOAgentConfig is a singleton, so changing this object per request should be synchronized or done on a copy of the object. A concrete example of the code is here:
https://github.com/asgardio/asgardio-tomcat-saml-agent/blob/master/io.asgardio.tomcat.saml.agent/src/main/java/io/asgardio/tomcat/saml/agent/SAML2SSOAgentFilter.java#L148-L151

After an incorrect case, the variable ssoAgentConfig.getSAML2().isPassiveAuthn ends up with the value true, and then all subsequent logins will be passive.

I made a pull request for this bug, which includes changes after code review.

How to reproduce:

I wrote a test for this case: https://github.com/boulik/tomcat-saml-agent-stressTest
Expected behavior:

--

Environment information (Please complete the following information; remove any unnecessary fields) :

  • Product Version: [IS 5.7.0]
  • OS: [Windows, Linux, Mac]
  • Browser: [Chrome, Firefox, Edge, Safari]
  • SDK Version: [0.1.18]

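The race described above, as an added illustration that is not the agent's code: a stand-in SharedConfig with one mutable flag plays the part of the singleton SSOAgentConfig, buggyHandle writes the per-request passive choice into it as the report describes, and fixedHandle keeps that choice on the request's own stack; leaks() counts how many simulated requests observed another request's flag. All class and method names are invented; the buggy count varies from run to run, while the fixed count is always zero.

```java
import java.util.concurrent.atomic.AtomicInteger;

public final class PassiveFlagRace {

    /** Stand-in for the singleton SSOAgentConfig: one mutable flag shared by every request thread. */
    static final class SharedConfig {
        volatile boolean passiveAuthn;   // volatile only makes the leak visible sooner
    }

    /** Buggy shape: each request writes its own choice into the shared object, then reads it back. */
    static boolean buggyHandle(SharedConfig shared, boolean wantPassive) {
        shared.passiveAuthn = wantPassive;
        Thread.yield();                  // another request may overwrite the flag here
        return shared.passiveAuthn;      // may now be the other request's value
    }

    /** Fixed shape: the shared config is only read; the per-request choice lives on this thread's stack. */
    static boolean fixedHandle(SharedConfig shared, boolean wantPassive) {
        boolean passiveForThisRequest = shared.passiveAuthn || wantPassive;
        return passiveForThisRequest;    // nothing shared was written
    }

    /** Runs alternating passive/non-passive requests on `threads` threads; returns how many saw the wrong flag. */
    static int leaks(boolean useFix, int threads) throws InterruptedException {
        SharedConfig shared = new SharedConfig();
        AtomicInteger wrong = new AtomicInteger();
        Thread[] workers = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            final boolean wantPassive = (i % 2 == 0);
            workers[i] = new Thread(() -> {
                for (int n = 0; n < 1000; n++) {
                    boolean got = useFix ? fixedHandle(shared, wantPassive)
                                         : buggyHandle(shared, wantPassive);
                    if (got != wantPassive) {
                        wrong.incrementAndGet();
                    }
                }
            });
            workers[i].start();
        }
        for (Thread t : workers) {
            t.join();
        }
        return wrong.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("buggy handler, requests with a leaked flag: " + leaks(false, 8));
        System.out.println("fixed handler, requests with a leaked flag: " + leaks(true, 8));
    }
}
```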

Cross protocol SLO is not working properly for SAML

Describe the issue:

Cross protocol SLO is not working properly for the SAML Tomcat agent sample application.

When logging out from the OIDC application, which is SSO and SLO enabled, the behavior below was found:

  1. Stays on the same page when a refresh is done from the SAML application, for IdP-initiated SSO in the SAML application.
  2. Prompts the login page when a refresh is done from the SAML application, for SP-initiated SSO in the SAML application.

Logout from the SAML application is not functioning properly in either case.

How to reproduce:

1. Set up the sample SAML agent application.
2. Set up the OIDC application so that SSO works (SSO & SLO enabled, IdP-initiated SSO & SLO enabled, with back-channel logout enabled on both applications).
3. Log out from the OIDC application.
4. Behavior:

  • Refreshing the SAML application when SSO was initiated by the IdP: it stays on the same page without knowing that a back-channel logout happened.

  • Refreshing the SAML application when SSO was initiated by the SP itself: it prompts the login page because SAML2RequestID is null in [1] and sends the SSO request to the IS again. This is always null even when no logout has been performed; on every refresh it sends the SSO request to the IS.

Here, the InResponseTo value is not present in the IdP-initiated SAML response, while the SAML response in the SP-initiated scenario has a value. In both cases it doesn't fire the /logout flow in the SAML2SSOAgentFilter and instead always fires the [2] condition.

[1] https://github.com/asgardio/asgardio-java-saml-sdk/blob/master/io.asgardio.java.saml.sdk/src/main/java/io/asgardio/java/saml/sdk/SAML2SSOManager.java#L376
[2] https://github.com/asgardio/asgardio-tomcat-saml-agent/blob/master/io.asgardio.tomcat.saml.agent/src/main/java/io/asgardio/tomcat/saml/agent/SAML2SSOAgentFilter.java#L94
Expected behavior:

Environment information (Please complete the following information; remove any unnecessary fields) :

  • Product Version: [IS 5.10.0]
  • OS: [Linux]
  • Browser: [Chrome]
  • SDK Version: [io.asgardio.tomcat.saml.agent:0.1.16]


Server Error when key store properties are not included.

Describe the issue:
The following error prevents the web app from deploying if the keyStore-related properties are not included in the .properties file.

org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class [io.asgardeo.tomcat.saml.agent.SSOAgentContextEventListener]
        java.lang.NullPointerException
                at io.asgardeo.tomcat.saml.agent.SSOAgentContextEventListener.contextInitialized(SSOAgentContextEventListener.java:80)
                at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4716)
                at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5172)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
                at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
                at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
                at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1023)
                at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1903)
                at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
...

How to reproduce:

Remove the Keystore-related configurations from the properties file and deploy the web app.
