How do I get the OpenSSO/OpenAM Fedlet working w/ ADFS 2.0?

Question

I'm trying to get the OpenSSO(OpenAM) fedlet up and running against an ADFS2.0 server. I've gotten imported their metadata (idp.xml) and exchanged certificates with the ADFS server. I had to remove some elements from the XML file; claimstypes and some other such elements.

When I click the "Run Fedlet (SP) initiated Single Sign-On using HTTP POST binding" link to attempt a SSO, I get bounced to an "HTTP Status 500 - Single Sign On failed" page.

My fedlet is running on myServer.domain.net and the ADFS server is adfs.domain.net.

I've decoded the SAML request that I'm making to the ADFS server:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s25420b00d06164c30c915b9f69c6e5b73408c6b27" Version="2.0" IssueInstant="2011-03-14T21:37:27Z" Destination="https://adfs.domain.net/adfs/ls/" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://myServer:8999/fedlet/fedletapplication">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">myServer.domain.net</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="myServer.domain.net" AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

These are the errors and stack stack trace from my jboss log:

2011-03-14 16:22:00,330 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger access
INFO: GOT_RESPONSE_FROM_POST
{}
2011-03-14 16:22:00,331 ERROR [STDERR] Mar 14, 2011 4:22:00 PM com.sun.identity.plugin.log.impl.FedletLogger error
INFO: WRONG_STATUS_CODE
{_12549e97-9ef2-49f2-a3c2-3dd40171ce8a}
{}
2011-03-14 16:22:00,331 INFO  [STDOUT] ### {SAMLResponse=[Ljava.lang.String;@1d341d34}\
2011-03-14 16:22:00,331 INFO  [STDOUT] ### SAMLResponse:

The SAMLResponse from the ADFS server:

<samlp:Response ID="_12549e97-9ef2-49f2-a3c2-3dd40171ce8a" Version="2.0" IssueInstant="2011-03-14T21:22:38.770Z" Destination="https://myServer:8999/fedlet/fedletapplication" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="s2d4265ae10edc2e33c08dc34c248a95dd771ce4ce" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain.net/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_12549e97-9ef2-49f2-a3c2-3dd40171ce8a">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>AX/P9yGMxS6g8X5wbWqV1bbDeIxJXuHhr5OK3VJ9lzU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ViPPkKk8KLx6TUHWjaVcbiDHEBQOio7+7gJqC2lnVeT6Ja4MqrF6GtIX8MjwHAHM+s5gOcxdldPYoKNfAkh12C690BQvlWXQd0nc6NmDVNvYGSCWy2JL19wiBDoNreWO4YwCXOoeHOS/CvsxB1gE5CiyQ8BzbsIAGvH3+uIVOcOrj30SuDQkXYBqnZw5OPM9BlmG7C4UBS8wlO44Ukbvs0oqwgVxSeBk6kywBYW9PoNGCc6ViTZwhWoQYGj2dFd/k282mzaZ4cz+aHBpAYMju9QJuXPpzdtP4Ms6x8BxpBrQUwPcg9+wV+jtwCmMgarFfOWwlR00b6m64XdPK9bmJw==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>MIIC2DCCAcCgAwIBAgIQE8jPCJT5aIVMphr1XJ3sNDANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBhZGZzLm1tcGxwLm5ldDAeFw0xMDExMzAyMjAzMDVaFw0xMTExMzAyMjAzMDVaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGFkZnMubW1wbHAubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvl/P5VDzs+hpXiStYihulMkz+iR6LjDSy5sxjePEylM2XbYxMJJIuUhvHq86sb4FKiTZWAzh9VkDLvee8j+KDwuYR3yQ0VDteD/ig/hSN5ehpzijPOLhTh+7DbUqVzcXKdrhVXfhvybfeDSNEAY424h+rusdj+hIn0ggrn+rwXhC6satnbZvxhbUssiRFAEXdDKNuakpywZUw97XjTUBxm6E6GwoCznQX/wk6F82z0AkcGUV9pUOs83aPA97DBjq4oGCt+uqVUtO/KauFmydtVojU7RyYsoPOguPEOODOACd7tnag/6qyPZEroHk8OU7VdzjGg2ItXOAYlDV3HTb1QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBwACOtAkh4rngQCWf98Lsu0GuvzIhVJ+RO+Jlwc058FOXT+whyHyEJVm0joiR89lILsUJDEnYcoXEBHoiAGblDAyT+bqqWJuJBenRfXlBGlQfoGGz4eOAQ7gWkXL5kToDVtosSJ1ZtbWTeum9bYTS3xy7qzsbJLXSXUZ7mrz/kbA9ksSmTInDPhkLBkcg/OQhcDQ0F0J+ab5iGKRGkNmLgI3JRs6WRjrFRg0V8aQAtU94m6hvceu2QI8q8t9asQ3JISHLLaTUs7jDXp7j8xbeMHm8exs80mebDoJLWVEsvVLSSuUU8cTxNScpInnpjE82qH2baa2ig+XfVQbyxyJjc</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>

The error/stacktrace:

2011-03-14 16:22:00,331 ERROR [STDERR] com.sun.identity.saml2.common.SAML2Exception: Single Sign On failed.
2011-03-14 16:22:00,331 ERROR [STDERR]  at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(Unknown Source)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jsp.fedletSampleApp_jsp._jspService(fedletSampleApp_jsp.java:262)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
2011-03-14 16:22:00,331 ERROR [STDERR]  at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:332)
2011-03-14 16:22:00,331 ERROR [STDERR]  at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
2011-03-14 16:22:00,332 ERROR [STDERR]  at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
2011-03-14 16:22:00,332 ERROR [STDERR]  at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
2011-03-14 16:22:00,332 ERROR [STDERR]  at java.lang.Thread.run(Thread.java:810)

Could this be from editing the metadata that the ADFS server provided me? I'm having trouble figuring out where to dig from here.

Thanks,

Answer 1

Have you read through Creating a Virtual Organization Using Federated Identity Services with OpenSSO and Microsoft Active Directory Federation Services?.

The details are in the White Paper at the bottom.

The OpenSSO instructions are here : WS-Federation Operations