|
By Jim Faut, with contributions from Rick Palkovic, March 2009
|
|
|
[Part
1] [Part
2] [Part 3] [Part 4] [Part 5]
In this example, you explore an OpenSSO deployment designed for cross-domain sign-on. Using the Live HTTP Headers and HackBar add-ons for the popular Mozilla Firefox web browser, you can gain insight into OpenSSO interactions and better understand how the system works.
For an overview, software configuration details, and links to other examples, see Troubleshooting OpenSSO with Firefox Add-Ons: Part 1, Introduction.
Contents
This second example shows a more complex interaction between OpenSSO and the policy agent. In this example, Cookie Hijacking Prevention has been enabled according to the directions in Sun OpenSSO Enterprise 8.0 Administration Guide: Precautions Against Session-Cookie Hijacking in an OpenSSO Enterprise Deployment. The sequence diagram in Figure 1 depicts the interactions among the browser, policy agent, and OpenSSO during a CDSSO exchange.
Figure 1: Interaction Among the Browser, Policy Agent, and OpenSSO During a CDSSO Exchange |
Again, you can examine the HTTP traffic with the Live HTTP Headers and HackBar Firefox add-ons.
In your Firefox browser, navigate to the protected URL http://agent.customer.com/. The browser is redirected to the OpenSSO login page, and the corresponding HTTP traffic is captured in the Live HTTP Headers window. For the OpenSSO server and policy agent host configured as described in Part 1 of this series, the following data will be captured:
1. User Makes Initial Request
The user, who has not yet logged in to OpenSSO, requests a page that is protected by the policy agent.
|
http://agent.customer.com/
GET / HTTP/1.1
Host: agent.customer.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
|
2. Agent Sends Redirect to CDCServlet
The policy agent responds by redirecting the user to the OpenSSO CDCServlet. Note that the original page URL is specified by the goto parameter.
|
HTTP/1.x 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 25 Feb 2009 18:07:50 GMT
Location: http://osso.customer.com:8080/opensso/cdcservlet?goto=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z
Content-Length: 0
|
3. Browser Follows Redirect
The browser then follows the redirect instruction and passes the goto parameter as part of the URL.
|
http://osso.customer.com:8080/opensso/cdcservlet?goto=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z
GET /opensso/cdcservlet?goto=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z HTTP/1.1
Host: osso.customer.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
|
4. CDCServlet Renders Login Page and Sets Cookies
The OpenSSO CDCServlet renders a login page and sets some cookies that are used by the OpenSSO infrastructure. For example, the amlbcookie can be used by a load balancer to provide server stickiness in a multiple-host deployment.
|
HTTP/1.x 200 OK
X-Powered-By: JSP/2.1
Server: Sun Java System Application Server 9.1_02
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: Enterprise 8.0 Build 6(2008-October-31 09:07)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5wM2LY4Sfcw6Aeu+zeWSgeIphPOXdZRCCeLyzhMdGKU=@AAJTSQACMDE=#; Domain=osso.customer.com; Path=/
Set-Cookie: amlbcookie=01; Domain=osso.customer.com; Path=/
Set-Cookie: JSESSIONID=e9f02751d9313033352d976b476e; Path=/opensso
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Feb 2009 18:07:50 GMT
|
In the next sequence, the user enters a login name and password. These credentials are submitted to OpenSSO. A SAML transaction occurs and the user is issued a Master SSO Token and a Restricted SSO Token. The user is then redirected back to agent.customer.com.
5. User Submits AuthN Credentials
The user enters a login name and password. These credentials are represented as IDToken1 and IDToken2, respectively, in the HTTP POST data.
|
http://osso.customer.com:8080/opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4Sfcw6Aeu%2BzeWSgeIphPOXdZRCCeLyzhMdGKU%3D%40AAJTSQACMDE%3D%23
POST /opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4Sfcw6Aeu%2BzeWSgeIphPOXdZRCCeLyzhMdGKU%3D%40AAJTSQACMDE%3D%23 HTTP/1.1
Host: osso.customer.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://osso.customer.com:8080/opensso/cdcservlet?goto=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z
Cookie: JSESSIONID=e9f02751d9313033352d976b476e; AMAuthCookie=AQIC5wM2LY4Sfcw6Aeu+zeWSgeIphPOXdZRCCeLyzhMdGKU=@AAJTSQACMDE=#; amlbcookie=01
Content-Type: application/x-www-form-urlencoded
Content-Length: 391
IDToken0=&IDToken1=testuser&IDToken2=password&IDButton=Log+In&goto=L29wZW5zc28vY2Rjc2VydmxldD9UQVJHRVQ9aHR0cCUzQSUyRiUyRmFnZW50LmN1c3RvbWVyLmNvbSUzQTgwJTJGaW5kZXguaHRtbCZSZXF1ZXN0SUQ9MTIxNTQmTWFqb3JWZXJzaW9uPTEmTWlub3JWZXJzaW9uPTAmUHJvdmlkZXJJRD1odHRwJTNBJTJGJTJGYWdlbnQuY3VzdG9tZXIuY29tJTNBODAlMkZhbWFnZW50Jklzc3VlSW5zdGFudD0yMDA5LTAyLTI1VDExJTNBMDclM0E1MFo%3D&encoded=true&gx_charset=UTF-8
|
6. CDCServlet Sets Master SSO Token and Redirects to CDCServlet
OpenSSO authenticates the user and sets a new iPlanetDirectoryPro cookie to represent the user's master SSO token. Note that the cookie domain is set to osso.customer.com. This domain is different from the one in the example of Part 2. This change in the cookie domain was one of the changes made to OpenSSO to enable the CDSSO functionality. Setting a specific host for the cookie domain prevents that cookie from being sent to any other host. This master SSO token must be protected since it acts like a master key to the SSO infrastructure.
|
HTTP/1.x 302 Moved Temporarily
X-Powered-By: Servlet/2.5
Server: Sun Java System Application Server 9.1_02
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: Enterprise 8.0 Build 6(2008-October-31 09:07)
AM_CLIENT_TYPE: genericHTML
X-AuthErrorCode: 0
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcw6Aeu+zeWSgeIphPOXdZRCCeLyzhMdGKU=@AAJTSQACMDE=#; Domain=osso.customer.com; Path=/
Set-Cookie: sunIdentityServerAuthNServer=http://osso.customer.com:8080; Domain=.customer.com; Path=/
Set-Cookie: AMAuthCookie=LOGOUT; Domain=osso.customer.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Location: http://osso.customer.com:8080/opensso/cdcservlet?TARGET=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
Date: Wed, 25 Feb 2009 18:08:00 GMT
----------------------------------------------------------
|
7. Browser Follows Redirect
The browser follows the redirect instruction to the OpenSSO CDCServlet again. This time, the CDCServlet recognizes the valid Master SSO Token.
|
http://osso.customer.com:8080/opensso/cdcservlet?TARGET=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z
GET /opensso/cdcservlet?TARGET=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z HTTP/1.1
Host: osso.customer.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://osso.customer.com:8080/opensso/cdcservlet?goto=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z
Cookie: JSESSIONID=e9f02751d9313033352d976b476e; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4Sfcw6Aeu+zeWSgeIphPOXdZRCCeLyzhMdGKU=@AAJTSQACMDE=#; sunIdentityServerAuthNServer=http://osso.customer.com:8080
|
8. CDCServlet Renders Form with SAML POST
The CDCServlet responds by rendering an HTML form with an embedded SAML message. This message contains the new Restricted SSO Token. Although this cookie is created by the OpenSSO server, it cannot be set by the normal Set-Cookie response header, because the Restricted SSO Token must be confined to the host with the policy agent, agent.customer.com. The host agent.customer.com is the only host that can set such a cookie, so the information is encapsulated within a SAML assertion that is submitted to the agent.customer.com host.
|
HTTP/1.x 200 OK
X-Powered-By: Servlet/2.5
Server: Sun Java System Application Server 9.1_02
Pragma: no-cache
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 3568
Date: Wed, 25 Feb 2009 18:08:00 GMT
----------------------------------------------------------
|
9. Browser Submits SAML Data
The next request shows the browser submitting the form that contains the SAML assertion from OpenSSO. The SAML assertion is encoded in a form element named LARES. It is not readable, but you can use the HackBar add-on to decode it.
|
http://agent.customer.com/index.html
POST /index.html HTTP/1.1
Host: agent.customer.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://osso.customer.com:8080/opensso/cdcservlet?TARGET=http%3A%2F%2Fagent.customer.com%3A80%2Findex.html&RequestID=12154&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%2Fagent.customer.com%3A80%2Famagent&IssueInstant=2009-02-25T11%3A07%3A50Z
Cookie: sunIdentityServerAuthNServer=http://osso.customer.com:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 3398
LARES=PGxpYjpBdXRoblJlc3BvbnNlIHhtbG5zOmxpYj0iaHR0cDovL3Byb2plY3RsaWJlcnR5Lm9yZy9zY2hlbWFzL2NvcmUvMjAwMi8xMiIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpwcm90b2NvbCIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFJlc3BvbnNlSUQ9InM0YjE5NThhMmIzYjAzNDZkNzhiNDU0MDc2YzRjNzhjZDY4YzRjY2Y5IiAgSW5SZXNwb25zZVRvPSIxMjE1NCIgTWFqb3JWZXJzaW9uPSIxIiBNaW5vclZlcnNpb249IjAiIElzc3VlSW5zdGFudD0iMjAwOS0wMi0yNVQxODowODowMFoiPjxzYW1
...
31 lines omitted for brevity
...
1lbnRSZWY%2BPC9saWI6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoZW50aWNhdGlvblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPgo8bGliOlByb3ZpZGVySUQ%2BaHR0cDovL29zc28uY3VzdG9tZXIuY29tOjgwODAvb3BlbnNzby9jZGNzZXJ2bGV0PC9saWI6UHJvdmlkZXJJRD48L2xpYjpBdXRoblJlc3BvbnNlPgo%3D
|
To decode the value of the LARES form field with the HackBar add-on:
a.) Copy the text from the Live HTTP Headers window, as shown in Figure 2.
Figure 2: Copying the Value of the LARES Form Field |
b.) Paste the text into the HackBar window, and delete the LARES= characters at the beginning of the data, as shown in Figure 3.
Figure 3: Deleting "LARES=" Characters |
c.) Highlight all the remaining data and choose URL Decode from the HackBar Encoding menu, as shown in Figure 4.
Figure 4: Using URLdecode on LARES Form Field Data |
d.) Decode the data again, this time with Base64 Decode from the HackBar Encoding menu.
Figure 5: Base64 Decoding the LARES Form Field Data |
The result is shown in Figure 6: the SAML assertion is sent from OpenSSO to the policy agent through the user's browser.
Figure 6: Reading the LARES Form Field Data |
The data below shows the assertion as plain text. Key elements are emphasized in bold.
|
<lib:AuthnResponse xmlns:lib="http://projectliberty.org/schemas/core/2002/12" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ResponseID="s4b1958a2b3b0346d78b454076c4c78cd68c4ccf9" InResponseTo="12154" MajorVersion="1" MinorVersion="0" IssueInstant="2009-02-25T18:08:00Z">
<samlp:Status>
<samlp:StatusCode Value="samlp:Success">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:lib="http://projectliberty.org/schemas/core/2002/12" id="s8ee8a4b409b1d034faec2fdbcedb47c013079fce01" MajorVersion="1" MinorVersion="0" AssertionID="s8ee8a4b409b1d034faec2fdbcedb47c013079fce01" Issuer="http://osso.customer.com:8080/opensso/cdcservlet" IssueInstant="2009-02-25T18:08:00Z" InResponseTo="12154" xsi:type="lib:AssertionType">
<saml:Conditions NotBefore="2009-02-25T18:08:00Z" NotOnOrAfter="2009-02-25T18:09:00Z" >
<saml:AudienceRestrictionCondition>
<saml:Audience>
http://agent.customer.com:80/amagent</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="DataStore" AuthenticationInstant="2009-02-25T18:08:00Z" ReauthenticateOnOrAfter="2009-02-25T18:09:00Z" xsi:type="lib:AuthenticationStatementType">
<saml:Subject xsi:type="lib:SubjectType">
</pre>
<b>
<pre>
<saml:NameIdentifier NameQualifier="http://osso.customer.com:8080/opensso/cdcservlet">AQIC5wM2LY4SfcwLe10zMVcAZrzjMEldBn0m7UGuCUpIJSs%3D%40AAJTSQACMDE%3D%23</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
<lib:IDPProvidedNameIdentifier NameQualifier="http://osso.customer.com:8080/opensso/cdcservlet" >
AQIC5wM2LY4SfcwLe10zMVcAZrzjMEldBn0m7UGuCUpIJSs%3D%40AAJTSQACMDE%3D%23</lib:IDPProvidedNameIdentifier>
</saml:Subject>
<saml:SubjectLocality IPAddress="192.168.1.96" DNSAddress="osso.customer.com" />
<lib:AuthnContext>
<lib:AuthnContextClassRef>
http://www.projectliberty.org/schemas/authctx/classes/Password</lib:AuthnContextClassRef>
<lib:AuthnContextStatementRef>
http://www.projectliberty.org/schemas/authctx/classes/Password</lib:AuthnContextStatementRef>
</lib:AuthnContext>
</saml:AuthenticationStatement>
</saml:Assertion>
<lib:ProviderID>
http://osso.customer.com:8080/opensso/cdcservlet</lib:ProviderID>
</lib:AuthnResponse>
|
Note that the time difference between the NotBefore and NotOnOrAfter times is exactly one minute. The specified time period implies that the clocks on the OpenSSO server and the policy agent host need to be well synchronized. If possible, servers in an OpenSSO infrastructure should be synchronized by an automated protocol such as NTP.
The value of the NameIdentifier element represents the user's new restricted SSO token. You can see this value being set as a cookie in the next response.
10. Web Server Renders Originally Requested Page
The policy agent has inspected the SAML assertion and validated its contents. Remember that the content of the SAML assertion also contains the new restricted SSO token. You can see that the response from the policy agent contains a Set-Cookie directive that sets the new cookie in the user's browser. The browser now has two SSO Tokens. The master SSO token is used for the OpenSSO server and is limited to the osso.customer.com domain. The restricted SSO token is used for the policy agent host agent.customer.com.
|
HTTP/1.x 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 25 Feb 2009 18:08:00 GMT
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwLe10zMVcAZrzjMEldBn0m7UGuCUpIJSs%3D%40AAJTSQACMDE%3D%23;Path=/
Content-Type: text/html
Last-Modified: Mon, 16 Feb 2009 13:28:23 GMT
Content-Length: 12038
Etag: "2f06-499969f7"
Accept-Ranges: bytes
----------------------------------------------------------
|
Firefox, combined with the Live HTTP Headers and HackBar Add-ons, is a powerful troubleshooting tool. Inspecting the traffic flowing through a browser can provide valuable insight into the transactions that comprise an OpenSSO solution. This example shows how enabling the Cross-Domain Single Sign-On feature increases the amount of traffic passed through the user's browser. This data can seem overwhelming at first. With the help of the HackBar Add-on you can decode the data and really understand the interaction between the policy agent and the OpenSSO server.
More examples will be added as they become available:
Do you have comments about this article? We welcome your participation in our community. Please keep your comments civil and on point. You may optionally provide your email address to be notified of replies - your information is not used for any other purpose. By submitting a comment, you agree to these Terms of Use.
|
 Jim Faut, a Technical Manager in Sun Federal's Professional Services group, specializes in OpenSSO, GlassFish, Identity Manager, and Portal deployments. He has been deploying solutions with Java technology since 1999. Jim's blog focuses on Sun software products and related technologies. |
 Rick Palkovic is a staff writer for Sun Developer Network. He has written about the Solaris OS and Java technologies for longer than he likes to admit, composing everything from man pages to technical white papers.
|
|
Print-friendly Version
