missing context attributes

Wed, Feb 8, 2006

This was a really strange one. The Guanxi SSO and AA share Principals via the servlet context, which groups all the servlets in a webapp and allows them to share information.

The SSO creates the Principal, puts it in the servlet context and the AA picks it up later to match it against a SAML Request.

Well, for some reason, the AA was getting the servlet context but the attribute set by the SSO was missing.

The IdP’s SSO is at http://guanxi.uhi.ac.uk/idp/SSO

Here’s what was wrong. In Tomcat’s server.xml, the IdP’s context wasn’t mapped. Instead, it was being defined by the default context:

<Context path="" docBase="idp"> ... </Context>

i.e. http://guanxi.uhi.ac.uk/idp/SSO was being mapped to the default context above.

Now, the WAYF was redirecting to http://guanxi.uhi.ac.uk/SSO, which mapped to the default context in Tomcat. However, the Guanxi SP’s metadata for the IdP was pointing to http://guanxi.uhi.ac.uk/idp/AA. As far as Tomcat was concerned the /idp context was different from the / context so the AA was getting a completely new context and not the same one the SSO was using. Hence the missing attributes.

The fix was to sort the config! First, fix the Tomcat context:

<Context path="/idp" docBase="idp"> ... </Context>

and then change the WAYF to point to http://guanxi.uhi.ac.uk/idp/SSO

and lo and behold the AA’s attributes came back!
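To make the failure mode concrete, here is an added example (not Guanxi or Tomcat code) that models Tomcat's request-path-to-context mapping and the one-attribute-map-per-webapp rule of the servlet context. It replays the flow above with the two server.xml variants: in the broken one the idp webapp is deployed as the default context and (an assumption about how Tomcat picked up the idp directory) a second time as /idp, so the SSO and AA URLs land in different contexts; in the fixed one there is a single /idp context. The attribute name guanxi.principal and the principal value are constructed.

```python
"""Model of how Tomcat maps request paths onto webapp contexts, and why
two deployments of the same docBase do not share a ServletContext.
Constructed example, not Guanxi or Tomcat code."""
from typing import Dict, Optional
from urllib.parse import urlparse


class ServletContext:
    """Stand-in for javax.servlet.ServletContext: one attribute map per
    deployed webapp, visible only to the servlets of that deployment."""

    def __init__(self, context_path: str, doc_base: str) -> None:
        self.context_path = context_path
        self.doc_base = doc_base
        self.attributes: Dict[str, object] = {}


def deploy(contexts: Dict[str, str]) -> Dict[str, ServletContext]:
    """Each <Context path=... docBase=...> becomes its own ServletContext,
    even when two entries point at the same docBase."""
    return {path: ServletContext(path, doc_base) for path, doc_base in contexts.items()}


def resolve_context(request_path: str, deployed: Dict[str, ServletContext]) -> Optional[ServletContext]:
    """Tomcat-style mapping: the context whose path is the longest
    segment-wise prefix of the request path wins; "" is the default context."""
    best = None
    for path, ctx in deployed.items():
        if path == "" or request_path == path or request_path.startswith(path + "/"):
            if best is None or len(path) > len(best.context_path):
                best = ctx
    return best


def principal_seen_by_aa(contexts: Dict[str, str], sso_url: str, aa_url: str) -> Optional[str]:
    """Replay the post's flow: the SSO stores a Principal in the context its
    URL maps to, then the AA reads from the context its own URL maps to.
    Returns the principal the AA sees, or None when the attribute is missing."""
    deployed = deploy(contexts)
    sso_ctx = resolve_context(urlparse(sso_url).path, deployed)
    aa_ctx = resolve_context(urlparse(aa_url).path, deployed)
    if sso_ctx is None or aa_ctx is None:
        return None
    sso_ctx.attributes["guanxi.principal"] = "alice"  # constructed attribute name and value
    return aa_ctx.attributes.get("guanxi.principal")


# Broken server.xml: idp deployed as the default context AND (assumed, via
# automatic deployment of the idp directory) a second time as /idp.
BROKEN = {"": "idp", "/idp": "idp"}
# Fixed server.xml: a single /idp context.
FIXED = {"/idp": "idp"}

if __name__ == "__main__":
    # WAYF sends the browser to /SSO, SP metadata points at /idp/AA: different contexts.
    print(principal_seen_by_aa(BROKEN, "http://guanxi.uhi.ac.uk/SSO", "http://guanxi.uhi.ac.uk/idp/AA"))
    # Both endpoints under /idp: the AA sees what the SSO stored.
    print(principal_seen_by_aa(FIXED, "http://guanxi.uhi.ac.uk/idp/SSO", "http://guanxi.uhi.ac.uk/idp/AA"))
```

The useful check to carry away is the one in principal_seen_by_aa: resolve every endpoint the WAYF and the SP metadata advertise for the IdP through the deployed contexts and confirm they all land on the same context path, since anything stored in a ServletContext is invisible from another deployment of the same webapp.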
