Missing context attributes
This was a really strange one. The Guanxi SSO and AA share Principals via the servlet context, which groups all the servlets in a webapp and allows them to share information.
The SSO creates the Principal, puts it in the servlet context and the AA picks it up later to match it against a SAML Request.
Well, for some reason, the AA was getting the servlet context but the attribute set by the SSO was missing.
The IdP’s SSO is at http://guanxi.uhi.ac.uk/idp/SSO
Here’s what was wrong. In Tomcat’s server.xml, the IdP’s context wasn’t mapped to its own path. Instead, the idp webapp was being served by the default context:
<Context path="" docBase="idp">
…
</Context>
i.e. http://guanxi.uhi.ac.uk/idp/SSO was being mapped to the default context above.
Now, the WAYF was redirecting to http://guanxi.uhi.ac.uk/SSO, which mapped to the default context in Tomcat. However, the Guanxi SP’s metadata for the IdP was pointing to http://guanxi.uhi.ac.uk/idp/AA. As far as Tomcat was concerned the /idp context was different from the / context so the AA was getting a completely new context and not the same one the SSO was using. Hence the missing attributes.
The fix was to sort the config! First, fix the Tomcat context:
<Context path="/idp" docBase="idp">
…
</Context>
and then change the WAYF to point to http://guanxi.uhi.ac.uk/idp/SSO
and lo and behold the AA’s attributes came back!
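The check I would want for this kind of bug, as an added example that is not part of the original post or of Guanxi: parse the <Context> elements from a server.xml, apply Tomcat’s longest-prefix context matching to the SSO and AA URLs, and confirm both land in the same context (the precondition for sharing ServletContext attributes). The server.xml fragments are constructed to reproduce the broken and fixed setups described above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed server.xml fragments (not from the post). BROKEN reproduces the
# situation the post describes: the idp webapp serves the default ("") context
# while a separate /idp context also exists, so /SSO and /idp/AA are two
# different webapps and therefore two different ServletContexts.
BROKEN_SERVER_XML = """<Server><Service><Engine><Host name="localhost">
  <Context path="" docBase="idp"/>
  <Context path="/idp" docBase="idp"/>
</Host></Engine></Service></Server>"""

# FIXED maps the idp webapp to /idp only, as in the corrected config above.
FIXED_SERVER_XML = """<Server><Service><Engine><Host name="localhost">
  <Context path="/idp" docBase="idp"/>
</Host></Engine></Service></Server>"""


def context_paths(server_xml):
    """Return the path of every <Context> declared under the Host."""
    return [c.get("path", "") for c in ET.fromstring(server_xml).iter("Context")]


def resolve_context(url, paths):
    """Pick the context Tomcat would route this URL to: the declared path that
    is the longest prefix of the request path, with "" matching everything.
    Returns None when no context matches."""
    req = urlparse(url).path
    candidates = [p for p in paths
                  if p == "" or req == p or req.startswith(p + "/")]
    return max(candidates, key=len) if candidates else None


def share_servlet_context(sso_url, aa_url, server_xml):
    """True only when the SSO and AA URLs land in the same Tomcat context,
    which is what lets the AA see the Principal the SSO stored."""
    paths = context_paths(server_xml)
    sso_ctx = resolve_context(sso_url, paths)
    aa_ctx = resolve_context(aa_url, paths)
    return sso_ctx is not None and sso_ctx == aa_ctx


if __name__ == "__main__":
    aa = "http://guanxi.uhi.ac.uk/idp/AA"
    print(share_servlet_context("http://guanxi.uhi.ac.uk/SSO", aa, BROKEN_SERVER_XML))
    print(share_servlet_context("http://guanxi.uhi.ac.uk/idp/SSO", aa, FIXED_SERVER_XML))
```

Note that with the fixed server.xml but the WAYF still pointing at /SSO the check also fails, since nothing serves the root path any more; both halves of the fix are needed.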