I have followed the steps in this tutorial to retrieve a ssoTokenID in my HTTP response header from the WSO2 Identity Server 4.1.0. I am running this locally.
I also have the the IdentitySAMLSSOService available at:
https://localhost:9443/services/IdentitySAMLSSOService?wsdl
This service provides 3 operations:
- authenticate
- doSingleLogout
- validateRequest
Using the authenticate operation, I want to verify that the user is indeed logged in. I expect to use the ssoTokenId that I have retrieved earlier. Also, I assume that the JSESSIONID is not relevant at this point.
ssoTokenId=1E5F811E2FAC8AFBEE31621E889DE3FD
I have used soapUI to start a SOAP request to the authenticate service. I have added basic authentication username/password.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
<soap:Header/>
<soap:Body>
<xsd:authenticate>
<!--Optional:-->
<xsd:authReqDTO>
<!--Optional:-->
<xsd1:assertionConsumerURL>http://localhost:8080/saml2.demo/consumer</xsd1:assertionConsumerURL>
<!--Optional:-->
<xsd1:assertionString></xsd1:assertionString>
<!--Optional:-->
<xsd1:certAlias></xsd1:certAlias>
<!--Optional:-->
<xsd1:claim></xsd1:claim>
<!--Optional:-->
<xsd1:doSignAssertions>false</xsd1:doSignAssertions>
<!--Optional:-->
<xsd1:doSingleLogout>false</xsd1:doSingleLogout>
<!--Optional:-->
<xsd1:id></xsd1:id>
<!--Optional:-->
<xsd1:issuer>saml2.demo</xsd1:issuer>
<!--Optional:-->
<xsd1:loginPageURL></xsd1:loginPageURL>
<!--Optional:-->
<xsd1:logoutURL></xsd1:logoutURL>
<!--Optional:-->
<xsd1:nameIDFormat></xsd1:nameIDFormat>
<!--Optional:-->
<xsd1:password></xsd1:password>
<!--Zero or more repetitions:-->
<xsd1:requestedClaims></xsd1:requestedClaims>
<!--Optional:-->
<xsd1:rpSessionId>1E5F811E2FAC8AFBEE31621E889DE3FD</xsd1:rpSessionId>
<!--Optional:-->
<xsd1:stratosDeployment>false</xsd1:stratosDeployment>
<!--Optional:-->
<xsd1:subject></xsd1:subject>
<!--Optional:-->
<xsd1:useFullyQualifiedUsernameAsSubject>false</xsd1:useFullyQualifiedUsernameAsSubject>
<!--Optional:-->
<xsd1:username></xsd1:username>
</xsd:authReqDTO>
<!--Optional:-->
<xsd:sessionId></xsd:sessionId>
</xsd:authenticate>
</soap:Body>
</soap:Envelope>
I received the following response:
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body>
<ns:authenticateResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2301:SAMLSSORespDTO" xmlns:ax2299="http://base.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ax2301="http://dto.saml.sso.identity.carbon.wso2.org/xsd">
<ax2301:assertionConsumerURL xsi:nil="true"/>
<ax2301:errorMsg>login.fail.message</ax2301:errorMsg>
<ax2301:loginPageURL xsi:nil="true"/>
<ax2301:respString><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="dgjkpdhojndphkhklhlpcdjnbakojekiajbflpjp" IssueInstant="2013-07-11T08:46:32.008Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:9443/samlsso</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/><saml2p:StatusMessage>login.fail.message</saml2p:StatusMessage></saml2p:Status></saml2p:Response>]]></ax2301:respString>
<ax2301:sessionEstablished>false</ax2301:sessionEstablished>
<ax2301:subject xsi:nil="true"/>
</ns:return>
</ns:authenticateResponse>
</soapenv:Body>
</soapenv:Envelope>
I have tried to add the value of ssoTokenId in different places:
- I have tried adding the value of
ssoTokenIDto<xsd1:rpSessionId> - I have also tried to add it to
<xsd:sessionId> - Also tried adding it to the header of the SOAP request.
Unfortunately, in all cases, there is a login.fail.message. What is the proper way to check if a user is already authenticated?
