TODO

  • Build the app
    • Build an app equivalent to the sample from scratch
    • Try federated authentication with Google
  • SP
    • Check SAML2LoginModule
    • Check the handler code
    • Check the element schema
    • Check whether specifying FORM authentication is required
    • Check the configuration files
  • IdP
  • Check the signed sample
  • Run it on Tomcat

DONE

  • Check the logs


1.1. On request to /sales/ (1)
The fixed prefix of each log line is omitted.

REQUEST URI       =/sales/
          authType=null
 characterEncoding=null
     contentLength=-1
       contentType=null
       contextPath=/sales
            cookie=JSESSIONID=CBDAFB23F28D90849E23CB3DD676DB0F
            header=host=localhost:8080
            header=user-agent=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
            header=accept=application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            header=accept-language=ja-jp
            header=accept-encoding=gzip, deflate
            header=cookie=JSESSIONID=CBDAFB23F28D90849E23CB3DD676DB0F
            header=connection=keep-alive
            locale=ja_JP
            method=GET
          pathInfo=null
          protocol=HTTP/1.1
       queryString=null
        remoteAddr=127.0.0.1
        remoteHost=127.0.0.1
        remoteUser=null
requestedSessionId=CBDAFB23F28D90849E23CB3DD676DB0F
            scheme=http
        serverName=localhost
        serverPort=8080
       servletPath=/index.jsp
          isSecure=false

1.2. On request to /sales/ (2)

TRACE [org.jboss.security.plugins.JaasSecurityManager] (http-0.0.0.0-8080-1) Constructing
DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@7556d1e2
DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@24c560f1
DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@24c560f1

1.3. On request to /sales/ (3)

TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Handlers are:[org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1477696b, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@2ba9fa4c]
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Handlers are : [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1477696b, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@2ba9fa4c]
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
TRACE [org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor] (http-0.0.0.0-8080-1) Finished Processing handler:org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler
TRACE [org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator] (http-0.0.0.0-8080-1) SAML Document=<ns3:AuthnRequest xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" AssertionConsumerServiceURL="http://localhost:8080/sales/" ID="ID_24c6a996-5696-4556-b872-e7c875cb07f1" IssueInstant="2011-05-25T00:09:13.123+09:00" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><Issuer>http://localhost:8080/sales/</Issuer></ns3:AuthnRequest>
TRACE [org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator] (http-0.0.0.0-8080-1) URL used for sending:http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP

2.1. Response from /sales/

     authType=null
contentLength=-1
  contentType=null
       cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8; domain=null; path=/sales
       header=Pragma=no-cache
       header=Cache-Control=no-cache, no-store
       header=Expires=Thu, 01 Jan 1970 09:00:00 JST
       header=Set-Cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8; Path=/sales
       header=Location=http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP
      message=null
   remoteUser=null
       status=302

2.2. SAML Request

<?xml version="1.0"?>
<ns3:AuthnRequest
   xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
   xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" 
   xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" 
   AssertionConsumerServiceURL="http://localhost:8080/sales/" 
   ID="ID_24c6a996-5696-4556-b872-e7c875cb07f1" 
   IssueInstant="2011-05-25T00:09:13.123+09:00" 
   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
   Version="2.0">
 <Issuer>http://localhost:8080/sales/</Issuer>
</ns3:AuthnRequest>

3.1. On redirect to /idp/ (1)

2011-05-25 00:09:13,446 DEBUG [org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve] (http-0.0.0.0-8080-1) SP Sent::Method = GET
SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9/o5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo+3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle/PP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz/W9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y/JwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd+B0CCxWlSN53edHp7eVLrI0J+17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP
SAMLResponse=null
true

3.2. On redirect to /idp/ (2)

[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Storing the SAMLRequest/SAMLResponse and RelayState in session
[org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) Creating SDC for domain=jboss-web-policy
[org.jboss.security.plugins.JaasSecurityManager] (http-0.0.0.0-8080-1) Constructing
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@7556d1e2
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) CachePolicy set to: org.jboss.util.TimedCachePolicy@37fa3ed9
[org.jboss.security.integration.JNDIBasedSecurityManagement] (http-0.0.0.0-8080-1) setCachePolicy, c=org.jboss.util.TimedCachePolicy@37fa3ed9
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Referer in finally block=null:user principal=null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:{}

4.1. On submit of the /idp/ form (1)

2011-05-25 00:09:23,083 DEBUG [org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve] (http-0.0.0.0-8080-1) SP Sent::Method = POST
SAMLRequest=null
SAMLResponse=null
true

4.2. On submit of the /idp/ form (2): user and roles set

[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) Begin isValid, principal:tomcat, cache info: null
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) defaultLogin, principal=tomcat
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) Begin getAppConfigurationEntry(jboss-web-policy), size=12
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) End getAppConfigurationEntry(jboss-web-policy), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:

[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) initialize
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Security domain: other
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) findResource: null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Properties file=vfsfile:/opt/as/jboss-5.1.0.GA/server/default/deploy/idp.war/WEB-INF/classes/users.properties, defaults=null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Loaded properties, users=[tomcat]
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) findResource: null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Properties file=vfsfile:/opt/as/jboss-5.1.0.GA/server/default/deploy/idp.war/WEB-INF/classes/roles.properties, defaults=null
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Loaded properties, users=[tomcat]
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) login
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) User 'tomcat' authenticated, loginOk=true
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) commit, loginOk=true
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Checking user: tomcat, roles string: manager,sales,employee
[org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8080-1) Adding to Roles: manager,sales,employee
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@2f2be3d9, subject=Subject(1786500032).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) updateCache, inputSubject=Subject(1786500032).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)), cacheSubject=Subject(1561168454).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@23f12964[Subject(1561168454).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553453]
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) End isValid, true
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.jboss-web-policy] (http-0.0.0.0-8080-1) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@23f12964[Subject(1561168454).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553453]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Referer in finally block=http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP:user principal=null

5.1. On redirect to /idp/ (1)

2011-05-25 00:09:23,104 DEBUG [org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve] (http-0.0.0.0-8080-1) SP Sent::Method = GET
SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9/o5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo+3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle/PP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz/W9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y/JwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd+B0CCxWlSN53edHp7eVLrI0J+17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP
SAMLResponse=null
true

5.2. On redirect to /idp/ (2): SAML Response created

[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Storing the SAMLRequest/SAMLResponse and RelayState in session
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Referer in finally block=null:user principal=GenericPrincipal[tomcat(employee,manager,sales,)]
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Retrieved saml messages and relay state from sessionsaml Request message=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9/o5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo+3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle/PP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz/W9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y/JwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd+B0CCxWlSN53edHp7eVLrI0J+17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP::SAMLResponseMessage=null:relay state=nullSignature=null::sigAlg=null
[org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (http-0.0.0.0-8080-1) Handlers are=[org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler@204db0e4, org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@4c98594d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@260ef584, org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler@2018c0a1]
[org.picketlink.identity.federation.web.util.IDPWebRequestUtil] (http-0.0.0.0-8080-1) Domains that IDP trusts=localhost,jboss.com,jboss.org and issuer domain=localhost
[org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler] (http-0.0.0.0-8080-1) Domains that IDP trusts=localhost,jboss.com,jboss.org and issuer domain=localhost
[org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler] (http-0.0.0.0-8080-1) AssertionConsumerURL=http://localhost:8080/sales/::assertion validity=300000
[org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler] (http-0.0.0.0-8080-1) Response=<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns3:Response Destination="http://localhost:8080/sales/" IssueInstant="2011-05-25T00:09:23.117+09:00" Version="2.0" InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" ID="ID_4573ac56-abf5-40a3-85d0-01500328f844" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer>http://localhost:8080/idp/</Issuer><ns3:Status><ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns3:Status><Assertion IssueInstant="2011-05-25T00:09:23.117+09:00" ID="ID_99a02bcc-1a82-4b6c-8040-d3fa418cad90" Version="2.0"><Issuer>http://localhost:8080/idp/</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tomcat</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" Recipient="http://localhost:8080/sales/" NotOnOrAfter="2011-05-25T00:09:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/></SubjectConfirmation></Subject><Conditions NotOnOrAfter="2011-05-25T00:14:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/><AttributeStatement><Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">employee</AttributeValue></Attribute><Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">manager</AttributeValue></Attribute><Attribute FriendlyName="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role"><AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">sales</AttributeValue></Attribute></AttributeStatement></Assertion></ns3:Response>
[org.picketlink.identity.federation.web.util.IDPWebRequestUtil] (http-0.0.0.0-8080-1) IDP:Destination=http://localhost:8080/sales/
[org.picketlink.identity.federation.web.util.IDPWebRequestUtil] (http-0.0.0.0-8080-1) Redirecting to=http://localhost:8080/sales/?SAMLResponse=7ZVba9swFMe%2FStAehyL5ltjCMWQNhUAv0JSytyHLx4mGLRlJIe23n%2Bw2aTrSdIyxl%2B0lKIefzuV%2FzpFzZSN2B7bTysLosW2UZd40Q1ujmOZW%2Br%2B8BcucYKv59RULx5R1RjstdIOeL5yHubVgnNQKHdyHM7RxrmOE7Ha78S4aa7MmIaWU0Ix4qLJy%2FekVj9%2FBA0LjHgclPL0A66TifaQD32jBm422jqU0pcTyBixBo%2BVihpaLb3EyjbhIJpiXdYJjyiOcJhXFNEgojcK0TuPYw2ovz70eroWxmPAsm%2BBk4n%2FixDso02mIYSrSaSJKOq0Df83aLSyVdVy5GQppEGCa4DC5p5TRjIXROAimn%2F2JUjR6AGOHvL1gqMiHu6Y4XYSsOpKTFyTv27dy3G3t8flCVzB64M0WzvfGDjRbbYUAaxEpcnLscL5v3V6xLOM0LIXAAU9DHJcTgVMaU1xFNY%2BDVPAqo3%2Bt9NW2%2FA7CFfmNr2u5GF1q03J3vuDeIitcDyjr%2BtjWgXKocLoV3OXk2dnB%2B4VWtezhXoVrcBtdnY8gWlYCN2DQSR8L7vjvjtSNdl%2FApw4fiurJW3Vr5rUD8yF8B0J2EvpenV2bfjpOVPRqLXJvr2RvtH8o2SB%2BC%2Fsc5s4ZWW4d9FMKrc%2F7yDa6NL6Sqnnq2zhDRjfgA%2Fx0%2FpVB4d5jb92PSuk5gY4iDdv18kQ92ndfqK%2FXVyuxgZajAys%2FhrEctkf4hD3P3FPnC3i0fl%2BNVGtUQNs1%2BgkgJ2%2FzKY4M%2F54qLVd8Dea%2FKMeiDMt7XhJyaqXI4fF%2F%2BSjsn6ziBw%3D%3D
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:null
[org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8080-1) Setting threadlocal:{}

5.3. On redirect to /idp/ (3): SAML Response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:Response
    xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" 
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" 
    xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" 
    Destination="http://localhost:8080/sales/" 
    IssueInstant="2011-05-25T00:09:23.117+09:00" 
    Version="2.0" 
    InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" 
    ID="ID_4573ac56-abf5-40a3-85d0-01500328f844">
 <Issuer>http://localhost:8080/idp/</Issuer>
 <ns3:Status>
  <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
 </ns3:Status>
 <Assertion IssueInstant="2011-05-25T00:09:23.117+09:00" 
     ID="ID_99a02bcc-1a82-4b6c-8040-d3fa418cad90" Version="2.0">
  <Issuer>http://localhost:8080/idp/</Issuer>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
     tomcat
   </NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData 
        InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" 
        Recipient="http://localhost:8080/sales/" 
        NotOnOrAfter="2011-05-25T00:09:23.117+09:00" 
        NotBefore="2011-05-25T00:09:23.117+09:00"/>
   </SubjectConfirmation>
  </Subject>
  <Conditions 
      NotOnOrAfter="2011-05-25T00:14:23.117+09:00" 
      NotBefore="2011-05-25T00:09:23.117+09:00"/>
  <AttributeStatement>
   <Attribute FriendlyName="role" 
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
    <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:type="xs:string">
      employee
    </AttributeValue>
   </Attribute>
   <Attribute FriendlyName="role" 
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
       Name="role">
    <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:type="xs:string">
      manager
    </AttributeValue>
   </Attribute>
   <Attribute FriendlyName="role" 
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role">
    <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      sales
    </AttributeValue>
   </Attribute>
  </AttributeStatement>
 </Assertion>
</ns3:Response>

6.1. On redirect to /sales/ (1)

REQUEST URI       =/sales/
          authType=null
 characterEncoding=null
     contentLength=-1
       contentType=null
       contextPath=/sales
            cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8
            header=host=localhost:8080
            header=origin=http://localhost:8080
            header=accept-encoding=gzip, deflate
            header=accept-language=ja-jp
            header=user-agent=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
            header=accept=application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            header=referer=http://localhost:8080/idp/?SAMLRequest=fdFdS8MwFAbgv1LipbQ5Tb9DO5juwoHi2Kq3kmVxK3TJzEmtP9%2Fo5gTB3YQkPCcv56TWmPDp4HZ6qd4GhS742Pcaub9uyGA1NwI7fxR7hdxJvpo%2B3HMWAT9Y44w0PTkWXMYCUVnXGU3Oz7OG7Jw7cErHcYzGJDJ2SxkAUKioRxvstle%2FPP2HxxTSL6609Hr6k3NrNA57ZVfKvndSPS3vz%2FW9kaLfGXS8hBIoil4hJcF81pD57IWlMhdVlYdZ7pc0y%2FJwXRYsVIUsi0yuoXiNPUYc1FyjE9o1hEEch5CFLGsBOFQ8TqKYJdd%2BB0CCxWlSN53edHp7eVLrI0J%2B17aLcPG4aknwrCz6nnxQBGRSf4fbyaV2anpCNf37v5NP
            header=cookie=JSESSIONID=0804A3AF261E8E9E5355B4801A2EC5F8
            header=connection=keep-alive
            locale=ja_JP
            method=GET
         parameter=SAMLResponse=7ZVba9swFMe/StAehyL5ltjCMWQNhUAv0JSytyHLx4mGLRlJIe23n+w2aTrSdIyxl+0lKIefzuV/zpFzZSN2B7bTysLosW2UZd40Q1ujmOZW+r+8BcucYKv59RULx5R1RjstdIOeL5yHubVgnNQKHdyHM7RxrmOE7Ha78S4aa7MmIaWU0Ix4qLJy/ekVj9/BA0LjHgclPL0A66TifaQD32jBm422jqU0pcTyBixBo+VihpaLb3EyjbhIJpiXdYJjyiOcJhXFNEgojcK0TuPYw2ovz70eroWxmPAsm+Bk4n/ixDso02mIYSrSaSJKOq0Df83aLSyVdVy5GQppEGCa4DC5p5TRjIXROAimn/2JUjR6AGOHvL1gqMiHu6Y4XYSsOpKTFyTv27dy3G3t8flCVzB64M0WzvfGDjRbbYUAaxEpcnLscL5v3V6xLOM0LIXAAU9DHJcTgVMaU1xFNY+DVPAqo3+t9NW2/A7CFfmNr2u5GF1q03J3vuDeIitcDyjr+tjWgXKocLoV3OXk2dnB+4VWtezhXoVrcBtdnY8gWlYCN2DQSR8L7vjvjtSNdl/Apw4fiurJW3Vr5rUD8yF8B0J2EvpenV2bfjpOVPRqLXJvr2RvtH8o2SB+C/sc5s4ZWW4d9FMKrc/7yDa6NL6Sqnnq2zhDRjfgA/x0/pVB4d5jb92PSuk5gY4iDdv18kQ92ndfqK/XVyuxgZajAys/hrEctkf4hD3P3FPnC3i0fl+NVGtUQNs1+gkgJ2/zKY4M/54qLVd8Dea/KMeiDMt7XhJyaqXI4fF/+Sjsn6ziBw==
          pathInfo=null
          protocol=HTTP/1.1
       queryString=SAMLResponse=7ZVba9swFMe%2FStAehyL5ltjCMWQNhUAv0JSytyHLx4mGLRlJIe23n%2Bw2aTrSdIyxl%2B0lKIefzuV%2FzpFzZSN2B7bTysLosW2UZd40Q1ujmOZW%2Br%2B8BcucYKv59RULx5R1RjstdIOeL5yHubVgnNQKHdyHM7RxrmOE7Ha78S4aa7MmIaWU0Ix4qLJy%2FekVj9%2FBA0LjHgclPL0A66TifaQD32jBm422jqU0pcTyBixBo%2BVihpaLb3EyjbhIJpiXdYJjyiOcJhXFNEgojcK0TuPYw2ovz70eroWxmPAsm%2BBk4n%2FixDso02mIYSrSaSJKOq0Df83aLSyVdVy5GQppEGCa4DC5p5TRjIXROAimn%2F2JUjR6AGOHvL1gqMiHu6Y4XYSsOpKTFyTv27dy3G3t8flCVzB64M0WzvfGDjRbbYUAaxEpcnLscL5v3V6xLOM0LIXAAU9DHJcTgVMaU1xFNY%2BDVPAqo3%2Bt9NW2%2FA7CFfmNr2u5GF1q03J3vuDeIitcDyjr%2BtjWgXKocLoV3OXk2dnB%2B4VWtezhXoVrcBtdnY8gWlYCN2DQSR8L7vjvjtSNdl%2FApw4fiurJW3Vr5rUD8yF8B0J2EvpenV2bfjpOVPRqLXJvr2RvtH8o2SB%2BC%2Fsc5s4ZWW4d9FMKrc%2F7yDa6NL6Sqnnq2zhDRjfgA%2Fx0%2FpVB4d5jb92PSuk5gY4iDdv18kQ92ndfqK%2FXVyuxgZajAys%2FhrEctkf4hD3P3FPnC3i0fl%2BNVGtUQNs1%2BgkgJ2%2FzKY4M%2F54qLVd8Dea%2FKMeiDMt7XhJyaqXI4fF%2F%2BSjsn6ziBw%3D%3D
        remoteAddr=127.0.0.1
        remoteHost=127.0.0.1
        remoteUser=null
requestedSessionId=0804A3AF261E8E9E5355B4801A2EC5F8
            scheme=http
        serverName=localhost
        serverPort=8080
       servletPath=/index.jsp
          isSecure=false

6.2. On redirect to /sales/ (2)

[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil] (http-0.0.0.0-8080-1) Now=2011-05-25T00:09:23.270+09:00 ::notBefore=2011-05-25T00:09:23.117+09:00::notOnOrAfter=2011-05-25T00:14:23.117+09:00
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) Begin isValid, principal:tomcat, cache info: null
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) defaultLogin, principal=tomcat
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) Begin getAppConfigurationEntry(sp), size=12
[org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8080-1) End getAppConfigurationEntry(sp), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule
ControlFlag: LoginModuleControlFlag: required
Options:

[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) initialize
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) Security domain: sp
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) login
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) User 'tomcat' authenticated, loginOk=true
[org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) commit, loginOk=true
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@1e5dfa5e, subject=Subject(736116965).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) updateCache, inputSubject=Subject(736116965).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)), cacheSubject=Subject(264540388).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager))
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@320470d2[Subject(264540388).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553095]
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) End isValid, true
[org.jboss.security.plugins.auth.JaasSecurityManagerBase.sp] (http-0.0.0.0-8080-1) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@320470d2[Subject(264540388).principals=org.jboss.security.SimplePrincipal@1429394820(tomcat)org.jboss.security.SimpleGroup@1737169117(Roles(members:employee,sales,manager)),credential.class=java.lang.String@620880001,expirationTime=1306251553095]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
[org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
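
The SP-side checks that sections 2.2, 5.3 and 6.2 show, as an added Python example (not PicketLink's code): it parses the 5.3 Response, embedded with unused namespace declarations and xsi:type attributes dropped, ties it to the stored AuthnRequest ID and ACS URL, applies the issuer trust list from 5.2 and the Conditions window AssertionUtil logs in 6.2, and extracts the NameID and roles. Because in this Response the SubjectConfirmationData NotOnOrAfter equals its NotBefore and the 5.2 trace logs Signature=null, both facts are reported as warnings rather than silently accepted.

```python
"""SP-side validation of the section 5.3 SAML Response against the section 2.2
AuthnRequest: the checks the trace shows (InResponseTo, Destination/Recipient, issuer
trust list, Conditions window) plus the NameID and roles SAML2LoginModule consumes."""
from datetime import datetime
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Values from the trace: the AuthnRequest ID and ACS URL the SP stored (2.2), the IdP
# trust list logged by SAML2IssuerTrustHandler (5.2), and the AssertionUtil "Now" (6.2).
REQUEST_ID = "ID_24c6a996-5696-4556-b872-e7c875cb07f1"
ACS_URL = "http://localhost:8080/sales/"
TRUSTED_DOMAINS = {"localhost", "jboss.com", "jboss.org"}
SP_NOW = "2011-05-25T00:09:23.270+09:00"

# The section 5.3 Response, with unused namespace declarations and xsi:type dropped.
RESPONSE_XML = """<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://localhost:8080/sales/"
 IssueInstant="2011-05-25T00:09:23.117+09:00" Version="2.0"
 InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1" ID="ID_4573ac56-abf5-40a3-85d0-01500328f844">
 <Issuer>http://localhost:8080/idp/</Issuer>
 <ns3:Status><ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns3:Status>
 <Assertion IssueInstant="2011-05-25T00:09:23.117+09:00" ID="ID_99a02bcc-1a82-4b6c-8040-d3fa418cad90" Version="2.0">
  <Issuer>http://localhost:8080/idp/</Issuer>
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tomcat</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="ID_24c6a996-5696-4556-b872-e7c875cb07f1"
     Recipient="http://localhost:8080/sales/"
     NotOnOrAfter="2011-05-25T00:09:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/>
   </SubjectConfirmation>
  </Subject>
  <Conditions NotOnOrAfter="2011-05-25T00:14:23.117+09:00" NotBefore="2011-05-25T00:09:23.117+09:00"/>
  <AttributeStatement>
   <Attribute Name="role"><AttributeValue>employee</AttributeValue></Attribute>
   <Attribute Name="role"><AttributeValue>manager</AttributeValue></Attribute>
   <Attribute Name="role"><AttributeValue>sales</AttributeValue></Attribute>
  </AttributeStatement>
 </Assertion>
</ns3:Response>"""


def validate_response(xml_text, request_id, acs_url, trusted_domains, now_iso):
    """Return {"errors", "warnings", "nameid", "roles"}; log the user in only if errors is empty."""
    errors, warnings = [], []
    now = datetime.fromisoformat(now_iso)
    root = ET.fromstring(xml_text.encode("utf-8"))
    # The Response must answer the AuthnRequest this browser session issued.
    if root.get("InResponseTo") != request_id:
        errors.append("InResponseTo does not match the stored AuthnRequest ID")
    if root.get("Destination") != acs_url:
        errors.append("Destination is not this SP's AssertionConsumerService URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        errors.append("StatusCode is not Success")
    # Issuer trust is decided on the host part of the Issuer URL, as the 5.2 trace shows.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if urlparse(issuer).hostname not in trusted_domains:
        errors.append("issuer %r is not in the trust list" % issuer)
    # The trace logs Signature=null; without one, none of the checked values is integrity-protected.
    if root.find(".//ds:Signature", NS) is None:
        warnings.append("no ds:Signature on Response or Assertion")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("Response carries no Assertion")
        return {"errors": errors, "warnings": warnings, "nameid": None, "roles": []}
    # Conditions window, the check AssertionUtil logs: NotBefore <= Now < NotOnOrAfter.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (datetime.fromisoformat(cond.get("NotBefore")) <= now
                            < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        errors.append("Conditions missing or outside window at %s" % now_iso)
    # Bearer confirmation must name the same request and ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        errors.append("SubjectConfirmationData InResponseTo/Recipient mismatch")
    elif datetime.fromisoformat(scd.get("NotOnOrAfter")) <= now:
        # In the sample NotOnOrAfter equals NotBefore, so a strict bearer check would reject it.
        warnings.append("SubjectConfirmationData NotOnOrAfter has already passed")
    nameid = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    roles = [v.text.strip() for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    return {"errors": errors, "warnings": warnings, "nameid": nameid, "roles": roles}


if __name__ == "__main__":
    print(validate_response(RESPONSE_XML, REQUEST_ID, ACS_URL, TRUSTED_DOMAINS, SP_NOW))
```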

6.3. On redirect to /sales/ (3)

     authType=FORM
contentLength=-1
  contentType=text/html;charset=ISO-8859-1
       header=Pragma=No-cache
       header=Cache-Control=no-cache
       header=Expires=Thu, 01 Jan 1970 09:00:00 JST
       header=X-Powered-By=Servlet 2.5; JBoss-5.0/JBossWeb-2.1
      message=null
   remoteUser=tomcat
       status=200