picketlink · pedroigor · Dec 15, 2014 · Dec 15, 2014
diff --git a/...rc/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/AbstractIDPValve.java b/...rc/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/AbstractIDPValve.java
@@ -957,10 +957,16 @@ protected void processSAMLRequestMessage(Request request, Response response, Req
         try {
             // if the destination is null, probably because some error occur during authentication, use the AuthnRequest
             // AssertionConsumerServiceURL as the destination
-            if (destination == null && samlObject instanceof AuthnRequestType) {
+            boolean forceAuthn = false;
+
+            if (samlObject instanceof AuthnRequestType) {
                 AuthnRequestType authRequest = (AuthnRequestType) samlObject;
 
-                destination = authRequest.getSenderURL().toASCIIString();
+                if (destination == null) {
+                    destination = authRequest.getSenderURL().toASCIIString();
+                }
+
+                forceAuthn = authRequest.isForceAuthn();
             }
 
             // if destination is still empty redirect the user to the identity url. If the user is already authenticated he
@@ -998,6 +1004,10 @@ protected void processSAMLRequestMessage(Request request, Response response, Req
                     auditHelper.audit(auditEvent);
                 }
 
+                if (forceAuthn) {
+                    session.expire();
+                }
+
                 webRequestUtil.send(holder);
             } else if (destination != null) {
                 response.sendRedirect(destination);

diff --git a/...org/picketlink/identity/federation/bindings/wildfly/sp/SPFormAuthenticationMechanism.java b/...org/picketlink/identity/federation/bindings/wildfly/sp/SPFormAuthenticationMechanism.java
@@ -126,6 +126,7 @@
 public class SPFormAuthenticationMechanism extends ServletFormAuthenticationMechanism {
 
     private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    public static final String INITIAL_LOCATION_STORED = "org.picketlink.federation.saml.initial_location";
 
     protected transient String samlHandlerChainClass = null;
 
@@ -250,6 +251,7 @@ public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange,
 
         // General User Request
         if (!isNotNull(samlRequest) && !isNotNull(samlResponse)) {
+            session.setAttribute(INITIAL_LOCATION_STORED, true);
             storeInitialLocation(exchange);
             return generalUserRequest(exchange,securityContext);
         }
@@ -569,12 +571,14 @@ private AuthenticationMechanismOutcome handleSAML2Response(HttpServerExchange ht
                     // Store the authenticated principal in the session.
                     session.setAttribute(FORM_ACCOUNT_NOTE, account);
 
-                    // Redirect to the original URL.  Note that this will trigger the
-                    // authenticator again, but on resubmission we will look in the
-                    // session notes to retrieve the authenticated principal and
-                    // prevent reauthentication
-                    handleRedirectBack(httpServerExchange);
-                    httpServerExchange.endExchange();
+                    if (session.getAttribute(INITIAL_LOCATION_STORED) != null) {
+                        // Redirect to the original URL.  Note that this will trigger the
+                        // authenticator again, but on resubmission we will look in the
+                        // session notes to retrieve the authenticated principal and
+                        // prevent reauthentication
+                        handleRedirectBack(httpServerExchange);
+                        httpServerExchange.endExchange();
+                    }
                 }
                 return AuthenticationMechanismOutcome.AUTHENTICATED;
             }
@@ -1062,7 +1066,14 @@ public AuthenticationMechanismOutcome handleSAML11UnsolicitedResponse(HttpServle
         // See if we got a response from IDP
         if (isNotNull(samlResponse)) {
             try {
-                InputStream base64DecodedResponse = RedirectBindingUtil.base64DeflateDecode(samlResponse);
+                InputStream base64DecodedResponse = null;
+
+                if ("GET".equalsIgnoreCase(request.getMethod())) {
+                    base64DecodedResponse = RedirectBindingUtil.base64DeflateDecode(samlResponse);
+                } else {
+                    base64DecodedResponse = PostBindingUtil.base64DecodeAsStream(samlResponse);
+                }
+
                 SAMLParser parser = new SAMLParser();
                 SAML11ResponseType saml11Response = (SAML11ResponseType) parser.parse(base64DecodedResponse);