2 Replies Latest reply on Feb 9, 2011 1:00 PM by anil.saldhana

    Picketlink on Novell Access Manager

    pipo1000

      Hello,

       

      I tried to get Picketlink 1.04 working on a Novell Access Manager IDP. It did not work out of the box, as the IDP returned the <AuthnStatement> before the <AttributeStatement> and the code in SAML2AuthenticationHandler did not expect this. As the XSD does permit this swap, I changed the code to the following:

       

               // Let us get the roles: visit every statement, whatever its position in the assertion
               for (Object s : assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement())
               {
                  // Only AttributeStatementType entries carry role attributes
                  if (s instanceof AttributeStatementType)
                  {
                     AttributeStatementType attributeStatement = (AttributeStatementType) s;
                     List<Object> attList = attributeStatement.getAttributeOrEncryptedAttribute();
                     for (Object obj : attList)
                     {
                        // The list may also hold encrypted attributes; skip anything that is not a plain attribute
                        if (!(obj instanceof AttributeType))
                           continue;
                        AttributeType attr = (AttributeType) obj;
                        List<Object> attributeValues = attr.getAttributeValue();
                        if (attributeValues != null)
                        {
                           for (Object attrValue : attributeValues)
                           {
                              if (attrValue instanceof String)
                              {
                                 roles.add((String) attrValue);
                              }
                              else if (attrValue instanceof Node)
                              {
                                 // DOM value: the role is the text of the first child node
                                 Node roleNode = (Node) attrValue;
                                 roles.add(roleNode.getFirstChild().getNodeValue());
                              }
                              else throw new RuntimeException("Unknown role object type : " + attrValue);
                           }
                        }
                     }
                  }
               }

       

      I loop through all sections and only parse the AttributeStatementType entries.

       

      Hopefully you can change this in the trunk and release it in 1.05? Let me know!

       

      Thanks,

       

      Edwin
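
The order-independent statement handling described in the post above, as an added example that is not part of the original post or of PicketLink's code. It reads a constructed assertion with plain JDK DOM classes instead of PicketLink's JAXB types and, going one step further than the post, keeps only the values of one named attribute; the `Role` attribute name and the `rolesFrom` and `isSaml` helpers are assumptions. It also assumes the assertion's signature and conditions were validated before this step.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class StatementOrderExample {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample: AuthnStatement comes before AttributeStatement.
    static final String SAMPLE =
        "<saml:Assertion xmlns:saml='" + NS + "' ID='_constructed' Version='2.0'>"
      + "<saml:AuthnStatement AuthnInstant='2011-02-09T12:00:00Z'/>"
      + "<saml:AttributeStatement><saml:Attribute Name='Role'>"
      + "<saml:AttributeValue>manager</saml:AttributeValue>"
      + "<saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>"
      + "<saml:Attribute Name='mail'><saml:AttributeValue>user@example.test</saml:AttributeValue>"
      + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>";

    static boolean isSaml(Node n, String localName) {
        return n.getNodeType() == Node.ELEMENT_NODE
            && NS.equals(n.getNamespaceURI()) && localName.equals(n.getLocalName());
    }

    static List<String> rolesFrom(String xml, String roleAttrName) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Reject DOCTYPE so the parser never resolves external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element assertion = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        List<String> roles = new ArrayList<>();
        // Direct children only: statements may appear in any order and number,
        // and nested content is not treated as part of this assertion.
        for (Node st = assertion.getFirstChild(); st != null; st = st.getNextSibling()) {
            if (!isSaml(st, "AttributeStatement")) continue;
            for (Node at = st.getFirstChild(); at != null; at = at.getNextSibling()) {
                // Skips EncryptedAttribute and attributes other than the role one.
                if (!isSaml(at, "Attribute")
                    || !roleAttrName.equals(((Element) at).getAttribute("Name"))) continue;
                for (Node v = at.getFirstChild(); v != null; v = v.getNextSibling()) {
                    if (isSaml(v, "AttributeValue")) roles.add(v.getTextContent().trim());
                }
            }
        }
        return roles;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(rolesFrom(SAMPLE, "Role"));
    }
}
```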