Version 7
Created by beve on Nov 13, 2009 2:48 AM. Last modified by pskopek on Jun 1, 2010 3:41 AM.

    The page describes the Login Modules (LM) that integrate with PicketLinkSTS.

     

    STSIssuingLoginModule

    This is a JAAS LM for PicketLink STS (Security Token Service) that issues security tokens.This LM expects to be created with a callback handler that can handle NameCallback and a PasswordCallback, which should be match the username and password for whom a security token will be issued.

     

    Configuration example

    <application-policy name="saml-issue-token">
        <authentication>
            <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
                <module-option name="configFile">/sts-client.properties</module-option>
                <module-option name="endpointURI"></module-option>
                <module-option name="tokenType"></module-option>
            </login-module>
    </authentication>

    Configuration properties

    configFile
    The configuration for the underlying STSClient.

     

    endpointURI
    The ultimate recipient of the token. This will be set at the AppliesTo for the RequestSecurityToken. This is an option configuration property.

     

    tokenType
    The type of security token to be issued.

     

    STSValidatingLoginModule

    This is a JAAS LoginModule for PicketLink STS (Security Token Service) that validates security tokens.This LoginModule only performs validation of existing SAML Assertions and does not issue any such Assertions.

     

    Configuration example

    <application-policy name="saml-validate-token">
        <authentication>
            <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
                <module-option name="configFile">/sts-client.properties</module-option>
            </login-module>
        </authentication>
    </application-policy>

    Configuration properties

    configFile
    The configuration for the underlying STSClient.

     

    JAAS Callbacks and stacked Login Modules

    This section describes the the callback required by these LMs and also the options for stacking login modules.
    The following options are available for retreiving username/credentials for the LMs described in this page:

    1. Use the username/credential from Callback handlers, NameCallback and PasswordCallback
    2. Use the username/credential specified the properties file specified using the 'configFile' property.
    3. Use the username/credential from the login modules earlier in the login modules stack. Known as password stacking.

     

    1. Username/credential from Callback handler configuration

    <application-policy name="saml-issue-token">
        <authentication>
            <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
                <module-option name="configFile">/sts-client.properties</module-option>
             </login-module>
        </authentication>
    </application-policy>

    This configuration would be used when you want the call back handler to supply the username/credential.

    2. Username/credential from Login Module 'configFile'

     

    <application-policy name="saml-issue-token">
        <authentication>
            <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
                <module-option name="configFile">/sts-client.properties</module-option>
                <module-option name="useOptionsCredentials">true</module-option>
            </login-module>
        </authentication>
    </application-policy>

    This configuration could be used in situations where the token validation is done without regard to the username/credentials used to authenticate with PicketLinkSTS. An example of this could be where the validation is done only using the digital signature of the security token.

    3. Username/credential from stacked Login Module

     

    <application-policy name="saml-issue-token">
        <authentication>
            <login-module code="org.picketlink.security.auth.spi.UsersRolesLoginModule" flag = "required">
                <module-option name="usersProperties">props/esb-users.properties</module-option>
                <module-option name="rolesProperties">props/esb-roles.properties</module-option>
                <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            <login-module code="org.picketlink.identity.federation.api.wstrust.auth.STSIssuingLoginModule" flag="required">
                <module-option name="configFile">/sts-client.properties</module-option>
                <module-option name="endpointURI">http://security_saml/goodbyeworld</module-option>
                <module-option name="password-stacking">useFirstPass</module-option>
            </login-module>
            <login-module code="org.picketlink.identity.federation.api.wstrust.auth.STSValidatingLoginModule" flag="required">
                <module-option name="configFile">/sts-client.properties</module-option>
            </login-module>
        </authentication>
    </application-policy>

    Password stacking can be configured which means that a Login module configured with 'password-stacking' set to 'true' will set the username and password in the shared state map. Login modules that come after can set 'password-stacking' to 'useFirstPass' which means that that login module will use the username and password from the shared map.

    STS Client configuration example

     

    portName=PicketLinkSTSPort
    portName=PicketLinkSTSPort
    endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
    username=admin
    password=admin
    5784 Views Categories: Tags: