3 Replies Latest reply on Dec 24, 2011 4:57 AM by gthomas

    Seam with PicketLink IDP

    matthew.hayes

We are currently overhauling the security on all our applications, converting everything to SAML/SSO using PicketLink.  I have been able to set up the sample IDP along with the sample applications and converted some of our applications.  The apps I've converted so far are mostly similar in architecture to the samples: JSP with a security domain that handles the Service Provider HTTP Redirect to the IDP.  Next I'm trying to convert some of the SEAM applications and can't seem to find a good example of how this would work.

The documentation for adding SAML and OpenID to Seam (http://community.jboss.org/wiki/HowtoaddSAMLandOpenIDauthenticationtoyourSeamapplication) relies on external IDPs and the user selecting the IDP to use.  Instead we want to use the PicketLink IDP we have configured internally and to have all unauthenticated requests forward to it automatically, similar to how the examples for the non-SEAM apps work.  I tried modifying the seam-sp example to point at the internal IDP but I'm stuck on how the saml-entities.xml file would be configured for the PicketLink IDP.

But given how the seam-sp example is different from how we want it to work, I'm wondering if I would be better off adding the valves for the SPRedirectFormAuthenticator, etc. to get back the principal as we do in the other applications and then using that to populate the Seam Identity (if that's even possible).


      For a little insight onto how things are configured -

The IDP is currently configured to authenticate against a number of LDAP trees/forests.  Initially it does a Kerberos SSO using SPNEGO (JBoss Negotiation), falling back on the user entering their login information for improperly configured browsers.  It then uses that login to pull back the roles (LdapExtLoginModule) across the various LDAP sources.  The IDP is currently on the same JBoss instance as the SP apps it supports, but the current plan is to move it to its own servers/domain for production.


The SP apps number several dozen spread across a few server farms, using a number of different technologies, each to different extents, including JSP, SEAM, EJB and WS, all of which we eventually hope we can get using the same IDP for SSO.

        • 1. Re: Seam with PicketLink IDP
          marcelkolsteren

          Hi Matthew,


          Thanks for the clearly posed questions and the insight you gave to your environment!


Maybe the documentation is not too clear about it, but it is possible to bypass the IDP selection screen by using the defaultIdentityProvider tag. You'll find it in the article. It's also used in the seam-sp sample application: look in external-authentication-config.xml; the service provider running at saml.picketlink.org uses it.


My advice is not to fall back to the valve solution for the Seam applications. Using the valve approach was what I started with 1.5 years ago when I was trying to use SAML-based logins for Seam applications. At the end it worked, but it didn't integrate well with Seam and it was really more of a hack than a clean solution. If you're interested you can read here about this approach:


          Seam Integration With JBoss Identity


Then the problem with filling in the saml-entities.xml. What you need to have is the SAML meta information that describes your PicketLink IDP. Most IDPs are able to generate their meta information so you can wire them up to their SPs easily. I don't know whether PicketLink IDP supports that. Just to give you an example of how that's supposed to work, read the section "Deploy and configure seam-sp application on JBoss AS 5.1" of this article:


          External authentication example using OpenSSO


How to obtain the SAML meta info for a PicketLink IDP is a separate question that doesn't have to do with the PicketLink Seam module. The PicketLink Seam module is just an SP-side module, and it assumes that the IDP adheres to the SAML standards. So if you've got questions on how to obtain the PicketLink IDP SAML metadata, please ask them in a separate post.


          Regards,

          Marcel

          • 2. Re: Seam with PicketLink IDP
            matthew.hayes

Thanks, I had missed the line about the defaultIdentityProvider tag.  I think once I get the SAML metadata figured out I should be set.

            • 3. Re: Seam with PicketLink IDP
              gthomas

              Hi Matthew,

I am also trying to integrate seam-sp with an internal PicketLink IDP (which uses a database as the identity store) and am unable to figure out how to configure saml-entities.xml.  Were you able to configure the saml-entities.xml file for the PicketLink IDP? Any insights on how you integrated seam-sp with an internal IDP would be very helpful. Thanks in advance!!


              Regards,

              GThomas