24 Replies. Latest reply: Mar 7, 2012 8:54 AM by song gu
  • 16. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    I have seen this page a hundred times and have tried different variations of what it is saying to do, but have been unsuccessful.

    The directions here are not clear...

    I need to find instructions on this: "Configure the security domain of the IDP to also include mapping configuration for attributes." Here is how I am trying to map attribute values with LdapAttributeMappingProvider.

    <application-policy name="idp">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://localldaphost:389</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="java.naming.referral">follow</module-option>
                <module-option name="bindDN">CN=LDAPLOOKUP,CN=Users,DC=xxxx,DC=com</module-option>
                <module-option name="bindCredential">xxxx</module-option>
                <module-option name="baseCtxDN">DC=xxxx,DC=com</module-option>
                <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                <module-option name="rolesCtxDN">DC=xxxx,DC=com</module-option>
                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="roleRecursion">-1</module-option>
                <module-option name="searchTimeLimit">10000</module-option>
                <module-option name="allowEmptyPasswords">false</module-option>
                <module-option name="defaultRole">manager</module-option>
            </login-module>
        </authentication>

        <mapping>
            <!-- Note: the mapping-module element is self-closed, so the attributeList
                 option that follows is not a child of it. -->
            <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute"/>
            <module-option name="attributeList">mail, cn</module-option>
        </mapping>
    </application-policy>

    BUT...

    Every time I try to use the JBossAppServerAttributeManager class as the "ATTRIBUTE_MANAGER", I get the following error...

    java.lang.IllegalArgumentException: PL00092: Null Value:responseType is null
    at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:227)
    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:641)
    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:383)
    at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:662)

    If I use the EmptyManager, everything works, but I get no values passed to the SP.

    In my investigation, I think I am using an older version of the jboss-security.jar file, as I noticed that "MappingType.ATTRIBUTE" doesn't exist in the jar file I am using, although the value is used by the JBossAppServerAttributeManager.

    I have a fresh install of JBoss AS 5.1.0. Am I using a wrong version?

  • 17. Re: Problem with SAML2AttributeHandler
    Anil Saldhana Master

    https://community.jboss.org/wiki/PicketLinkSTSLoginModules

    Look at the mapping module configuration. In this case, you will need to use type="attribute" as you are doing attribute mapping. Do it on the IDP security domain.

  • 18. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    Sorry Anil... I do not understand your response to my question.

    I have posted my application policy from my login-config.xml. This can successfully authenticate and authorize me against our AD, and will successfully let me into our SP from our IDP app.

    In my application policy, I have the mapping module defined, but do not think it's correct.

    I am relatively new to JBoss, and have found too many different, conflicting examples.

    I would like to see one example of how to map LDAP attributes so they are passed from IDP to SP.

  • 19. Re: Problem with SAML2AttributeHandler
    Oved Ourfali Newbie

    Hey Anil,

    I'd appreciate it if you looked at the steps I posted above and told me what the correct configuration is.

    Once you do that I'll be happy to add a wiki page here that explains it all, with examples, etc.

    It will be helpful to know what the minimal configuration requirements are, and what can be done with the rest of the configuration options.

    Thank you,

    Oved

  • 20. Re: Problem with SAML2AttributeHandler
    song gu Newbie

    Hi Shane,

    I got almost the same issue as you did:

    "My situation may be a bit different in that I am tying my authentication to LDAP and need to pass some LDAP attributes (i.e. "mail", or "surname") to the SP from the IDP.
    ...
    Every time I try to use the JBossAppServerAttributeManager class as the "ATTRIBUTE_MANAGER", I get the following error...

    java.lang.IllegalArgumentException: PL00092: Null Value:responseType is null"

    and I've searched the community, finding no solution.

    I wonder if you have figured it out?

    Thank you,

    Song Gu

  • 21. Re: Problem with SAML2AttributeHandler
    Pedro Igor Apprentice

    Hi song,

    Take a look at this code and configuration to see if it helps.

    This is the IDP configuration with a CustomSAMLAttributeManager and a CustomRoleGenerator (in this case you need to get the roles from somewhere else).

    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0"
                   AttributeManager="CustomSAMLAttributeManager"
                   RoleGenerator="CustomRoleGenerator">
      ...
    </PicketLinkIDP>

    This is the CustomSAMLAttributeManager, using a database to load the attributes for a specific user. You can change the logic to obtain the attributes from the LDAP.


    import java.security.Principal;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.sql.DataSource;
    // Assumed PicketLink package for the interface; SAMLAttributesConstants is the poster's own class and is not shown.
    import org.picketlink.identity.federation.core.interfaces.AttributeManager;

    public class CustomSAMLAttributeManager implements AttributeManager {

        // Looks up the DataSource bound in JNDI. A failed lookup is reported as an
        // SQLException instead of silently returning a null Connection.
        private Connection getConnection() throws SQLException {
            try {
                InitialContext ic = new InitialContext();
                DataSource ds = (DataSource) ic.lookup("java:AttributesDS");
                return ds.getConnection();
            } catch (NamingException e) {
                throw new SQLException("DataSource java:AttributesDS not found", e);
            }
        }

        // Parameterized query: the user name is bound with setString, never concatenated into the SQL.
        private PreparedStatement getRolesStatement(Connection conn) throws SQLException {
            return conn.prepareStatement("select attr1, attr2 from some_table where userName = ?");
        }

        public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
            return getPrincipalAttributes(userPrincipal);
        }

        private HashMap<String, Object> getPrincipalAttributes(Principal userPrincipal) {
            HashMap<String, Object> attributes = new HashMap<String, Object>();
            Connection conn = null;
            PreparedStatement stm = null;
            ResultSet rs = null;
            try {
                conn = this.getConnection();
                stm = this.getRolesStatement(conn);
                stm.setString(1, userPrincipal.getName());
                rs = stm.executeQuery();
                if (rs.next()) {
                    attributes.put(SAMLAttributesConstants.ATTR1, rs.getString("attr1"));
                    attributes.put(SAMLAttributesConstants.ATTR2, rs.getString("attr2"));
                }
            } catch (SQLException e) {
                // On failure the assertion is issued without these attributes; log the cause in real code.
            } finally {
                // cleanup resources, in reverse order of acquisition
                try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
                try { if (stm != null) stm.close(); } catch (SQLException ignored) { }
                try { if (conn != null) conn.close(); } catch (SQLException ignored) { }
            }
            return attributes;
        }
    }

    I hope this can help you in some way.

    Regards.

    Pedro Silva

  • 22. Re: Problem with SAML2AttributeHandler
    Shane Freed Newbie

    I did get the attributes to be returned from my LDAP via the Security Context using the following settings in my login-config.xml...

    <application-policy name="idp">
         <authentication>
              <mapping>
                   <mapping-module
                        code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider"
                        type="attribute">
                        <module-option name="attributeList">cn,mail,extensionAttribute3</module-option>
                        <module-option name="bindDN">CN=LDAPLOOKUP,CN=Users,DC=xxxx.com</module-option>
                        <module-option name="bindCredential">xxxxxxx</module-option>
                        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                        <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                        <module-option name="java.naming.provider.url">ldap://localldaphost:389</module-option>
                        <module-option name="baseCtxDN">DC=xxxxx,DC=com</module-option>
                   </mapping-module>
              </mapping>

              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                   <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                   <module-option name="java.naming.provider.url">ldap://localldaphost:389</module-option>
                   <module-option name="java.naming.security.authentication">simple</module-option>
                   <module-option name="java.naming.referral">follow</module-option>
                   <module-option name="bindDN">CN=LDAPLOOKUP,CN=Users,DC=xxxxx,DC=com</module-option>
                   <module-option name="bindCredential">xxxxx</module-option>
                   <module-option name="baseCtxDN">DC=xxxxx,DC=com</module-option>
                   <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                   <module-option name="rolesCtxDN">DC=xxxxx,DC=com</module-option>
                   <module-option name="roleFilter">(member={1})</module-option>
                   <module-option name="roleAttributeID">cn</module-option>
                   <module-option name="roleAttributeIsDN">false</module-option>
                   <module-option name="roleRecursion">-1</module-option>
                   <module-option name="searchTimeLimit">10000</module-option>
                   <module-option name="allowEmptyPasswords">false</module-option>
                   <module-option name="defaultRole">manager</module-option>
              </login-module>
          </authentication>
    </application-policy>

    In my IDP handlers I had the following settings for my SAMLAttributeHandler and my ATTRIBUTE_MANAGER. Notice the ATTRIBUTE_KEYS are the same as listed above.


    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
      <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
      <Option Key="ATTRIBUTE_KEYS" Value="cn, mail, extensionAttribute3"/>
    </Handler>

    The only change I made in the SAML2AttributeHandler was to download the Handler that Anil changed (listed in the post earlier) and change one method. Notice what I block-commented out and in which method.


       @Override
       public void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException
       {
          super.initChainConfig(handlerChainConfig);

          log.trace("+++ initChainConfig begin +++  ");

          // Commented out of original code as this caused the Attribute Manager to be reset to the Tomcat Attribute Manager.
          /*
          Object config = this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION);
          if (config instanceof IDPType)
          {
              IDPType idpType = (IDPType) config;
              String attribStr = idpType.getAttributeManager();

              System.out.println("Instantiating = " + attribStr);

              this.insantiateAttributeManager(attribStr);
          }
          */
          log.trace("+++ initChainConfig end +++  ");
       }

    I made no changes to the JBossAppServerAttributeManager; I used it right as it was...

    Now the only problem I have left is the one from the other posts about the Attribute handler being invoked in the chain AFTER the response is already sent. It makes no sense why it is doing that, but it is clear in my case that the attributes I am getting above are never sent on the first response, only if the original assertion expires and the SP requests a resend.

    Weird but true. I am hoping someone can tell me how to fix that...
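    Pedro's manager in reply 21 reads the attributes from a database, while Shane's reply 22 needs the same values taken from LDAP via the attributeList. The following is an added example, not code from this thread or from PicketLink, of the LDAP-backed variant: it returns only the keys the handler configured as ATTRIBUTE_KEYS, binds the user name through JNDI's {0} filter argument instead of concatenating it into the filter, and always closes the directory context. The AttributeManager import package, the class name and the connection constants are assumptions (the constants are placeholders copied from the login-module options posted above).

```java
import java.security.Principal;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import org.picketlink.identity.federation.core.interfaces.AttributeManager; // assumed package

// Hypothetical LDAP-backed AttributeManager; connection values are placeholders taken
// from the login-module options posted in the thread, not a real deployment.
public class LdapSAMLAttributeManager implements AttributeManager {
    private static final String PROVIDER_URL = "ldap://localldaphost:389";
    private static final String BIND_DN = "CN=LDAPLOOKUP,CN=Users,DC=xxxx,DC=com";
    private static final String BIND_CREDENTIAL = "xxxx";
    private static final String BASE_CTX_DN = "DC=xxxx,DC=com";
    // Same shape as baseFilter; {0} is bound by JNDI, which escapes LDAP filter
    // metacharacters, so a crafted principal name cannot widen the search.
    private static final String USER_FILTER = "(sAMAccountName={0})";

    public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
        Map<String, Object> attributes = new HashMap<String, Object>();
        if (userPrincipal == null || attributeKeys == null || attributeKeys.isEmpty()) return attributes;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_CREDENTIAL);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Ask the directory only for the keys configured as ATTRIBUTE_KEYS on the handler.
            controls.setReturningAttributes(attributeKeys.toArray(new String[attributeKeys.size()]));
            NamingEnumeration<SearchResult> results = ctx.search(BASE_CTX_DN, USER_FILTER,
                    new Object[] { userPrincipal.getName() }, controls);
            if (results.hasMore()) {
                Attributes found = results.next().getAttributes();
                for (String key : attributeKeys) {
                    Attribute attr = found.get(key);
                    if (attr != null) attributes.put(key, attr.get()); // first value only
                }
            }
        } catch (NamingException e) {
            // Fail closed: the assertion is issued without these attributes; log the cause in real code.
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
        return attributes;
    }
}
```

    Reference it from the IDP configuration the same way Pedro's class is referenced (AttributeManager="LdapSAMLAttributeManager"), or via the handler's ATTRIBUTE_MANAGER option as in Shane's handler configuration.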

  • 23. Re: Problem with SAML2AttributeHandler
    song gu Newbie

    Hi Pedro,

    Thank you for your help.

    Following your suggestion, I wrote a custom AttributeManager, instead of JBossAppServerAttributeManager, for attribute retrieval, and it works.


  • 24. Re: Problem with SAML2AttributeHandler
    song gu Newbie

    Hi Shane,

    Thank you for your response.

    I followed your instructions step by step, however, I still got the following error:

    java.lang.IllegalArgumentException: PL00092: Null Value:responseType is null
      at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:227)
      at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:664)
      at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:405)
      at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

    But, after updating the content in SAML2AttributeHandler.java as you mentioned, I wrote a custom AttributeManager as Pedro suggested.

    And finally, I got what I wanted.
