1 Reply Latest reply on May 14, 2012 5:16 PM by anil.saldhana

    How to disable roles for SAML authentication

    rhodri

      Hello everyone --

      I have enabled my app to function as a SAML Service Provider, and I am trying to authenticate with an Identity Provider that is running on an instance of Liferay, with its own SAML implementation accepting POST authentication requests.

      An AuthRequest is being sent from JBoss to Liferay, and Liferay is responding with an AuthResponse that authenticates the user -- however, the JBoss instance then just gives me back a 403 error, that I am unauthorized to view the content.

      My idea of what is causing this is that the user being authenticated by the AuthResponse is not registered with JBoss in the "manager" role (I am following the code from the example applications).

      Is there a way to instruct JBoss authentication to allow through any user regardless of role, so long as a "success" response arrives from the IdP?

      I have tried setting DISABLE_ROLE_PICKING to true on the SAML2AuthenticationHandler, but that seems to make no difference. I have tried entering my username ("test@liferay.com") into mgmt-users.properties and application-users.properties and giving it a manager role in application-roles.properties, but this has made no difference. I have also tried removing the <auth-constraint> from web.xml that restricts access to the manager role (and other ways of removing roles from my app), but I get NullPointerExceptions and parsing errors.

      Any ideas?

      Thanks!

      Rhodri

      Here is my configuration:

      META-INF/jboss-deployment-structure.xml

      <jboss-deployment-structure>
        <deployment>
          <dependencies>
            <module name="org.picketlink" />
          </dependencies>
        </deployment>
      </jboss-deployment-structure>

      WEB-INF/jboss-web.xml

      <jboss-web>
        <security-domain>sp</security-domain>
        <context-root>service-provider</context-root>
        <valve>
          <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
        </valve>
      </jboss-web>

      WEB-INF/picketlink.xml

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
        <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" BindingType="POST" ServerEnvironment="jboss">
          <IdentityURL>${idp.url::http://localhost:8081/c/portal/saml/sso}</IdentityURL>
          <ServiceURL>${service-provider.url::http://localhost:8080/service-provider/}</ServiceURL>
        </PicketLinkSP>
        <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
              <Option Key="DISABLE_ROLE_PICKING" Value="true"/>
              <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
          </Handler>
        </Handlers>
      </PicketLink>

      WEB-INF/web.xml

      <web-app version="3.0"
          xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="
              http://java.sun.com/xml/ns/javaee
              http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Everything</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>manager</role-name>
            </auth-constraint>
          </security-constraint>

          <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>Camden Service Provider</realm-name>
              <form-login-config>
                  <form-login-page>/login.jsp</form-login-page>
                  <form-error-page>/loginerror.jsp</form-error-page>
              </form-login-config>
          </login-config>

          <security-role>
            <description>The role that is required to log in to the Manager Application</description>
            <role-name>manager</role-name>
          </security-role>
      </web-app>



        • 1. Re: How to disable roles for SAML authentication
          anil.saldhana

          You can use JAAS stacking at your service provider to generate the necessary roles. Use one of the login modules we have for JBossAS (DB, LDAP, etc.) and the useFirstPass module option so that the SAML2LoginModule is used first and then the stacked login module just picks the roles.
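The stacked security domain the reply describes, as an added example that is not part of this thread, of PicketLink or of its quickstarts: an AS7 standalone.xml fragment for the "sp" domain named in the jboss-web.xml above. It assumes PicketLink 2.1 on JBoss AS 7 (the SAML2LoginModule class name), that SAML2LoginModule publishes the authenticated name to the JAAS shared state when password-stacking is set, as JBoss username/password login modules do, and the file names sp-users.properties and sp-roles.properties are constructed.

```xml
<!-- Added example, not from the thread. Security domain "sp" for the SP
     webapp: module 1 authenticates the SAML response, module 2 only
     assigns roles. Class names assume PicketLink 2.1 on JBoss AS 7;
     the .properties file names are constructed and are loaded from the
     deployment classpath (e.g. WEB-INF/classes). -->
<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <!-- 1. Validates the SAML assertion delivered by the
             ServiceProviderAuthenticator valve and establishes the
             principal. password-stacking=useFirstPass makes the module
             put the principal name into the JAAS shared state so the
             next module can reuse it (assumed to behave like the other
             JBoss username/password login modules). -->
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                      flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>

        <!-- 2. Role source only. With useFirstPass it takes the name from
             shared state, performs no password check, and reads the
             principal's roles from sp-roles.properties. A principal the
             IdP asserted but that is absent from that file gets no roles
             and still receives the 403 for the "manager" constraint, so
             the setup fails closed rather than admitting every IdP user. -->
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
          <module-option name="usersProperties" value="sp-users.properties"/>
          <module-option name="rolesProperties" value="sp-roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
```

sp-roles.properties (constructed name) maps the asserted principal to application roles, for example the line test@liferay.com=manager for the user in the question. application-roles.properties belongs to the server's ApplicationRealm rather than to a JAAS security domain, which is why editing it has no effect on the "sp" domain.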