How to disable roles for SAML authentication
rhodri May 10, 2012 6:30 PM
Hello everyone --
I have enabled my app to function as a SAML Service Provider, and I am trying to authenticate with an Identity Provider that is running on an instance of Liferay, with its own SAML implementation accepting POST authentication requests.
An AuthRequest is being sent from JBoss to Liferay, and Liferay is responding with an AuthResponse that authenticates the user -- however, the JBoss instance then just gives me back a 403 error, that I am unauthorized to view the content.
My idea of what is causing this is that the user being authenticated by the AuthResponse is not registered with JBoss in the "manager" role (I am following the code from the example applications).
Is there a way to instruct JBoss authentication to allow through any user regardless of role, so long as a "success" response arrives from the IdP?
I have tried setting DISABLE_ROLE_PICKING to true on the SAML2AuthenticationHandler, but that seems to make no difference. I have tried entering my username ("test@liferay.com") into mgmt-users.properties and application-users.properties and giving it a manager role in application-roles.properties, but this has made no difference. I have also tried removing the <auth-constraint> from web.xml that restricts access to the manager role (and other ways of removing roles from my app), but I get NullPointerExceptions and parsing errors.
Any ideas?
Thanks!
Rhodri
Here is my configuration:
META-INF/jboss-deployment-structure.xml
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="org.picketlink" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>
WEB-INF/jboss-web.xml
<jboss-web>
  <security-domain>sp</security-domain>
  <context-root>service-provider</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
  </valve>
</jboss-web>
WEB-INF/picketlink.xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" BindingType="POST" ServerEnvironment="jboss">
    <IdentityURL>${idp.url::http://localhost:8081/c/portal/saml/sso}</IdentityURL>
    <ServiceURL>${service-provider.url::http://localhost:8080/service-provider/}</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
      <Option Key="DISABLE_ROLE_PICKING" Value="true"/>
      <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
    </Handler>
  </Handlers>
</PicketLink>
WEB-INF/web.xml
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Camden Service Provider</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <description>The role that is required to log in to the Manager Application</description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
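To see why a successful AuthResponse can still end in a 403, here is an added example (not code from the post or from PicketLink) that builds a minimal, constructed SAML Response and mirrors the container's two-step check: is the subject authenticated, and does the assertion carry a role that satisfies the web.xml <auth-constraint>. It assumes the SP reads roles from an assertion attribute named "Role"; the attribute name and the unsigned, stripped-down Response are assumptions for the demo, not PicketLink's exact behaviour.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_response(name_id, roles=()):
    """Constructed minimal SAML Response (unsigned, demo only)."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    attr_stmt = (
        f'<saml:AttributeStatement><saml:Attribute Name="Role">{values}'
        "</saml:Attribute></saml:AttributeStatement>" if roles else ""
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
        f"{name_id}</saml:NameID></saml:Subject>{attr_stmt}</saml:Assertion>"
        "</samlp:Response>"
    )


def inspect_response(xml_text, role_attr="Role"):
    """Extract status, NameID and the values of the (assumed) role attribute."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    success = code is not None and code.get("Value", "").endswith(":Success")
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    roles = []
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == role_attr:
            roles += [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {"success": success, "name_id": name_id, "roles": roles}


def authorize(info, required_roles):
    """Mirror the container: authentication first, then the role constraint."""
    if not info["success"] or not info["name_id"]:
        return "401"  # IdP did not authenticate the subject
    if not set(info["roles"]) & set(required_roles):
        return "403"  # authenticated, but no role matches <auth-constraint>
    return "200"


if __name__ == "__main__":
    for roles in ((), ("manager",)):
        info = inspect_response(build_response("test@liferay.com", roles))
        print(roles, "->", authorize(info, ["manager"]))
```

The first run reproduces the symptom from the post (authenticated user, no mappable role, 403); the second shows that supplying a role the constraint accepts is what flips the result, which is where the IdP attribute release or the SP role mapping needs attention.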