2 Replies Latest reply on Jun 29, 2012 12:20 PM by regis.ramillien

    Picketlink as SP and Portwise as IDP + SAML: Cannot get roles

    regis.ramillien

      Hello,

      I'm new to Identity Federation, SAML, etc., so excuse me if this is a newbie question, but...

      I am trying to set up identity federation between a JBoss AS 5 as SP using PicketLink and a Portwise as IdP.

      I followed the documentation to configure JBoss and everything works fine (good job on the doc!) except that I always get a 403...

      I think (but I'm not sure) that's because the roles are not returned correctly by Portwise, or not read correctly by PicketLink, or because a configuration is missing somewhere (but where?).

      I configured Portwise to send me the roles as an attribute. This gives me something like this in its SAML response:

      <saml:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myRole</saml:AttributeValue>
      </saml:Attribute>

      My picketlink.xml file is very simple:

      <?xml version="1.0" encoding="UTF-8"?>
      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0">
              <IdentityURL>https://......./</IdentityURL>
              <ServiceURL>http://........./</ServiceURL>
          </PicketLinkSP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
              <Handler
                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler
                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
          </Handlers>
      </PicketLink>

      And the context.xml is even simpler:

      <?xml version="1.0" encoding="UTF-8"?>
      <Context>
          <Valve
              className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />
      </Context>

      Of course, I configured the web.xml to handle the security role:

          <security-role>
              <role-name>myRole</role-name>
          </security-role>

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Restricted Area</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>myRole</role-name>
              </auth-constraint>
          </security-constraint>

          <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>Portwise SAML v2 Test</realm-name>
              <form-login-config>
                  <form-login-page>/login.jsp</form-login-page>
                  <form-error-page>/loginFailed.jsp</form-error-page>
              </form-login-config>
          </login-config>

      To summarize: when I connect to my web page, the request is made by PicketLink to Portwise, there is an exchange which seems OK, and Portwise sends the SAML to the server; then the server tries to display the restricted page but displays a 403 instead.

      I've been searching for a while now, but can't find where the issue is...

      Does someone have an idea?!

      I've seen in the picketlink that the NameFormat of the <saml:attribute> in the SAML response has the value "urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups". Perhaps it is because of this? But if it is, I cannot configure Portwise to use this...

      Thanks!!!
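As an added illustration of the mapping the question is about (this is example code written for this page, not part of the post above and not PicketLink or Portwise code), the Python below parses a SAML 2.0 response, pulls role values out of its AttributeStatement, and then applies a stand-in for the container's auth-constraint check. The response is a constructed sample shaped like the snippet in the post; the attribute names "Roles" and "Role", the `authorize` function, and the choice to treat any attribute with the DCE groups NameFormat as a role attribute are assumptions made for the example. It shows the failure mode the post describes: when the name the SP reads roles from differs from the name the IdP actually sends, the extracted role set is empty and the request ends in 403 even though authentication succeeded.

```python
"""Extract role values from a SAML 2.0 AttributeStatement and apply an auth-constraint.

Added example for this page; it is neither PicketLink nor Portwise code.
Assumption: the SP is configured with one attribute name it reads roles from.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DCE_GROUPS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups"

# Constructed sample: a stripped-down, unsigned response whose attribute
# statement mirrors the <saml:Attribute Name="Roles"> snippet from the post.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myRole</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">auditor</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_roles(response_xml, role_attribute_name):
    """Return the set of role values carried by the response.

    An attribute counts as the role attribute when its Name equals the key the
    SP is configured with, or (assumption for this example) when its NameFormat
    is the DCE groups profile, which denotes group membership by definition.
    Attributes with any other name (e.g. "mail") are ignored.
    """
    root = ET.fromstring(response_xml)
    roles = set()
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        name_format = attr.get("NameFormat", "")
        if name == role_attribute_name or name_format == DCE_GROUPS:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                if value.text and value.text.strip():
                    roles.add(value.text.strip())
    return roles


def authorize(roles, required_roles):
    """Stand-in for a web.xml <auth-constraint>: any one required role grants
    access (200); an authenticated user with none of them gets 403."""
    return 200 if roles & set(required_roles) else 403


def main():
    required = ["myRole"]  # the <role-name> from the auth-constraint in the post
    # Case 1: the SP reads roles from the same attribute name the IdP sends.
    matched = extract_roles(SAMPLE_RESPONSE, "Roles")
    print("SP key 'Roles' ->", sorted(matched), authorize(matched, required))
    # Case 2: the SP expects a different attribute name; the role set is empty
    # and the container answers 403 although the SAML exchange itself succeeded.
    mismatched = extract_roles(SAMPLE_RESPONSE, "Role")
    print("SP key 'Role'  ->", sorted(mismatched), authorize(mismatched, required))


if __name__ == "__main__":
    main()
```

When debugging a 403 after a successful SAML exchange, the first thing to compare is exactly this pair: the attribute Name (and NameFormat) in the IdP's AttributeStatement against the attribute name the SP handler is configured to read roles from, and then the extracted values against the `<role-name>` entries in web.xml. The parser above deliberately skips signature validation; a real SP verifies the assertion signature before trusting any attribute in it.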