0 Replies. Latest reply: May 24, 2012 1:36 PM by Markus Plangg

SAML2AttributeHandler configuration and Roles

Markus Plangg Newbie

Hi,

I'm using DatabaseServerLoginModule on the IDP side of picketlink and I try to provide some Attributes to the SP (Firstname, Lastname, email).

The SAML2AttributeHandler shows some strange behaviour.

When I add it to the configuration of the IDP like this

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
                    <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
                    <Trust>
                              <Domains>localhost</Domains>
                    </Trust>
          </PicketLinkIDP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
                    <Handler
                              class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
                    <Handler
                              class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
                    <Handler
                              class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
                              <Option Key="ATTRIBUTE_KEYS" Value="username,firstName,lastName,email,userRoles" />
                              <Option Key="ATTRIBUTE_MANAGER" Value="eu.myproject.idp.UserAttributeManager" />
                    </Handler>
                    <Handler
                              class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
          </Handlers>
</PicketLink>

the AttributeManager is not called at all. But when I add it as an attribute to the PicketLinkIDP element, it is called twice:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                    AttributeManager="eu.myproject.idp.UserAttributeManager">
                    <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
...

- First from DelegatedAttributeManager.getAttributes(Principal, List<String>) with the logged in user principal and a lot of attributes I did not specify: [username, firstName, lastName, email, userRoles, mail, cn, commonname, givenname, surname, employeeType, employeeNumber, facsimileTelephoneNumber]

- Then from SAML2AttributeHandler.handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse) with userPrincipal == null and only the attributes I specified.

Also, on the SP side, when I try to get the roles from the PolicyContext

// JACC lookup of the caller Subject (PolicyContext.getContext declares PolicyContextException)
Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
Set<Principal> principals = caller.getPrincipals();

I get a Principal called "Roles" that contains all roles plus all attributes.

Is my configuration wrong, or is this expected, or is it a bug?

Cheers,

Markus
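As an added example (not code from the original post or from the PicketLink project), here is a defensive implementation of the AttributeManager the configuration above points at. It assumes the PicketLink 2.1 interface org.picketlink.identity.federation.core.interfaces.AttributeManager with the signature Map<String, Object> getAttributes(Principal, List<String>) seen in the post, and it replaces the database lookup with a constructed in-memory store. It covers the two behaviours reported above: a call with userPrincipal == null (handled by returning an empty map rather than failing), and a request list that carries more keys than were configured (handled by releasing only keys that are both requested and on an explicit allow-list), so the set of attributes that reaches the SP is bounded by the IDP, not by the caller.

```java
package eu.myproject.idp;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Assumed interface location (PicketLink 2.1); verify against the version in use.
import org.picketlink.identity.federation.core.interfaces.AttributeManager;

public class UserAttributeManager implements AttributeManager {

    // Allow-list of attributes this IDP is willing to release to an SP.
    // Anything not listed here is never returned, whatever the request asks for.
    private static final Set<String> RELEASABLE = new HashSet<String>(
            Arrays.asList("username", "firstName", "lastName", "email", "userRoles"));

    // Constructed sample store standing in for the database behind DatabaseServerLoginModule.
    private static final Map<String, Map<String, Object>> STORE =
            new HashMap<String, Map<String, Object>>();
    static {
        Map<String, Object> alice = new HashMap<String, Object>();
        alice.put("username", "alice");
        alice.put("firstName", "Alice");
        alice.put("lastName", "Example");
        alice.put("email", "alice@example.invalid");
        alice.put("userRoles", Arrays.asList("user", "reporter"));
        alice.put("passwordHash", "<constructed-placeholder>"); // internal field, not releasable
        STORE.put("alice", alice);
    }

    @Override
    public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
        // The handler may invoke this with a null principal (as observed in the post).
        // Returning an empty map keeps the assertion free of attributes instead of
        // throwing a NullPointerException inside the handler chain.
        if (userPrincipal == null || attributeKeys == null) {
            return Collections.emptyMap();
        }

        Map<String, Object> stored = STORE.get(userPrincipal.getName());
        if (stored == null) {
            return Collections.emptyMap();
        }

        // Release only keys that were requested AND are on the allow-list. Extra keys
        // appended to the request (e.g. cn, employeeNumber in the post's first call)
        // are silently dropped rather than looked up.
        Map<String, Object> result = new HashMap<String, Object>();
        for (String key : attributeKeys) {
            if (!RELEASABLE.contains(key)) {
                continue;
            }
            Object value = stored.get(key);
            if (value != null) {
                result.put(key, value);
            }
        }
        return result;
    }
}
```

With the allow-list in the manager rather than only in ATTRIBUTE_KEYS, a change to the handler configuration (or a delegating manager that widens the requested key list) cannot by itself cause the IDP to release fields such as a password hash; the manager remains the single point that decides what leaves the identity store.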