2 Replies Latest reply: Jun 29, 2012 12:20 PM by Régis Ramillien RSS

Picketlink as SP and Portwise as IDP + SAML: Cannot get roles

Régis Ramillien Newbie

Hello,

 

I'm new to Identity Federation, SAML, etc. So excuse me if this is a newbie question, but...

 

I try to make a federation identity between a JBOSS AS 5 as SP using Picketlink and a Portwise as an IDP.

 

I followed the documentation to configure the Jboss and everything works fine (good job on the doc !) except that I always get a 403...

 

I think (but not sure) that's because the roles are not returned correctly by the Portwise or not read correctly by Picketlink or because a configuration is missing somewhere (but where ?).

 

I configured Portwise to send me the roles as an attribute. This give me something like this in its SAML response:

<saml:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myRole</saml:AttributeValue>

</saml:Attribute>

 

My picketlink.xml file is very simple:

<?xml version="1.0" encoding="UTF-8"?>

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0">

        <IdentityURL>https://......./</IdentityURL>

        <ServiceURL>http://........./</ServiceURL>

    </PicketLinkSP>

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">

        <Handler

            class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

        <Handler

            class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />

    </Handlers>

</PicketLink>

 

And the context.xml is even simpler:

<?xml version="1.0" encoding="UTF-8"?>

<Context>

    <Valve

        className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />

</Context>

 

Of course, I configured the web.xml to handle the security role

<security-role>

        <role-name>myRole</role-name>

    </security-role>

 

    <security-constraint>

        <web-resource-collection>

            <web-resource-name>Restricted Area</web-resource-name>

            <url-pattern>/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

            <role-name>myRole</role-name>

        </auth-constraint>

    </security-constraint>

 

    <login-config>

        <auth-method>FORM</auth-method>

        <realm-name>Portwise SAML v2 Test</realm-name>

        <form-login-config>

            <form-login-page>/login.jsp</form-login-page>

            <form-error-page>/loginFailed.jsp</form-error-page>

        </form-login-config>

    </login-config>

 

To sumarize, when I connect to my web page, the request is done by Picketlink to the Portwise, there is an exchange which seems ok, and Portwise send the saml to the server, then the server try to display the restricted page but display instead a 403.

 

I'm searching for a while now, but can't find where is the issue...

 

Does someone have an idea !?

 

I've seen in the picketlink that the NameFormat of the <saml:attribute> in the saml response have the value "urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups". perhaps is it because of this ? But if it is, I cannot configure portwise to use this...

 

Thanks !!!