PicketLink IDP Using LDAP Attributes

The IDP sometimes needs to send user attributes to a service provider via SAML attribute statements in the assertion. When the IDP runs on JBoss AS, it can source those attributes from LDAP as follows:


1. Set the Attribute Manager on the IDP to org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager:
   <PicketLinkIDP AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">
2. Configure the security domain of the IDP to also include mapping configuration for attributes.
3. Configure a JBoss AS attribute mapping provider that can interface with LDAP. This mapping provider goes in the security domain configuration. Reference: http://community.jboss.org/wiki/MappingRolesInJBossApplicationServerV5x (Remember, it is type=attribute on the mapping provider.)
4. The LDAP mapping provider in JBAS is LdapAttributeMappingProvider.
   Code: http://anonsvn.jboss.org/repos/picketbox/trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/attribute/LdapAttributeMappingProvider.java
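The following security domain definition is an added example, not configuration from this wiki page or from the PicketLink/PicketBox projects. It shows steps 2 through 4 together in the JBoss AS 5.x login-config.xml style: the IDP's security domain keeps its existing authentication stack and gains a mapping module of type="attribute" backed by LdapAttributeMappingProvider. The module option names (bindDN, bindCredential, baseCtxDN, baseFilter, attributeList, searchTimeLimit) and the pass-through of java.naming.provider.url to JNDI are assumptions drawn from memory of the PicketBox source linked above; verify them against that source before use. The LDAP host, DNs, credential and attribute names are constructed placeholders. Step 1 (the AttributeManager attribute on the PicketLinkIDP element) is configured in the IDP descriptor exactly as shown in the list and is not repeated here.

```xml
<!-- Added example: security domain for the PicketLink IDP (login-config.xml, AS 5.x style).
     Option names below are assumed from LdapAttributeMappingProvider; verify against its source. -->
<application-policy name="idp">

  <authentication>
    <!-- Illustrative only: whatever already authenticates IDP users stays as it is.
         UsersRolesLoginModule is used here so the example is complete. -->
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
  </authentication>

  <mapping>
    <!-- type="attribute" (not "role") is what makes this provider populate user attributes.
         JBossAppServerAttributeManager then reads them and the IDP emits them as SAML
         AttributeStatements to the service provider. -->
    <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider"
                    type="attribute">

      <!-- Assumed: non-JNDI options are copied into the JNDI environment (placeholder host). -->
      <module-option name="java.naming.provider.url">ldap://ldap.example.internal:389</module-option>

      <!-- Assumed option names. Use a read-only service account with the narrowest
           search rights that still resolve the attributes below. -->
      <module-option name="bindDN">cn=idp-reader,ou=services,dc=example,dc=internal</module-option>
      <module-option name="bindCredential">CHANGEME-bind-password</module-option>

      <!-- Where to search for the authenticated user; {0} is replaced by the user name. -->
      <module-option name="baseCtxDN">ou=people,dc=example,dc=internal</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>

      <!-- Only the attributes listed here are fetched and therefore released to SPs.
           Keep this list to what the relying parties actually need. -->
      <module-option name="attributeList">mail,cn,employeeNumber</module-option>

      <!-- Search timeout in milliseconds. -->
      <module-option name="searchTimeLimit">10000</module-option>
    </mapping-module>
  </mapping>

</application-policy>
```

Two points a practitioner should check once this is in place. First, attributeList is the disclosure boundary: every attribute it names ends up in assertions sent to service providers, so treat additions to it as a change in what user data leaves the IDP. Second, the bind account's password sits in the security domain configuration in the clear; give that account read-only rights limited to the baseCtxDN subtree and restrict who can read the configuration file, or use the container's credential protection mechanism if one is available in your AS version.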



For a glimpse of how such a mapping provider configuration looks in practice, see https://community.jboss.org/wiki/PicketLinkSTSLoginModules