PicketLink REST API

Background

You may need SSO for your REST-based applications, or for your scripts. This article describes how to use the PicketLink REST API to talk to various Identity Providers.

Required Libraries

  1. PicketLink (2.0.3.Final or later)
  2. PicketLink REST jars (attached)
  3. Dependent jars (attached)

 

View Source

 

https://github.com/picketlink2/picketlink-rest

 

Examples

When you want to do SAML2 SSO with an IDP using FORM authentication

import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.rest.api.PicketLinkRestClient;

PicketLinkRestClient client = new PicketLinkRestClient();

// Example endpoints on localhost. Credentials are sent to the IDP,
// so use HTTPS URLs outside a local test setup.
Map<String,String> options = new HashMap<String, String>();
options.put("idpURL", "http://localhost:8080/idp/");
options.put("serviceURL", "http://localhost:8080/sp/");
options.put("authType", "FORM");
options.put("issuer", "http://localhost:8080/sp/");

client.connect(options);

// Authenticate against the IDP and obtain the SAML2 assertion
AssertionType assertion = client.callSAML20IDP("tomcat", "tomcat");
String username = client.userName(assertion);

// roleKeys may be null (see "What are the options?")
List<String> roleKeys = null;
List<String> roles = client.getRoles(assertion, roleKeys);

 

When you want to do SAML2 SSO with an IDP using BASIC authentication

PicketLinkRestClient client = new PicketLinkRestClient();
Map<String,String> options = new HashMap<String, String>();

// BASIC credentials are only base64-encoded on the wire,
// so use HTTPS URLs outside a local test setup.
options.put("idpURL", "http://localhost:8080/idp-basic/");
options.put("serviceURL", "http://localhost:8080/sp/");
options.put("authType", "BASIC");
options.put("issuer", "http://localhost:8080/sp/");
options.put("realm", "PicketLink IDP Application");

client.connect(options);

// Authenticate against the IDP and obtain the SAML2 assertion
AssertionType assertion = client.callSAML20IDP("tomcat", "tomcat");
String username = client.userName(assertion);

List<String> roleKeys = null;
List<String> roles = client.getRoles(assertion, roleKeys);

 

What are the options?

  • serviceURL: the URL of the application that requires SSO. Remember that the IDP should trust this URL. It is sent as part of the SAML handshake.
  • issuer: a URL representing the service provider application.
  • roleKeys: the IDP may issue one or more attribute statements in the assertion. Some of these statements represent the roles. You can provide a list of keys to indicate which of the attribute statements are roles. The roleKeys can be null (as shown in the examples).

How do I make subsequent calls to other resources?

We use HttpUnit underneath. You can get access to the underlying WebConversation object by calling the getConversation() method on the PicketLinkRestClient. After that, use HttpUnit calls. Your underlying SSO will remain active for the remainder of the assertion's lifetime. More information on HttpUnit is at http://httpunit.sourceforge.net/
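
A follow-up request through the shared WebConversation, as an added example that is not code from the PicketLink project. The resource URL, the SSO_USER and SSO_PASSWORD environment variables and the "manager" role name are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.rest.api.PicketLinkRestClient;
import com.meterware.httpunit.GetMethodWebRequest;
import com.meterware.httpunit.HttpUnitOptions;
import com.meterware.httpunit.WebConversation;
import com.meterware.httpunit.WebResponse;

public class ProtectedResourceCall {
    // Assumption: a protected resource under the service provider used above.
    private static final String RESOURCE_URL = "http://localhost:8080/sp/protected/report";

    public static void main(String[] args) throws Exception {
        // Assumption: credentials come from the environment, not from source code.
        String user = System.getenv("SSO_USER");
        String pass = System.getenv("SSO_PASSWORD");
        if (user == null || pass == null) {
            throw new IllegalStateException("SSO_USER and SSO_PASSWORD must be set");
        }
        // Report HTTP errors as status codes instead of exceptions; skip page scripts.
        HttpUnitOptions.setExceptionsThrownOnErrorStatus(false);
        HttpUnitOptions.setScriptingEnabled(false);

        Map<String, String> options = new HashMap<String, String>();
        options.put("idpURL", "http://localhost:8080/idp/");
        options.put("serviceURL", "http://localhost:8080/sp/");
        options.put("authType", "FORM");
        options.put("issuer", "http://localhost:8080/sp/");

        PicketLinkRestClient client = new PicketLinkRestClient();
        client.connect(options);
        AssertionType assertion = client.callSAML20IDP(user, pass);

        // Check the asserted role locally before calling the resource.
        List<String> roles = client.getRoles(assertion, (List<String>) null);
        if (roles == null || !roles.contains("manager")) { // assumed role name
            throw new SecurityException(client.userName(assertion) + " lacks the required role");
        }
        // Reuse the conversation that carried the SAML handshake so its cookies are sent.
        WebConversation conversation = client.getConversation();
        WebResponse response = conversation.getResponse(new GetMethodWebRequest(RESOURCE_URL));
        if (response.getResponseCode() != 200) {
            throw new IllegalStateException("Unexpected status " + response.getResponseCode());
        }
        System.out.println(response.getText());
    }
}
```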

Dependent Jars

 

http://mirrors.ibiblio.org/pub/mirrors/maven2/httpunit/httpunit/1.7/httpunit-1.7.jar   (httpunit 1.7)