PicketLink: SAML v1.1 Support

This article is the one-stop guide for SAML v1.1 support in Project PicketLink. The main JIRA issue for this work is https://issues.jboss.org/browse/PLFED-189

Information on SAML v1.1

http://en.wikipedia.org/wiki/SAML_1.1

Description

SAML v1.1 support covers the IDP-first (IDP-initiated) scenario only. The SAML v1.1 browser profiles have no SP-initiated authentication request, so the flow always begins at the IDP; this differs from SAML v2.0, where PicketLink also supports the SP-first scenario in which the SP sends an authentication request to the IDP.

A Walk Through

  1. The user accesses the IDP.
  2. The IDP, seeing that the request carries neither a SAML v2 request nor a SAML v2 response, assumes an "IDP first scenario" using SAML v1.1.
  3. The IDP challenges the user to authenticate.
  4. Upon successful authentication, the IDP shows its hosted section: a page that links to all the service provider applications.
  5. The user chooses an SP application.
  6. The IDP redirects the user to that service provider with a SAML v1.1 assertion in the SAMLResponse query parameter and the SP's URL in the TARGET query parameter.
  7. The service provider checks the SAML v1.1 assertion and provides access.
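
The following Python script models the exchange above end to end: the IDP side builds a SAML v1.1 Response carrying an Assertion and the redirect URL with the SAMLResponse and TARGET parameters (steps 5 and 6), and the SP side decodes it and performs the checks a service provider must make before granting access (step 7): version, trusted issuer, NotBefore/NotOnOrAfter window, AudienceRestrictionCondition, and that TARGET really points at this SP. This is an added example, not PicketLink's code; the function names, hostnames, subject name and the constructed assertion are all assumptions. Verification of the IDP's XML signature (ds:Signature), which any real SP must do before trusting the assertion, is marked in the code but not implemented because it needs an XML-DSig library.

```python
"""Model of the IDP-first SAML v1.1 exchange (added example, not PicketLink code).
XML signing/verification is deliberately omitted; see the comments marked MUST."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 reuses the 1.0 namespace URIs
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


class SAML11Error(Exception):
    """Raised by the SP when the response must be rejected."""


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_idp_redirect(sp_url, subject, issuer, now, lifetime=timedelta(minutes=5)):
    """IDP side: build a SAML 1.1 Response for the chosen SP (step 5) and the
    redirect URL carrying it in SAMLResponse and TARGET (step 6)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ResponseID": "_" + uuid.uuid4().hex, "MajorVersion": "1", "MinorVersion": "1",
        "IssueInstant": _ts(now), "Recipient": sp_url})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "AssertionID": "_" + uuid.uuid4().hex, "MajorVersion": "1", "MinorVersion": "1",
        "Issuer": issuer, "IssueInstant": _ts(now)})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now), "NotOnOrAfter": _ts(now + lifetime)})
    arc = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML}}}Audience").text = sp_url   # binds the assertion to one SP
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": _ts(now)})
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    # A real IDP MUST sign the Assertion (ds:Signature) here; omitted in this model.
    xml_bytes = ET.tostring(resp, encoding="utf-8")
    query = urlencode({"SAMLResponse": base64.b64encode(xml_bytes).decode("ascii"),
                       "TARGET": sp_url})
    return sp_url + "?" + query


def sp_validate(redirect_url, my_url, trusted_issuers, now):
    """SP side (step 7): decode SAMLResponse and return (subject, target) or raise."""
    qs = parse_qs(urlsplit(redirect_url).query)
    if "SAMLResponse" not in qs:
        raise SAML11Error("no SAMLResponse; an SP cannot start a SAML 1.1 flow itself")
    target = qs.get("TARGET", [""])[0]
    # TARGET is attacker-influenced input: only honour it if it is one of our own URLs.
    if not target.startswith(my_url):
        raise SAML11Error("TARGET is not this SP")
    try:
        root = ET.fromstring(base64.b64decode(qs["SAMLResponse"][0], validate=True))
    except Exception as e:
        raise SAML11Error(f"undecodable SAMLResponse: {e}")
    if root.tag != f"{{{SAMLP}}}Response":
        raise SAML11Error("not a samlp:Response")
    # The SP MUST verify the IDP's XML signature here before trusting anything below.
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SAML11Error("expected exactly one Assertion")
    a = assertions[0]
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        raise SAML11Error("not a SAML 1.1 assertion")
    if a.get("Issuer") not in trusted_issuers:
        raise SAML11Error("untrusted issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SAML11Error("missing Conditions")
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise SAML11Error("assertion outside its validity window")
    if my_url not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise SAML11Error("assertion not addressed to this SP")
    name = a.find(f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name is None or not name.text:
        raise SAML11Error("no authenticated subject")
    return name.text, target


def run_scenarios():
    """Happy path plus the rejections a practitioner would test: expired assertion,
    response replayed at a different SP, and an issuer the SP does not trust."""
    t0 = datetime(2011, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
    idp, sp, other = "https://idp.example.org", "https://sp.example.org/app/", "https://other.example.org/"
    url = build_idp_redirect(sp, "alice", idp, t0)
    out = {"ok": sp_validate(url, sp, {idp}, t0 + timedelta(seconds=30))}
    for label, args in {"expired": (url, sp, {idp}, t0 + timedelta(minutes=6)),
                        "wrong_sp": (url, other, {idp}, t0),
                        "untrusted_issuer": (url, sp, {"https://evil.example.org"}, t0)}.items():
        try:
            sp_validate(*args)
            out[label] = "accepted"
        except SAML11Error as e:
            out[label] = str(e)
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The TARGET check matters because the IDP hands the browser a URL supplied to it by the user's choice of SP; an SP that redirects to whatever TARGET says, or accepts an assertion whose Audience names a different application, turns the IDP-first flow into an open redirect or a cross-application replay.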


Service Provider Support for SAML v1.1

Because the user goes to the IDP first and is then redirected back to a service provider named by the TARGET query parameter, web applications built on PicketLink obtain SAML v1.1-specific behavior by configuring the SAML11SPRedirectFormAuthenticator (https://issues.jboss.org/browse/PLFED-200) instead of the SAML v2 authenticator.

References

Picketlink v2 Builds