STSLoginModules

The page describes the Login Modules (LM) that integrate with PicketLinkSTS.

 

STSIssuingLoginModule

This is a JAAS LM for PicketLink STS (Security Token Service) that issues security tokens.This LM expects to be created with a callback handler that can handle NameCallback and a PasswordCallback, which should be match the username and password for whom a security token will be issued.

 

Configuration example

<application-policy name="saml-issue-token">
    <authentication>
        <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
            <module-option name="configFile">/sts-client.properties</module-option>
            <module-option name="endpointURI"></module-option>
            <module-option name="tokenType"></module-option>
        </login-module>
</authentication>

Configuration properties

configFile
The configuration for the underlying STSClient.

 

endpointURI
The ultimate recipient of the token. This will be set at the AppliesTo for the RequestSecurityToken. This is an option configuration property.

 

tokenType
The type of security token to be issued.

 

STSValidatingLoginModule

This is a JAAS LoginModule for PicketLink STS (Security Token Service) that validates security tokens.This LoginModule only performs validation of existing SAML Assertions and does not issue any such Assertions.

 

Configuration example

<application-policy name="saml-validate-token">
    <authentication>
        <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
            <module-option name="configFile">/sts-client.properties</module-option>
        </login-module>
    </authentication>
</application-policy>

Configuration properties

configFile
The configuration for the underlying STSClient.

 

JAAS Callbacks and stacked Login Modules

This section describes the the callback required by these LMs and also the options for stacking login modules.
The following options are available for retreiving username/credentials for the LMs described in this page:

  1. Use the username/credential from Callback handlers, NameCallback and PasswordCallback
  2. Use the username/credential specified the properties file specified using the 'configFile' property.
  3. Use the username/credential from the login modules earlier in the login modules stack. Known as password stacking.

 

1. Username/credential from Callback handler configuration

<application-policy name="saml-issue-token">
    <authentication>

        <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
            <module-option name="configFile">/sts-client.properties</module-option>
         </login-module>
    </authentication>
</application-policy>

This configuration would be used when you want the call back handler to supply the username/credential.

2. Username/credential from Login Module 'configFile'

 

<application-policy name="saml-issue-token">
    <authentication>

        <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
            <module-option name="configFile">/sts-client.properties</module-option>
            <module-option name="useOptionsCredentials">true</module-option>
        </login-module>
    </authentication>
</application-policy>

This configuration could be used in situations where the token validation is done without regard to the username/credentials used to authenticate with PicketLinkSTS. An example of this could be where the validation is done only using the digital signature of the security token.

3. Username/credential from stacked Login Module

 

<application-policy name="saml-issue-token">
    <authentication>

        <login-module code="org.picketlink.security.auth.spi.UsersRolesLoginModule" flag = "required">
            <module-option name="usersProperties">props/esb-users.properties</module-option>
            <module-option name="rolesProperties">props/esb-roles.properties</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
        <login-module code="org.picketlink.identity.federation.api.wstrust.auth.STSIssuingLoginModule" flag="required">
            <module-option name="configFile">/sts-client.properties</module-option>
            <module-option name="endpointURI">http://security_saml/goodbyeworld</module-option>
            <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
        <login-module code="org.picketlink.identity.federation.api.wstrust.auth.STSValidatingLoginModule" flag="required">
            <module-option name="configFile">/sts-client.properties</module-option>
        </login-module>
    </authentication>
</application-policy>

Password stacking can be configured which means that a Login module configured with 'password-stacking' set to 'true' will set the username and password in the shared state map. Login modules that come after can set 'password-stacking' to 'useFirstPass' which means that that login module will use the username and password from the shared map.

STS Client configuration example

 

portName=PicketLinkSTSPort
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
username=admin
password=admin