Use of Third Party SAML Processors in front of JBoss AS

Assume your use case involves the use of an appliance in front of JBoss AS. Now the appliance is able to perform all SAML operations.  If the use case requires the trusted security propagation from the appliance to JBoss AS instance for web applications, then you will need the following:

  1. PicketLink Authenticator.  PicketLink provides one: https://docs.jboss.org/author/display/PLINK/PicketLinkAuthenticator
  2. A custom login module.  PicketLink has a feature request on this: https://issues.jboss.org/browse/PLFED-265

Where does the SAML token get processed?

It is a matter of choice.

 

Two strategies:

 

  1. In an ideal setup, the code resides in the authenticator.  It can extract the saml token - get the username and then call the underlying realm (and indirectly the jaas framework with username/dummy_cred). Then you have a custom login extending AbstractServerLoginModule - constructs an identity (with the passed username) and checks whether the dummy password is of a particular format (to account for the case when the authenticator is not what you want) and also a rolegroup.
  2. In the other setup, the authenticator is PicketLinkAuthenticator and the processing is done by a heavyweight login module.

 

 

Custom Tomcat Authenticator

The Tomcat Authenticator is needed to front the http call. It then needs to call the authenticate method on the Realm.  In JBoss AS, the Realm will be JBossWebRealm.  The authentication aspect will include a call to the underlying JAAS framework. The custom Tomcat Authenticator can process the saml token - extract the username.

 

Login Module

The login module needs to process the saml token coming in either the http header of cookie. You can get access to the ServletRequest via http://www.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication

Now it is upto the appliance and the login module to figure out what format the saml token will be in the header.  At a bare minimum, a base64 encoded version of the saml token will suffice.

Remember, that the login module needs to extend AbstractServerLoginModule. Look at the source code of the UsersRolesLoginModule to get an idea.

The login module can use the PicketLink parsing mechanism (SAMLParser class) to parse the token.  Create an identity and roles for the JAAS subject.

Establishing Trust between the Appliance and JBoss AS

It is recommended to have mutual authenticated ssl between the appliance and the JBoss AS instance. If the two run inside a trusted subnet, then plain ssl is fine.