This article describes how to achieve SAML v2 Web Browser SSO on JBoss AS 7.0 and beyond. Ideally you should be running the latest version of JBoss AS 7.
How do I configure JBoss AS 7 for achieving SAML based SSO?
1. We need to configure the module for org.picketlink
Unzip the attached picketlink-module.zip under the jboss-as-web-7.0.0.Final/modules/org directory.
You should see something like:
~/jboss-as-web-7.0.0.Final/modules/org/picketlink/main$ ls
module.xml
picketlink-bindings-2.0.1.final.jar
picketlink-bindings-2.0.1.final.jar.index
picketlink-bindings-jboss-2.0.1.final.jar
picketlink-bindings-jboss-2.0.1.final.jar.index
picketlink-fed-2.0.1.final.jar
picketlink-fed-2.0.1.final.jar.index
picketlink-trust-jbossws-2.0.1.final.jar
picketlink-trust-jbossws-2.0.1.final.jar.index
NOTE: The .index files are created when you start JBoss AS7.
Also note that we are adding a new module under org.jboss.security called "xacml".
2. Deploy the PicketLink web apps.
They are attached as picketlink-webapps.zip.
Unzip it under the ~/jboss-as-web-7.0.0.Final/standalone/deployments directory.
You should see something like:
~/jboss-as-web-7.0.0.Final/standalone/deployments$ ls
employee-post.war
employee.war
idp.war
picketlink-sts.war
README.txt
sales-post.war
sales.war
3. Configure the necessary security domains in standalone.xml.
<subsystem xmlns="urn:jboss:domain:security:1.0">
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required"/>
            </authentication>
        </security-domain>
        <security-domain name="jmx-console" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="users.properties"/>
                    <module-option name="rolesProperties" value="roles.properties"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="idp" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="users.properties"/>
                    <module-option name="rolesProperties" value="roles.properties"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="sp" cache-type="default">
            <authentication>
                <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
Note that we added the blocks for "jmx-console", "idp" and "sp" in the security subsystem right after "other".
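As an added example (it is not part of this article or of the PicketLink distribution), the following Python script checks a standalone.xml security subsystem for the two domains this step introduces. It parses the urn:jboss:domain:security:1.0 subsystem and reports whether the "idp" domain is backed by the UsersRoles login module with users/roles property files and whether the "sp" domain is backed by SAML2LoginModule, which is what the SAML service provider web apps rely on. The embedded sample is the fragment from step 3; the function names and the exact problem messages are my own.

```python
"""Sanity-check the security subsystem of a JBoss AS 7 standalone.xml for the
PicketLink SAML SSO setup (step 3 of the article).

Added example, not PicketLink project code. It checks only the structural facts
the article states: an "idp" domain using UsersRoles and an "sp" domain using
SAML2LoginModule, both flagged "required".
"""
import xml.etree.ElementTree as ET

SECURITY_NS = "urn:jboss:domain:security:1.0"
SAML2_LOGIN_MODULE = (
    "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
)

# Constructed sample: the security subsystem fragment shown in step 3.
SAMPLE_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication><login-module code="UsersRoles" flag="required"/></authentication>
    </security-domain>
    <security-domain name="idp" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required">
          <module-option name="usersProperties" value="users.properties"/>
          <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="sp" cache-type="default">
      <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""


def _q(tag):
    """Namespace-qualify a tag name for ElementTree lookups."""
    return "{%s}%s" % (SECURITY_NS, tag)


def load_domains(xml_text):
    """Return {domain name: [(login-module code, flag, {option: value}), ...]}.

    Accepts either the bare <subsystem> element or a whole <server> document.
    """
    root = ET.fromstring(xml_text)
    subsystem = root if root.tag == _q("subsystem") else root.find(".//" + _q("subsystem"))
    if subsystem is None:
        raise ValueError("no urn:jboss:domain:security:1.0 subsystem found")
    domains = {}
    for dom in subsystem.iter(_q("security-domain")):
        modules = []
        for lm in dom.iter(_q("login-module")):
            opts = {o.get("name"): o.get("value") for o in lm.iter(_q("module-option"))}
            modules.append((lm.get("code"), lm.get("flag"), opts))
        domains[dom.get("name")] = modules
    return domains


def check_security_domains(xml_text):
    """Return a list of problems; an empty list means the config matches the article."""
    problems = []
    domains = load_domains(xml_text)

    idp = domains.get("idp")
    if idp is None:
        problems.append('missing security-domain "idp"')
    else:
        if "UsersRoles" not in [code for code, _, _ in idp]:
            problems.append('"idp" domain has no UsersRoles login module')
        for code, flag, opts in idp:
            if code != "UsersRoles":
                continue
            if flag != "required":
                problems.append('"idp" UsersRoles login module should be flag="required"')
            for opt in ("usersProperties", "rolesProperties"):
                if opt not in opts:
                    problems.append('"idp" UsersRoles module lacks the %s option' % opt)

    sp = domains.get("sp")
    if sp is None:
        problems.append('missing security-domain "sp"')
    else:
        if SAML2_LOGIN_MODULE not in [code for code, _, _ in sp]:
            problems.append('"sp" domain does not use SAML2LoginModule')
        for code, flag, _ in sp:
            if code == SAML2_LOGIN_MODULE and flag != "required":
                problems.append('"sp" SAML2LoginModule should be flag="required"')
    return problems


if __name__ == "__main__":
    print(check_security_domains(SAMPLE_SUBSYSTEM) or "security domains look consistent")
```

Run it against a real standalone.xml by reading the file and passing its text to check_security_domains; the loader finds the security subsystem inside the full server document.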
4. Start JBoss AS 7.0.
~/jboss-as-web-7.0.0.Final/bin$ ./standalone.sh
=========================================================================
  JBoss Bootstrap Environment
  JBOSS_HOME: /home/anil/jboss-as-web-7.0.0.Final
  JAVA: /opt/java/jdk1.6.0_23/bin/java
  JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.modules.system.pkgs=org.jboss.byteman
=========================================================================
08:35:20,535 INFO [org.jboss.modules] JBoss Modules version 1.0.1.GA
08:35:21,978 INFO [org.jboss.msc] JBoss MSC version 1.0.0.GA
08:35:22,153 INFO [org.jboss.as] JBoss AS 7.0.0.Final "Lightning" starting
08:35:26,164 INFO [org.jboss.as] creating http management service using network interface (management) port (9990) securePort (-1)
08:35:26,205 INFO [org.jboss.as.logging] Removing bootstrap log handlers
08:35:26,346 INFO [org.jboss.as.connector.subsystems.datasources] (Controller Boot Thread) Deploying JDBC-compliant driver class org.h2.Driver (version 1.2)
08:35:26,400 INFO [org.jboss.as.clustering.infinispan.subsystem] (Controller Boot Thread) Activating Infinispan subsystem.
08:35:26,715 INFO [org.jboss.as.naming] (Controller Boot Thread) Activating Naming Subsystem
08:35:26,752 INFO [org.jboss.as.naming] (MSC service thread 1-2) Starting Naming Service
08:35:26,763 INFO [org.jboss.as.osgi] (Controller Boot Thread) Activating OSGi Subsystem
08:35:26,829 INFO [org.jboss.as.security] (Controller Boot Thread) Activating Security Subsystem
08:35:26,868 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 3.2.0.Beta2
08:35:26,949 INFO [org.xnio] (MSC service thread 1-1) XNIO Version 3.0.0.Beta3
08:35:26,978 INFO [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.0.0.Beta3
08:35:27,702 INFO [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-1) The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/java/jdk1.6.0_23/jre/lib/i386/server:/opt/java/jdk1.6.0_23/jre/lib/i386:/opt/java/jdk1.6.0_23/jre/../lib/i386:/usr/lib64/qt-3.3/lib:/usr/lib64/qt-3.3/lib::/usr/java/packages/lib/i386:/lib:/usr/lib
08:35:27,742 INFO [org.jboss.as.jmx.JMXConnectorService] (MSC service thread 1-4) Starting remote JMX connector
08:35:27,751 INFO [org.jboss.as.ee] (Controller Boot Thread) Activating EE subsystem
08:35:27,863 INFO [org.jboss.as.remoting] (MSC service thread 1-2) Listening on /127.0.0.1:9999
08:35:28,250 INFO [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-3) Starting Coyote HTTP/1.1 on http--127.0.0.1-8080
08:35:28,708 INFO [org.jboss.as.connector] (MSC service thread 1-3) Starting JCA Subsystem (JBoss IronJacamar 1.0.0.CR2)
08:35:29,059 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) Bound data source [java:jboss/datasources/ExampleDS]
08:35:29,705 INFO [org.jboss.as.deployment] (MSC service thread 1-2) Started FileSystemDeploymentService for directory /home/anil/jboss-as-web-7.0.0.Final/standalone/deployments
08:35:29,782 INFO [org.jboss.as] (Controller Boot Thread) JBoss AS 7.0.0.Final "Lightning" started in 10435ms - Started 98 of 153 services (55 services are passive or on-demand)
08:35:29,826 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) Starting deployment of "idp.war"
08:35:29,826 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) Starting deployment of "picketlink-sts.war"
08:35:29,826 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) Starting deployment of "sales.war"
08:35:30,700 INFO [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-1) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
08:35:30,700 INFO [org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (MSC service thread 1-2) IDPWebBrowserSSOValve:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
08:35:30,756 INFO [org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve] (MSC service thread 1-2) Did not find picketlink-sts.xml. We will install default configuration
08:35:30,807 INFO [org.jboss.web] (MSC service thread 1-4) registering web context: /picketlink-sts
08:35:30,820 INFO [org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS] (MSC service thread 1-2) core-sts.xml configuration file loaded
08:35:30,851 INFO [org.jboss.web] (MSC service thread 1-1) registering web context: /sales
08:35:30,851 INFO [org.jboss.web] (MSC service thread 1-2) registering web context: /idp
08:35:30,892 INFO [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "picketlink-sts.war"
08:35:30,892 INFO [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "idp.war"
08:35:30,892 INFO [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployed "sales.war"
08:38:36,216 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) Starting deployment of "employee.war"
08:38:36,267 INFO [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-4) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
08:38:36,275 INFO [org.jboss.web] (MSC service thread 1-4) registering web context: /employee
08:38:36,283 INFO [org.jboss.as.server.controller] (DeploymentScanner-threads - 1) Deployed "employee.war"
08:40:31,451 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) Starting deployment of "sales-post.war"
08:40:31,504 INFO [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-2) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
08:40:31,514 INFO [org.jboss.web] (MSC service thread 1-2) registering web context: /sales-post
08:40:31,527 INFO [org.jboss.as.server.controller] (DeploymentScanner-threads - 1) Deployed "sales-post.war"
08:41:26,599 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) Starting deployment of "employee-post.war"
08:41:26,663 INFO [org.picketlink.identity.federation.bindings.tomcat.sp.BaseFormAuthenticator] (MSC service thread 1-4) BaseFormAuthenticator:: Setting the CanonicalizationMethod on XMLSignatureUtil::http://www.w3.org/2001/10/xml-exc-c14n#WithComments
08:41:26,677 INFO [org.jboss.web] (MSC service thread 1-4) registering web context: /employee-post
08:41:26,685 INFO [org.jboss.as.server.controller] (DeploymentScanner-threads - 1) Deployed "employee-post.war"
5. Access the sample web apps in browser tabs. When asked to log in, use user "tomcat" with password "tomcat":
http://localhost:8080/employee/
http://localhost:8080/sales-post/
http://localhost:8080/employee-post/
6. You should see SSO in action. The logout link performs a global logout, which logs you out at the IDP.
Additional Settings:
For JBoss AS 7.0.0.Final only (you should be using 7.0.1 and beyond):
In standalone.xml, right after the extensions element at the top, configure a system property.
<server name="xyz.home" xmlns="urn:jboss:domain:1.0">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        <extension module="org.jboss.as.clustering.jgroups"/>
        <extension module="org.jboss.as.connector"/>
        ....
        <extension module="org.torquebox.web"/>
    </extensions>
    <system-properties>
        <property name="org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR" value="false"/>
    </system-properties>
PicketLink IDP
The IDP web application provided by PicketLink is the Identity Provider. As a deployer, you should configure this web app for your organization's production use.
Note that when you log into the IDP directly, without first going through a service provider application, the IDP treats the interaction as SAML v1.1 and, once you are authenticated, takes you to a hosted section of the IDP. We provide a sample index dashboard page. The links on it have to be of the following format: each link points back at the IDP with a TARGET query parameter, and the IDP redirects to that target with an additional query parameter, SAMLResponse, that contains the SAML token.
<br/>
<a href="?TARGET=http%3A//localhost%3a8080/sales-saml11/">Sales</a>
<br/>
<a href="?TARGET=http%3A//localhost%3a8080/employee-saml11/">Employee</a>
Troubleshooting:
1. After authentication, the webapp shows "redirection failed".
Configure the system property as shown under Additional Settings.
2. I just cannot get it to work.
You can see an instance of AS 7.0 with the configuration, attached HERE.
How do I enable SSO for my web application?
First ensure that you have META-INF/jboss-deployment-structure.xml with:
<jboss-deployment-structure>
    <deployment>
        <!-- Add picketlink module dependency -->
        <dependencies>
            <module name="org.picketlink" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
Then in the WEB-INF directory, you will need a jboss-web.xml:
<jboss-web>
    <security-domain>sp</security-domain>
    <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator</class-name>
    </valve>
</jboss-web>
This does SAML POST binding. For the redirect binding, check the sales.war or employee.war settings.
Of course, you need a WEB-INF/picketlink-idfed.xml:
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
    <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
    <ServiceURL>${employee-post.url::http://localhost:8080/employee-post/}</ServiceURL>
</PicketLinkSP>
The service URL should be the URL of your webapp. You can set it as a system property; the default shown after the "::" is used when the system property is missing.
Another file, WEB-INF/picketlink-handlers.xml:
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
</Handlers>
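As an added example (not part of this article or of PicketLink itself), the following Python script validates the three WEB-INF files described in this section for one service provider web app: it confirms jboss-web.xml binds the app to the "sp" security domain with a PicketLink SP authenticator valve, resolves the ${property::default} placeholders in picketlink-idfed.xml the way the text above describes (system property if set, otherwise the default), checks that the resolved ServiceURL really points at the web app's own context path, and confirms picketlink-handlers.xml registers SAML2AuthenticationHandler. The embedded samples are the three files shown above; the function names, the "props" dictionary standing in for JVM system properties, and the problem messages are my own.

```python
"""Validate an SP web app's WEB-INF files for PicketLink SAML SSO and resolve the
${property::default} placeholders used in picketlink-idfed.xml.

Added example, not PicketLink code. The "props" dict stands in for the JVM system
properties (-D values) that PicketLink would consult at runtime.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

IDFED_NS = "urn:picketlink:identity-federation:config:1.0"
HANDLER_NS = "urn:picketlink:identity-federation:handler:config:1.0"
SP_VALVE_PKG = "org.picketlink.identity.federation.bindings.tomcat.sp."
AUTH_HANDLER = "org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"

# Constructed samples: the WEB-INF snippets shown in the article.
JBOSS_WEB = """<jboss-web>
  <security-domain>sp</security-domain>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator</class-name>
  </valve>
</jboss-web>"""

IDFED = """<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" ServerEnvironment="tomcat">
  <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
  <ServiceURL>${employee-post.url::http://localhost:8080/employee-post/}</ServiceURL>
</PicketLinkSP>"""

HANDLERS = """<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
</Handlers>"""

# ${name} or ${name::default}; the default may itself contain single colons (URLs).
PLACEHOLDER = re.compile(r"\$\{([^:}]+)(?:::([^}]*))?\}")


def resolve_placeholder(value, props):
    """Expand ${name::default}: use props[name] when set, otherwise the default."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in props:
            return props[name]
        if default is None:
            raise KeyError("system property %s is not set and has no default" % name)
        return default
    return PLACEHOLDER.sub(sub, value)


def check_sp_webapp(jboss_web_xml, idfed_xml, handlers_xml, context_path, props=None):
    """Return a report dict; report["problems"] is empty when the files are consistent."""
    props = props or {}
    problems = []

    jw = ET.fromstring(jboss_web_xml)
    domain = (jw.findtext("security-domain") or "").strip()
    valve = (jw.findtext("valve/class-name") or "").strip()
    if domain != "sp":
        problems.append("security-domain is %r, expected 'sp'" % domain)
    if not valve.startswith(SP_VALVE_PKG):
        problems.append("valve %r is not a PicketLink SP authenticator" % valve)

    sp = ET.fromstring(idfed_xml)
    idp_raw = sp.findtext("{%s}IdentityURL" % IDFED_NS) or ""
    svc_raw = sp.findtext("{%s}ServiceURL" % IDFED_NS) or ""
    if not idp_raw or not svc_raw:
        problems.append("picketlink-idfed.xml needs both IdentityURL and ServiceURL")
    identity_url = resolve_placeholder(idp_raw, props)
    service_url = resolve_placeholder(svc_raw, props)
    # The ServiceURL must be this web app's own URL, so its path is the context path.
    if urlparse(service_url).path.rstrip("/") != context_path.rstrip("/"):
        problems.append("ServiceURL %r does not point at context %r" % (service_url, context_path))

    hs = ET.fromstring(handlers_xml)
    handlers = [h.get("class") for h in hs.findall("{%s}Handler" % HANDLER_NS)]
    if AUTH_HANDLER not in handlers:
        problems.append("picketlink-handlers.xml lacks SAML2AuthenticationHandler")

    return {
        "security_domain": domain,
        "valve": valve,
        "identity_url": identity_url,
        "service_url": service_url,
        "handlers": handlers,
        "problems": problems,
    }


if __name__ == "__main__":
    report = check_sp_webapp(JBOSS_WEB, IDFED, HANDLERS, "/employee-post")
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

To check a deployed WAR, read its WEB-INF/jboss-web.xml, picketlink-idfed.xml and picketlink-handlers.xml and pass the deployment's context path; pass the -D values you start the server with as the props dictionary so the resolved IdentityURL and ServiceURL are the ones PicketLink will actually use.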