1 Reply Latest reply on Apr 2, 2010 12:58 PM by anil.saldhana

    STS and LDAP Attributes

    kirkm

      We have been looking at the use of Picketlink as a federated web services security solution. In going through some of the samples for the Identity provider we have seen articles or samples of how to get roles from an LDAP for inclusion as attributes into a SAML assertion. Does the STS provide such a capability? In a quick review of code, it does not appear that mechanisms are directly provided to do this, but the STS appears to be very extensible. It looks like a custom Claims Processor and possibly Token Provider modifications could be implemented to provide such a capability. Are there example claim processors available to use as a model? What other STS capabilities are provided to include attributes within the issued SAML assertions?


      Kirk   

        • 1. Re: STS and LDAP Attributes
          anil.saldhana

          Kirk, you are right. The IDP for the SAML Web Browser Profile support has the code to pick up attributes via the PicketBox Attribute Mapping mechanism. We have not extended those capabilities to the STS. The other feature we have just started looking at for the STS is the use of XACML Authorization requests/responses via SAML Attribute Statements. (http://community.jboss.org/message/534730#534730)


          I welcome you to provide a code submission to picketlink if you would like to bring the attribute mechanism to the STS. We need it for sure. But we may not work on it right away.