We are currently overhauling the security on all our applications, converting everything to SAML/SSO using PicketLink. I have been able to set up the sample IDP along with the sample applications and converted some of our applications. The apps I've converted so far are mostly similar in architecture to the samples: JSP with a security domain that handles the Service Provider HTTP redirect to the IDP. Next I'm trying to convert some of the SEAM applications and can't seem to find a good example of how this would work.
The documentation for adding SAML and OpenID to Seam (http://community.jboss.org/wiki/HowtoaddSAMLandOpenIDauthenticationtoyourSeamapplication) relies on external IDPs and the user selecting the IDP to use. Instead, we want to use the PicketLink IDP we have configured internally and to have all unauthenticated requests forwarded to it automatically, similar to how the examples for the non-SEAM apps work. I tried modifying the seam-sp example to point at the internal IDP, but I'm stuck on how the saml-entities.xml file would be configured for the PicketLink IDP.
But given how different the seam-sp example is from how we want it to work, I'm wondering if I would be better off adding the valves for the SPRedirectFormAuthenticator, etc., to get back the principal as we do in the other applications, and then using that to populate the Seam Identity (if that's even possible).
For a little insight into how things are configured:
The IDP is currently configured to authenticate against a number of LDAP trees/forests. Initially it does a Kerberos SSO using SPNEGO (JBoss Negotiation), falling back on the user entering their login information for improperly configured browsers. It then uses that login to pull back the roles (LdapExtLoginModule) across the various LDAP sources. The IDP is currently on the same JBoss instance as the SP apps it supports, but the current plan is to move it to its own servers/domain for production.
The SP apps number several dozen, spread across a few server farms and using a number of different technologies, each to different extents, including JSP, SEAM, EJB, and WS, all of which we eventually hope to get using the same IDP for SSO.
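As an added example that is not part of the original post, and not PicketLink's or Seam's own code, here is one way the approach floated above (let the SPRedirectFormAuthenticator valve establish the container principal, then mirror it into Seam) could be wired in a Seam 2 application. It assumes the valve and security domain are already configured in jboss-web.xml exactly as in the non-SEAM apps that were converted, that the Seam 2.2 `Identity` API is in use, and that the component name `containerIdentityBridge`, the package, and the role names are placeholders.

```java
// Added example, not from the original post: a Seam 2 component that
// bridges the container principal established by the PicketLink
// SPRedirectFormAuthenticator valve into Seam's Identity.
// Assumptions: Seam 2.2 Identity API, the JSF ExternalContext as the
// source of the principal, the valve already configured in jboss-web.xml,
// and placeholder component/package/role names.
package example.security; // hypothetical package

import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.Identity;

@Name("containerIdentityBridge") // hypothetical component name
@Scope(ScopeType.EVENT)
public class ContainerIdentityBridge {

    // The servlet API cannot enumerate a user's roles; it can only answer
    // isUserInRole() for a name you already know. List the application's
    // roles here (placeholder values) so they can be mirrored into Seam.
    private static final List<String> KNOWN_ROLES =
            Arrays.asList("manager", "employee", "admin");

    /**
     * Wired as a page action in pages.xml, e.g.
     *   <page view-id="*"><action execute="#{containerIdentityBridge.sync}"/></page>
     * so it runs before every view. Because the valve already redirected any
     * unauthenticated request to the IDP, a null principal here means the
     * container did not authenticate, and Seam must not be marked logged in.
     */
    public void sync() {
        Identity identity = Identity.instance();
        if (identity.isLoggedIn()) {
            return; // Identity is session-scoped: already bridged for this session
        }
        FacesContext fc = FacesContext.getCurrentInstance();
        if (fc == null) {
            return; // not inside a JSF request; nothing to bridge
        }
        ExternalContext ext = fc.getExternalContext();
        Principal principal = ext.getUserPrincipal();
        if (principal == null) {
            return; // container has not authenticated this request
        }
        // Trust the container (and therefore the IDP's SAML assertion) for
        // authentication instead of re-running Seam's credential-based login.
        identity.acceptExternallyAuthenticatedPrincipal(principal);
        // Copy only the roles the container actually confirms for this user.
        for (String role : KNOWN_ROLES) {
            if (ext.isUserInRole(role)) {
                identity.addRole(role);
            }
        }
    }
}
```

Once the principal and roles are in `Identity`, Seam's usual restrictions (`#{s:hasRole('manager')}`, `@Restrict`) work unchanged, and the IDP remains the only place credentials are ever entered. The role list is the weak point of this approach: a role the IDP returns but this list omits is silently dropped, so keep it in sync with the roles the LdapExtLoginModule is configured to emit.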