-
15. Re: Problem with SAML2AttributeHandler
anil.saldhana Feb 17, 2012 10:06 AM (in response to sfreed6533)
Have an article here: https://community.jboss.org/wiki/PicketLinkIDPUsingLDAPAttributes
-
16. Re: Problem with SAML2AttributeHandler
sfreed6533 Feb 17, 2012 3:01 PM (in response to anil.saldhana)
I have seen this page a hundred times and have tried different variations of what it is saying to do, but have been unsuccessful.
The directions here are not clear...
I need to find instructions on this..."Configure the security domain of the IDP to also include mapping configuration for attributes." Here is how I am trying to map attribute values with LdapAttributeMappingProvider.
    <application-policy name="idp">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient" >
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://localldaphost:389</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="java.naming.referral">follow</module-option>
                <module-option name="bindDN">CN=LDAPLOOKUP,CN=Users,DC=xxxx,DC=com</module-option>
                <module-option name="bindCredential">xxxx</module-option>
                <module-option name="baseCtxDN">DC=xxxx,DC=com</module-option>
                <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                <module-option name="rolesCtxDN">DC=xxxx,DC=com</module-option>
                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="roleRecursion">-1</module-option>
                <module-option name="searchTimeLimit">10000</module-option>
                <module-option name="allowEmptyPasswords">false</module-option>
                <module-option name="defaultRole">manager</module-option>
            </login-module>
        </authentication>
        <mapping>
            <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute"/>
            <module-option name="attributeList">mail, cn</module-option>
        </mapping>
    </application-policy>
BUT...
Every time I try to use the JBossAppServerAttributeManager class as the "ATTRIBUTE_MANAGER ", I get the following error...
java.lang.IllegalArgumentException: PL00092: Null Value:responseType is null
at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:227)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:641)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:383)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:662)
If I use the EmptyManager, everything works, but I get no values passed to the SP.
In my investigation, I think I am using an older version of the jboss-security.jar file, as I noticed that "MappingType.ATTRIBUTE" doesn't exist in the jar file I am using, although the value is used by the JBossAppServerAttributeManager.
I have a fresh install of jboss as 5.1.0 installed. Am I using a wrong version?
-
17. Re: Problem with SAML2AttributeHandler
anil.saldhana Feb 17, 2012 3:15 PM (in response to sfreed6533)
https://community.jboss.org/wiki/PicketLinkSTSLoginModules
Look at the mapping module configuration. In this case, you will need to use "type=attribute" as you are doing attribute mapping. Do it on the IDP security domain.
-
18. Re: Problem with SAML2AttributeHandler
sfreed6533 Feb 17, 2012 4:03 PM (in response to anil.saldhana)
Sorry Anil... I do not understand your response to my question.
I have posted my application policy from my login-config.xml. This can successfully authenticate and authorize me against our AD, and will successfully let me into our SP from our IDP app.
In my application policy, I have the mapping module defined, but do not think it's correct.
I am relatively new to JBoss, and have found too many different, conflicting examples.
I would like to see one example of how to map LDAP attributes so they are passed from IDP to SP.
-
19. Re: Problem with SAML2AttributeHandler
oourfali Feb 20, 2012 4:31 AM (in response to oourfali)
Hey Anil,
I'd appreciate if you look at the steps I posted above, and tell me what's the correct configuration.
Once you do that I'll be happy to add a wiki page in here that explains it all, with examples and etc.
It will be helpful knowing what's the minimal configuration requirements, and what can be done with the rest of the configuration options.
Thank you,
Oved
-
20. Re: Problem with SAML2AttributeHandler
gusong2540 Mar 3, 2012 6:25 AM (in response to sfreed6533)
Hi Shane,
I got almost the same issue as you met:
My situation may be a bit different in that I am tying my authentication to LDAP and need to pass some LDAP attributes (i.e. "mail" or "surname") to the SP from the IDP.
...
Every time I try to use the JBossAppServerAttributeManager class as the "ATTRIBUTE_MANAGER ", I get the following error...
java.lang.IllegalArgumentException: PL00092: Null Value:responseType is null
and I've searched the community, finding no solution.
I wonder if you have figured it out?
Thank you,
Song Gu
-
21. Re: Problem with SAML2AttributeHandler
pcraveiro Mar 3, 2012 11:10 PM (in response to sfreed6533)
Hi Song,
Take a look at this code and configuration to see if it helps.
This is the IDP configuration with a CustomSAMLAttributeManager and a CustomRoleGenerator (in this case you need to get the roles from somewhere else).
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0"
                   AttributeManager="CustomSAMLAttributeManager"
                   RoleGenerator="CustomRoleGenerator">
        ...
    </PicketLinkIDP>
This is the CustomSAMLAttributeManager, using a database to load the attributes for a specific user. You can change the logic to obtain the attributes from the LDAP.
    import java.security.Principal;
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.sql.DataSource;
    import org.picketlink.identity.federation.core.interfaces.AttributeManager;

    public class CustomSAMLAttributeManager implements AttributeManager {

        // Looks up the datasource bound under java:AttributesDS; a failed JNDI lookup is
        // reported as an SQLException instead of being swallowed and returning null.
        private Connection getConnection() throws SQLException {
            try {
                InitialContext ic = new InitialContext();
                DataSource ds = (DataSource) ic.lookup("java:AttributesDS");
                return ds.getConnection();
            } catch (NamingException e) {
                throw new SQLException("Datasource java:AttributesDS not found", e);
            }
        }

        // The user name is bound as a parameter, never concatenated into the SQL.
        private PreparedStatement getRolesStatement(Connection conn) throws SQLException {
            return conn.prepareStatement("select attr1, attr2 from some_table where userName = ?");
        }

        // Called by SAML2AttributeHandler with the ATTRIBUTE_KEYS configured for the handler.
        public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
            return getPrincipalAttributes(userPrincipal);
        }

        private HashMap<String, Object> getPrincipalAttributes(Principal userPrincipal) {
            HashMap<String, Object> attributes = new HashMap<String, Object>();
            Connection conn = null;
            PreparedStatement stm = null;
            ResultSet rs = null;
            try {
                conn = this.getConnection();
                stm = this.getRolesStatement(conn);
                stm.setString(1, userPrincipal.getName());
                rs = stm.executeQuery();
                if (rs.next()) {
                    // SAMLAttributesConstants holds the attribute names as they should appear in the assertion.
                    attributes.put(SAMLAttributesConstants.ATTR1, rs.getString("attr1"));
                    attributes.put(SAMLAttributesConstants.ATTR2, rs.getString("attr2"));
                }
            } catch (SQLException e) {
                throw new RuntimeException("Could not load attributes for " + userPrincipal.getName(), e);
            } finally {
                // cleanup resources
                try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
                try { if (stm != null) stm.close(); } catch (SQLException ignored) { }
                try { if (conn != null) conn.close(); } catch (SQLException ignored) { }
            }
            return attributes;
        }
    }
I hope this can help you in something.
Regards.
Pedro Silva
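As an added example (not Pedro's code and not part of PicketLink), here is the same AttributeManager contract backed by an LDAP lookup instead of a database, which is what this thread is ultimately after. The host, bind DN, credential and base DN are the placeholders used elsewhere in the thread; the AttributeManager interface and its getAttributes signature are the ones Pedro's class implements above.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.picketlink.identity.federation.core.interfaces.AttributeManager;

public class LdapAttributeManager implements AttributeManager {
    public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
        Map<String, Object> attributes = new HashMap<String, Object>();
        if (userPrincipal == null || attributeKeys == null || attributeKeys.isEmpty()) return attributes;
        // Assumed connection settings: host, bind DN, credential and base DN are the placeholders used in this thread.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localldaphost:389");
        env.put(Context.SECURITY_PRINCIPAL, "CN=LDAPLOOKUP,CN=Users,DC=xxxx,DC=com");
        env.put(Context.SECURITY_CREDENTIALS, "xxxx");
        String[] wanted = new String[attributeKeys.size()];
        for (int i = 0; i < wanted.length; i++) wanted[i] = attributeKeys.get(i).trim();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(wanted); // fetch only the keys listed under ATTRIBUTE_KEYS
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // The user name is passed as a filter argument ({0}), so JNDI escapes it; it is never concatenated into the filter.
            NamingEnumeration<SearchResult> results = ctx.search("DC=xxxx,DC=com", "(sAMAccountName={0})", new Object[] { userPrincipal.getName() }, sc);
            if (results.hasMore()) {
                SearchResult entry = results.next();
                for (String key : wanted) {
                    Attribute attr = entry.getAttributes().get(key);
                    if (attr != null) attributes.put(key, attr.get()); // first value of a single-valued attribute
                }
            }
        } catch (NamingException e) {
            throw new RuntimeException("LDAP attribute lookup failed for " + userPrincipal.getName(), e);
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
        return attributes;
    }
}
```

Reference it from the IDP configuration the same way Pedro's class is referenced (AttributeManager="LdapAttributeManager"), and keep ATTRIBUTE_KEYS on the SAML2AttributeHandler limited to the attributes the SP actually needs.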
-
22. Re: Problem with SAML2AttributeHandler
sfreed6533 Mar 6, 2012 3:11 PM (in response to gusong2540)
I did get the attributes to be returned from my LDAP via the Security Context using the following settings in my login-conf.xml...
    <application-policy name="idp">
        <authentication>
            <mapping>
                <mapping-module
                    code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider"
                    type="attribute">
                    <module-option name="attributeList">cn,mail,extensionAttribute3</module-option>
                    <module-option name="bindDN">CN=LDAPLOOKUP,CN=Users,DC=xxxx.com</module-option>
                    <module-option name="bindCredential">xxxxxxx</module-option>
                    <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                    <module-option name="java.naming.provider.url">ldap://localldaphost:389</module-option>
                    <module-option name="baseCtxDN">DC=xxxxx,DC=com</module-option>
                </mapping-module>
            </mapping>
            <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                <module-option name="java.naming.provider.url">ldap://localldaphost:389</module-option>
                <module-option name="java.naming.security.authentication">simple</module-option>
                <module-option name="java.naming.referral">follow</module-option>
                <module-option name="bindDN">CN=LDAPLOOKUP,CN=Users,DC=xxxxx,DC=com</module-option>
                <module-option name="bindCredential">xxxxx</module-option>
                <module-option name="baseCtxDN">DC=xxxxx,DC=com</module-option>
                <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                <module-option name="rolesCtxDN">DC=xxxxx,DC=com</module-option>
                <module-option name="roleFilter">(member={1})</module-option>
                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>
                <module-option name="roleRecursion">-1</module-option>
                <module-option name="searchTimeLimit">10000</module-option>
                <module-option name="allowEmptyPasswords">false</module-option>
                <module-option name="defaultRole">manager</module-option>
            </login-module>
        </authentication>
    </application-policy>
In my idp handlers I had the following settings for my SAMLAttributeHandler and my ATTRIBUTE_MANAGER. Notice the ATTRIBUTE_KEYS are the same as listed above.
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
        <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
        <Option Key="ATTRIBUTE_KEYS" Value="cn, mail, extensionAttribute3"/>
    </Handler>
The only change I made in the SAML2AttributeHandler was to download the Handler that Anil changed (listed in the post earlier) and change one method. Notice what I block commented out and in which method.
    @Override
    public void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException
    {
        super.initChainConfig(handlerChainConfig);
        log.trace("+++ initChainConfig begin +++ ");
        // Commented out of original code as this caused the Attribute Manager to be reset to the Tomcat Attribute Manager.
        /*
        Object config = this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION);
        if (config instanceof IDPType)
        {
            IDPType idpType = (IDPType) config;
            String attribStr = idpType.getAttributeManager();
            System.out.println("Instantiating = " + attribStr);
            this.insantiateAttributeManager(attribStr);
        }
        */
        log.trace("+++ initChainConfig end +++ ");
    }
I made no changes to the JBossAppServerAttributeManager, used it right as it was...
Now the only problem I have left is on the other posts about the Attribute handler being invoked in the chain AFTER the response is already sent. Makes no sense why it is doing that, but it is clear in my case that the attributes I am getting above are never sent on the first response, but only if the original assertion expires and the SP requests a resend. Weird but true, I am hoping someone can tell me how to fix that...
-
23. Re: Problem with SAML2AttributeHandler
gusong2540 Mar 7, 2012 8:36 AM (in response to pcraveiro)
Hi Pedro,
Thank you for your help.
Following your suggestion, I wrote a custom AttributeManager, instead of JBossAppServerAttributeManager, for attribute retrieval, and it works.
-
24. Re: Problem with SAML2AttributeHandler
gusong2540 Mar 7, 2012 8:54 AM (in response to sfreed6533)
Hi Shane,
Thank you for your response.
I followed your instructions step by step; however, I still got the following error:
java.lang.IllegalArgumentException: PL00092: Null Value:responseType is null
at org.picketlink.identity.federation.web.util.IDPWebRequestUtil.send(IDPWebRequestUtil.java:227)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.processSAMLRequestMessage(IDPWebBrowserSSOValve.java:664)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.invoke(IDPWebBrowserSSOValve.java:405)
at org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve.invoke(IDPSAMLDebugValve.java:59)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
But, after updating the content in SAML2AttributeHandler.java you mentioned, I wrote a custom AttributeManager as Pedro suggested.
And finally, I got what I want.