Seam, SAML, JAAS: How do I map IDP to an application user?
jonananas Sep 23, 2010 2:45 AM

I've been trying to add SAML authentication to my Seam application.
I want to add SAML authentication alongside regular username/password authentication in one Seam application.
I would also like to "map" the SAML token to a user in the application user store.
The application is a bit different from seam-sp in that we use JAAS instead of the authenticator; from components.xml:
{code:xml}
<security:identity remember-me="true" jaas-config-name="appSecurityPolicy" />
{code}
I'm having trouble understanding how to do this. My first approach was "hardcoding" the mapping in my own InternalAuthenticator.
From external-authentication-config.xml:
{code:xml}
<ServiceProvider protocol="http" hostname="localhost" internalAuthenticationMethod="#{fsokAuthenticator.internalAuthenticate}"...
{code}
{code}
import java.security.Principal;
import java.util.List;

import javax.ejb.Local;
import javax.ejb.Stateless;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;
// SamlPrincipal comes from the Seam external-authentication module; its package
// depends on the module version, so the import is not shown here.

@Name("fsokAuthenticator")
@Scope(ScopeType.STATELESS)
@Stateless
@Local(FsokInternalAuthenticatorLocal.class)
public class FsokInternalAuthenticator implements FsokInternalAuthenticatorLocal {

    @In
    Identity identity;

    @Logger
    Log log;

    // Called by the external-authentication module (internalAuthenticationMethod)
    // once the SAML response has been processed; returning true means "accepted".
    public boolean internalAuthenticate(Principal principal, List<String> roles) {
        if (principal instanceof SamlPrincipal) {
            SamlPrincipal samlPrincipal = (SamlPrincipal) principal;
            log.debug("Identity provider: " + samlPrincipal.getIdentityProvider().getEntityId());
            // Should only continue if IDP matches the one I trust...

            // Hardcoded mapping: every SAML user becomes this application user,
            // then the normal JAAS login is triggered with those credentials.
            Credentials credentials = identity.getCredentials();
            credentials.setUsername("username");
            credentials.setPassword("password");
            try {
                String login = identity.login();
                log.debug("After identity.login(): " + login);
            } catch (Exception ex) {
                log.debug("During identity.login(): ", ex);
                return false;
            }
            return true;
        }
        return false;
    }
}
{code}
However, I get an exception during login, but the user gets logged in when I return false, and not logged in when I return true!
That's weird, but never mind for now...
My question is this: I can't help thinking that I'm doing this all wrong. I should, for example, be able to stack another LoginModule to take care of the mapping between IDP and username,
but I can't really figure out how (my understanding is that JAAS gets invoked from Identity.login()?). Can you help?
Kind regards, Jonas
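The trust check and IdP-to-user mapping that the post wants to hardcode can be kept out of the authenticator in a small, Seam-independent class. The following is an added example, not the poster's code and not part of Seam or its external-authentication module. It assumes a stand-in interface (SamlAssertionView) for the two values the post reads from SamlPrincipal (the IdP entity ID and the asserted NameID); the entity IDs, NameIDs and local usernames below are constructed sample data. The point it shows is that the mapping key is the pair (issuer, NameID), so the same NameID asserted by a different IdP can never resolve to a local user, and that an untrusted issuer or an unmapped identity yields an empty result rather than any default user.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class SamlIdentityMapper {

    /** Stand-in (assumption) for the SamlPrincipal accessors used on the page. */
    public interface SamlAssertionView {
        String issuerEntityId(); // samlPrincipal.getIdentityProvider().getEntityId()
        String nameId();         // the subject NameID asserted by that IdP
    }

    /** Composite key: identities are scoped to their issuer, never by NameID alone. */
    private static String key(String issuer, String nameId) {
        return issuer + "\u0000" + nameId;
    }

    private final Set<String> trustedIssuers;
    private final Map<String, String> localUserByIssuerAndNameId;

    public SamlIdentityMapper(Set<String> trustedIssuers, Map<String, String> mappings) {
        this.trustedIssuers = Collections.unmodifiableSet(new HashSet<>(trustedIssuers));
        this.localUserByIssuerAndNameId = Collections.unmodifiableMap(new HashMap<>(mappings));
    }

    /** Builds one (issuer, NameID) -> local user entry for the constructor argument. */
    public static Map<String, String> mapping(String issuer, String nameId, String localUser) {
        return Collections.singletonMap(key(issuer, nameId), localUser);
    }

    /**
     * Returns the local application username for the asserted identity, or empty
     * when the issuer is not trusted or no mapping exists. Empty means "deny";
     * a caller such as internalAuthenticate would return false in that case.
     */
    public Optional<String> mapToLocalUser(SamlAssertionView view) {
        if (view == null || view.issuerEntityId() == null || view.nameId() == null) {
            return Optional.empty();
        }
        if (!trustedIssuers.contains(view.issuerEntityId())) {
            return Optional.empty(); // untrusted IdP: reject before any lookup
        }
        String local = localUserByIssuerAndNameId.get(key(view.issuerEntityId(), view.nameId()));
        return Optional.ofNullable(local);
    }

    // Constructed sample data for a stand-alone run.
    public static void main(String[] args) {
        String trustedIdp = "https://idp.example.test/metadata";
        Map<String, String> m = new HashMap<>(mapping(trustedIdp, "alice@example.test", "alice"));
        SamlIdentityMapper mapper = new SamlIdentityMapper(Collections.singleton(trustedIdp), m);

        SamlAssertionView fromTrustedIdp = view(trustedIdp, "alice@example.test");
        SamlAssertionView sameNameIdOtherIdp = view("https://other.example.test/metadata", "alice@example.test");
        SamlAssertionView unmappedUser = view(trustedIdp, "mallory@example.test");

        System.out.println("trusted IdP, mapped user : " + mapper.mapToLocalUser(fromTrustedIdp));
        System.out.println("other IdP, same NameID   : " + mapper.mapToLocalUser(sameNameIdOtherIdp));
        System.out.println("trusted IdP, unmapped    : " + mapper.mapToLocalUser(unmappedUser));
    }

    private static SamlAssertionView view(String issuer, String nameId) {
        return new SamlAssertionView() {
            public String issuerEntityId() { return issuer; }
            public String nameId() { return nameId; }
        };
    }
}
```

In the post's hook, the SamlPrincipal would be wrapped in a SamlAssertionView and the hook would return false whenever mapToLocalUser is empty; how the resolved local username is then handed to the JAAS stack is exactly the wiring the post asks about and is not shown here.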