SAML2AttributeHandler configuration and Roles
mksplg May 24, 2012 1:36 PM
Hi,
I'm using DatabaseServerLoginModule on the IDP side of picketlink and I try to provide some Attributes to the SP (Firstname, Lastname, email).
The SAML2AttributeHandler shows some strange behaviour.
When I add it to the configuration of the IDP
{code:xml}
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
<IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
<Trust>
<Domains>localhost</Domains>
</Trust>
</PicketLinkIDP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
<Option Key="ATTRIBUTE_KEYS" Value="username,firstName,lastName,email,userRoles" />
<Option Key="ATTRIBUTE_MANAGER" Value="eu.myproject.idp.UserAttributeManager" />
</Handler>
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
</Handlers>
</PicketLink>
{code}
the AttributeManager is not called at all. But when I add it as an attribute to the PicketLinkIDP element it is called twice.
{code:xml}
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
AttributeManager="eu.myproject.idp.UserAttributeManager">
<IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
...
{code}
- First from DelegatedAttributeManager.getAttributes(Principal, List<String>) with the logged in user principal and a lot of attributes I did not specify: [username, firstName, lastName, email, userRoles, mail, cn, commonname, givenname, surname, employeeType, employeeNumber, facsimileTelephoneNumber]
- Then from SAML2AttributeHandler.handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse) with userPrincipal == null and only the attributes I specified.
Also on the SP side, when I try to get the roles from the PolicyContext
{code:java}
Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
Set<Principal> principals = caller.getPrincipals();
{code}
I get a Principal called "Roles" that contains all roles plus all attributes.
Is my configuration wrong, or is this expected, or a bug?
Cheers,
Markus
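As an added illustration (not code from the original post or from PicketLink itself), this is the kind of AttributeManager the configuration above wires in, written to handle the userPrincipal == null call the poster observed by releasing nothing. The interface's package name is assumed from PicketLink 2.1, and the user store is a constructed in-memory map standing in for the DatabaseServerLoginModule's database.

```java
package eu.myproject.idp;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Assumed interface location for PicketLink 2.1 (not taken from the post).
import org.picketlink.identity.federation.core.interfaces.AttributeManager;

public class UserAttributeManager implements AttributeManager {

    // Constructed sample data keyed by username; a stand-in for the
    // database behind DatabaseServerLoginModule.
    private static final Map<String, Map<String, Object>> USERS =
            new HashMap<String, Map<String, Object>>();
    static {
        Map<String, Object> markus = new HashMap<String, Object>();
        markus.put("firstName", "Markus");
        markus.put("lastName", "Example");
        markus.put("email", "markus@example.invalid");
        markus.put("userRoles", Arrays.asList("user", "editor"));
        USERS.put("markus", markus);
    }

    public Map<String, Object> getAttributes(Principal userPrincipal,
                                             List<String> attributeKeys) {
        // A call without an authenticated principal (as seen from
        // handleRequestType) must not guess a user: release no attributes.
        if (userPrincipal == null || attributeKeys == null) {
            return Collections.emptyMap();
        }
        Map<String, Object> stored = USERS.get(userPrincipal.getName());
        if (stored == null) {
            return Collections.emptyMap();
        }
        // Return only the requested keys that exist for this user; keys from
        // the broad default list (mail, cn, givenname, ...) are simply skipped.
        Map<String, Object> released = new HashMap<String, Object>();
        for (String key : attributeKeys) {
            if ("username".equals(key)) {
                released.put(key, userPrincipal.getName());
            } else if (stored.get(key) != null) {
                released.put(key, stored.get(key));
            }
        }
        return released;
    }
}
```

Whether the manager is reached at all still depends on where it is registered; the class above only governs what is released once it is called.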