7 Replies Latest reply on Nov 16, 2012 9:23 AM by pcraveiro

    Are there any built-in attributes passed to AttributeManager?

    ndrw_cheung

      Hi. I have developed a Custom AttributeManager which retrieves attributes for a user using LDAP from eDirectory. I understand that we specify the attributes to be passed from the IDP to the SP in the picketlink.xml file on the IDP side (see below in green), but when I put debugging statements in my Custom Attribute Manager, I found that there is a set of attributes passed to the Attribute Manager that are NOT specified in my list of attributes (see below in red). My questions are: Where do these attributes come from? Who passes them in? Are they built-in? (I'm pretty sure it wasn't in my code or configuration knowingly, because some of the names of these unexpected attributes are not used in our eDirectory at all.) Is there a way to change them?

      Thanks for answering.

      -Andrew

      ---------------------------------------

      Details about my setup and code snippets are as follows:

      My setup:
      -PicketLink version 2.1.4
      -IDP runs on Tomcat (version 6.0.35), uses JNDIRealm that interacts with eDirectory.
      -Users are stored in eDirectory. The roles are stored in an attribute in the user object.
      -SP runs on JBoss EPP 5.2.1.

      ----------------

      picketlink.xml on IDP side:


      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true" AttributeManager="demo.eDirAttributeManager">
              <IdentityURL>http://localhost:8180/IDP/</IdentityURL>
              <Trust>
                  <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
              </Trust>
          </PicketLinkIDP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
                  <!-- <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.tomcat.TomcatAttributeManager"/> -->
                  <Option Key="ATTRIBUTE_MANAGER" Value="com.brookfieldres.SAML2.eDirAttributeManager"/>
                  <Option Key="ATTRIBUTE_KEYS" Value="cn,mail,title"/>
              </Handler>
          </Handlers>
          <!--
              The configuration below defines a token timeout and a clock skew. Both configurations will be used during the SAML Assertion creation.
              This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.
           -->
          <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="5000" ClockSkew="0">
              <TokenProviders>
                  <TokenProvider
                      ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
                      TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
                  <TokenProvider
                      ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                      TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
              </TokenProviders>
          </PicketLinkSTS>
      </PicketLink>


      ------------------

      context.xml :

      <Context>
          <Realm className="org.apache.catalina.realm.JNDIRealm" allRolesMode="strict" connectionName="cn=myuser,o=com" connectionPassword="hello123" connectionURL="ldap://MY_TREE:389" userBase="o=com" userRoleName="EmployeeTypeCt" userSearch="(cn={0})" userSubtree="true"/>
          <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve" />
          <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve" ignoreAttributesGeneration="false"/>
      </Context>

      ------------------

      eDirAttributeManager.java :

      [code snipped]

      // Called by the IDP for each authenticated user with the list of attribute keys to resolve.
      public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
          Map<String, Object> result = null;

          String cn = userPrincipal.getName();
          String[] attributes = attributeKeys.toArray(new String[0]);
          String[] arrMappedAttributes = new String[attributes.length];
          int i = 0;
          for (String tmpAttribute : attributes) {
              _Logger.info("DEBUG : looping through attributes : tmpAttribute = " + tmpAttribute);
              String mappedAttribute = "";   // eDirectory attribute name that tmpAttribute maps to
          }

          ...code to retrieve attributes from eDir


      -------------------------
      In the server.log on the IDP side :

      2012-11-08 08:59:26,571 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = mail
      2012-11-08 08:59:26,572 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = cn
      2012-11-08 08:59:26,573 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = commonname
      2012-11-08 08:59:26,573 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = givenname
      2012-11-08 08:59:26,574 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = surname
      2012-11-08 08:59:26,574 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = employeeType
      2012-11-08 08:59:26,575 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = employeeNumber
      2012-11-08 08:59:26,576 INFO  [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = facsimileTelephoneNumber

        • 1. Re: Are there any built-in attributes passed to AttributeManager?
          pcraveiro

          Hi,

          Yes, those attribute keys are automatically added during the IDP startup.

          When configuring the attribute manager, you have two options:

            • Use the AttributeManager attribute (PicketLinkIDP)
            • Use the SAML2AttributeHandler

          Which one to choose is a matter of configuration. If your manager does not need any specific configuration you can use the attribute. Otherwise you can use the handler, given that it allows you to provide additional configuration using the Option element.

          Regards.

          Pedro Igor

          • 2. Re: Are there any built-in attributes passed to AttributeManager?
            thofer

            Are there any examples of how to write an AttributeManager?

            I am trying to add some attributes to the SAML response at the IDP and retrieve these attributes at the SP. During deployment of the IDP my AttributeManager gets loaded ... the logging is called, but in the SAML response the attributes are missing. And how can I retrieve them at the SP side?

            Any hints?

            regards
            tom
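As an added illustration (not code from this thread or from PicketLink) of the kind of AttributeManager asked for above: a manager that resolves only the keys it can actually find, so the keys PicketLink registers itself at startup are skipped rather than breaking the SSO flow, and nothing beyond the resolved keys reaches the assertion. It assumes the interface lives in org.picketlink.identity.federation.core.interfaces (as in PicketLink 2.1) and uses a constructed in-memory map in place of the eDirectory query.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

import org.picketlink.identity.federation.core.interfaces.AttributeManager;

public class ExampleAttributeManager implements AttributeManager {

    private static final Logger LOG = Logger.getLogger(ExampleAttributeManager.class.getName());

    // Constructed sample data standing in for the eDirectory lookup; a real
    // implementation would search LDAP by the principal's cn here instead.
    private static final Map<String, Map<String, Object>> DIRECTORY = new HashMap<String, Map<String, Object>>();
    static {
        Map<String, Object> user = new HashMap<String, Object>();
        user.put("cn", "andrew");
        user.put("mail", "andrew@example.com");
        user.put("title", "Engineer");
        DIRECTORY.put("andrew", user);
    }

    /**
     * Called by the IDP with the keys from ATTRIBUTE_KEYS plus the keys PicketLink
     * registers itself at startup (commonname, givenname, ...). Only keys that
     * resolve to a value are returned: nothing unrequested reaches the assertion,
     * and a key the directory does not know never fails the request.
     */
    public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
        Map<String, Object> result = new HashMap<String, Object>();
        Map<String, Object> entry = userPrincipal == null ? null : DIRECTORY.get(userPrincipal.getName());
        if (entry == null || attributeKeys == null) {
            return result; // never return null: the handler iterates over the result
        }
        for (String key : attributeKeys) {
            Object value = entry.get(key);
            if (value != null) {
                result.put(key, value);
            } else {
                LOG.fine("no directory value for requested attribute key " + key);
            }
        }
        return result;
    }
}
```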

            • 3. Re: Are there any built-in attributes passed to AttributeManager?
              pcraveiro

              How did you configure your custom AttributeManager?

              Using the AttributeManager attribute (PicketLinkIDP element) or the SAML2AttributeHandler? The configuration you provided (picketlink.xml) shows that you're using both. That should work too.

              To handle the attributes at the SP side you can write a custom handler to process them or get them from the HttpSession as follows:

              • session.getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP)

              Please let me know if you get this working. That way we'll update the docs and put more details/examples about the attribute stuff.

              Regards.

              Pedro Igor
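An added example (not from this thread) of the SP-side lookup Pedro describes: a servlet that reads the attribute map the SP's SAML2AttributeHandler stores in the HttpSession after it has validated the assertion. It assumes GeneralConstants is org.picketlink.identity.federation.web.constants.GeneralConstants and that the map values are lists, which is why the code checks types instead of casting blindly.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.picketlink.identity.federation.web.constants.GeneralConstants;

public class ReleasedAttributesServlet extends HttpServlet {

    /**
     * Returns the first released value for an attribute key, or null if the session
     * holds no attribute map or the entry is absent. The map is written by the SP's
     * SAML2AttributeHandler after the assertion has been validated, which is why the
     * values are read from the session and never from anything the client sends.
     */
    static String firstValue(HttpSession session, String key) {
        if (session == null) {
            return null;
        }
        Object raw = session.getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP);
        if (!(raw instanceof Map)) {
            return null; // no attribute statement in the assertion, or not authenticated yet
        }
        Object values = ((Map<?, ?>) raw).get(key);
        if (values instanceof List) { // assumed shape: Map<String, List<Object>>
            List<?> list = (List<?>) values;
            return list.isEmpty() ? null : String.valueOf(list.get(0));
        }
        return values == null ? null : String.valueOf(values);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // getSession(false): never create a session here; only an authenticated one carries the map
        String mail = firstValue(req.getSession(false), "mail");
        resp.setContentType("text/plain");
        resp.getWriter().println(mail == null ? "no mail attribute released" : "mail=" + mail);
    }
}
```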

              • 4. Re: Are there any built-in attributes passed to AttributeManager?
                thofer

                Hi,

                thank you for the swift answer!

                The configuration that I use is as follows:

                picketlink.xml
                <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1" >
                    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
                        <IdentityURL>http://localhost:8080/idp/</IdentityURL>
                        <Trust>
                            <Domains>localhost,localhost:9190,localhost:8080</Domains>
                        </Trust>
                    </PicketLinkIDP>
                    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
                        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
                        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
                        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
                        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
                        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
                            <Option Key="ATTRIBUTE_MANAGER" Value="my.SAMLAttributeManager"/>
                        </Handler>
                    </Handlers>
                </PicketLink>

                I realized while checking the logs that the following misleading message occurs during IDP deployment:
                13:38:11,897 ERROR [org.picketlink.identity.federation] (MSC service thread 1-1) PLFED000238: AttributeManager set to my.SAMLAttributeManager
                13:38:11,897 ERROR [org.picketlink.identity.federation] (MSC service thread 1-1) PLFED000238: AttributeManager set to my.SAMLAttributeManager

                It is marked as an error message but it says exactly what I want to achieve.

                Another aspect coming to my mind: when and where can I check out the source code of PicketLink 2.1.5 and build it myself?

                Edit: I forgot to mention that the IDP is running on JBoss AS 7.1.1.

                regards
                tom

                • 5. Re: Are there any built-in attributes passed to AttributeManager?
                  pcraveiro

                  The log entry is wrong. It should be TRACE and not ERROR. I'll fix that.

                  Regarding the AttributeManager config, can you try to configure your custom AttributeManager using the PicketLinkIDP AttributeManager attribute? I'm suspecting we have an issue when using the handler config.

                  If it works, we can open a JIRA for that.

                  Regards.

                  Pedro Igor

                  • 6. Re: Are there any built-in attributes passed to AttributeManager?
                    thofer

                    Hey Pedro!

                    Thank you so much. Your suggestion made it work. I think there must be an explanation why there are two ways to configure the AttributeManager?! Can you tell me?
                    Could you also tell me where I can check out the source code of PicketLink 2.1.5? I tried the anonsvn, but it seems that the trunk of federation is 2.1.0 and cannot be built because of missing Maven repositories, but I think that I can fix the latter issue by myself.

                    Thank you again! I appreciate your help!

                    regards
                    tom

                    • 7. Re: Are there any built-in attributes passed to AttributeManager?
                      pcraveiro

                      The main difference between the two ways is how you configure additional options for the AttributeManager. Using the handler approach you have the Option element, which allows you to provide some custom config to your handler/attribute manager.

                      Opened a JIRA for the SAML2AttributeHandler issue:

                      Regarding the sources, we've moved them to GitHub:

                      Going to update the menu.

                      Thanks.
                      Pedro Igor