1 Reply Latest reply on Apr 19, 2013 3:41 PM by anil.saldhana

Problem to propagate SAML assertion to Web Service after IDP authentication

After experimenting a little with PicketLink components, we encounter the following problem.

The scenario we try to implement involves the following components:

An IDP and an STS server deployed on a JBoss EAP 5.1.2 (AS1);

A web application (A) whose resources (JSP) are protected by roles, deployed on a second JBoss EAP 5.1.2 (AS2). This application calls a web service (SA) whose methods are also protected by roles, deployed on a third JBoss EAP 5.1.2 server (AS3).

When a user logs in to the Service Provider (application A), we want his SAML assertion (returned by the IDP) to be used to call the web service SA (SAML propagation).

Our web application (A) uses ServiceProviderAuthenticator with redirect, and the SAML2LoginModule is configured on AS2 as explained in the PicketLink documentation.

We have configured the AS3 server with a SAML2STSLoginModule, which should call the STS server to validate the propagated SAML assertion and recreate a JAAS context.

We have also configured SAML handlers (SAML2Handler & co) both on the client side (A) and on the server side (SA).

When accessing application A, everything works fine (redirection to the IDP, authentication) and we get a SAML assertion back in the response. Role protection works fine.

However, when we try to call our web service SA from application A, we have a problem: SAML2Handler doesn't propagate the SAML assertion.

After reading the documentation and various posts on the PicketLink forum, our understanding is that, at the moment, the Web SSO stuff (IDP and SP) and the STS stuff are different worlds in PicketLink and are not quite well integrated:

SAML2Handler is looking for a SAML assertion either in the SOAP MessageContext under the key "org.picketlink.trust.saml.assertion" or in the JAAS Subject on the security context.

However, the SP components (ServiceProviderAuthenticator and SAML2LoginModule) don't create a Subject and a JAAS context compatible with the STS layer (SAML2Handler).

We tried different things proposed in various posts (from a custom SAML2LoginModule deployed on AS2 in order to create the expected Subject in the JAAS context for SAML propagation, to issuing a new SAML assertion by calling the STS server before calling the web service). None of this is satisfying or working.

Could you please point us to a viable solution? Do you have plans to better integrate the SP with SAML propagation (Web Service or EJB)? For which version?

Thanks a lot for your help!!
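The post says SAML2Handler looks for the assertion in the SOAP MessageContext under the key "org.picketlink.trust.saml.assertion". The example below is an added illustration, not PicketLink's or the poster's code, of the standard JAX-WS way to hand an assertion the SP already holds to the client-side handler chain under that key; the service QName, the SaPort interface and the idea that the assertion is available as a DOM Element are assumptions, and whether SAML2Handler accepts it from there is exactly what the thread asks.

```java
import java.net.URL;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import org.w3c.dom.Element;

/**
 * Added example (not PicketLink code): build a JAX-WS port for the SA web service and
 * place an already-obtained SAML assertion in the request context under the key the
 * forum post attributes to SAML2Handler. JAX-WS exposes request-context properties to
 * client-side SOAP handlers through the SOAPMessageContext, so a handler that reads
 * this key sees the assertion on every outbound call made through the port.
 */
public class SaClientFactory {

    // Key named in the post as the one SAML2Handler reads from the SOAP MessageContext.
    static final String SAML_ASSERTION_KEY = "org.picketlink.trust.saml.assertion";

    // Placeholder service QName; assumed, replace with the value from SA's generated artifacts.
    private static final QName SA_SERVICE = new QName("http://example.invalid/sa", "SaService");

    /** Placeholder SEI; assumed, stands in for the JAX-WS interface generated from SA's WSDL. */
    public interface SaPort { }

    public static SaPort createPort(URL wsdl, Element samlAssertion) {
        if (samlAssertion == null) {
            // Calling SA without an assertion would silently fall back to an unauthenticated
            // request and a confusing server-side failure, so refuse early instead.
            throw new IllegalStateException("no SAML assertion available for propagation");
        }
        if (!"Assertion".equals(samlAssertion.getLocalName())) {
            throw new IllegalArgumentException("expected a saml:Assertion element, got "
                    + samlAssertion.getLocalName());
        }

        Service service = Service.create(wsdl, SA_SERVICE);
        SaPort port = service.getPort(SaPort.class);

        // Request-context properties are copied into the MessageContext seen by the
        // client handler chain, which is where the post says SAML2Handler looks.
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(SAML_ASSERTION_KEY, samlAssertion);
        return port;
    }
}
```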