picketlink-as7-subsystem config : handler-parameter ignored?
michael_s Jul 30, 2013 10:55 AM

Hi,
I'm trying to integrate an external IDP (PingFederate) into our new JBoss-Environment. It works fine with EAP 6.1.0 (PicketLink 2.1.6) and using the "traditional" configuration (->providing the picketlink.xml within WEB-INF as well as the security-domain + valve in jboss-web.xml + the module-dependency via jboss-deployment-structure).
Now I'm moving to use the new as7-subsystem integration (picketlink-as7-extension-1.0.1.Final).
It nearly works, ... there's "only" one small problem left - I need to set the NameId-Format to ...entity for the SAML2AuthenticationHandler, otherwise a transient "userid" is sent back after successful logon on the IDP, which is useless for our apps. I just copied the handlers of my working picketlink.xml to the <service-provider>, like
{code:xml}
<service-provider alias="myapp-web.war" post-binding="true" security-domain="sp" url="http://localhost:8080/myapp/init" supportsSignatures="false">
    <handlers>
        <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
        <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
            <handler-parameter name="NAMEID_FORMAT" value="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
        </handler>
        <handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    </handlers>
</service-provider>
{code}
...but it has no effect; the IDP still returns a transient userid.
After debugging & inspecting the 1.0.1.Final sources of the picketlink-as7-extension I think the problem lies in the org.picketlink.as.subsystem.service.AbstractEntityProviderService::configureHandlers() method: it removes all the "common" handlers from the provided configuration (basically all of the handlers above are "common" handlers...) - hence getting rid of my NAMEID_FORMAT parameter as well:
{code:java}
private void configureHandlers() {
    List<Handler> handlers = getPicketLinkType().getHandlers().getHandler();

    // remove the common handlers from the configuration. leaving only the user defined handlers.
    for (Class commonHandlerClass : commonHandlersList) {
        for (Handler handler : new ArrayList<Handler>(handlers)) {
            if (handler.getClazz().equals(commonHandlerClass.getName())) {
                getPicketLinkType().getHandlers().remove(handler);
            }
        }
    }

    getPicketLinkType().setHandlers(new Handlers());

    doAddHandlers();

    for (Handler handler : handlers) {
        getPicketLinkType().getHandlers().add(handler);
    }
}
{code}
The ServiceProviderService::doAddHandlers() then adds these handlers again - but only with a default configuration.
Did I miss something in my configuration or is this a bug?
Thanks in Advance,
Michael
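The following is an added example, not code from the post above or from PicketLink: a simplified stand-alone model of the configureHandlers() flow the poster quotes, with a merged variant beside it. The Handler type, the COMMON list and the two configure methods are stand-ins written for this illustration; only the handler class names and the NAMEID_FORMAT parameter come from the post. It shows how removing user-defined "common" handlers and re-adding them with defaults silently drops the user's handler-parameter, and how keeping the user-supplied element for a common class preserves it.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: simplified model of the configureHandlers() / doAddHandlers()
// flow quoted in the post. Handler and COMMON are stand-ins, not PicketLink types.
public class HandlerConfigDemo {

    static final String AUTH_HANDLER =
        "org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler";
    static final String ROLES_HANDLER =
        "org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler";

    // One <handler> element: class name plus its <handler-parameter> children.
    static final class Handler {
        final String clazz;
        final Map<String, String> params = new LinkedHashMap<>();
        Handler(String clazz) { this.clazz = clazz; }
        Handler param(String name, String value) { params.put(name, value); return this; }
    }

    // Class names the subsystem registers on its own ("common" handlers).
    static final List<String> COMMON = List.of(AUTH_HANDLER, ROLES_HANDLER);

    // Mirrors the quoted logic: drop every user handler whose class is a common
    // handler, rebuild the list from defaults, then append what survived.
    // Any parameters attached to a common handler are lost in the first step.
    static List<Handler> configureAsPosted(List<Handler> userHandlers) {
        List<Handler> remaining = new ArrayList<>(userHandlers);
        remaining.removeIf(h -> COMMON.contains(h.clazz));
        List<Handler> effective = new ArrayList<>();
        for (String common : COMMON) {
            effective.add(new Handler(common)); // default configuration, no parameters
        }
        effective.addAll(remaining);
        return effective;
    }

    // Corrected variant: when the user supplied a handler for a common class,
    // keep the user's element (and its parameters) instead of the default.
    static List<Handler> configureMerged(List<Handler> userHandlers) {
        List<Handler> effective = new ArrayList<>();
        for (String common : COMMON) {
            Handler supplied = userHandlers.stream()
                .filter(h -> h.clazz.equals(common))
                .findFirst()
                .orElse(new Handler(common));
            effective.add(supplied);
        }
        for (Handler h : userHandlers) {
            if (!COMMON.contains(h.clazz)) {
                effective.add(h);
            }
        }
        return effective;
    }

    // Returns the NAMEID_FORMAT the authentication handler would actually use, or null.
    static String effectiveNameIdFormat(List<Handler> effective) {
        for (Handler h : effective) {
            if (h.clazz.equals(AUTH_HANDLER)) {
                return h.params.get("NAMEID_FORMAT");
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed input: the two parameter-relevant handlers from the post's <handlers> block.
        List<Handler> user = List.of(
            new Handler(AUTH_HANDLER)
                .param("NAMEID_FORMAT", "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"),
            new Handler(ROLES_HANDLER));

        // As posted: null (parameter dropped). Merged: the entity format survives.
        System.out.println("as posted : " + effectiveNameIdFormat(configureAsPosted(user)));
        System.out.println("merged    : " + effectiveNameIdFormat(configureMerged(user)));
    }
}
```

Running the class prints `null` for the as-posted flow and the entity URN for the merged flow, which is the behaviour difference the post describes: the parameter is present in the deployed configuration but absent from the effective handler chain, so the IDP keeps receiving a request without the requested NameID format.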