0 Replies Latest reply on Jul 30, 2013 10:55 AM by michael_s

    picketlink-as7-subsystem config : handler-parameter ignored?

    michael_s
    michael_s Jul 30, 2013 10:55 AM

      Hi,

       

      I'm trying to integrate an external IDP (PingFederate) into our new JBoss-Environment. It works fine with EAP 6.1.0 (PicketLink 2.1.6) and using the "traditional" configuration (->providing the picketlink.xml within WEB-INF as well as the security-domain + valve in jboss-web.xml + the module-dependency via jboss-deployment-structure).

       

      Now i'm moving to use the new as7-subsystem integration (picketlink-as7-extension-1.0.1.Final).

       

      It nearly works,  ... there's "only" one small problem left - i need to set the NameId-Format to ...entity for the SAML2AuthenticationHandler, otherwise a transient "userid" is sent back after successfull logon on the IDP which is useless for our apps. I just copied the handlers of my working picketlink.xml to the <service-provider>, like

       

       
      {code:xml}
      <service-provider alias="myapp-web.war" post-binding="true" security-domain="sp" url="http://localhost:8080/myapp/init" supportsSignatures="false" />
      <handlers>
           <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
           <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
           <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
                <handler-parameter name="NAMEID_FORMAT" value="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
           </handler>
           <handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
      {code}

       

      ...but it has no effect, the idp still returns a transient userid.

       

      After debugging & inspecting the 1.0.1.Final sources of the picketlink-as7-extension i think the problem lies in the org.picketlink.as.subsystem.service.AbstractEntityProviderService::configureHandlers()-method: It removes all the "common" handlers from the provided configuration (basically all of the handler above are "common" handlers...) - hence getting rid of my NAMEID_FORMAT parameter as well:

       

      {code:java}
      private void configureHandlers() {    
           List<Handler> handlers = getPicketLinkType().getHandlers().getHandler();
       
           // remove the common handlers from the configuration. leaving only the user defined handlers.
           for (Class commonHandlerClass : commonHandlersList) {
                for (Handler handler : new ArrayList<Handler>(handlers)) {
                     if (handler.getClazz().equals(commonHandlerClass.getName())) {
                          getPicketLinkType().getHandlers().remove(handler);
                     }
                }
           }
       
           getPicketLinkType().setHandlers(new Handlers());
       
           doAddHandlers();
       
           for (Handler handler : handlers) {
                getPicketLinkType().getHandlers().add(handler);
           }
       
      }
      {code}

       

       

      The ServiceProviderService::doAddHandlers() then add these handlers again - but only with a default-configuration.

       

      Did I miss something in my configuration or is this a bug ?

       

      Thanks in Advance,

      Michael