2 Replies Latest reply on Mar 19, 2014 8:05 AM by advommen

    How to configure SP when no role is assigned by IdP?

    advommen

The Quickstarts, especially the sales-post SP, have been a great example for adding SSO to an existing web application.

      I use the IdP from the quickstarts, with users having roles defined in the resource roles.properties, and a <security-constraint> with a matching <auth-constraint>:

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>FDB Application</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>fdbuser</role-name>
              </auth-constraint>
          </security-constraint>

      This works as expected, but fails for users not having the fdbuser role.

      Various ways, for example removing the auth-constraint or matching it on the wildcard *, fail however.

      How can I configure my web application for a user NOT having a role from the IdP?

      The particular use case is that if the user can log in at the IdP, he must have access to the application. Inside the application we handle the authorization, based on the principal from org.jboss.security.SecurityContextAssociation.getPrincipal()