1 Reply Latest reply on Jun 17, 2014 12:53 PM by anil.saldhana

    Struggling with how IDP and STS work together.

    slopez01
    slopez01 Jun 13, 2014 8:02 PM

      Someone out there with more experience in picketlink can hopefully help me.

       

      I have the IDP set up and it's authenticating as expected and allowing access to the web resource.  I also have an STS configured for application to application communication, this works fine.

       

      I also understand that the IDP has an STS built into it for generating tokens.

       

      When using the STS, a call is made against a URL to validate the SAML token.  In the case of a web app, the IDP generates the SAML token, not the STS.  I can't find anything on the net that shows how the client should contact the STS in the IDP to authenticate a token.  Is there a URL or something that I'm missing.

       

      I have the IDP storing information via JPA but the STS does not seem to be able to use that for validation.

       

      So, I guess the question that I'm asking is how do these two work together.  Should I have the WSTrustClient call the IDP?  If so, where is the WSDL and URL for making the call?

       

      Any help is very much appreciated.

      • 132 Views
      • Tags:
        • 1. Re: Struggling with how IDP and STS work together.
          anil.saldhana
          anil.saldhana Jun 17, 2014 12:53 PM (in response to slopez01)

          One Use Case :-

          ===========

          When a PicketLink SP receives a SAML assertion from the IDP, we do save the assertion in the httpsession.

           

          Now in your application code, you can call EJBs using this SAML assertion (from httpsession) as token.  At the receiving end, the STS login modules that are configured for the EJB can validate this token via

          a) Check for issuer

          b) Check for expiration

          c) Validate the signature of the token

            • Actions