5 Replies Latest reply on Aug 26, 2014 12:05 AM by pcraveiro

    How to configure SAML2AttributeHandler

    jezelinside

      Hi All!

      I have a strange issue with SAML2AttributeHandler. Here is my custom manager:

      {code:java}
      import java.security.Principal;
      import java.util.HashMap;
      import java.util.List;
      import java.util.Map;

      import org.picketlink.identity.federation.core.interfaces.AttributeManager;

      public class MyCustomAttributeManager implements AttributeManager {

          @Override
          public Map<String, Object> getAttributes(final Principal userPrincipal, final List<String> attributeKeys) {
              final Map<String, Object> res = new HashMap<String, Object>();

              // attributeKeys holds the names listed in the handler's ATTRIBUTE_KEYS option
              for (String s : attributeKeys) {
                  System.err.println(s);
              }

              System.err.println("Hello, world !");
              res.put("HELLO", "WORLD");
              res.put("WORLD", "HELLO");
              return res;
          }
      }
      {code}

       

      This manager is configured in my picketlink.xml (IDP-side) like this:

      {code:xml}
      <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
              <Option Key="ATTRIBUTE_MANAGER" Value="some.package.MyCustomAttributeManager" />
              <Option Key="ATTRIBUTE_KEYS" Value="HELLO,WORLD" />
          </Handler>
      </Handlers>
      {code}

       

      On the SP-side, I tried to decode these custom attributes using session.getAttribute(GeneralConstants.SESSION_ATTRIBUTES_MAP); but the only thing I got was the last role of the current user:

      *SESSION_ATTRIBUTE_MAP={Role=[VISAS]}*

      If I decode the SAML message, this is what I get so far:

       

      {code:xml}
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          Destination="http://localhost:8080/my-service-provider/"
          ID="ID_d4c2de93-7336-403a-9902-de3886e61afa"
          InResponseTo="ID_58df5b38-2025-4de9-89ff-6364ea9ff865"
          IssueInstant="2013-02-13T07:02:06.423Z"
          Version="2.0">
          <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>
          <samlp:Status>
              <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
          </samlp:Status>
          <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_95a254f3-e447-4e9b-8091-5082182e8337" IssueInstant="2013-02-13T07:02:06.422Z" Version="2.0">
              <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>
              <saml:Subject>
                  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">JEZELINSIDE</saml:NameID>
                  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                      <saml:SubjectConfirmationData InResponseTo="ID_58df5b38-2025-4de9-89ff-6364ea9ff865" NotOnOrAfter="2013-02-13T07:02:11.422Z" Recipient="http://localhost:8080/my-service-provider/"/>
                  </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Conditions NotBefore="2013-02-13T07:02:06.422Z" NotOnOrAfter="2013-02-13T07:02:11.422Z">
                  <saml:AudienceRestriction>
                      <saml:Audience>http://localhost:8080/my-service-provider/</saml:Audience>
                  </saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement AuthnInstant="2013-02-13T07:02:06.423Z">
                  <saml:AuthnContext>
                      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                  </saml:AuthnContext>
              </saml:AuthnStatement>
              <saml:AttributeStatement>
                  <saml:Attribute Name="Role">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOME</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute Name="Role">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ACCREDITED</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute Name="Role">
                      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VISAS</saml:AttributeValue>
                  </saml:Attribute>
              </saml:AttributeStatement>
          </saml:Assertion>
      </samlp:Response>
      {code}

       

      As you can see, the SAML message doesn't contain the custom attributes (that is, "HELLO" and "WORLD" with their corresponding values). Moreover, the SESSION_ATTRIBUTE_MAP seems to be polluted by the roles (but only the last one).

      Has anyone already experienced such behaviour? Any clue about what might be wrong?

      Regards, Julien
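An added SP-side check, not code from this thread or from PicketLink, that parses an attribute statement shaped like the response above: it shows how a map keyed by attribute name keeps only the last of the three separate Role elements (the Role=[VISAS] seen in the session map), how merging repeated names keeps all three roles, and which of the configured ATTRIBUTE_KEYS never reached the assertion. The sample response is a constructed, trimmed copy of the one quoted in the post.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the SAML 2.0 response quoted in the post.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a trimmed copy of the response above, keeping the
# three separate <saml:Attribute Name="Role"> elements and no HELLO/WORLD.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_sample" Version="2.0">
  <saml:Assertion ID="ID_sample_assertion" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="Role"><saml:AttributeValue>SOME</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>ACCREDITED</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>VISAS</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _attributes(response_xml):
    """Yield (Name, [values]) for each <saml:Attribute> in every AttributeStatement."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        yield attr.get("Name"), values

def last_wins_attributes(response_xml):
    """Plain assignment keyed by Name: each repeated Role element overwrites the
    previous one, which is how only Role=[VISAS] survives in the session map."""
    result = {}
    for name, values in _attributes(response_xml):
        result[name] = values
    return result

def merged_attributes(response_xml):
    """Append values of repeated Names so a multi-valued attribute that the IDP
    emitted as several elements is kept whole."""
    result = {}
    for name, values in _attributes(response_xml):
        result.setdefault(name, []).extend(values)
    return result

def missing_keys(response_xml, expected_keys):
    """Which of the IDP's configured ATTRIBUTE_KEYS never made it into the assertion."""
    present = merged_attributes(response_xml)
    return [key for key in expected_keys if key not in present]
```

Running missing_keys(SAMPLE_RESPONSE, ["HELLO", "WORLD"]) against a decoded response is a quick way to confirm whether the attribute manager's values were ever put on the wire before debugging the SP side.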

       

        • 1. Re: How to configure SAML2AttributeHandler
          jezelinside

          Update: If I remove the SAML2AttributeHandler entirely from the picketlink.xml file (as well as the ATTRIBUTE_GENERATOR custom option) and replace it with the attributeGenerator attribute on the <Handlers /> tag, I managed to receive my key/value pairs (HELLO=WORLD & WORLD=HELLO) on the SP side.

          But I also noticed that 2 new roles ('HELLO' and 'WORLD') appeared on the SP side, alongside the real roles 'SOME', 'ACCREDITED' and 'VISAS'. Does that ring a bell?

          • 2. Re: How to configure SAML2AttributeHandler
            rhuiser

            Hi,

            I managed to reproduce your issue, but I cannot verify your solution:

            "If I remove the SAML2AttributeHandler entirely from the picketlink.xml file (as well as the ATTRIBUTE_GENERATOR custom option) and replace it with the attributeGenerator attribute on the <Handlers /> tag, I managed to receive my key/value pairs (HELLO=WORLD & WORLD=HELLO) on the SP side."

            Could you provide me with the version and the exact picketlink.xml configuration?

            Thanks,

            Robin


            • 3. Re: How to configure SAML2AttributeHandler
              hodrigohamalho

              I'm having this same problem.

              Please give more details about your solution.

            • 4. Re: How to configure SAML2AttributeHandler
              hodrigohamalho

              I solved it! o/

              For it to work, you need to put the SAML2AttributeHandler at the beginning of the Handlers tag. Something like this:

              {code:xml}
              <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
                      <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.handler.SAML2CustomAttributeHandler"></Option>
                      <Option Key="ATTRIBUTE_KEYS" Value="HELLO, WORD" />
                  </Handler>
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              </Handlers>
              {code}

              • 5. Re: How to configure SAML2AttributeHandler
                pcraveiro

                Hey Guys,

                What about the AttributeManager attribute in the PicketLinkIDP element?

                https://docs.jboss.org/author/display/PLINK/Identity+Provider+Configuration

                Did you try that?

                Regards.