How to configure SAML2AttributeHandler
jezelinside Feb 13, 2013 2:31 AM
Hi All!
I have a strange issue with SAML2AttributeHandler. Here is my custom manager:
{code:java}
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.picketlink.identity.federation.core.interfaces.AttributeManager;

public class MyCustomAttributeManager implements AttributeManager {

    @Override
    public Map<String, Object> getAttributes(final Principal userPrincipal, final List<String> attributeKeys) {
        final Map<String, Object> res = new HashMap<String, Object>();
        // Log the keys the handler asks for (ATTRIBUTE_KEYS from picketlink.xml)
        for (String s : attributeKeys) {
            System.err.println(s);
        }
        System.err.println("Hello, world !");
        // Fixed test values for the two configured keys
        res.put("HELLO", "WORLD");
        res.put("WORLD", "HELLO");
        return res;
    }
}
{code}
This manager is configured in my picketlink.xml (IDP-side) like this:
{code:xml}
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
        <Option Key="ATTRIBUTE_MANAGER" Value="some.package.MyCustomAttributeManager" />
        <Option Key="ATTRIBUTE_KEYS" Value="HELLO,WORLD" />
    </Handler>
</Handlers>
{code}
On the SP-side, I tried to decode these custom attributes using {{session.getAttribute(GeneralConstants.SESSION_ATTRIBUTES_MAP)}}, but the only thing I got was the last role of the current user:
*SESSION_ATTRIBUTE_MAP={Role=[VISAS]}*
If I decode the SAML message, this is what I got so far:
{code:xml}
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Destination="http://localhost:8080/my-service-provider/"
        ID="ID_d4c2de93-7336-403a-9902-de3886e61afa"
        InResponseTo="ID_58df5b38-2025-4de9-89ff-6364ea9ff865"
        IssueInstant="2013-02-13T07:02:06.423Z"
        Version="2.0">
    <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_95a254f3-e447-4e9b-8091-5082182e8337" IssueInstant="2013-02-13T07:02:06.422Z" Version="2.0">
        <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">JEZELINSIDE</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="ID_58df5b38-2025-4de9-89ff-6364ea9ff865" NotOnOrAfter="2013-02-13T07:02:11.422Z" Recipient="http://localhost:8080/my-service-provider/"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2013-02-13T07:02:06.422Z" NotOnOrAfter="2013-02-13T07:02:11.422Z">
            <saml:AudienceRestriction>
                <saml:Audience>http://localhost:8080/my-service-provider/</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2013-02-13T07:02:06.423Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="Role">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOME</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ACCREDITED</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VISAS</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
{code}
As you can see, the SAML message doesn't contain the custom attributes (that is, "HELLO" and "WORLD" with their corresponding values). Moreover, the SESSION_ATTRIBUTE_MAP seems to be polluted by the roles (but only the last one).
Has anyone already experienced such behaviour? Any clue about what might be wrong?
Regards, Julien
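Added example, not part of Julien's post and not PicketLink code: a small Python diagnostic an SP operator can run against a decoded Response like the one above. It parses the AttributeStatement keeping every value of a repeated attribute (the three Role entries), and lists which of the IdP's configured ATTRIBUTE_KEYS are absent from the assertion, which is the first thing to confirm before looking at the SP session map. The embedded response is a trimmed copy of the post's XML (constructed sample). The "last-wins" function is only a hypothesis about how a single-valued map keyed by attribute name would end up as {Role=[VISAS]}; the post does not confirm that this is what the SP handler does. Parse untrusted XML with defusedxml rather than the stdlib parser.

```python
"""Diagnose a decoded SAML 2.0 Response: group multi-valued attributes correctly
and report expected attribute keys the IdP did not send."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the post's response trimmed to the elements used here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="http://localhost:8080/my-service-provider/"
    ID="ID_d4c2de93-7336-403a-9902-de3886e61afa"
    IssueInstant="2013-02-13T07:02:06.423Z" Version="2.0">
  <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ID_95a254f3-e447-4e9b-8091-5082182e8337"
      IssueInstant="2013-02-13T07:02:06.422Z" Version="2.0">
    <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="Role">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">SOME</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">ACCREDITED</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">VISAS</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _attribute_elements(xml_text):
    """Yield every <saml:Attribute> under an AttributeStatement.
    The Assertion declares the assertion namespace both as default and with
    the saml: prefix; both resolve to the same URI, so one path matches all."""
    root = ET.fromstring(xml_text)
    return root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)


def _values(attr):
    return [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]


def parse_attributes(xml_text):
    """Multi-valued view: attribute Name -> list of all its AttributeValue texts."""
    attrs = {}
    for attr in _attribute_elements(xml_text):
        attrs.setdefault(attr.get("Name"), []).extend(_values(attr))
    return attrs


def collapse_per_attribute(xml_text):
    """Hypothetical lossy view (assumption, not confirmed PicketLink behaviour):
    one put() per <Attribute> keyed by Name, so a repeated Name keeps only its
    last occurrence. Reproduces the {Role=[VISAS]} map the post reports."""
    flat = {}
    for attr in _attribute_elements(xml_text):
        flat[attr.get("Name")] = _values(attr)
    return flat


def missing_attributes(attrs, expected_keys):
    """Keys the SP expects (the IdP's ATTRIBUTE_KEYS) that are absent from the assertion."""
    return [key for key in expected_keys if key not in attrs]


if __name__ == "__main__":
    grouped = parse_attributes(SAMPLE_RESPONSE)
    print("all attribute values:", grouped)
    print("last-wins view:", collapse_per_attribute(SAMPLE_RESPONSE))
    print("configured keys not sent by the IdP:",
          missing_attributes(grouped, ["HELLO", "WORLD"]))
```

On the post's response the script reports Role with all three values, the last-wins view as {Role=[VISAS]}, and HELLO and WORLD as missing, which separates the two questions in the post: the IdP never emitted the custom attributes, and the SP-side map additionally drops all but one value of a repeated attribute name.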