Service provider configuration under Tomcat for picketlink?
whennemuth Sep 22, 2014 8:47 PM
I have set up my IDP under JBoss.
It is working fine.
I now want to set up my SP under tomcat running separately.
I haven't been able to find any examples on how to do this, so I started to wing it.
I have been trying to adapt the following two links for tomcat:
- PicketLink getting started SAML/SSO
- Service Provider Authenticators - PicketLink - Project Documentation Editor
The steps I have taken are as follows:
1) Placed picketlink.xml in my WEB-INF dir with the following content:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                ServerEnvironment="tomcat" BindingType="POST">
    <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
    <ServiceURL>${portal2.url::http://localhost:8181/portal2/}</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>
2) Put a security constraint in my web.xml file as follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager command</web-resource-name>
    <url-pattern>/services/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
    <role-name>Sales</role-name>
    <role-name>Employee</role-name>
  </auth-constraint>
</security-constraint>
3) Put all of the picketlink jars and their javax/javaee6 dependencies on the classpath
4) Placed the appropriate valve in my context.xml file:
<?xml version='1.0' encoding='utf-8'?>
<Context
    displayName="abbdevportal2"
    docBase="C:/whennemuth/workspaces/abb_workspace/ABBWeb2/ABBWeb-TRUNK/target/abbdevportal2"
    reloadable="true"
    path="">
  <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"/>
  <!--
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator" disablingProxyCaching="false"/>
  -->
</Context>
I wasn't sure how to put in the SAML2LoginModule called for, because this app is running under tomcat, not jboss, and there is no jboss-web.xml:
<security-domain name="sp" cache-type="default">
  <authentication>
    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required" />
  </authentication>
</security-domain>
So, I tried to run the app to see what would happen.
The result is a "java.lang.ClassNotFoundException: org.apache.catalina.authenticator.FormAuthenticator" due to the ServiceProviderAuthenticator conflicting with it.
Anyway, I'm kinda stuck on this and was hoping someone might know how to proceed or where the relevant documentation is.
Thanks
Warren
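An added example, not part of the original post or of the PicketLink project: a small Python checker that parses the picketlink.xml shown in step 1, expands the `${property::default}` expressions the way the post's configuration relies on, and flags endpoint URLs that are plain HTTP (the SAML assertion would then cross the wire unencrypted). The `props` dictionary is an assumed stand-in for the Java system properties the real loader consults.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the picketlink.xml from the post above.
PICKETLINK_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                ServerEnvironment="tomcat" BindingType="POST">
    <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
    <ServiceURL>${portal2.url::http://localhost:8181/portal2/}</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
  </Handlers>
</PicketLink>"""

CFG_NS = "urn:picketlink:identity-federation:config:2.1"
HANDLER_NS = "urn:picketlink:identity-federation:handler:config:2.1"
# ${name} or ${name::default}; the name stops at the first colon.
EXPR = re.compile(r"\$\{([^:}]+)(?:::([^}]*))?\}")

def resolve(value, props):
    """Expand ${name::default}: a supplied property wins, otherwise the default."""
    def sub(match):
        name, default = match.group(1), match.group(2)
        if name in props:
            return props[name]
        if default is None:
            raise ValueError(f"no value for property {name}")
        return default
    return EXPR.sub(sub, value)

def audit_sp_config(xml_text, props=None):
    """Return resolved SP endpoints, binding, handler chain and any warnings."""
    props = props or {}          # assumed stand-in for Java system properties
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{CFG_NS}}}PicketLinkSP")
    result = {"warnings": []}
    for tag in ("IdentityURL", "ServiceURL"):
        url = resolve(sp.find(f"{{{CFG_NS}}}{tag}").text.strip(), props)
        result[tag] = url
        if url.startswith("http://"):
            result["warnings"].append(f"{tag} is plain HTTP: {url}")
    result["binding"] = sp.get("BindingType")
    result["handlers"] = [h.get("class").rsplit(".", 1)[-1]
                          for h in root.iter(f"{{{HANDLER_NS}}}Handler")]
    return result
```

Run with the post's defaults it reports both endpoints as plain HTTP; passing `{"idp.url": "https://..."}` shows how a deployment property overrides the baked-in default without editing the file.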