0 Replies Latest reply on Oct 11, 2016 2:56 PM by tim.kutz

    Supporting SAML 2.0 Extensions - Async SLO

    tim.kutz

      We are currently running an IdP using PicketLink 2.1.6, on JBoss AS 7.2, along with several applications running as SPs on a variety of technologies.  We've successfully leveraged several other extension points within PicketLink in the past, including custom AttributeManagers, and most recently, a replacement Authenticator Valve which implements two-factor authentication with integration to Entrust APIs.  Now, a new application we are looking to incorporate as another SP is requiring that we also support the SAML Asynchronous Single Logout extension, the specification for which can be referenced here:

      SAML V2.0 Asynchronous Single Logout Profile Extension Version 1.0

      In order to use this specification, the LogoutRequest must include an XML element in the Extensions element, which comes from an additional schema beyond that used by core SAML.  Unfortunately, including this extension appears to break the parsing within PicketLink, as the referenced schema isn't included in the JAXP parsing context.  I've traced through to locate the code where the schema sources are initialized, hoping to locate an extension point, but it appears these schemas are defined in static code, in the class org.picketlink.identity.federation.core.util.SchemaManagerUtil.

      I believe that, if I could get the additional schema loaded into the JAXP context to allow the SAML to be parsed correctly, the rest of the necessary support could be done by implementing a new Handler class, which would replace the org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler class, but it appears that altering the parsing with additional schema references will end up being significantly more invasive.

      Is there a recommended approach for this?  Am I missing an extension point I could leverage?  I wasn't able to locate anything about including extension schema in the documentation.  I had hoped the code would lead me to it, but it looks like a dead end. 

      Tim Kutz

      Principal Software Architect

      Boston Children's Hospital
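
As an added illustration (not code from the post, and not PicketLink's own code): a namespace-aware check, of the kind a replacement SAML2LogOutHandler would need, that detects the aslo:Asynchronous element inside samlp:Extensions of a LogoutRequest without depending on the schema being registered in the JAXP validation context. The aslo namespace URI is the one defined by the linked OASIS profile; the class name and the sample request are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AsyncSloInspector {
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Namespace of <aslo:Asynchronous/> as defined by the OASIS Asynchronous SLO Profile Extension.
    static final String ASLO_NS = "urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo";

    /** True when the LogoutRequest carries <aslo:Asynchronous/> in a direct <samlp:Extensions> child. */
    public static boolean requestsAsyncLogout(String logoutRequestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Inbound SAML is attacker-influenced XML: refuse DTDs and external entities (XXE defence).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(logoutRequestXml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if (!SAMLP_NS.equals(root.getNamespaceURI()) || !"LogoutRequest".equals(root.getLocalName())) {
            throw new IllegalArgumentException("not a samlp:LogoutRequest");
        }
        NodeList exts = root.getElementsByTagNameNS(SAMLP_NS, "Extensions");
        for (int i = 0; i < exts.getLength(); i++) {
            Element ext = (Element) exts.item(i);
            if (ext.getParentNode() != root) continue; // ignore nested look-alikes
            if (ext.getElementsByTagNameNS(ASLO_NS, "Asynchronous").getLength() > 0) return true;
        }
        return false; // plain SLO: the handler should answer with a LogoutResponse as usual
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request, not a message captured from a real SP.
        String req = "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP_NS + "\" xmlns:saml=\"" + SAML_NS + "\""
                + " ID=\"_constructed-1\" Version=\"2.0\" IssueInstant=\"2016-10-11T14:56:00Z\">"
                + "<saml:Issuer>https://sp.example.org/sp</saml:Issuer>"
                + "<samlp:Extensions><aslo:Asynchronous xmlns:aslo=\"" + ASLO_NS + "\"/></samlp:Extensions>"
                + "<saml:NameID>user@example.org</saml:NameID></samlp:LogoutRequest>";
        System.out.println("async SLO requested: " + requestsAsyncLogout(req));
    }
}
```

When the element is present the requester does not expect a LogoutResponse, so a handler built on this check would terminate the IdP session and stop rather than redirecting back to the SP.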