0 Replies Latest reply on Feb 21, 2017 1:00 PM by richard.sand

    SAML Service Provider on EAP 7.0

    richard.sand

      Hi all-

       

      I am trying to use EAP 7.0 as a SAML Service Provider, have it "mostly" configured but am having problems at the last step when the application I've deployed as the SP is throwing a 403. I'm having trouble getting debug logs out of JBoss/PicketLink to further troubleshoot.

       

      The federation flow works mostly - I start at my SP application. The signed authnRequest is going to my IDP (which is not JBoss). The IDP is accepting the request, challenging me to log in, and then generating the signed assertion and POST'ing it back to my SP application on JBoss. At this point I receive the 403.

       

      So I know that the PicketLink subsystem (which I configured via the JBoss console) is deployed and working, otherwise I'd never get the signed authnRequest in the first place.

       

      Now I'm trying to squeeze some debugging out so I can troubleshoot further. I've found some older documentation that references an attribute EnableAuditing in picketlink.xml, but this obviously predates the subsystem configuration method.

       

      I've tried creating a log file for PicketLink, and the log file contains messages from org.picketlink.common, but that's it. No messages are created from the actual federation activity, even the authnRequest creation.

       

      My standalone.xml file contains the following new elements (all created via the console, except the logging portion):

       

            <periodic-rotating-file-handler name="PICKETLINK" autoflush="true">
                <formatter>
                    <named-formatter name="PATTERN"/>
                </formatter>
                <file relative-to="jboss.server.log.dir" path="picketlink.log"/>
                <suffix value=".yyyy-MM-dd"/>
                <append value="true"/>
            </periodic-rotating-file-handler>
            <logger category="org.picketlink">
                <level name="DEBUG"/>
                <handlers>
                    <handler name="PICKETLINK"/>
                </handlers>
            </logger>

       

      and the PicketLink subsystem:

       

       

        <subsystem xmlns="urn:jboss:domain:picketlink-federation:2.0">
            <federation name="jboss-sp">
                <identity-provider name="my-idp" url="https://********" security-domain="sp" external="true" support-signatures="true">
                    <trust>
                        <trust-domain name="***"/>
                        <trust-domain name="***:18080"/>
                        <trust-domain name="***:18443"/>
                    </trust>
                </identity-provider>
                <service-providers>
                    <service-provider name="testapp-war-0.0.5-SNAPSHOT-default.war" security-domain="sp" url="http://***:18080/testapp/protected"/>
                    <service-provider name="testapp-war-0.0.5-SNAPSHOT-secured.war" security-domain="sp" url="http://***:18080/testapp/protected" support-signatures="true"/>
                </service-providers>
                <key-store file="D:\\JBoss\\SSL\\samplepartner.jks" password="password" sign-key-alias="samplepartner" sign-key-password="password">
                    <keys>
                        <key name="***" host="***"/>
                    </keys>
                </key-store>
            </federation>
        </subsystem>

       

      Any advice appreciated, thanks!
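When the SP answers the IdP's POST with a 403 and the server logs say nothing, the next best source of evidence is the SAMLResponse form value itself. The script below is an added example for this thread, not code from the original post and not PicketLink code: it base64-decodes a SAMLResponse, then reports the structural checks a SAML 2.0 service provider makes before it accepts a bearer assertion (Status, Issuer against the trust-domain list, Destination, Recipient, Audience, validity window, and whether the Response and Assertion carry a ds:Signature element). The sample response, its hosts (sp.example.test, idp.example.test), IDs and signature placeholders are all constructed; the rule that an Issuer is trusted when its host or host:port appears in the trust-domain list is an assumption about how the PicketLink list is matched, not something the thread states. Signature contents are not verified, only their presence.

```python
"""Decode the SAMLResponse an IdP POSTs to an SP and report the checks a
SAML 2.0 service provider makes before accepting the bearer assertion.
Added example for this thread; not PicketLink code. The sample response,
its hosts, IDs and signature placeholders are all constructed."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (hypothetical hosts): a signed Response carrying a signed
# Assertion, addressed to the protected URL of an SP. Signature contents are
# placeholders; this example checks signature presence, not validity.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2017-02-21T17:55:00Z" InResponseTo="_req1"
    Destination="http://sp.example.test:18080/testapp/protected">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2017-02-21T17:55:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2017-02-21T18:00:00Z"
            Recipient="http://sp.example.test:18080/testapp/protected"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-21T17:50:00Z" NotOnOrAfter="2017-02-21T18:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://sp.example.test:18080/testapp/protected</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2017-02-21T17:55:00Z (no fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_saml_response(b64_value, sp_url, trust_domains, now):
    """Map each SP-side check to True/False for one posted SAMLResponse.

    trust_domains stands in for the <trust-domain name=.../> list of the
    PicketLink subsystem; here the Issuer counts as trusted when its host or
    host:port appears in that list (an assumption about how PicketLink matches
    the list, not something the thread states). `now` is passed in so the
    check is deterministic; a real SP also tolerates some clock skew.
    """
    root = ET.fromstring(base64.b64decode(b64_value))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions not handled here)")

    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    parsed = urlparse(issuer)
    issuer_names = {parsed.hostname or issuer, parsed.netloc or issuer}

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    audiences = [(a.text or "").strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None

    return {
        "status_success": status is not None and status.get("Value") == SUCCESS,
        "issuer_trusted": bool(issuer_names & set(trust_domains)),
        "destination_matches_sp": root.get("Destination") == sp_url,
        "recipient_matches_sp": scd is not None and scd.get("Recipient") == sp_url,
        "audience_matches_sp": sp_url in audiences,
        "within_validity_window": (nb is None or _ts(nb) <= now) and (noa is None or now < _ts(noa)),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }


def failed_checks(b64_value, sp_url, trust_domains, now):
    """Sorted names of the checks that fail; an empty list means the response passes
    every structural check (signature validity still needs a real XML-DSig verifier)."""
    results = inspect_saml_response(b64_value, sp_url, trust_domains, now)
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    when = _ts("2017-02-21T17:55:30Z")
    sp = "http://sp.example.test:18080/testapp/protected"
    print(failed_checks(SAMPLE_SAMLRESPONSE_B64, sp, {"idp.example.test"}, when))
    print(failed_checks(SAMPLE_SAMLRESPONSE_B64, sp, {"other.example.test"}, when))
```

To use it on a live flow, capture the SAMLResponse value from the browser's POST to the SP (URL-decoded), pass it with the exact `url` of the `<service-provider>` element and the `<trust-domain>` names from the subsystem, and read off which checks fail; a mismatch in Destination, Recipient or Audience against the configured SP URL, or an Issuer host absent from the trust list, is visible in the message itself without any server-side logging.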