Oracle Authentication Management Assertion Role attribute parsing in the service provider
jbrhack Jul 25, 2017 6:41 PM
Hi,
for the Login Module, is there any specific configuration required to handle comma-separated values in a role specification? Using JBoss EAP 6.4 and Picketlink 2.7.1.Final I managed to integrate into the OAM using SAML. However, the Roles in the Assertion are a CSV list instead of a set of XML nodes. Users with just one role, e.g. 'ROLE_A', are able to log in as expected. However, users with more than one role, e.g. ROLE_A,ROLE_B, cannot log in. [Apologies for cross-posting in picketlink - I think this topic is better suited to this forum]
From the Assertion:
...
<saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ROLE_A,ROLE_B</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
...
Parsing error:
14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) Checking roles GenericPrincipal[some_user_x(ROLE_A,ROLE_B,)]
14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) JBWEB000016: User [some_user_x] does not have role [ROLE_A]
14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) No role found: ROLE_A ....
The configuration in my web.xml is:
<!-- BEGIN SAML Config -->
<security-constraint>
    <display-name>Security Constraint for all resources</display-name>
    <web-resource-collection>
        <web-resource-name>IdP SSO</web-resource-name>
        <url-pattern>Navigator</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_A</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login?error=true</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>The role that is required to log in</description>
    <role-name>ROLE_A</role-name>
</security-role>
<!-- END SAML Config -->
...
JBoss EAP is running as standalone - here is the configuration for the login modules:
<security-domain name="SP" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
    </authentication>
</security-domain>
And the picketlink configuration is:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" BindingType="POST">
        <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
            <Option Key="FileName" Value="/WEB-INF/classes/idp-metadata.xml"/>
        </MetaDataProvider>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
            <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        </Handler>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
    </Handlers>
</PicketLink>
Thanks
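As an added illustration (not code from the post, from PicketLink or from JBoss), the following Python script reproduces the mismatch shown in the realm log: a role mapper that takes each <saml:AttributeValue> node as one role ends up with the single string "ROLE_A,ROLE_B", which never equals the ROLE_A named in the auth-constraint, whereas splitting the CSV value before the role check restores the match. The assertion is a constructed sample built from the fragment quoted in the post (namespace declarations added so it parses on its own); the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the AttributeStatement quoted in the post;
# xmlns declarations are added so the fragment parses stand-alone.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Attribute Name="role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xsi:type="xs:string">ROLE_A,ROLE_B</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, attr_name):
    """Raw AttributeValue strings of the named attribute, one entry per
    <saml:AttributeValue> node (what a per-node role mapper sees)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((val.text or "").strip())
    return values


def split_csv_roles(values):
    """Expand CSV-packed values into individual roles: split on commas, trim
    whitespace, drop empty entries (e.g. a trailing comma), de-duplicate."""
    roles = []
    for value in values:
        for part in value.split(","):
            role = part.strip()
            if role and role not in roles:
                roles.append(role)
    return roles


def is_authorized(granted_roles, required_role):
    """Exact string match, as the container realm does for <auth-constraint>."""
    return required_role in granted_roles


if __name__ == "__main__":
    raw = attribute_values(SAMPLE_ASSERTION, "role")
    print("per-node roles:", raw, "ROLE_A?", is_authorized(raw, "ROLE_A"))
    split = split_csv_roles(raw)
    print("split roles:   ", split, "ROLE_A?", is_authorized(split, "ROLE_A"))
```

Only split attributes the IdP is known to emit as CSV; applying the split to every attribute would let a comma inside an otherwise single-valued role silently grant a role that was never asserted.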