2 Replies Latest reply on Apr 13, 2010 3:41 AM by Srividhya K

    need help with security_saml quickstart

    Srividhya K Newbie

      I am trying to configure the PicketLink STS based authentication in JBoss SOA Platform 5.0.0

      using the security_saml quickstart example


      using the help/steps provided in here http://community.jboss.org/wiki/JBossESBSAMLSupport


      I send a request to issueTokenService and get the following error.

           org.picketlink.identity.federation.core.wstrust.WSTrustException: Unable to find a token provider for the token request


      I have configured the saml-issue-token application policy as given in the quickstart. Can anyone help me figure out the issue ?


      Also, the readme of this quickstart says that  this quickstart only works with AS 5.1.0.GA or higher.  Could this be the issue ?


      This is my login-config. Can you please point if there is an issue with this configuration ?


      <application-policy name="saml-issue-token">
                  <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
                      <module-option name="configFile">META-INF/picketlink-sts.properties</module-option>
                      <module-option name="endpointURI">http://localhost:9888</module-option>
                      <module-option name="password-stacking">true</module-option>
                  <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
                      <module-option name="configFile">META-INF/picketlink-sts.properties</module-option>
                      <module-option name="password-stacking">useFirstPass</module-option>




        • 1. Re: need help with security_saml quickstart
          Daniel Bevenius Master



          please try this with AS 5.1.0.GA which was the version used when testing. Make sure that you have the quickstart working as is and then modify it or use it as a reference for configuring your version.



          org.picketlink.identity.federation.core.wstrust.WSTrustException: Unable to find a token provider for the token request

          This exception would be thrown if PicketLinkSTS cannot find a token provider matching the token being sent to it. You can see the configuration of the STS in the picketlink-sts.war:


          $ unzip -p picketlink-sts.war WEB-INF/classes/picketlink-sts.xml
          <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0"
          STSName="PicketLinkSTS" TokenTimeout="7200" EncryptToken="false">
          <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
          <Auth Key="KeyStoreURL" Value="sts_keystore.jks"/>
                      <Auth Key="KeyStorePass" Value="testpass"/>
                      <Auth Key="SigningKeyAlias" Value="sts"/>
                      <Auth Key="SigningKeyPass" Value="keypass"/>
                      <ValidatingAlias Key="http://services.testcorp.org/provider1" Value="service1"/>
                  <TokenProvider ProviderClass="org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider"




          If you still have an issue please modify the quickstart to reproduce this issue and I'll take a look at it.





          • 2. Re: need help with security_saml quickstart
            Srividhya K Newbie



            Thank you very much.


            I ran the quickstart as is and it worked fine.

            For my example, I had a different Service-Provider endpoint.


            Added the service-provider entry to picketlink-sts.xml


            <ServiceProvider Endpoint="http://localhost:8090/myserviceprovider" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"


            After this change, my esb application also worked fine.



            After adding the ServiceProvider entry to picketlink-sts.xml, I built the picketlink-sts.war again and deployed it.

            Is there any other mechanism to add the new service-provider entry ?