-
15. PingFederate integration
The build is almost ready. I need to write some wiki articles before I can give it out. expect soon.
-
16. PingFederate integration
Update - I've updated to the most recent 2.0 build (3/1/2011). The only remaining issue we have is that the PingFederate IdP is returning the subject as follows:
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://fedtst.xyz.com" SPNameQualifier="https://000.000.000.00/gctxyz/">wIz39SpwbRJ7znEhfVQLywVk24q</saml:NameID>
...
</saml:Subject>
This is because of the default in the authn request:
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient/>
I've seen the comment on the thread that this may be configurable in the future, but would this behavior be considered typical (i.e. the transient id returned is a one time id meant for entry only)?
-
17. PingFederate integration
Todd, please pick the build from 2nd March.
Also in your use case,
* You need to disable role picking at the SP from the IDP. Configure SAML2AuthenticationHandler in WEB-INF/picketlink-handlers.xml
https://issues.jboss.org/browse/PLFED-141
* You will need to configure an additional login module at the SP side that will generate the roles for the user id that came from the IDP.
Look inside picketlink-sp-jboss-beans.xml where the additional login module goes with the roles generated. (Please ask some JBossAS expert on this one).
* You will need to set the nameid format to persistent on the SP side by configuring the SAML2AuthenticationHandler.
https://issues.jboss.org/browse/PLFED-156
Good luck!!!
Don't hesitate to ask questions.
-
18. PingFederate integration
It looks like PLFED-156 isn't in the 3-Mar build. I've made the necessary changes to picketlink-handlers.xml:
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
<Option Key="DISABLE_ROLE_PICKING" Value="true"/>
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</Handler>
and the request is still sending 'transient':
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
AssertionConsumerServiceURL="https://0.000.000.00/xycontext/"
Destination="https://x.y.com/idp/SSO.saml2" ID="ID_90897d95-ddbd-44d1-9999-d8dfcf8dae95"
IssueInstant="2011-03-03T06:59:34.250-06:00"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<Issuer>https://0.000.000.00/xycontext/</Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
Otherwise, the login process is working correctly, just getting back a random userid for the subject (e.g. 'GOPB2K29C0427AS0ESk2fgphIdG').
-
19. PingFederate integration
Pick the latest build (3mar2011) and check it out. Report if there is still issue.
-
20. PingFederate integration
Todd, I am assuming that you made sufficient progress.
Please do not forget the guide for our wiki as contribution. Many souls in the future will thank you.
-
21. Re: PingFederate integration
Absolutely - after the latest build, authentication works flawlessly. Thanks for your significant support with this.
The only item that we're not sure of how to handle are the attributes that are included in the SAML Response. You alluded earlier that we'll have to configure a login module to access those. Is that accurate or is there something standard that could be done? I have read that the attribute handling is limited. Best Regards.
-
22. Re: PingFederate integration
What you got from the IDP is a "username". So you took care of authenticating the user.
Now your service provider has a certain roles configured for the application in web.xml.
Now you need to configure something like the following on the service provider side (in JBoss AS).
<application-policy name="sp">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
<login-module code="db/ldap login module" flag="sufficient">
</login-module>
</authentication>
</application-policy>
The db/ldap login module should be one of the standard JBoss login modules to get the roles from DB/ldap.
-
23. Re: PingFederate integration
Actually what I meant was the additional attributes about the user such as email address, department, organization, etc. in the response. These attributes are necessary for driving additional business logic. Currently they don't have the capability to send any roles (that would have any meaning in the new system). They look like the following in the response:
<saml:AuthnStatement AuthnInstant="2011-03-14T14:53:16.343Z" SessionIndex="G9nBKKvEjGgjqLjIcKiilVYuigC">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="zipcode">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_zipcode</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="street">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_street</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="state">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_state</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="lastname">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_lastname</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="firstname">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_firstname</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="telephonenumber">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_telephonenumber</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="billtoid">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_billtoid</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="city">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_city</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="email">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_email@xyz.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="contractnumber">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">asptest_contractnumber</saml:AttributeValue>
</saml:Attribute>
-
24. Re: PingFederate integration
In that case, you have to write a handler (very similar to the SAML2AuthenticationHandler etc) that peeks into the SAML message and plucks out all these attributes and puts it on the http session. Then your business logic can pick it up from the session.
I have a feature request on this one:
https://issues.jboss.org/browse/PLFED-159
Maybe next week...
-
-
26. PingFederate integration
Ok. Pick the latest build from today and on the SP side, configure the SAML2AttributeHandler after the auth handler. You will get a session map for use in your business app as outlined in https://issues.jboss.org/browse/PLFED-159
Good luck and come back with a guide for the wiki.
-
27. Re: PingFederate integration
Does the response (showing the attributes several replies above) look like what's expected?
I put the attribute handler in (after auth handler):
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler" />
In a JSP, after I logged in, I see only the last attribute value:
This (in JSP):
<%
Map<String, List<Object>> sessionMap = (Map<String, List<Object>>)
request.getSession().getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP);
%>
<%= sessionMap.toString() %>
outputs:
{null=[asptest_contractnumber]}
which happens to be the last attribute. I want to make sure there's nothing obvious I'm missing.
I just looked at the code in SAML2AttributeHandler#handleIDPResponse(). Could it be that it's dependent on friendlyName (which our response doesn't have)?
-
28. PingFederate integration
I will beef up my test cases and see if there is a bug. Should have a build tomorrow. Quite close.
-
29. PingFederate integration
I edited my earlier response after posting. This is probably it:
I just looked at the code in SAML2AttributeHandler#handleIDPResponse(). Could it be that it's dependent on friendlyName (which our response doesn't have)?