7 Replies Latest reply on Dec 24, 2011 6:43 PM by gthomas

    How to integrate Picketlink idp and database

    venkatesha k c Newbie

      I've created my own schema for users,roles and groups.

      Whenever a request redirected to IDP, i want to validate the user from database(SPI).

       

      I'm finding difficulty in integrating SPI and IDP, please provide yours thoughts.

        • 1. Re: How to integrate Picketlink idp and database
          Anil Saldanha Master

          On JBoss AS, just use the database jaas login modules.

          • 2. Re: How to integrate Picketlink idp and database
            venkatesha k c Newbie

            Thanks for the reply...

             

            my question is similar to http://community.jboss.org/message/603261#603261

             

            if you provide examples, will be more helpfull.

             

            Thanks

            • 3. Re: How to integrate Picketlink idp and database
              kenhuangus Newbie

              Did you get any response or find any solution on this question? I am facing the similar problem with LDAP as the identity store for IDP.

              • 4. Re: How to integrate Picketlink idp and database
                gthomas Newbie

                I am trying to use PicketLink Idp with OpenLdap and could not find any documentation on how to go about configuring PicketLink to use LDAP as the identity store. I have downloaded the latest version picketlink-2.0.1.final.zip and extracted the zip file under Jboss 5.1 deploy directory. How do I go about configuring PicketLink to use OpenLdap ?   I see references to configuration files, but am trying to figure out where to place these configuration files. Any help will be greatly appreciated !!

                 

                Regards,

                GT

                • 5. Re: How to integrate Picketlink idp and database
                  kenhuangus Newbie

                  The "idp" security domain is not defined in the login-config file and as such it will use the "other" which use UserRolesLoginModule. This login module use the property files. To use LDAP loging module, you can add something like the following in the login-config.xml file and make sure that your LDAP schema has the correct settings. It takes me a while to figure this out. I agree that there should be a good documentation on how to configure an IDP.

                   

                  <application-policy name="idp" >

                                      <authentication>

                                          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

                                                                                 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>

                                                <module-option name="java.naming.provider.url">ldap://yourLDAPHOST:1389/</module-option>                           

                                                       <module-option name="java.naming.security.authentication">simple</module-option>                       

                                                                      <module-option name="principalDNPrefix">cn=</module-option>    

                                                  <module-option name="principalDNSuffix">,ou=users, dc=FedEx,Dc=CGI,Dc=com</module-option> 

                                                   <module-option name="rolesCtxDN">ou=Groups,dc=FedEx,Dc=CGI,Dc=com</module-option> 

                                          <module-option name="roleFilter">(member={1})</module-option>

                                                 <module-option name="roleAttributeID">cn</module-option>

                                                      <module-option name="debug">true</module-option>              

                                                                     </login-module>

                                      </authentication>

                                  </application-policy>

                  • 6. Re: How to integrate Picketlink idp and database
                    gthomas Newbie

                    Thank you for your response. Since I could not figure out the LDAP configuration, I have used a database as the Identity store and ended up with a bunch of jbid_    tables. Hacked through some of the test cases from the source code and was able to populate the tables with a few test users. Does anyone how to retrieve the user and role information from the jbid_ tables for the idp security domain ?

                    Should I use JBossIdentityIDMLoginModule or the more generic DatabaseServerLoginModule ?

                     

                    <policy>

                    <application-policy name = "idp">

                    <authentication>

                    <login-module code = "org.jboss.identity.idm.auth.JBossIdentityIDMLoginModule" flag = "required">

                    <module-option name="identitySessionFactoryJNDIName">java:/IdentitySessionFactory</module-option>

                    <module-option name="realmName">realm://JBossIdentity</module-option>

                    <module-option name="roleGroupTypeName">GROUP</module-option>

                    <module-option name="additionalRole">Authenticated</module-option>

                    <module-option name="userEnabledAttributeName"></module-option>

                    <module-option name="associatedGroupType"></module-option>

                    <module-option name="associatedGroupName"></module-option>

                    <module-option name="validateUserNameCase"></module-option>

                    <module-option name="userNameToLowerCase"></module-option>

                    </login-module>

                    </authentication>

                    </application-policy>

                    </policy>

                     

                     

                    <policy>
                        <application-policy name="idp">
                            <authentication>
                                <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                                 flag="required">
                                    <module-option name="dsJndiName">java:/MyDatabaseDS</module-option>
                                    <module-option name="principalsQuery">
                                       ???????                               </module-option>
                                    <module-option name="rolesQuery">
                                       ??????????????  </module-option>
                                </login-module>
                            </authentication>
                        </application-policy>
                    </policy>

                    • 7. Re: How to integrate Picketlink idp and database
                      gthomas Newbie

                      Finally got my idp configuration working using the following entry in login-config.xml.

                       

                      <application-policy name = "idp">

                             <authentication>

                                <login-module code = "org.picketlink.idm.auth.JBossIdentityIDMLoginModule"

                                   flag = "required">

                                    <module-option name="identitySessionFactoryJNDIName">java:/IdentitySessionFactory</module-option>

                                    <module-option name="realmName">realm://JBossIdentity</module-option>

                                    <module-option name="roleGroupTypeName">GROUP</module-option>

                                    <module-option name="additionalRole">Authenticated</module-option>

                                    <module-option name="transactionAware">true</module-option>

                                </login-module>

                             </authentication>

                          </application-policy>