0 Replies Latest reply on May 24, 2012 1:36 PM by Markus Plangg

    SAML2AttributeHandler configuration and Roles

    Markus Plangg Newbie

      Hi,

       

      I'm using DatabaseServerLoginModule on the IDP side of picketlink and I try to provide some Attributes to the SP (Firstname, Lastname, email).

       

      The SAML2AttributeHandler shows some strange behaviour.

       

      When I add it to the configuration of the IDP

       

      {code:xml}

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

                <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">

                          <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>

                          <Trust>

                                    <Domains>localhost</Domains>

                          </Trust>

                </PicketLinkIDP>

                <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">

                          <Handler

                                    class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

                          <Handler

                                    class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />

                          <Handler

                                    class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">

                                    <Option Key="ATTRIBUTE_KEYS" Value="username,firstName,lastName,email,userRoles" />

                                    <Option Key="ATTRIBUTE_MANAGER" Value="eu.myproject.idp.UserAttributeManager" />

                          </Handler>

                          <Handler

                                    class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />

                </Handlers>

      </PicketLink>

      {code}

      the AttributeManager is not called at all. But when I add it as an attribute to the PicketLinkIDP element it is called twice.

       

      {code:xml}

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

                <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"

                          AttributeManager="eu.myproject.idp.UserAttributeManager">

                          <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>

      ...

      {code}

       

      - First from DelegatedAttributeManager.getAttributes(Principal, List<String>) with the logged in user principal and a lot of attributes I did not specify: [username, firstName, lastName, email, userRoles, mail, cn, commonname, givenname, surname, employeeType, employeeNumber, facsimileTelephoneNumber]

      - Then from SAML2AttributeHandler.handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse) with userPrincipal == null and only the attributes I specifed.

       

       

       

      Also on the SP side, when I try to get the roles from the PolicyContext

       

      {code}

      Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");

      Set<Principal> principals = caller.getPrincipals();

      {code}

      I get a Principal called "Roles" that contains all roles plus all attributes.

       

      I my configuration wrong or is this expected or a bug?

       

      Cheers,

      Markus