0 Replies. Latest reply: May 24, 2012 1:36 PM by Markus Plangg

    SAML2AttributeHandler configuration and Roles

    Markus Plangg

      Hi,
      I'm using DatabaseServerLoginModule on the IDP side of PicketLink and I'm trying to provide some attributes to the SP (first name, last name, email).
      The SAML2AttributeHandler shows some strange behaviour.
      When I add it to the configuration of the IDP:
      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
        <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
          <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
          <Trust>
            <Domains>localhost</Domains>
          </Trust>
        </PicketLinkIDP>
        <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
            <Option Key="ATTRIBUTE_KEYS" Value="username,firstName,lastName,email,userRoles" />
            <Option Key="ATTRIBUTE_MANAGER" Value="eu.myproject.idp.UserAttributeManager" />
          </Handler>
          <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        </Handlers>
      </PicketLink>

      the AttributeManager is not called at all. But when I add it as an attribute of the PicketLinkIDP element, it is called twice:
      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
        <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                       AttributeManager="eu.myproject.idp.UserAttributeManager">
          <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
      ...

      - First from DelegatedAttributeManager.getAttributes(Principal, List<String>) with the logged-in user principal and a lot of attributes I did not specify: [username, firstName, lastName, email, userRoles, mail, cn, commonname, givenname, surname, employeeType, employeeNumber, facsimileTelephoneNumber]

      - Then from SAML2AttributeHandler.handleRequestType(SAML2HandlerRequest, SAML2HandlerResponse) with userPrincipal == null and only the attributes I specified.
      Also, on the SP side, when I try to get the roles from the PolicyContext:
      import java.security.Principal;
      import java.util.Set;
      import javax.security.auth.Subject;
      import javax.security.jacc.PolicyContext;

      // JACC lookup of the caller Subject; PolicyContext.getContext declares PolicyContextException
      Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
      Set<Principal> principals = caller.getPrincipals();

      I get a Principal called "Roles" that contains all roles plus all attributes.
      Is my configuration wrong, or is this expected, or is it a bug?
      Cheers,

      Markus
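
An added example, not code from the original post or from the PicketLink project: a minimal implementation of the `eu.myproject.idp.UserAttributeManager` class referenced in the configuration above. It assumes the PicketLink 2.1 interface `org.picketlink.identity.federation.core.interfaces.AttributeManager`, whose single method `getAttributes(Principal, List<String>)` matches the call the post reports from DelegatedAttributeManager (check the package against your PicketLink version). The user table is constructed sample data standing in for whatever store DatabaseServerLoginModule authenticates against. The implementation guards against the null principal the post observes on the second call, and releases only the keys the handler actually asked for, so a longer default key list (mail, cn, givenname, ...) does not leak extra attributes into the assertion.

```java
package eu.myproject.idp;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Assumed PicketLink 2.1 interface; verify the package for your version.
import org.picketlink.identity.federation.core.interfaces.AttributeManager;

/**
 * Example AttributeManager for the IDP side (added example, not from the post).
 * Returns only the attributes requested via ATTRIBUTE_KEYS, looked up by the
 * authenticated principal's name. Never trusts anything from the SAML request
 * itself: the principal comes from the login module that already authenticated
 * the user.
 */
public class UserAttributeManager implements AttributeManager {

    // Constructed sample data in place of the real user store.
    private static final Map<String, Map<String, String>> USERS =
            new HashMap<String, Map<String, String>>();

    static {
        Map<String, String> alice = new HashMap<String, String>();
        alice.put("firstName", "Alice");
        alice.put("lastName", "Example");
        alice.put("email", "alice@example.org");
        alice.put("userRoles", "manager");
        USERS.put("alice", alice);
    }

    @Override
    public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
        Map<String, Object> result = new HashMap<String, Object>();

        // The handler can invoke this with a null principal (as the post
        // reports); answering with an empty map keeps the response path from
        // failing and, more importantly, never emits attributes for "nobody".
        if (userPrincipal == null || attributeKeys == null) {
            return Collections.unmodifiableMap(result);
        }

        String username = userPrincipal.getName();
        Map<String, String> record = USERS.get(username);
        if (record == null) {
            return Collections.unmodifiableMap(result);
        }

        // Release exactly the requested keys that exist for this user.
        // Unknown keys (cn, mail, employeeNumber, ...) are ignored rather
        // than guessed, so the SP sees only what ATTRIBUTE_KEYS lists.
        for (String key : attributeKeys) {
            if ("username".equals(key)) {
                result.put(key, username);
            } else if (record.containsKey(key)) {
                result.put(key, record.get(key));
            }
        }
        return Collections.unmodifiableMap(result);
    }
}
```

Wiring this class in via the `ATTRIBUTE_MANAGER` option of SAML2AttributeHandler (as in the first configuration above) is what the post attempts; whichever wiring your PicketLink version honours, the null-principal branch is the case to test first, since that is the call where a careless implementation would throw or, worse, return a default user's attributes.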