0 Replies Latest reply on Jun 8, 2012 3:51 AM by Stan Svec

    ESB project secured with SAML + roles

    Stan Svec Newbie

      Hi,

       

      I use SAML based authentication for an ESB service on the JBoss SOA-P 5.2 product:

       

      jboss-esb.xml

      <service category="ami" description="WS-TRUST example" invmScope="GLOBAL" name="name">
         <security callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSTokenCallbackHandler"
                 moduleName="saml-validate-token" rolesAllowed="STSClient">
          <property name="org.jboss.soa.esb.services.security.contextTimeout" value="0"/>
         </security>
      
      

       

      Authentication (SAML validation) works fine unless I use rolesAllowed attribute. I tried following settings but still it doesn't work:

       

      login-config.xml

       

      <application-policy name="saml-validate-token">
          <authentication>
              <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
                  <module-option name="configFile">/props/picketlink-sts-client.properties</module-option>
                  <!--<module-option name="password-stacking">useFirstPass</module-option>-->
                  <!--<module-option name="useOptionsCredentials">true</module-option>-->
                  <!--<module-option name="endpointURI">http://security_saml/endpoint</module-option>-->
              </login-module>
          </authentication>
          <mapping>
              <mapping-module
                  code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider"
                  type="principal" />
              <mapping-module
                  code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider"
                  type="role" />
          </mapping>
        </application-policy>
      

       

      Settings in the mapping element are ignored:

       

      org.jboss.soa.esb.services.security.SecurityServiceException: Caller did not belong to any of the rolesAllowed [STSClient]
           at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:558)
           at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:433)
           at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:550)
           at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      

       

      SAML token containes required role:

       

      <saml:Attribute Name='role'>
        <saml:AttributeValue>STSClient</saml:AttributeValue>
      </saml:Attribute>
      

       

      I also tried use different versions of Picketlink libraries without success.

       

      Does anyone have any idea why roles in SAML token are ignored? Thank you!