2 Replies Latest reply: Jun 29, 2012 12:20 PM by Régis Ramillien RSS

    Picketlink as SP and Portwise as IDP + SAML: Cannot get roles

    Régis Ramillien Newbie

      Hello,

       

      I'm new to Identity Federation, SAML, etc. So excuse me if this is a newbie question, but...

       

      I try to make a federation identity between a JBOSS AS 5 as SP using Picketlink and a Portwise as an IDP.

       

      I followed the documentation to configure the Jboss and everything works fine (good job on the doc !) except that I always get a 403...

       

      I think (but not sure) that's because the roles are not returned correctly by the Portwise or not read correctly by Picketlink or because a configuration is missing somewhere (but where ?).

       

      I configured Portwise to send me the roles as an attribute. This give me something like this in its SAML response:

      <saml:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myRole</saml:AttributeValue>

      </saml:Attribute>

       

      My picketlink.xml file is very simple:

      <?xml version="1.0" encoding="UTF-8"?>

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0">

              <IdentityURL>https://......./</IdentityURL>

              <ServiceURL>http://........./</ServiceURL>

          </PicketLinkSP>

          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />

          </Handlers>

      </PicketLink>

       

      And the context.xml is even simpler:

      <?xml version="1.0" encoding="UTF-8"?>

      <Context>

          <Valve

              className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />

      </Context>

       

      Of course, I configured the web.xml to handle the security role

      <security-role>

              <role-name>myRole</role-name>

          </security-role>

       

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>Restricted Area</web-resource-name>

                  <url-pattern>/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>myRole</role-name>

              </auth-constraint>

          </security-constraint>

       

          <login-config>

              <auth-method>FORM</auth-method>

              <realm-name>Portwise SAML v2 Test</realm-name>

              <form-login-config>

                  <form-login-page>/login.jsp</form-login-page>

                  <form-error-page>/loginFailed.jsp</form-error-page>

              </form-login-config>

          </login-config>

       

      To sumarize, when I connect to my web page, the request is done by Picketlink to the Portwise, there is an exchange which seems ok, and Portwise send the saml to the server, then the server try to display the restricted page but display instead a 403.

       

      I'm searching for a while now, but can't find where is the issue...

       

      Does someone have an idea !?

       

      I've seen in the picketlink that the NameFormat of the <saml:attribute> in the saml response have the value "urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE:groups". perhaps is it because of this ? But if it is, I cannot configure portwise to use this...

       

      Thanks !!!