5 Replies Latest reply on Aug 26, 2014 12:05 AM by Pedro Igor

    How to configure SAML2AttributeHandler

    jezelinside Newbie

      Hi All !

       

      I have a strange issue with SAML2AttributeHandler. Here is my custom manager :

      {code:java}

      public class MyCustomAttributeManager implements AttributeManager {

          @Override

                public Map<String, Object> getAttributes(final Principal userPrincipal, final List<String> attributeKeys) {

                          final Map<String, Object> res = new HashMap<String, Object>();

       

       

                          for (String s : attributeKeys) {

                                    System.err.println(s);

                          }

       

       

                          System.err.println("Hello, world !");

                          res.put("HELLO", "WORLD");

                          res.put("WORLD", "HELLO");

                          return res;

                }

      }

      {code}

       

      This manager is configured in my picketlink.xml (IDP-side) like this :

       

      {code:xml}

      <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">

                <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />

                <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

                <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />

                <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />

                <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">

                     <Option Key="ATTRIBUTE_MANAGER" Value="some.package.MyCustomAttributeManager" />

                     <Option Key="ATTRIBUTE_KEYS" Value="HELLO,WORLD" />

            </Handler>

      </Handlers>

      {code}

       

      On the SP-side, I tried to decode these custom attributes using session.getAttribute(GeneralConstants.SESSION_ATTRIBUTES_MAP); but the only thing I got was the last role of the current user :

      *SESSION_ATTRIBUTE_MAP={Role=[VISAS]}*

       

      If I decode the SAML message, this is what I got so far :

       

      {code:xml}

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

                Destination="http://localhost:8080/my-service-provider/"

                ID="ID_d4c2de93-7336-403a-9902-de3886e61afa"

                InResponseTo="ID_58df5b38-2025-4de9-89ff-6364ea9ff865"

                IssueInstant="2013-02-13T07:02:06.423Z"

                Version="2.0">

                <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>

                <samlp:Status>

                          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

                </samlp:Status>

                <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_95a254f3-e447-4e9b-8091-5082182e8337" IssueInstant="2013-02-13T07:02:06.422Z" Version="2.0">

                          <saml:Issuer>http://localhost:8080/my-identity-provider/</saml:Issuer>

                          <saml:Subject>

                                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">JEZELINSIDE</saml:NameID>

                                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

                                              <saml:SubjectConfirmationData InResponseTo="ID_58df5b38-2025-4de9-89ff-6364ea9ff865" NotOnOrAfter="2013-02-13T07:02:11.422Z" Recipient="http://localhost:8080/my-service-provider/"/>

                                    </saml:SubjectConfirmation>

                          </saml:Subject>

                          <saml:Conditions NotBefore="2013-02-13T07:02:06.422Z" NotOnOrAfter="2013-02-13T07:02:11.422Z">

                                    <saml:AudienceRestriction>

                                              <saml:Audience>http://localhost:8080/my-service-provider/</saml:Audience>

                                    </saml:AudienceRestriction>

                          </saml:Conditions>

                          <saml:AuthnStatement AuthnInstant="2013-02-13T07:02:06.423Z">

                                    <saml:AuthnContext>

                                              <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

                                    </saml:AuthnContext>

                          </saml:AuthnStatement>

                          <saml:AttributeStatement>

                                    <saml:Attribute Name="Role">

                                              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOME</saml:AttributeValue>

                                    </saml:Attribute>

                                    <saml:Attribute Name="Role">

                                              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ACCREDITED</saml:AttributeValue>

                                    </saml:Attribute>

                                    <saml:Attribute Name="Role">

                                              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VISAS</saml:AttributeValue>

                                    </saml:Attribute>

                          </saml:AttributeStatement>

                </saml:Assertion>

      </samlp:Response>

      {code}

       

      As you can see, the SAML message doesn't contain the custom attributes (that is, "HELLO" and "WORLD" with corresponding values). Moreover, the SESSION_ATTRIBUTE_MAP seems to be polluted by the roles (but only the last one).

      Has anyone already experienced such behaviour ? Any clue about what might be wrong ?

       

      Regards, Julien