0 Replies Latest reply on Jul 30, 2013 10:55 AM by michael_s

    picketlink-as7-subsystem config : handler-parameter ignored?

    michael_s Newbie

      Hi,

      I'm trying to integrate an external IDP (PingFederate) into our new JBoss environment. It works fine with EAP 6.1.0 (PicketLink 2.1.6) and using the "traditional" configuration (-> providing the picketlink.xml within WEB-INF as well as the security-domain + valve in jboss-web.xml + the module dependency via jboss-deployment-structure).

      Now I'm moving to use the new as7-subsystem integration (picketlink-as7-extension-1.0.1.Final).

      It nearly works, ... there's "only" one small problem left - I need to set the NameId-Format to ...entity for the SAML2AuthenticationHandler, otherwise a transient "userid" is sent back after successful logon on the IDP, which is useless for our apps. I just copied the handlers of my working picketlink.xml to the <service-provider>, like

      {code:xml}
      <service-provider alias="myapp-web.war" post-binding="true" security-domain="sp" url="http://localhost:8080/myapp/init" supportsSignatures="false">
          <handlers>
              <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
              <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
                  <!-- the parameter that gets ignored: ask the IDP for the entity NameID format instead of the transient default -->
                  <handler-parameter name="NAMEID_FORMAT" value="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
              </handler>
              <handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
          </handlers>
      </service-provider>
      {code}

      ...but it has no effect, the IDP still returns a transient userid.

      After debugging & inspecting the 1.0.1.Final sources of the picketlink-as7-extension I think the problem lies in the org.picketlink.as.subsystem.service.AbstractEntityProviderService::configureHandlers() method: it removes all the "common" handlers from the provided configuration (basically all of the handlers above are "common" handlers...) - hence getting rid of my NAMEID_FORMAT parameter as well:

      {code:java}
      private void configureHandlers() {
          // same list object as the one backing getPicketLinkType().getHandlers()
          List<Handler> handlers = getPicketLinkType().getHandlers().getHandler();

          // remove the common handlers from the configuration. leaving only the user defined handlers.
          for (Class commonHandlerClass : commonHandlersList) {
              for (Handler handler : new ArrayList<Handler>(handlers)) {
                  if (handler.getClazz().equals(commonHandlerClass.getName())) {
                      // drops the user's copy together with its handler-parameters
                      getPicketLinkType().getHandlers().remove(handler);
                  }
              }
          }

          getPicketLinkType().setHandlers(new Handlers());

          // re-installs the common handlers with their default configuration
          doAddHandlers();

          // re-adds what is left, i.e. only the non-common, user-defined handlers
          for (Handler handler : handlers) {
              getPicketLinkType().getHandlers().add(handler);
          }
      }
      {code}

      The ServiceProviderService::doAddHandlers() then adds these handlers again - but only with a default configuration.

      Did I miss something in my configuration, or is this a bug?

      Thanks in advance,
      Michael
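The following is an added, stand-alone example that is not part of the post above and not code from the PicketLink project. It models the handler-merging logic the post describes with two small stand-in classes (Handler and Handlers are simplified substitutes for the PicketLink configuration model, and the list of "common" handlers is assumed to be the four classes from the posted configuration). It reproduces the behaviour the post reports, where the user's copy of a common handler is discarded together with its handler-parameters, and puts beside it a merging variant that keeps the subsystem's defaults but lets user-supplied parameters override them. The merging variant is a suggestion for what "honouring the parameter" would look like, not a description of how the real subsystem behaves in any version.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class HandlerMergeDemo {

    /** Stand-in for one <handler class="..."> element plus its <handler-parameter> children (not PicketLink's class). */
    static final class Handler {
        final String clazz;
        final Map<String, String> options = new LinkedHashMap<>();
        Handler(String clazz) { this.clazz = clazz; }
        Handler withOption(String name, String value) { options.put(name, value); return this; }
        String getClazz() { return clazz; }
    }

    /** Stand-in for the <handlers> container (not PicketLink's class). */
    static final class Handlers {
        final List<Handler> handler = new ArrayList<>();
        List<Handler> getHandler() { return handler; }
        void add(Handler h) { handler.add(h); }
        void remove(Handler h) { handler.remove(h); }
    }

    // Fully qualified names taken from the posted configuration.
    static final String PKG = "org.picketlink.identity.federation.web.handlers.saml2.";
    static final String TRUST_HANDLER = PKG + "SAML2IssuerTrustHandler";
    static final String LOGOUT_HANDLER = PKG + "SAML2LogOutHandler";
    static final String AUTH_HANDLER = PKG + "SAML2AuthenticationHandler";
    static final String ROLES_HANDLER = PKG + "RolesGenerationHandler";

    // Assumption: these are the "common" handlers the subsystem installs for every service provider.
    static final List<String> COMMON_HANDLERS =
        Arrays.asList(TRUST_HANDLER, LOGOUT_HANDLER, AUTH_HANDLER, ROLES_HANDLER);

    /** Stand-in for doAddHandlers(): installs the common handlers with empty (default) options. */
    static void addDefaultHandlers(Handlers target) {
        for (String clazz : COMMON_HANDLERS) {
            target.add(new Handler(clazz));
        }
    }

    /** Mirrors the configureHandlers() logic quoted in the post: user copies of common handlers are thrown away. */
    static Handlers configureHandlersAsPosted(Handlers userConfig) {
        List<Handler> handlers = userConfig.getHandler();      // same list object as userConfig.handler
        for (String common : COMMON_HANDLERS) {
            for (Handler h : new ArrayList<>(handlers)) {
                if (h.getClazz().equals(common)) {
                    userConfig.remove(h);                        // NAMEID_FORMAT goes with it
                }
            }
        }
        Handlers result = new Handlers();
        addDefaultHandlers(result);
        for (Handler h : handlers) {                             // only non-common handlers survive
            result.add(h);
        }
        return result;
    }

    /** Suggested alternative: keep the defaults, but merge user-supplied parameters into them. */
    static Handlers configureHandlersMerging(Handlers userConfig) {
        Handlers result = new Handlers();
        addDefaultHandlers(result);
        for (Handler user : userConfig.getHandler()) {
            Handler existing = find(result, user.getClazz());
            if (existing != null) {
                existing.options.putAll(user.options);           // user parameters override defaults
            } else {
                result.add(user);                                // genuinely custom handler, kept as-is
            }
        }
        return result;
    }

    static Handler find(Handlers handlers, String clazz) {
        for (Handler h : handlers.getHandler()) {
            if (h.getClazz().equals(clazz)) return h;
        }
        return null;
    }

    /** The NAMEID_FORMAT the authentication handler would actually see, or null if it was lost. */
    static String nameIdFormat(Handlers handlers) {
        Handler auth = find(handlers, AUTH_HANDLER);
        return auth == null ? null : auth.options.get("NAMEID_FORMAT");
    }

    /** Constructed input: the four handlers from the post, with the parameter on the authentication handler. */
    static Handlers userConfigFromPost() {
        Handlers cfg = new Handlers();
        cfg.add(new Handler(TRUST_HANDLER));
        cfg.add(new Handler(LOGOUT_HANDLER));
        cfg.add(new Handler(AUTH_HANDLER)
            .withOption("NAMEID_FORMAT", "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"));
        cfg.add(new Handler(ROLES_HANDLER));
        return cfg;
    }

    public static void main(String[] args) {
        System.out.println("as posted: " + nameIdFormat(configureHandlersAsPosted(userConfigFromPost())));
        System.out.println("merging  : " + nameIdFormat(configureHandlersMerging(userConfigFromPost())));
    }
}
```

Compile and run with `javac HandlerMergeDemo.java && java HandlerMergeDemo`; the first line prints `null` because the parameter was removed with the user's handler, the second prints the entity NameID format URN. The difference between the two variants is the check a practitioner would want before trusting the subsystem configuration: whichever way the real code is patched or configured, confirm that the resulting handler chain, not just the XML, still carries the NAMEID_FORMAT parameter.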