0 Replies Latest reply on Jul 30, 2013 10:55 AM by michael_s

    picketlink-as7-subsystem config : handler-parameter ignored?

    michael_s Newbie



      I'm trying to integrate an external IDP (PingFederate) into our new JBoss environment. It works fine with EAP 6.1.0 (PicketLink 2.1.6) using the "traditional" configuration (providing the picketlink.xml within WEB-INF, the security-domain + valve in jboss-web.xml, and the module dependency via jboss-deployment-structure).


      Now I'm moving to the new AS7 subsystem integration (picketlink-as7-extension-1.0.1.Final).


      It nearly works; there's "only" one small problem left: I need to set the NameID format to ...entity for the SAML2AuthenticationHandler, otherwise a transient "userid" is sent back after successful logon at the IDP, which is useless for our apps. I just copied the handlers from my working picketlink.xml into the <service-provider>, like




      <service-provider alias="myapp-web.war" post-binding="true" security-domain="sp" url="http://localhost:8080/myapp/init" supportsSignatures="false">
           <handlers>
                <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
                <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
                <handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
                     <handler-parameter name="NAMEID_FORMAT" value="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
                </handler>
                <handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
           </handlers>
      </service-provider>



      ...but it has no effect; the IDP still returns a transient userid.


      After debugging and inspecting the 1.0.1.Final sources of the picketlink-as7-extension, I think the problem lies in the org.picketlink.as.subsystem.service.AbstractEntityProviderService::configureHandlers() method: it removes all the "common" handlers from the provided configuration (basically all of the handlers above are "common" handlers...), hence getting rid of my NAMEID_FORMAT parameter as well:



      private void configureHandlers() {
           List<Handler> handlers = getPicketLinkType().getHandlers().getHandler();

           // remove the common handlers from the configuration. leaving only the user defined handlers.
           for (Class commonHandlerClass : commonHandlersList) {
                for (Handler handler : new ArrayList<Handler>(handlers)) {
                     if (handler.getClazz().equals(commonHandlerClass.getName())) {
                          // loop body restored from the comment above; the pasted copy was truncated here
                          handlers.remove(handler);
                     }
                }
           }

           // replace the parsed handler list with an empty one ...
           getPicketLinkType().setHandlers(new Handlers());

           // ... and put back only the handlers that survived the removal above
           for (Handler handler : handlers) {
                // loop body restored from context; the pasted copy was truncated here
                getPicketLinkType().getHandlers().add(handler);
           }
      }

      ServiceProviderService::doAddHandlers() then adds these handlers again, but only with a default configuration.


      Did I miss something in my configuration, or is this a bug?


      Thanks in advance,
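As an added example (not part of the original post, and not PicketLink or PingFederate code): the quickest way to confirm on the wire whether the handler parameter took effect is to look at the NameIDPolicy element of the AuthnRequest the SP emits (SAML2AuthenticationHandler places the NAMEID_FORMAT value there), and on the way back to reject an assertion whose NameID Format is not the one the SP requires instead of letting a transient identifier reach the application. The AuthnRequest and Response strings below are constructed samples; the IDP entity ID, message IDs and timestamps are made up, and the parser is hardened against DTD/external-entity tricks because SAML messages are attacker-influenced XML.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example, not PicketLink code: check the NameID format requested and received on the wire. */
public class NameIdFormatCheck {

    static final String NS_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String NS_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    static final String FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";

    // Constructed sample: what the SP should send once NAMEID_FORMAT is actually applied.
    static final String AUTHN_REQUEST_WITH_POLICY =
        "<samlp:AuthnRequest xmlns:samlp=\"" + NS_PROTOCOL + "\" xmlns:saml=\"" + NS_ASSERTION + "\""
        + " ID=\"_req1\" Version=\"2.0\" IssueInstant=\"2013-07-30T10:55:00Z\">"
        + "<saml:Issuer>http://localhost:8080/myapp/init</saml:Issuer>"
        + "<samlp:NameIDPolicy Format=\"" + FORMAT_ENTITY + "\" AllowCreate=\"true\"/>"
        + "</samlp:AuthnRequest>";

    // Constructed sample: what is sent when the parameter was dropped (no NameIDPolicy at all).
    static final String AUTHN_REQUEST_NO_POLICY =
        "<samlp:AuthnRequest xmlns:samlp=\"" + NS_PROTOCOL + "\" xmlns:saml=\"" + NS_ASSERTION + "\""
        + " ID=\"_req2\" Version=\"2.0\" IssueInstant=\"2013-07-30T10:55:00Z\">"
        + "<saml:Issuer>http://localhost:8080/myapp/init</saml:Issuer>"
        + "</samlp:AuthnRequest>";

    // Constructed sample: the IDP answering with a transient identifier (the symptom from the post).
    static final String RESPONSE_TRANSIENT =
        "<samlp:Response xmlns:samlp=\"" + NS_PROTOCOL + "\" xmlns:saml=\"" + NS_ASSERTION + "\""
        + " ID=\"_resp1\" Version=\"2.0\" IssueInstant=\"2013-07-30T10:55:01Z\">"
        + "<saml:Assertion ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2013-07-30T10:55:01Z\">"
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        + "<saml:Subject><saml:NameID Format=\"" + FORMAT_TRANSIENT + "\">_9f2c7e</saml:NameID></saml:Subject>"
        + "</saml:Assertion></samlp:Response>";

    /** Parse untrusted SAML XML with DTDs and external entities disabled (XXE hardening). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Format attribute of the first matching element, or null when the element or attribute is absent. */
    static String formatOf(Document doc, String ns, String localName) {
        NodeList nl = doc.getElementsByTagNameNS(ns, localName);
        if (nl.getLength() == 0) return null;
        Element e = (Element) nl.item(0);
        return e.hasAttribute("Format") ? e.getAttribute("Format") : null;
    }

    /** NameID format the SP asks for (AuthnRequest/NameIDPolicy/@Format), or null if no policy is sent. */
    static String requestedNameIdFormat(String authnRequestXml) throws Exception {
        return formatOf(parse(authnRequestXml), NS_PROTOCOL, "NameIDPolicy");
    }

    /** NameID format the IDP delivered in the assertion Subject, or null if absent (SAML "unspecified"). */
    static String receivedNameIdFormat(String responseXml) throws Exception {
        return formatOf(parse(responseXml), NS_ASSERTION, "NameID");
    }

    /** Accept the response only when the delivered NameID format equals the one the SP requires. */
    static boolean nameIdFormatAcceptable(String responseXml, String requiredFormat) throws Exception {
        String got = receivedNameIdFormat(responseXml);
        return got != null && got.equals(requiredFormat);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("requested (parameter applied): " + requestedNameIdFormat(AUTHN_REQUEST_WITH_POLICY));
        System.out.println("requested (parameter dropped): " + requestedNameIdFormat(AUTHN_REQUEST_NO_POLICY));
        System.out.println("transient NameID acceptable where entity is required? "
            + nameIdFormatAcceptable(RESPONSE_TRANSIENT, FORMAT_ENTITY));
    }
}
```

To use this against a real deployment, capture the base64-decoded SAMLRequest from the redirect or POST the SP issues and feed it to requestedNameIdFormat; a missing NameIDPolicy confirms that the handler parameter never reached SAML2AuthenticationHandler. The acceptance check is deliberately strict: a NameID without a Format attribute is treated as not matching, so an IDP that silently falls back to "unspecified" is rejected rather than mapped to an application user.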