3 Replies Latest reply on Feb 24, 2014 3:07 PM by Anil Saldanha

    Where does Role information come from in SSO scenario?

    Ramesh Reddy Master

      Hi,

       

      I am trying to use Shibboleth IDP and Picketlink as SP for SSO solution. In this case I can verify that the IDP is sending the correct SAML token back to SP and it flows through all the handlers on Picketlink SP successfully (logs and I watched in debug). Yet I get a 403 exception at the end to access the resource. I realized that it was due to configured role in my "web.xml" file, for example as "manger". When I changed the role to "*" in web.xml of my SP, then I could access the resource fine.

       

      Now, I am not able to figure out if SAML token should have the "role" information that is coming into SP or is there a way I can configure Picketlink for "role" information on successful SAML authentication token. Or SAML does not deal with roles at all, and I should use "*" as role?

       

      Thanks.

       

      Ramesh..

        • 1. Re: Where does Role information come from in SSO scenario?
          Anil Saldanha Master

          PicketLink IDP on authentication can send the SAML assertion plus optionally send roles as SAML attributes to the SP.  By default, a PicketLink SP can be configured to pick up the roles from the IDP's response.  But if the SP web.xml does not contain the same roles as what the IDP sent, then you will get 403 at the SP.

           

          Alternatively, the SP can always augment the roles sent by the IDP by using Role Mapping modules in JBoss or using the historic JAAS login modules stacked to construct the local roles at the SP.

          • 2. Re: Where does Role information come from in SSO scenario?
            João Martins Newbie

            In this same context (web browser SSO), when you're using the SPFilter class to integrate with a 3rd party app. server (like websphere, for example), do these roles that come from the IDP become attached to the principal, so that I can use declarative security on my servlets / EJBs?

            And if not, how can I do it? Only through the JAAS modules?

            • 3. Re: Where does Role information come from in SSO scenario?
              Anil Saldanha Master

              João Martins wrote:

               

              In this same context (web browser SSO), when you're using the SPFilter class to integrate with a 3rd party app. server (like websphere, for example), do these roles that come from the IDP become attached to the principal, so that I can use declarative security on my servlets / EJBs?

              And if not, how can I do it? Only through the JAAS modules?

              That is going to be difficult because you will need deeper integration into the security system of the 3rd party app server.