1. Re: Where does Role information come from in SSO scenario?
anil.saldhana Feb 4, 2014 11:23 PM (in response to rareddy)
PicketLink IDP on authentication can send the SAML assertion plus optionally send roles as SAML attributes to the SP. By default, a PicketLink SP can be configured to pick up the roles from the IDP's response. But if the SP web.xml does not contain the same roles as what the IDP sent, then you will get a 403 at the SP.
Alternatively, the SP can always augment the roles sent by the IDP by using Role Mapping modules in JBoss or using the historic JAAS login modules stacked to construct the local roles at the SP.
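The role mismatch described above, as an added illustration that is not PicketLink's own code: it pulls role names out of a constructed SAML 2.0 AttributeStatement, optionally augments them the way a role-mapping module would, and reports the roles that a constructed web.xml does not declare (the ones that can only lead to a 403). The attribute name "Role", the mapping table and both XML fragments are assumptions for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "j2ee": "http://java.sun.com/xml/ns/javaee",
}

# Constructed assertion fragment: the IDP sends roles as a multi-valued "Role" attribute.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>manager</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed web.xml fragment: the SP only declares 'admin' and 'employee'.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>employee</role-name></security-role>
</web-app>"""

def idp_roles(assertion_xml, attr_name="Role"):
    """Role names carried in the named SAML attribute (assumed attribute name)."""
    root = ET.fromstring(assertion_xml)
    roles = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            roles.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return roles

def declared_roles(web_xml):
    """Role names the SP declares in web.xml <security-role> elements."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.findall("j2ee:security-role/j2ee:role-name", NS) if r.text}

def map_roles(roles, mapping):
    """Augment IDP roles with local roles, as a role-mapping module at the SP would."""
    local = set(roles)
    for r in roles:
        local.update(mapping.get(r, ()))
    return local

def undeclared(roles, web_xml):
    """IDP roles that web.xml never declares: they satisfy no security-constraint."""
    return roles - declared_roles(web_xml)
```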
2. Re: Where does Role information come from in SSO scenario?
joaomartins Feb 24, 2014 12:16 PM (in response to anil.saldhana)
In this same context (web browser SSO), when you're using the SPFilter class to integrate with a 3rd party app. server (like websphere, for example), do these roles that come from the IDP become attached to the principal, so that I can use declarative security on my servlets / EJBs?
And if not, how can I do it? Only through the JAAS modules?
3. Re: Where does Role information come from in SSO scenario?
anil.saldhana Feb 24, 2014 3:07 PM (in response to joaomartins)
João Martins wrote:
In this same context (web browser SSO), when you're using the SPFilter class to integrate with a 3rd party app. server (like websphere, for example), do these roles that come from the IDP become attached to the principal, so that I can use declarative security on my servlets / EJBs?
And if not, how can I do it? Only through the JAAS modules?
That is going to be difficult because you will need deeper integration into the security system of the 3rd party app server.