2 Replies Latest reply on Feb 3, 2014 10:41 AM by Marius Gherghief

    JBPM6 SSO integration with PicketLink 2.5.2

    Marius Gherghief Newbie

      Hi all,

      I am using JBPM6 on server 1 and another solution on servers 2 and 3. I have SSO set up with PicketLink 2.5.2 on the applications deployed on servers 2 and 3.

      I use the kie workbench to access jbpm.

      On the SSO, I use the IDP configured on a custom database for users.

      How can I have JBPM integrate with the SSO, so it would make use of the users from my IDP and the session started from the central login page?

      Thank you in advance,

      Marius

        • 1. Re: JBPM6 SSO integration with PicketLink 2.5.2
          Maciej Swiderski Master

          You need to make sure that the proper security configuration (the one used by your other servers/applications) is present on the server that hosts kie-wb, and then alter the security domain configuration in kie-wb/WEB-INF/jboss-web.xml.

          Then enable SSO for the web subsystem and you should be ready to go with SSO for all these applications. If you use the BAM application next to kie-wb, you need to modify its security domain the same way as for kie-wb.

          HTH
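
          The steps in the reply above, written out as configuration fragments. This is an added example, not configuration from the thread or from the jBPM project: the security-domain name `sso-sp-domain` is a placeholder chosen here, the web-subsystem namespace version must be copied from your own standalone.xml, and the login module is the PicketLink SAML2LoginModule that the SP valve pairs with (the same module the original poster uses on the other servers). The BAM application is the dashbuilder war shipped with jBPM 6.

```xml
<!-- standalone.xml, security subsystem: the security domain that kie-wb (and
     dashbuilder, the BAM app) reference. "sso-sp-domain" is an example name. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="sso-sp-domain" cache-type="default">
            <authentication>
                <!-- Turns the SAML assertion stored by the PicketLink SP valve into a
                     JAAS principal and roles; no password store is consulted here. -->
                <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                              flag="required"/>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

<!-- standalone.xml, web subsystem: container SSO on the virtual host, so one
     authenticated principal is shared by every web app deployed on that host.
     Keep the xmlns version your server already declares (1.4 is an assumption). -->
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <!-- reauthenticate="false": the principal established by the first app is
             reused as-is by the others instead of being re-run through JAAS. -->
        <sso reauthenticate="false"/>
    </virtual-server>
</subsystem>

<!-- kie-wb.war/WEB-INF/jboss-web.xml; dashbuilder.war/WEB-INF/jboss-web.xml is
     the same file, pointing at the same domain. -->
<jboss-web>
    <security-domain>java:/jaas/sso-sp-domain</security-domain>
    <!-- PicketLink SP valve: redirects unauthenticated requests to the IDP and
         consumes the returned SAML response, per picketlink.xml in WEB-INF. -->
    <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
    </valve>
</jboss-web>
```

          Both wars also need a picketlink.xml in WEB-INF describing the IDP and service URLs; the one posted later in this thread is a complete instance of that file. The container `<sso>` only shares the principal between apps on the same host, so each SP app still needs the valve to obtain that principal in the first place.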

          • 2. Re: JBPM6 SSO integration with PicketLink 2.5.2
            Marius Gherghief Newbie

            If I enable the integration, I get the following error:

            ERROR [org.picketlink.common] (http-/0.0.0.0:8080-1) Service Provider could not handle the request.: java.io.IOException: JBWEB002035: Buffer length 4096 overflow with limit 4096 and no sink
              at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:448) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:351) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.authenticator.FormAuthenticator.saveRequest(FormAuthenticator.java:591) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.generalUserRequest(AbstractSPFormAuthenticator.java:626) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:328) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
              at org.picketlink.identity.federation.bindings.tomcat.sp.AbstractSPFormAuthenticator.authenticate(AbstractSPFormAuthenticator.java:261) [picketlink-jbas7-2.5.2.Final.jar:2.5.2.Final]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]


            This is the jboss-web.xml content:

              <jboss-web>
                <!-- JAAS domain defined in the security subsystem of standalone.xml -->
                <security-domain>java:/jaas/QFPSecurityProvider</security-domain>
                <!-- PicketLink SP valve that drives the SAML exchange with the IDP -->
                <valve>
                  <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
                </valve>
              </jboss-web>


            This is the picketlink.xml content:

              <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
                <!-- BindingType governs how the SP sends its AuthnRequest to the IDP -->
                <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                              ServerEnvironment="tomcat"
                              BindingType="REDIRECT"
                              RelayState="someURL">
                  <!-- ${property::default} syntax: system property with a fallback URL -->
                  <IdentityURL>${idp.url::http://xxxxxx.com:8083/QFPIdentityProvider/}</IdentityURL>
                  <ServiceURL>${qfp-web.url::http://xxxxxx.com:8087/QFPBPMConsole/}</ServiceURL>
                </PicketLinkSP>
                <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
                    <!-- session attribute under which the received assertion is stored -->
                    <Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
                  </Handler>
                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
                </Handlers>
              </PicketLink>


            And this is the security domain configuration:

              <security-domain name="QFPSecurityProvider" cache-type="default">
                <authentication>
                  <!-- Builds the principal and roles from the SAML assertion stored by the SP valve -->
                  <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
                </authentication>
              </security-domain>

            This configuration works for all other servers.
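
            A reading of the stack trace above, with a configuration fragment added here as an example; neither is from the thread or from the jBPM project. The failing frame is `FormAuthenticator.saveRequest`, which is where JBoss Web (like the Tomcat code it derives from) copies the body of a not-yet-authenticated request into a `ByteChunk` so the request can be replayed after login. That chunk's limit is the connector's `max-save-post-size`, 4096 bytes by default, and a `ByteChunk` with no output sink throws exactly `Buffer length 4096 overflow with limit 4096 and no sink` when a body exceeds it. A POST to kie-wb that arrives before the SP session exists and carries more than 4 KB therefore fails before the redirect to the IDP is ever sent. The connector name `http` matches the `http-/0.0.0.0:8080` thread name in the trace; the 65536 value is an example choice, not a recommendation from the thread, and the xmlns version must be taken from your own standalone.xml.

```xml
<!-- standalone.xml, web subsystem on the server hosting kie-wb.
     max-save-post-size bounds how much of an unauthenticated request body
     FormAuthenticator.saveRequest will buffer (default 4096 bytes).
     65536 is an example value; pick the smallest size that covers the largest
     legitimate pre-login POST the application sends. -->
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"
               max-save-post-size="65536"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <sso reauthenticate="false"/>
    </virtual-server>
</subsystem>
```

            The saved body is kept in the HTTP session of a client that has not authenticated yet, so this setting is also the cap on how much memory an anonymous client can make the server hold per session; raise it to what the application needs rather than removing the limit. In the Tomcat semantics this code follows, `-1` disables the limit entirely and `0` disables saving the body at all, which is worth knowing before choosing either.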