2 Replies Latest reply on Apr 8, 2014 9:55 AM by Ad van Ommen

    IdAM as IdP: how to configure?

    Ad van Ommen Newbie

      We are faced with configuring PicketLink (JBoss 7.1.1. Final, after replacement of 2.1.8 PicketLink module) with IdAM as an IdP.

      Basic assumption is that it supports SAML2, that PicketLink supports SAML2 making it easy.....


      This does however not work as I expected. First thing is that the IdP url is expected to have some query parameters, so I understand from someone . Let me give an example

      . ?wa=wsignin1.0&whr=...&wtrealm=urn:....-test:urn&wctx=https:..
      Can someone refer to some PicketLink documentation on how to configure this best?

      For now I set the complete URL in picketlink.xml.

       

      The response is then received from IdAM by the browser and forwarded to the SP application. There it seems that the SAMLToken is not processed. Maybe this has a connection to how the SAMLToken is delivered in a FORM parameter named wresult?

       

      To make it concrete I append part of the response in the wresult form field:

       

      Regards,

      Ad

       

      <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">

        ....

        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">

        <wsa:Address>.....</wsa:Address>

        </wsa:EndpointReference>

        </wsp:AppliesTo>

        <t:RequestedSecurityToken>

        <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_972fcca6-e348-49a5-a380-e713d8d294d7" Issuer="...." IssueInstant="2014-04-08T06:09:50.158Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">

        <saml:Conditions NotBefore="2014-04-08T06:09:50.158Z" NotOnOrAfter="2014-04-08T14:09:50.158Z">

        <saml:AudienceRestrictionCondition>

        <saml:Audience>.....</saml:Audience>

        </saml:AudienceRestrictionCondition>

        </saml:Conditions>

        <saml:AttributeStatement>

        <saml:Subject>

        ...

        </saml:Subject>

        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">

        ....

        </saml:Attribute>

        ...

        </saml:AttributeStatement>

        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2014-04-08T06:09:49.612Z">

        <saml:Subject>

        <saml:SubjectConfirmation>

        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>

        </saml:SubjectConfirmation>

        </saml:Subject>

        </saml:AuthenticationStatement>

        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

        ...

        </ds:Signature>

        </saml:Assertion>

        </t:RequestedSecurityToken>

        <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>

        <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>

        <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>

      </t:RequestSecurityTokenResponse>