1 Reply Latest reply on Jun 4, 2014 9:19 AM by vpv83

    SAML 2.0, SSO, Issue with Attributes Release

    vpv83

      Hello to everybody,


      Some days ago I started to investigate and analyse the PicketLink framework as a solution for a system with an SSO feature.


      I tried to set up SSO based on the SAML 2.0 protocol with the following environment:

      IDP side:

        1. JBoss-eap-6.2 as an Application Server
        2. PicketLink 2.6.0.CR2 as a SSO identity provider (idP)
        3. AD as an authentication manager

      SP side:

      Liferay 6.2-ee (SP)


      In short it should work in the following classic scenario:

      1. The SP sends a SAML 2.0 authentication request to the idP.
      2. The idP handles the SAML request and asks the user to authenticate using an HTML form.
      3. When authentication passes successfully, the idP builds a SAML response and sends it back to the SP with the user information.


      Issue that I can't resolve:

      The issue that I can't resolve occurs at step 3 of the previous scenario. I can't make the idP send additional attributes.

      The third-party SP that I use requires some attributes in the SAML response to pass authentication (e.g. given name, email).


      Some configuration details:

      JBoss AS configuration: the security domain configuration with the LDAP login module and the mapping section in the standalone.xml file.


      <security-domain name="idp" cache-type="default">
          <authentication>
              <!-- LDAP login module: authenticates the user against AD, looking the account up by mail -->
              <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="java.naming.provider.url" value="ldap://ldapserver:389"/>
                  <module-option name="bindDN" value="binduser@ldapserver.com"/>
                  <module-option name="bindCredential" value="password"/>
                  <module-option name="baseCtxDN" value="OU=Users,OU=etr-ru,DC=etr,DC=eastbanctech,DC=ru"/>
                  <module-option name="baseFilter" value="(mail={0})"/>
                  <module-option name="rolesCtxDN" value="OU=Groups_Old,OU=ETR-RU,DC=etr,DC=eastbanctech,DC=ru"/>
                  <module-option name="roleFilter" value="(member={0})"/>
                  <module-option name="roleNameAttributeID" value="cn"/>
                  <module-option name="roleAttributeIsDN" value="true"/>
                  <module-option name="allowEmptyPasswords" value="false"/>
                  <module-option name="Context.REFERRAL" value="follow"/>
                  <module-option name="throwValidateError" value="true"/>
              </login-module>
          </authentication>
          <mapping>
              <!-- Attribute mapping: after authentication, reads the listed LDAP attributes for the user -->
              <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
                  <module-option name="bindDN" value="binduser@ldapserver.com"/>
                  <module-option name="bindCredential" value="password"/>
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="java.naming.provider.url" value="ldap://ldapserver:389"/>
                  <module-option name="baseCtxDN" value="OU=Users,OU=etr-ru,DC=etr,DC=eastbanctech,DC=ru"/>
                  <module-option name="baseFilter" value="(mail={0})"/>
                  <module-option name="attributeList" value="mail,name"/>
              </mapping-module>
          </mapping>
          <audit>
              <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
          </audit>
      </security-domain>


      SAML2AttributeHandler with JBossAppServerAttributeManager ATTRIBUTE_MANAGER configuration:


      <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
          <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
          <Option Key="DISABLE_ROLE_PICKING" Value="true"/>
          <Option Key="ATTRIBUTE_KEYS" Value="mail,name,sessionID"/>
      </Handler>


      I used PicketLink metadata, but I don't think that it is essential for this issue, nor is the additional PicketLink configuration. I can attach it if it is important for resolving the problem.


      NOTE:

      When I debug the handling process (AbstractIDPValve class), I see that the required attributes are added to requestOptions and to the saml2HandlerRequest options object.

      But I can't find the place in the source where they are released to the SAML response object.


      Thanks for any help in advance!


        • 1. Re: SAML 2.0, SSO, Issue with Attributes Release
          vpv83

          Finally, I understood the reason for the issue:

          When I configured the PicketLink idP, I put the SAML2AttributeHandler handler definition after SAML2AuthenticationHandler.


          SAML2AuthenticationHandler creates the SAML response for Authn requests. It uses the session object to fetch attributes.

          SAML2AttributeHandler fetches attributes using the configured Attribute Manager and puts them into the session object.

          =>

          That's why we need to define the SAML2AttributeHandler handler before the SAML2AuthenticationHandler one!

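The IDP handler chain ordered as the reply describes, with SAML2AttributeHandler ahead of SAML2AuthenticationHandler so the attributes are already in the session when the response is built. This is an added configuration example, not the poster's own picketlink.xml; the attribute handler options are the ones from the thread, while the IdentityURL, trusted domains and the surrounding trust and logout handlers are assumed placeholders from a standard PicketLink IDP setup.

```xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0">
        <!-- placeholder: URL of this IDP as the SP will see it -->
        <IdentityURL>http://idp.example.test/idp/</IdentityURL>
        <Trust>
            <!-- placeholder: only SPs under these domains are accepted -->
            <Domains>sp.example.test</Domains>
        </Trust>
    </PicketLinkIDP>

    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <!-- Verify the issuer of the incoming request is a trusted SP before doing anything else -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>

        <!-- Handle single logout requests -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>

        <!-- ORDER MATTERS: the attribute handler runs first. It asks the configured
             ATTRIBUTE_MANAGER (here the JBoss security-domain mapping, which returns
             the LDAP attributes listed in attributeList) for the keys in ATTRIBUTE_KEYS
             and stores them in the HTTP session. -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
            <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
            <Option Key="DISABLE_ROLE_PICKING" Value="true"/>
            <Option Key="ATTRIBUTE_KEYS" Value="mail,name,sessionID"/>
        </Handler>

        <!-- The authentication handler builds the SAML Response for the AuthnRequest and
             reads the attributes from the session. If it ran before the attribute handler,
             the session would still be empty and the assertion would carry no attributes. -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>

        <!-- Adds the user's roles to the assertion -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    </Handlers>
</PicketLink>
```

To confirm the ordering took effect, capture the SAML Response on the SP side (or enable the PicketLinkAuditProvider configured in the security domain above) and check that the AttributeStatement now contains the mail and name attributes.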