SAML 2.0, SSO, Issue with Attributes Release
vpv83 Jun 3, 2014 4:47 AM
Hello to everybody,
Some days ago I started to investigate and analyse the PicketLink framework as a solution for a system with an SSO feature.
I tried to set up SSO based on the SAML 2.0 protocol with the following environment:
IdP side:
- JBoss-eap-6.2 as the application server
- PicketLink 2.6.0.CR2 as the SSO identity provider (idP)
- AD as the authentication manager
SP side:
- Liferay 6.2-ee (SP)
In short, it should work in the following classic scenario:
- The SP sends a SAML 2.0 authentication request to the idP.
- The idP handles the SAML request and asks the user to authenticate using an HTML form.
- When authentication passes successfully, the idP builds a SAML response and sends it back to the SP with the user information.
Issue that I can't resolve:
The issue that I can't resolve occurs at step 3 of the previous scenario. I can't make the idP send additional attributes.
The third-party SP that I use requires some attributes in the SAML response to pass authentication (e.g. given name, email).
Some configuration details:
JBoss AS configuration: the security domain with the LDAP login module and the mapping section in the standalone.xml file.
<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://ldapserver:389"/>
            <module-option name="bindDN" value="binduser@ldapserver.com"/>
            <module-option name="bindCredential" value="password"/>
            <module-option name="baseCtxDN" value="OU=Users,OU=etr-ru,DC=etr,DC=eastbanctech,DC=ru"/>
            <module-option name="baseFilter" value="(mail={0})"/>
            <module-option name="rolesCtxDN" value="OU=Groups_Old,OU=ETR-RU,DC=etr,DC=eastbanctech,DC=ru"/>
            <module-option name="roleFilter" value="(member={0})"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="Context.REFERRAL" value="follow"/>
            <module-option name="throwValidateError" value="true"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
            <module-option name="bindDN" value="binduser@ldapserver.com"/>
            <module-option name="bindCredential" value="password"/>
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://ldapserver:389"/>
            <module-option name="baseCtxDN" value="OU=Users,OU=etr-ru,DC=etr,DC=eastbanctech,DC=ru"/>
            <module-option name="baseFilter" value="(mail={0})"/>
            <module-option name="attributeList" value="mail,name"/>
        </mapping-module>
    </mapping>
    <audit>
        <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
    </audit>
</security-domain>
SAML2AttributeHandler with JBossAppServerAttributeManager ATTRIBUTE_MANAGER configuration:
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
    <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
    <Option Key="DISABLE_ROLE_PICKING" Value="true"/>
    <Option Key="ATTRIBUTE_KEYS" Value="mail,name,sessionID"/>
</Handler>
I used PicketLink metadata, but I don't think that it is essential for this issue, nor is the additional PicketLink configuration. I can attach it if it is important to resolve the problem.
NOTE:
When I debug the handling process (the AbstractIDPValve class) I see that the required attributes are added to requestOptions and to the saml2HandlerRequest options object.
But I can't find the place in the source where they are released to the SAML response object.
Thanks for any help in advance!
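To make the "attribute release" step of the scenario above concrete, here is an added example that is not part of the original post and is not PicketLink or Liferay code. It builds a minimal, unsigned SAML 2.0 Response whose Assertion carries an AttributeStatement (one saml:Attribute per released attribute, as an IdP would emit for the keys configured in ATTRIBUTE_KEYS), then parses it the way a service provider does and lists which of the attributes it requires were not released. The issuer, audience, NameID and attribute values are constructed sample data, and the Python standard library's xml.etree is used only for illustration; a real IdP signs the Assertion, which is deliberately omitted here.

```python
"""Added example: build a SAML 2.0 Response with an AttributeStatement and
check, from the SP side, that every required attribute was released.
Not from the original post or from PicketLink; all names are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _stamp(dt):
    """SAML dateTime values are UTC with a trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(issuer, subject_name_id, audience, attributes, now=None):
    """Return an (unsigned) SAML Response string whose single Assertion
    carries one <saml:Attribute> per entry of `attributes` (name -> values).
    The IDs below are constructed placeholders, not PicketLink's format."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp-constructed-1", "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_assert-constructed-1", "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = subject_name_id
    # Conditions bound the assertion in time and to one audience (the SP).
    conditions = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": _stamp(now),
        "NotOnOrAfter": _stamp(now + timedelta(minutes=5))})
    aud = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = audience
    # The AttributeStatement is where released attributes actually travel.
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def extract_attributes(response_xml):
    """SP-side view: map each released attribute name to its list of values."""
    root = ET.fromstring(response_xml)
    released = {}
    path = f".//{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"
    for attr in root.iterfind(path):
        released[attr.get("Name")] = [
            (v.text or "") for v in attr.iterfind(f"{{{SAML}}}AttributeValue")]
    return released


def missing_required(released, required):
    """Attribute names the SP requires that were not released (or are empty)."""
    return [name for name in required if not released.get(name)]


if __name__ == "__main__":
    # Constructed sample: the IdP releases only "mail" and "name", while the
    # SP also wants "givenName"; the checker reports exactly that gap.
    xml = build_response("https://idp.example.test/idp", "user@example.test",
                         "https://sp.example.test",
                         {"mail": ["user@example.test"], "name": ["Example User"]})
    released = extract_attributes(xml)
    print("released:", released)
    print("missing:", missing_required(released, ["mail", "name", "givenName"]))
```

Running the script shows the two released attributes and reports givenName as missing, which is the SP-side symptom described in the post: the SP rejects the login because an attribute it requires never made it into the AttributeStatement. The same extract-and-compare check is a convenient way to confirm, from a captured Response, whether the IdP configuration is releasing what the SP expects.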