1 Reply Latest reply on Jun 17, 2014 12:53 PM by Anil Saldanha

    Struggling with how IDP and STS work together.

    Scott Lopez Newbie

      Someone out there with more experience in picketlink can hopefully help me.


      I have the IDP set up and it's authenticating as expected and allowing access to the web resource.  I also have an STS configured for application to application communication, this works fine.


      I also understand that the IDP has an STS built into it for generating tokens.


When using the STS, a call is made against a URL to validate the SAML token.  In the case of a web app, the IDP generates the SAML token, not the STS.  I can't find anything on the net that shows how the client should contact the STS in the IDP to authenticate a token.  Is there a URL or something that I'm missing?


      I have the IDP storing information via JPA but the STS does not seem to be able to use that for validation.


So, I guess the question that I'm asking is: how do these two work together?  Should I have the WSTrustClient call the IDP?  If so, where is the WSDL and URL for making the call?


      Any help is very much appreciated.

        • 1. Re: Struggling with how IDP and STS work together.
          Anil Saldanha Master

          One Use Case :-


          When a PicketLink SP receives a SAML assertion from the IDP, we do save the assertion in the httpsession.


          Now in your application code, you can call EJBs using this SAML assertion (from httpsession) as token.  At the receiving end, the STS login modules that are configured for the EJB can validate this token via

          a) Check for issuer

          b) Check for expiration

          c) Validate the signature of the token
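As an added illustration of the three checks listed in the answer above (not PicketLink's own code), written against the JDK's DOM and XML-DSig APIs. It assumes the assertion has already been taken from the HttpSession and parsed into a namespace-aware DOM Document, that the IDP's certificate is available from a truststore rather than from the token itself, and that the class name AssertionChecks is hypothetical.

```java
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper; illustrates the receiver-side checks, not a PicketLink API. */
public final class AssertionChecks {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /**
     * Returns true only if issuer, validity window and signature all check out.
     * doc must come from a namespace-aware parser; idpCert is the IDP's certificate
     * obtained out of band (truststore), never the KeyInfo carried inside the token.
     */
    public static boolean validate(Document doc, String expectedIssuer,
                                   X509Certificate idpCert, Instant now) throws Exception {
        Element assertion = doc.getDocumentElement();
        if (!SAML_NS.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName())) return false;

        // a) Check for issuer: exactly one <Issuer>, and it must be the IDP we trust.
        NodeList issuer = assertion.getElementsByTagNameNS(SAML_NS, "Issuer");
        if (issuer.getLength() != 1 || !expectedIssuer.equals(issuer.item(0).getTextContent().trim())) return false;

        // b) Check for expiration: Conditions/@NotBefore <= now < Conditions/@NotOnOrAfter.
        NodeList conds = assertion.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (conds.getLength() != 1) return false;
        Element c = (Element) conds.item(0);
        if (c.hasAttribute("NotBefore") && now.isBefore(Instant.parse(c.getAttribute("NotBefore")))) return false;
        if (!c.hasAttribute("NotOnOrAfter") || !now.isBefore(Instant.parse(c.getAttribute("NotOnOrAfter")))) return false;

        // c) Validate the signature: the enveloped ds:Signature must be a direct child of the
        //    assertion and must reference the assertion's own ID, so that a signed element placed
        //    elsewhere in the document cannot vouch for this assertion (signature wrapping).
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) return false;
        DOMValidateContext ctx = new DOMValidateContext(idpCert.getPublicKey(), sigs.item(0));
        ctx.setIdAttributeNS(assertion, null, "ID"); // lets a URI="#<ID>" reference resolve
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertion.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI())) return false;
        return sig.validate(ctx); // verifies the Reference digest and the SignatureValue
    }
}
```

The order matters little for correctness, but rejecting on issuer and expiry before the signature keeps the cheap checks first and leaves a clear reason in the log when a token is refused.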