2 Replies Latest reply on Nov 22, 2014 2:10 AM by Krishna Shiva

    Service Provider in multiple IDP's

    Krishna Shiva Newbie



        Inspiring from the quickstart "Dynamic resolution of IDP's", I am trying to access my application i.e. service provider from two different IDP's. One being "picketlink-federation-saml-idp-with-metadata" which is in my local JBoss and other IDP which is in Test environment.

      I am using sp-metadata.xml to configure IDP and SP metadata and other details as mentioned in quickstarts. Local IDP has "idp-metadata.xml" which has it's own configuration.  Currently I am giving the other IDP as default IDP in "sp-metadata.xml" and using local IDP as secondary IDP.


      The main issue is, how to configure my SP with both IDP's and have successful login from both IDP's?


      The other issue is:

      1. Navigate to local IDP through the browser. (http://localhost:8080/idp-metadata)
      2. Provide appropriate credentials.
      3. The request navigates to local IDP landing page having SP url.
      4. Click on SP url, should successfully lead to SP landing page.

      But, what actually happening is, when clicked on SP url, it is re-directing to the other IDP and landing to its login page. Hence I am not able to login to the application with local IDP even if the credentials are correct.


      I want to know if I am going in a correct path? Is there anything that I am missing that I am not able to login through secondary IDP. Is there any quickstart which can resolve my issue?




        • 1. Re: Service Provider in multiple IDP's
          Krishna Shiva Newbie



          I am able to solve this issue. The issue was with my web.xml where I am allowing specific URL's. I have modified the pattern to "/*". Now I am able to get the parameters in the DynamicIdPSAML2AuthenticationHandler java file to distinguish between the IDP's.


          I have other issues which I am working on. My application is a struts2.0 based application.


          1. In sp-metadata.xml, I have given the AssertionConsumerService Location as "http://localhost:8080/application_context/web/Home.do". In the action class where the method executes, I am not able to retrieve the parameter "SAMLResponse". It always shows null. Is there any other way to do it in Struts based application?

          2. Do you have any example which parse the SAMLResponse and retrieves the attributes.

          3. How to provide the Logout parameter "SLO" to the logout url. My logout url is "http://localhost:8080/application_context/web/Logout.do".

          4. I have tried with the following for Global Logout --> "http://localhost:8080/application_context/web/Logout.do?GLO=true", which works fine, but after logout, leads to a blank page rather than redirecting to SP.

          5. I want to externalize all the url's in the picketlink xml files to a property file. Is there any example or a way to do it?


          Let me know if I am doing the things correctly? I am using the same files attached in the previous post.




          • 2. Re: Service Provider in multiple IDP's
            Krishna Shiva Newbie



            I was able to find solution for few of them. The solutions are as follows:

            1. I needed SAMLResponse for finding the attributes sent by IDP. In picketlink.xml, place the attribute handler as below and access those attributes from your java class.

                   <Handler  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler" /> in SP Picketlink.xml

                 Map<String, List<Object>> attrMap = (Map<String, List<Object>>)sessionObj.getAttribute("SESSION_ATTRIBUTE_MAP"); -  In Java class. The attributes are set by the above handler in session.

            2. Place the "LLO" attribute in url --> http://localhost:8080/application_context/web/Logout.do/?LLO=true

            3. You can externalize the url's from picketlink.xml by placing them in Stanadlone.xml (I am using jboss).

                 In Standalone.xml --


                    <property name="picketlink.idp.domains" value="localhost,"/>


               In Picketlink.xml --