0 Replies Latest reply on Feb 21, 2017 9:47 AM by David Kron

    Picketlink + SAML: authorize multiple applications (WAR) acting as a single service provider

    David Kron Newbie



      We are currently developing an application for a customer. The project has the restriction that we shall deliver only deployable WAR/EAR files. The customer provides the infrastructure and doesn't allow much deviation from it.

      The application will be deployed on JBoss EAP 7.0 and requires authentication with SAML. The current version is a single monolithic WAR file.

      At the moment, we are in the process of splitting this monolithic application in separate applications because of multiple reasons (maintainability, deployment, code quality, ...). Unfortunately we do not know yet how to implement authorization with these given restrictions:


      Infrastructure constraints:

      • Applications will be deployed on JBoss EAP 7.0
      • A custom Identity Provider is provided by the customer
      • Communication with IdP has to be implemented with SAML 2.0


      Customer IdP restrictions:

      • Only one SP metadata file can be provided, because it is linked to the user database. We want to share the same user database for all applications.
      • The SP metadata file can only provide one AssertionConsumerService-Location
      • The AssertionConsumerService-Location is statically defined in the metadata file and cannot be overriden in an AuthnRequest


      Problem description:

      Each application has to authorize itself with the IdP to receive roles and assertions. With the current (monolithic) deployment this is no problem as we require only a single AssertionConsumerService.


      But how can this be achieved with multiple deployments?

      I tried to implement this with PicketLink SAML using the same security domain for all deployments. This works to the extent, that only one AuthnRequest to the IdP is issued and PicketLink creates a SSO session (JSESSIONIDSSO). But only the application that receives the AuthnResponse from the IdP has access to the SAML assertions. Also I couldn't find a way to let PicketLink listen for SAML responses on a path without deployment, e.g. on /sso/saml but applications reside under /apps/*.


      Is there a way to implement this with PicketLink?