0 Replies Latest reply on Jul 25, 2017 6:01 PM by Ralf Hack

    Oracle Authentication Management Assertion Role attribute parsing in the service provider

    Ralf Hack Newbie

      Hi,

      For the Login Module, is there any specific configuration required to handle comma-separated values in a role specification? Using JBoss EAP 6.4 and PicketLink 2.7.1.Final I managed to integrate with OAM using SAML. However, the roles in the Assertion are a CSV list instead of a set of XML nodes. Users with just one role, e.g. 'ROLE_A', are able to log in as expected. However, users with more than one role, e.g. 'ROLE_A,ROLE_B', cannot log in.

      From the Assertion:

      ...

          <saml:AttributeStatement>
            <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ROLE_A,ROLE_B</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>

      ...

      Parsing error:

      14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743))   Checking roles GenericPrincipal[some_user_x(ROLE_A,ROLE_B,)]
      14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) JBWEB000016: User [some_user_x] does not have role [ROLE_A]
      14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) No role found:  ROLE_A

      The configuration in my web.xml is:

      ...

      <!-- BEGIN SAML Config -->

      <security-constraint>
              <display-name>
                      Security Constraint for all resources
              </display-name>
              <web-resource-collection>
                      <web-resource-name>IdP SSO</web-resource-name>
                      <url-pattern>Navigator</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                      <role-name>ROLE_A</role-name>
              </auth-constraint>
      </security-constraint>

      <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                      <form-login-page>/login</form-login-page>
                      <form-error-page>/login?error=true</form-error-page>
              </form-login-config>
      </login-config>

      <security-role>
              <description>The role that is required to log in</description>
              <role-name>ROLE_A</role-name>
      </security-role>

      <!-- END SAML Config -->

      ...
      JBoss EAP is running in standalone mode - here is the configuration for the login modules:

      <security-domain name="SP" cache-type="default">
        <authentication>
          <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
        </authentication>
      </security-domain>

      Thanks
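Added illustration (not code from the post, from PicketLink or from JBoss): the log line above shows the principal carrying a single role named "ROLE_A,ROLE_B," rather than two roles, which is the result you get when each SAML AttributeValue is mapped to exactly one role. The Python below contrasts that per-value mapping with a split-on-comma mapping that also trims whitespace and drops the empty entry a trailing comma would otherwise produce. The sample AttributeStatement is constructed from the one in the post; the xmlns:saml and xmlns:xsi declarations are assumed so the fragment parses on its own, and a second constructed sample shows the multi-node form, which both mappings handle. Attribute lookup is namespace-aware and filtered on the attribute Name so that only the intended attribute contributes roles.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTRIBUTE_NAME = "role"  # the attribute Name used in the post

# Constructed sample modelled on the AttributeStatement in the post. The
# xmlns:saml / xmlns:xsi declarations are added (assumed) so the excerpt parses.
SAMPLE_CSV_VALUE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ROLE_A,ROLE_B</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed sample of the "set of XML nodes" form the post contrasts with.
SAMPLE_MULTI_NODE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="role">
    <saml:AttributeValue>ROLE_A</saml:AttributeValue>
    <saml:AttributeValue>ROLE_B</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@example.invalid</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def attribute_values(xml_text, attribute_name=ROLE_ATTRIBUTE_NAME):
    """Return the raw text of every AttributeValue under SAML Attributes whose
    Name matches attribute_name. Lookups are namespace-qualified so an element
    in another namespace that merely calls itself 'Attribute' is ignored."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append(value.text or "")
    return values


def roles_one_value_per_role(values):
    """Per-value mapping: every AttributeValue becomes one role. With a CSV
    value this yields the single role 'ROLE_A,ROLE_B', which never equals the
    'ROLE_A' required by the auth-constraint."""
    return {v.strip() for v in values if v.strip()}


def roles_split_csv(values, separator=","):
    """CSV mapping: split each value on the separator, trim whitespace and drop
    empty entries, so 'ROLE_A,ROLE_B,' (note the trailing comma in the log)
    does not produce an empty role name. Also works for the multi-node form."""
    roles = set()
    for v in values:
        for part in v.split(separator):
            part = part.strip()
            if part:
                roles.add(part)
    return roles


def has_role(roles, required):
    """The access check a web.xml <auth-constraint> effectively performs."""
    return required in roles


if __name__ == "__main__":
    csv_values = attribute_values(SAMPLE_CSV_VALUE)
    print("per-value mapping :", roles_one_value_per_role(csv_values),
          "-> ROLE_A granted:", has_role(roles_one_value_per_role(csv_values), "ROLE_A"))
    print("csv mapping       :", roles_split_csv(csv_values),
          "-> ROLE_A granted:", has_role(roles_split_csv(csv_values), "ROLE_A"))
    print("multi-node sample :", roles_split_csv(attribute_values(SAMPLE_MULTI_NODE)))
```

Running it shows the per-value mapping denying ROLE_A for the CSV assertion while the split mapping grants it; the splitting would need to live wherever roles are mapped from the assertion on the SP side, since the realm only compares the role names it is handed.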