Hi,
for the Login Module, is there any specific configuration required to handle comma-separated values in a role specification? Using JBoss EAP 6.4 and Picketlink 2.7.1.Final I managed to integrate into the OAM using SAML. However, the Roles in the Assertion are a CSV list instead of a set of XML nodes. Users with just one role, e.g. 'ROLE_A', are able to log in as expected. However, users with more than one role, e.g. 'ROLE_A,ROLE_B', cannot log in.
From the Assertion:
...
<saml:AttributeStatement>
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  </saml:Attribute>
</saml:AttributeStatement>
...
Parsing error:
14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) Checking roles GenericPrincipal[some_user_x(ROLE_A,ROLE_B,)]
14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) JBWEB000016: User [some_user_x] does not have role [ROLE_A]
14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) No role found: ROLE_A
The configuration in my web.xml is:
<!-- BEGIN SAML Config -->
<!-- Wrapper elements (security-constraint, auth-constraint, login-config, security-role)
     restored from the standard web.xml layout; only the inner elements survived in the post. -->
<!-- Security Constraint for all resources -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>IdP SSO</web-resource-name>
    <url-pattern>Navigator</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_A</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login?error=true</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>The role that is required to log in</description>
  <role-name>ROLE_A</role-name>
</security-role>
...
JBoss EAP is running in standalone mode; here is the configuration for the login modules:
<security-domain name="SP" cache-type="default">
  <authentication>
    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
  </authentication>
</security-domain>
Thanks
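The log above shows the realm checking one principal role named "ROLE_A,ROLE_B," (note the trailing comma), i.e. the whole CSV string was taken as a single role name. The following is an added example, not code from the post or from PicketLink: a stand-alone Java utility that reads the role attribute out of an assertion and splits it into individual roles, trimming whitespace and dropping the empty entry the trailing comma produces. The sample assertion is constructed for the example, and the attribute name "role" is an assumption taken from the snippet in the post; where this splitting has to run in a real deployment (for instance in a role-mapping login module) is not shown by the post and is left to the reader.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class CsvRoleSplitter {
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample (not a real assertion): one AttributeValue carrying a CSV role list,
    // including the trailing comma that showed up in the realm log as "ROLE_A,ROLE_B,".
    private static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
      + "<saml:AttributeStatement>"
      + "<saml:Attribute Name=\"role\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">"
      + "<saml:AttributeValue>ROLE_A,ROLE_B,</saml:AttributeValue>"
      + "</saml:Attribute>"
      + "</saml:AttributeStatement>"
      + "</saml:Assertion>";

    /**
     * Returns the distinct roles carried by the attribute named roleAttributeName.
     * Each AttributeValue is split on commas, so both "one value per role" and
     * "one CSV value" assertions yield the same role list.
     */
    public static List<String> extractRoles(String assertionXml, String roleAttributeName) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Assertions come from the network: disable DTDs and external entities before parsing.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(assertionXml)));

        List<String> roles = new ArrayList<>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            if (!roleAttributeName.equals(attr.getAttribute("Name"))) {
                continue;
            }
            NodeList values = attr.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            for (int j = 0; j < values.getLength(); j++) {
                for (String part : values.item(j).getTextContent().split(",")) {
                    String role = part.trim();
                    // Skip the empty entry produced by a trailing comma and avoid duplicates.
                    if (!role.isEmpty() && !roles.contains(role)) {
                        roles.add(role);
                    }
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(extractRoles(SAMPLE_ASSERTION, "role"));
    }
}
```

Run with `javac CsvRoleSplitter.java && java CsvRoleSplitter`; the printed list contains ROLE_A and ROLE_B as separate entries, which is what the `<auth-constraint>` check on ROLE_A needs to see. Splitting only after the assertion's signature has been validated keeps the role list tied to what the IdP actually issued.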