0 Replies Latest reply on Jul 25, 2017 6:41 PM by Ralf Hack

    Oracle Authentication Management Assertion Role attribute parsing in the service provider

    Ralf Hack Newbie

      Hi,

      For the Login Module, is there any specific configuration required to handle comma-separated values in a role specification? Using JBoss EAP 6.4 and Picketlink 2.7.1.Final I managed to integrate into the OAM using SAML. However, the Roles in the Assertion are a CSV list instead of a set of XML nodes. Users with just one role, e.g. 'ROLE_A', are able to log in as expected. However, users with more than one role, e.g. 'ROLE_A,ROLE_B', cannot log in. [Apologies for cross-posting in picketlink - I think this topic is better suited to this forum]

      From the Assertion:

      ...
      <saml:AttributeStatement>
        <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ROLE_A,ROLE_B</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      ...

      Parsing error:

      14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) Checking roles GenericPrincipal[some_user_x(ROLE_A,ROLE_B,)]
      14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) JBWEB000016: User [some_user_x] does not have role [ROLE_A]
      14:48:13,452 DEBUG [org.apache.catalina.realm] (8 (8743)) No role found: ROLE_A ....

      The configuration in my web.xml is:

      <!-- BEGIN SAML Config -->
      <security-constraint>
        <display-name>Security Constraint for all resources</display-name>
        <web-resource-collection>
          <web-resource-name>IdP SSO</web-resource-name>
          <url-pattern>Navigator</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ROLE_A</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login</form-login-page>
          <form-error-page>/login?error=true</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <description>The role that is required to log in</description>
        <role-name>ROLE_A</role-name>
      </security-role>
      <!-- END SAML Config -->
      ...

      JBoss EAP is running as standalone - here is the configuration for the login modules:

      <security-domain name="SP" cache-type="default">
        <authentication>
          <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
        </authentication>
      </security-domain>

      And the picketlink configuration is:

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" BindingType="POST">
              <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
                  <Option Key="FileName" Value="/WEB-INF/classes/idp-metadata.xml"/>
              </MetaDataProvider>
          </PicketLinkSP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
             <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
             <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
               <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
             </Handler>
             <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
             <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
             <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
          </Handlers>
      </PicketLink>


      Thanks
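The failure in the log above (GenericPrincipal carrying the single role string "ROLE_A,ROLE_B,") can be reproduced outside the container. The following is an added illustration, not PicketLink or OAM code: it parses an AttributeStatement modelled on the one in the post, shows the one-role-per-AttributeValue reading that the SP appears to apply, and the comma-splitting normalisation that an SP-side mapping would need for this IdP. The separator and the attribute name "role" are assumptions taken from the post; any such splitting belongs after signature validation of the assertion, never before.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed fragment modelled on the AttributeStatement quoted in the post.
# The real assertion is larger (Subject, Conditions, Signature); only the
# attribute part matters for the role-mapping question.
ASSERTION_FRAGMENT = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ROLE_A,ROLE_B</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, attribute_name):
    """Raw AttributeValue strings of the named attribute, one entry per XML node."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == attribute_name:
            for av in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((av.text or "").strip())
    return values


def roles_one_per_node(assertion_xml, attribute_name="role"):
    """Mapping the SP applies in the post: each AttributeValue node is one role."""
    return set(attribute_values(assertion_xml, attribute_name))


def roles_split_csv(assertion_xml, attribute_name="role", sep=","):
    """Normalisation for an IdP that packs several roles into one value (assumed separator)."""
    roles = set()
    for raw in attribute_values(assertion_xml, attribute_name):
        for part in raw.split(sep):
            part = part.strip()
            if part:  # drop the empty token a trailing comma produces (cf. "ROLE_A,ROLE_B," in the log)
                roles.add(part)
    return roles


def has_role(granted, required):
    """Container-style check: the web.xml auth-constraint role must match a granted role verbatim."""
    return required in granted
```

With the one-per-node reading the only granted role is the literal "ROLE_A,ROLE_B", so the auth-constraint on ROLE_A fails exactly as the JBWEB000016 line reports; after splitting, the same check passes.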