From: Snhp (snhp20524 at gmail.com)
Date: Tue, 4 Nov 2014 15:25:18 -0500
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <1531266737.3503248.1414695635324.JavaMail.zimbra@redhat.com>
Message-ID: <83ED86D5-B2A6-41BF-B59F-859C271CF076@gmail.com>

I am able to connect to our own identity store but getting the below error:

Warning : No default partition was created you may want to create one before starting your identity types.

Ldap error code 50 insufficient 'add' privilege to add entry 'cn=......

Sent from my iPhone

> On Oct 30, 2014, at 3:00 PM, Pedro Igor Silva wrote:
>
> We don't have any example for that, yet.
>
> But I think you can create a LoginModule that uses PL IDM to connect to rht idp or ipa. In the next EAP release you'll be able to configure PL IDM using a subsystem and get a reference to the PartitionManager from your LoginModule.
>
> But for now, I think you can try to build the partition manager inside your LM with all the necessary configuration to communicate with rht idm or ipa. Take a look at [1] about how to configure an LDAP identity store.
>
> [1] https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-authorization-idm-ldap
>
> ----- Original Message -----
> From: "Snhp"
> To: "Pedro Igor Silva"
> Cc: security-dev at lists.jboss.org
> Sent: Thursday, October 30, 2014 4:49:18 PM
> Subject: Re: [security-dev] Picketlink integration with IDM
>
> I am new to PicketLink IDM. Can someone guide me on the design approach for the below requirement?
>
> 1) user login through web app using login page.
>
> 2) web app should invoke PicketLink IDM APIs to connect to Red Hat IdM or IPA server for validating user identities
>
> Appreciate your comments and sample code if available
>
> Sent from my iPhone
>
>> On Oct 30, 2014, at 11:39 AM, Pedro Igor Silva wrote:
>>
>> I think you can get some guidance from our IT team.
>>
>> ----- Original Message -----
>> From: "Snhp"
>> To: "Pedro Igor Silva"
>> Cc: security-dev at lists.jboss.org
>> Sent: Thursday, October 30, 2014 12:10:59 PM
>> Subject: Re: [security-dev] Picketlink integration with IDM
>>
>> My requirement is to authenticate users from Red Hat IdM or IPA
>>
>> Sent from my iPhone
>>
>>> On Oct 30, 2014, at 9:40 AM, Pedro Igor Silva wrote:
>>>
>>> Do you mean using PL IDM to authenticate users from your PL IDP?
>>>
>>> ----- Original Message -----
>>> From: "Snhp"
>>> To: security-dev at lists.jboss.org
>>> Sent: Thursday, October 30, 2014 10:17:04 AM
>>> Subject: [security-dev] Picketlink integration with IDM
>>>
>>> Hi All,
>>>
>>> Can someone share examples on PicketLink integration with IDM (Red Hat)?
>>>
>>> I am trying to configure IDM instead of LDAP/Database.
>>>
>>> Sent from my iPad
>>> _______________________________________________
>>> security-dev mailing list
>>> security-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/security-dev

From: Adam Dong (adamdong at vidder.com)
Date: Wed, 5 Nov 2014 00:13:49 +0000
Subject: [security-dev] How to config SP to talk to multiple IDPs

A related question: could ServiceProviderAuthenticator be configured to load multiple IDP metadata files (I do see the quickstart example of loading one IDP's metadata in one file)? Or multiple IDPs' metadata in one file?
Thanks,
Adam

-----Original Message-----
From: Adam Dong
Sent: Friday, October 31, 2014 12:40 PM
To: 'security-dev at lists.jboss.org'
Subject: How to config SP to talk to multiple IDPs

Hi,

How to configure ServiceProviderAuthenticator to multiplex among multiple IDPs depending on some request parameter (a flag to indicate which IDP to talk to)? Note that I am NOT talking about IDP discovery where I have to set up a common domain.

When can we expect SPFilter to be updated up to the level of ServiceProviderAuthenticator?

Thanks,
Adam

From: Pedro Igor Silva (psilva at redhat.com)
Date: Wed, 5 Nov 2014 05:09:37 -0500 (EST)
Subject: [security-dev] How to config SP to talk to multiple IDPs
Message-ID: <333138418.6793323.1415182177946.JavaMail.zimbra@redhat.com>

You can have only a single IdP metadata file. And inside this file a single IdP descriptor.

From: Pedro Igor Silva (psilva at redhat.com)
Date: Wed, 5 Nov 2014 05:42:09 -0500 (EST)
Subject: [security-dev] Picketlink integration with IDM
In-Reply-To: <83ED86D5-B2A6-41BF-B59F-859C271CF076@gmail.com>
Message-ID: <900089677.6801612.1415184129494.JavaMail.zimbra@redhat.com>

You can discard the warning message. The LDAP store does not support partitions at all.

Regarding your error message, make sure you have permissions to write to your LDAP tree.

From: Jason Greene (jason.greene at redhat.com)
Date: Mon, 10 Nov 2014 17:15:54 -0600
Subject: [security-dev] Need PB 4.0.21.Final for 8.2

Hey guys,

Can you do a 4.0.21.Final at your earliest convenience? We need final versions before we can release 8.2. Thanks!

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat

From: Stefan Guilhen (sguilhen at redhat.com)
Date: Tue, 11 Nov 2014 12:31:42 -0200
Subject: [security-dev] Need PB 4.0.21.Final for 8.2
Message-ID: <54621DCE.7020307@redhat.com>

Hi Jason,

I'll cut a release today.

Cheers,
Stefan

From: Adam Dong (adamdong at vidder.com)
Date: Fri, 21 Nov 2014 07:12:51 +0000
Subject: [security-dev] The relationship between sp-metadata.xml and picketlink.xml
Message-ID: <29308bc2500b4e45ab64269621b0a0d6@CY1PR0401MB0939.namprd04.prod.outlook.com>

Hi,

In the quickstart example on SP with metadata, the sp-metadata.xml didn't include signing key info for SP/IDP. If the signing key info is included in sp-metadata.xml for the SP and IDP entity descriptors, could PicketLink code recognize that? If yes, could I then do away with and under in picketlink.xml?
In other words, could we use picketlink.xml just for specifying handlers, and not for key info, at least not for the validating key, because the validating key would be included under IDPEntityDescriptor in sp-metadata.xml? Is there any document to describe the relationship of these two files? What if these two files have conflicting info; then which one takes precedence?

Normally a standards-based IDP metadata is delivered in a file to the SP side (and a standards-based SP metadata is delivered to the IDP side); we prefer to take that file as a whole for the SP to feed on, instead of having to manually modify picketlink.xml.

Please shed some light on PicketLink's capability with standard metadata and how to reconcile metadata and picketlink.xml.

Thanks,
Adam

From: Adam Dong (adamdong at vidder.com)
Date: Wed, 26 Nov 2014 00:46:13 +0000
Subject: [security-dev] The relationship between sp-metadata.xml and picketlink.xml

Any comments on my questions?

From: Adam Dong (adamdong at vidder.com)
Date: Wed, 26 Nov 2014 00:53:00 +0000
Subject: [security-dev] SP side Http session time-out period

Hi,

If I used ServiceProviderAuthenticator as my SP side, once a valid assertion comes back from the IDP, and the SP checked the assertion and created the local HttpSession (it is an HttpSession, right?), what is that session's time-out period? Is it configurable?

Thanks,
Adam

From: Michael Cirioli (mcirioli at redhat.com)
Date: Tue, 25 Nov 2014 20:02:23 -0500 (EST)
Subject: [security-dev] SP side Http session time-out period
Message-ID: <649459909.4320848.1416963743455.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com>

I believe you can configure SP session lifetimes in your app's web.xml?

    <session-config>
        <session-timeout>15</session-timeout>
    </session-config>

-mike cirioli
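For the "Picketlink integration with IDM" thread earlier on this page, the following is an added example and not code from the thread or from the PicketLink project. It shows what Pedro's suggestion looks like in practice: the PartitionManager is built inside the application with an LDAP identity store (a JAAS LoginModule's login() would call authenticate() below), and validating a user's password only binds and reads, so the bind account needs no write rights on the tree. The fluent configuration API (IdentityConfigurationBuilder, DefaultPartitionManager, the LDAPConstants attribute names) is recalled from the PicketLink 2.x quickstart linked in the thread rather than taken from this page; the URL, base DN, bind DN and attribute mapping are assumed values.

```java
// Added example: LDAP-backed authentication with PicketLink IDM, built the way
// Pedro describes (partition manager created by the application itself).
// Class and method names below come from the PicketLink 2.x IDM API as used in
// the quickstart; host, DNs and the People subtree are assumed sample values.
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.model.basic.User;

import static org.picketlink.idm.ldap.internal.LDAPConstants.CN;
import static org.picketlink.idm.ldap.internal.LDAPConstants.EMAIL;
import static org.picketlink.idm.ldap.internal.LDAPConstants.SN;
import static org.picketlink.idm.ldap.internal.LDAPConstants.UID;

public class LdapAuthenticator {

    private final PartitionManager partitionManager;

    /**
     * Builds a PartitionManager backed by a single LDAP identity store.
     * The bind account only needs search/read rights on the mapped subtree
     * when the application does nothing but authenticate users.
     */
    public LdapAuthenticator(String url, String baseDn, String bindDn, String bindPassword) {
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder
            .named("ldap.store")                       // configuration name (assumed)
                .stores()
                    .ldap()
                        .url(url)                      // e.g. ldap://ipa.example.test:389 (assumed)
                        .baseDN(baseDn)                // e.g. dc=example,dc=test (assumed)
                        .bindDN(bindDn)                // read-only service account (assumed)
                        .bindCredential(bindPassword)
                        .supportType(User.class)       // no partitions: the LDAP store has none
                        .mapping(User.class)
                            .baseDN("ou=People," + baseDn)          // assumed subtree
                            .objectClasses("inetOrgPerson", "organizationalPerson")
                            .attribute("loginName", UID, true)     // uid is the identifier
                            .attribute("firstName", CN)
                            .attribute("lastName", SN)
                            .attribute("email", EMAIL);
        this.partitionManager = new DefaultPartitionManager(builder.buildAll());
    }

    /**
     * Validates a login name and password against the directory.
     * Returns true only when PicketLink reports the credentials as VALID;
     * any other status (invalid, expired, disabled) is treated as a failure.
     */
    public boolean authenticate(String loginName, String password) {
        IdentityManager identityManager = partitionManager.createIdentityManager();
        UsernamePasswordCredentials credentials =
            new UsernamePasswordCredentials(loginName, new Password(password));
        identityManager.validateCredentials(credentials);
        return credentials.getStatus() == Credentials.Status.VALID;
    }

    // Sample usage (values are constructed placeholders, not a real directory):
    public static void main(String[] args) {
        LdapAuthenticator auth = new LdapAuthenticator(
            "ldap://ipa.example.test:389",
            "dc=example,dc=test",
            "uid=svc-webapp,cn=users,cn=accounts,dc=example,dc=test",
            "service-account-password");
        System.out.println("login ok: " + auth.authenticate("jdoe", "user-password"));
    }
}
```

The "insufficient 'add' privilege" failure in the thread is LDAP result code 50 (insufficientAccessRights in RFC 4511) and is raised only when the store tries to write, for example when the application calls identityManager.add(new User(...)) the way the quickstart's startup bean provisions sample users, and that write runs under the bind account's rights. Checking the bind account's ACL on the mapped subtree, or dropping the provisioning step when the directory (IdM/IPA here) is the authoritative source of users, resolves it; keeping the bind account read-only when the application only authenticates is the least-privilege choice.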