Potential fix:
diff --git picketlink-wildfly-common/src/main/java/org/picketlink/identity/federation/bindings/wildfly/sp/SPFormAuthenticationMechanism.java picketlink-wildfly-common/src/main/java/org/picketlink/identity/federation/bindings/wildfly/sp/SPFormAuthenticationMechanism.java
index 015a152..a13a620 100644
— picketlink-wildfly-common/src/main/java/org/picketlink/identity/federation/bindings/wildfly/sp/SPFormAuthenticationMechanism.java
+++ picketlink-wildfly-common/src/main/java/org/picketlink/identity/federation/bindings/wildfly/sp/SPFormAuthenticationMechanism.java
@@ -267,8 +267,16 @@ public class SPFormAuthenticationMechanism extends ServletFormAuthenticationMech
 try {
 // If we have already authenticated the user and there is no request from IDP or logout from user
 if (principal != null
- && !(serviceProviderSAMLWorkflow.isLocalLogoutRequest(request) || isGlobalLogout(request) || isNotNull(samlRequest) || isNotNull(samlResponse)))
+ && !(serviceProviderSAMLWorkflow.isLocalLogoutRequest(request) || isGlobalLogout(request) || isNotNull(samlRequest) || isNotNull(samlResponse))) {
+
+ IdentityManager identityManager = securityContext.getIdentityManager();
+
+ // Call back into the security subsystem to establish the security context
+ Account account = new AccountImpl(principal, new HashSet<String>(), EMPTY_PASSWORD);
+ account = identityManager.verify(account);
+ return AuthenticationMechanismOutcome.AUTHENTICATED;
+ }
 // Handle a SAML Response from IDP
 if (isNotNull(samlResponse)) {
@@ -1125,4 +1133,4 @@ public class SPFormAuthenticationMechanism extends ServletFormAuthenticationMech
 public String getIdentityURL() {
 return this.spConfiguration.getIdentityURL();
 }
-}
\ No newline at end of file
+}
I'm not sure about how to handle the roles. Passing the roles into the Account class as an empty set appears to work.
|
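Review bot: The result of `identityManager.verify(account)` is discarded: `account` is reassigned on the line after the `AccountImpl` construction but never inspected, and `AuthenticationMechanismOutcome.AUTHENTICATED` is returned unconditionally, so a verification that rejects the account (Undertow's `IdentityManager.verify` returns null on failure) still authenticates the request. Add `if (account == null) { return AuthenticationMechanismOutcome.NOT_AUTHENTICATED; }` before the return, and presumably hand the verified account to `securityContext.authenticationComplete(...)` so the security context actually carries it — no such call is visible in the hunk, confirm whether the caller performs it. The `new HashSet<String>()` also means the re-established account carries no roles; whether `verify` repopulates them from the identity store or they must come from the stored principal's session data cannot be seen here, and the author's own note flags this, so the roles source should be settled before merging. The enclosing method begins before the hunk and continues after it.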