My request is related to using PicketLink as an SP.
It would also be helpful to use the resource's originally requested URL as the ACS URL if you don't specify the ASSERTION_CONSUMER_URL as an option for the org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler in the config (picketlink.xml).
So if I don't specify an ASSERTION_CONSUMER_URL option, then I am hoping PicketLink would see the URL of the resource I originally requested. For example, if I request a protected resource (https://localhost:8443/webapp/proctedResource.jsp) from a WAR that uses PicketLink as an SP with no ASSERTION_CONSUMER_URL defined in the picketlink.xml config, the generated AssertionConsumerURL in the SAML request to the IdP should be "https://localhost:8443/webapp/proctedResource.jsp". The reason for this is that the org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator valve doesn't ever get called unless the resource requested is protected. So unless the ACS URL is a protected resource itself, the SAML Response will never be read and the user will not be logged in.
I hope this helps. If not, let me know and I can try to better explain it. Or perhaps I can be made a contributor to the project and make the change myself? I discussed this at one point with Anil...