Picketlink integration with IDM
by Snhp
Hi All,
Can someone share examples on Picketlink integration with IDM (Red Hat)?
I am trying to configure IDM instead of LDAP/Database.
Sent from my iPad
10 years
How to config SP to talk to multiple IDPs
by Adam Dong
Hi,
How to configure ServiceProviderAuthenticator to multiplex among multiple IDPs depending on some request parameter (a flag to indicate which IDP to talk to)? Note that I am NOT talking about IDP discovery, where I have to set up a common domain.
When can we expect SPFilter to be updated to the level of ServiceProviderAuthenticator?
Thanks,
Adam
10 years
SPFilter should check principal in POST calls
by Claudio Miranda
Hi, related to PLINK2-20, our application cannot use the SP valve, as there are two authentication mechanisms (DatabaseServerLoginModule and SAML2LoginModule). So we use SPFilter, and the alternative authentication mechanism is working, except for the JSF requests: SPFilter intercepts them as POST requests and redirects to the IDP, but the user is already authenticated.
So, there is the following issue.
https://issues.jboss.org/browse/PLINK2-20
Would you allow a contribution to add a servlet filter init param to optionally add the allowed request methods?
<init-param>
    <param-name>ALLOWED_METHODS</param-name>
    <param-value>GET,POST</param-value>
</init-param>
And change the code below to allow it?
boolean postMethod = "POST".equalsIgnoreCase(request.getMethod());
Defaults to POST to maintain compatibility.
Comments?
Kind regards
--
Claudio Miranda
claudio(a)claudius.com.br
http://www.claudius.com.br
10 years
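As an added illustration (my own code, not SPFilter's; the class name and the exact meaning given to ALLOWED_METHODS are assumptions), this combines the two points of the post, the init-param with its POST default and a principal check so an already-authenticated user is not bounced to the IDP, in one object a filter could consult from doFilter:

```java
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import javax.servlet.FilterConfig;
import javax.servlet.http.HttpServletRequest;

// Added example, not SPFilter's code: applies both points raised in the post,
// the ALLOWED_METHODS init-param (defaulting to POST) and a check that an
// already-authenticated principal is never redirected to the IDP again.
public class SamlInterceptPolicy {
    static final String ALLOWED_METHODS_PARAM = "ALLOWED_METHODS";
    private final Set<String> allowedMethods = new TreeSet<>();

    public SamlInterceptPolicy(FilterConfig config) {
        this(config.getInitParameter(ALLOWED_METHODS_PARAM));
    }

    // Package-private so the parsing can be exercised outside a servlet container.
    SamlInterceptPolicy(String initParam) {
        // Missing or blank init-param keeps the old POST-only behaviour.
        String value = (initParam == null || initParam.trim().isEmpty()) ? "POST" : initParam;
        for (String m : value.split(",")) {
            String method = m.trim().toUpperCase(Locale.ROOT);
            if (!method.isEmpty()) allowedMethods.add(method);
        }
    }

    public Set<String> allowedMethods() {
        return allowedMethods;
    }

    /**
     * True only when the filter should run its SAML handling for this request:
     * the method is one the deployer listed AND no other login module (such as the
     * DatabaseServerLoginModule from the post) has already established a principal.
     * Anything else, e.g. a JSF POST from a logged-in user, passes straight through.
     */
    public boolean interceptAsSamlLogin(HttpServletRequest request) {
        if (request.getUserPrincipal() != null) {
            return false;
        }
        String method = request.getMethod();
        return method != null && allowedMethods.contains(method.toUpperCase(Locale.ROOT));
    }
}
```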
Error deploying Picketlink-authorization-idm-ldap
by Haritha
Hi Team ,
I have downloaded the quick starts
Picketlink-authorization-idm-ldap, modified it for my own LDAP server and tried deploying it in JBoss EAP 6, but I am getting the following error:
Component.securityinitializer.create is missing
[jboss.ejb3.singletondefaulttimeout
Sent from my iPhone
10 years
question about setting NameIDPolicy format
by Adam Dong
Hi,
On the SP side, how do I configure/set the NameIDPolicy format that is used to construct the AuthnRequest?
Does the configuration mechanism exist? In picketlink.xml?
Thanks,
Adam
10 years
Implementing CORS filter to Picketlink HTTP Security API
by Giriraj Sharma
Hi,
In order to implement the first cut of a CORS (Cross-Origin Resource Sharing) <https://tools.ietf.org/html/rfc6454> filter in the PicketLink HTTP Security API, I have come up with the following two initial ideas for providing the CORS configuration, which can then be loaded and parsed using CORSConfigurationLoader and handled by CORSRequestHandler and CORSResponseWrapper:
#1. We can have a configuration file such as cors-sample.configuration
<https://gist.github.com/girirajsharma/cd7c60b1dcd38345b069#file-cors-samp...>
cors.allowGenericHttpRequests=true
cors.allowOrigin=https://www.example.org:9000, http://example.com:8008
cors.allowSubdomains=false
cors.supportedMethods=GET, PUT, HEAD, POST, DELETE, OPTIONS
cors.supportedHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization
cors.exposedHeaders=
cors.supportsCredentials=true
cors.maxAge=3600
#2. We can have a servlet CORS filter in web.xml such as CORS.xml
<https://gist.github.com/girirajsharma/059bcde20fc28e6cd0db#file-cors-xml>
Either configuration could be used to make use of CORS requests in any application.
If this looks fine, I will go forward with its implementation?
Regards,
--
Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India
10 years
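As an added example (my own code, not the proposed CORSConfigurationLoader or CORSRequestHandler; the class and method names are assumptions), this reads the cors.allowOrigin, cors.allowSubdomains and cors.supportsCredentials keys from the sample configuration above and makes the one decision a CORS filter must get right, which value may be echoed in Access-Control-Allow-Origin:

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Properties;
// Added example, not the proposed CORSConfigurationLoader: reads the cors.* keys
// from the post and decides what Access-Control-Allow-Origin may say for a request.
public class CorsOriginPolicy {
    private final List<String> allowedOrigins = new ArrayList<>();
    private final boolean allowSubdomains;
    private final boolean supportsCredentials;

    public CorsOriginPolicy(Properties p) {
        for (String o : p.getProperty("cors.allowOrigin", "").split(",")) {
            if (!o.trim().isEmpty()) allowedOrigins.add(o.trim().toLowerCase());
        }
        allowSubdomains = Boolean.parseBoolean(p.getProperty("cors.allowSubdomains", "false"));
        supportsCredentials = Boolean.parseBoolean(p.getProperty("cors.supportsCredentials", "false"));
    }

    /** Value for Access-Control-Allow-Origin, or null when no CORS headers may be emitted. */
    public String allowOriginHeader(String requestOrigin) {
        if (requestOrigin == null || "null".equals(requestOrigin)) return null; // opaque origin
        String origin = requestOrigin.toLowerCase();
        if (allowedOrigins.contains("*")) {
            // Browsers reject "*" together with credentials; echoing the caller keeps it working
            // but lets ANY site send credentialed requests, so avoid that combination.
            return supportsCredentials ? origin : "*";
        }
        for (String allowed : allowedOrigins) {
            if (allowed.equals(origin) || (allowSubdomains && isSubdomainOf(origin, allowed))) {
                return origin; // echo the exact origin, never a list or a pattern
            }
        }
        return null;
    }

    // Same scheme and port as the configured origin, host ending in "." + its host.
    private static boolean isSubdomainOf(String origin, String allowed) {
        try {
            URI o = URI.create(origin), a = URI.create(allowed);
            return o.getHost() != null && a.getHost() != null
                && Objects.equals(o.getScheme(), a.getScheme())
                && o.getPort() == a.getPort()
                && o.getHost().endsWith("." + a.getHost());
        } catch (IllegalArgumentException e) {
            return false; // malformed Origin header from the client
        }
    }
}
```

With the sample values above (two listed origins, subdomains off, credentials on), only an Origin header equal to one of the two entries, port included, gets a header back, and it always carries that single origin rather than the whole list.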
How to configure ServiceProviderAuthenticator to do HTTP POST or HTTP Redirect?
by Adam Dong
Hi,
Instead of having to choose SPPostSignatureFormAuthenticator or SPRedirectSignatureFormAuthenticator, can I just use ServiceProviderAuthenticator and somehow configure it (in picketlink.xml or the metadata config file) to do POST or redirect?
Another question: on the SP side, I understand I need to have the IDP's cert in my SP cert store to be able to validate the assertion signature, but do I need to have the IDP cert's root CA in my trust store? In other words, does the SP-side code (PicketLink library) check the IDP cert's issuer against the SP's trust store?
Thanks,
Adam
10 years, 1 month
How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
by Adam Dong
Hi, guys,
Thanks to some of your help, I have successfully configured ServiceProviderAuthenticator as a Valve (in context.xml) in Tomcat to protect my web app, whose web.xml needs to have <security-constraint>, <login-config> (with FORM being the auth method) etc., and the whole thing worked as expected against my IDP.
Now I have a special need to either let the SAML auth happen or bypass it (not just bypass SAML auth, but bypass the FORM-based auth altogether). Here is what I tried, but it didn't work:
import java.io.IOException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig; // Tomcat 7 package
import org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator;

public class MyServiceProviderAuthenticator extends ServiceProviderAuthenticator {
    @Override
    public boolean authenticate(Request req, Response res, LoginConfig loginconfig)
            throws IOException {
        if ("true".equals(req.getParameter("bypass"))) { // bypass SAML authentication
            return true;
        }
        return super.authenticate(req, res, loginconfig);
    }
}
When that flag was not set, the SAML interaction happened and everything worked.
When the flag was set, this method simply returned true, and then I simply got "HTTP Status 403 - Access to the requested resource has been denied." in the browser.
Why the failure? Is it because I didn't set the principal, or didn't satisfy something that FORM-based auth needed?
Thanks a lot in advance for any clue.
Adam
10 years, 1 month