After some struggling I configured my WildFly's standalone.xml to authenticate against an LDAP server:

<security-domain name="LDAPAuth" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url" value="ldap://URL:389"/>
            <!-- service account used to search the directory for the user entry -->
            <module-option name="bindDN" value="username"/>
            <module-option name="bindCredential" value="password"/>
            <!-- search base: every RDN must be comma-separated -->
            <module-option name="baseCtxDN" value="OU=Users,DC=domain,DC=com"/>
            <!-- {0} is replaced by the login name entered by the user -->
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <!-- reject empty passwords; many directories treat an empty bind as anonymous -->
            <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
    </authentication>
</security-domain>

I also configured my jboss-web:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns:cr="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
  http://www.jboss.com/xml/ns/javaee
  http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
    <cr:context-root>/projectName</cr:context-root>
    <security-domain>LDAPAuth</security-domain>
    <use-jboss-authorization>true</use-jboss-authorization>
</jboss-web>

and my web.xml:

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>LDAPAuth realm</realm-name>
    <!-- form-login-config is only consulted when auth-method is FORM -->
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>
...

and everything works fine.

The next step is to use PicketLink. But I can't find out how to configure PicketLink to use my security-domain.

I can find examples and tutorials for establishing the LDAP connection programmatically and for setting up PicketLink to work with Identity and Service Providers. But as far as I know, my use case contains both the Identity Provider and the Service Provider?!? So there is no dedicated server I want to connect to. The LDAP query is handled by my WildFly server. In every example I can find, both servers are separate machines. Did I misunderstand something? After hours of 'googling' I'm getting more and more confused.

I added

<valve>
     <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
</valve>

But I don't know how to configure the picketlink.xml. What's the URL of my Identity Provider? I believe there's just one part I understand wrong. Can someone help me? :-D

Roman B

1 Answer

What's the URL of my Identity Provider?

The URL will be the application which you have chosen to be the portal/IDP that manages the SAML SSO requests and responses and sends them to the applications. The IDP will contain a picketlink.xml file, and each application (in PicketLink named SP) will also have a picketlink.xml file (placed in the WEB-INF folder).

Look at the getting started projects for picketlink here: https://github.com/jboss-developer/jboss-picketlink-quickstarts

There are so many examples for picketlink...

Picketlink Documentation (if you read through the chapters you will get the understanding of IDP and SP definition and config files): https://docs.jboss.org/author/display/PLINK/Identity+Provider+Configuration

Picketlink IDP - Simple Config:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">
        <!-- the URL under which the IDP application itself is deployed -->
        <IdentityURL>http://localhost:8080/idp/</IdentityURL>
        <!-- only SPs whose host is listed here get assertions issued -->
        <Trust>
            <Domains>localhost,mycompany.com</Domains>
        </Trust>
    </PicketLinkIDP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    </Handlers>
</PicketLink>

For your project(s) you will have:

  • IDP /Portal App (war, ...)

    • WEB-INF picketlink.xml
    • WEB-INF jboss-web.xml with IDP valve
    • On the IDP you can use every login module which you want (by default the one specified in jboss-web.xml)
  • SP / Some SSO enabled application

    • WEB-INF picketlink.xml
    • WEB-INF jboss-web.xml with SP valve
    • On the SP side you have to use the security domain with the login module (org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule)
Greasy Fox
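The answer shows the IDP side only. Below is a matching WEB-INF/picketlink.xml for the SP side (the LDAP-protected /projectName application from the question) that a practitioner would pair with it. This is an added example, not code from the original answer or from the PicketLink project; the URLs, keystore path, passwords and key aliases are placeholders that are assumed here, and the signature-related settings go beyond the unsigned IDP config in the answer on purpose.

```xml
<!-- WEB-INF/picketlink.xml of the service provider (added example; all URLs, keystore
     locations, passwords and aliases below are assumed placeholders). -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                  BindingType="POST"
                  SupportsSignatures="true">
        <!-- Unauthenticated users are redirected here: the IdentityURL of the IDP application -->
        <IdentityURL>http://localhost:8080/idp/</IdentityURL>
        <!-- This SP's own URL; its host must appear in the IDP's <Trust><Domains> list -->
        <ServiceURL>http://localhost:8080/projectName/</ServiceURL>
        <!-- Keys used to sign outgoing AuthnRequests and to verify the IDP's signature on
             responses. Without SupportsSignatures and a KeyProvider the SP accepts any SAML
             response posted to it, so anyone who can reach the SP could forge a login. -->
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/sp-keystore.jks"/>      <!-- assumed: keystore on the classpath -->
            <Auth Key="KeyStorePass" Value="changeit"/>             <!-- assumed: externalize in production -->
            <Auth Key="SigningKeyAlias" Value="sp-signing"/>        <!-- assumed alias of the SP's private key -->
            <Auth Key="SigningKeyPass" Value="changeit"/>
            <!-- Map the IDP host to the certificate alias used to verify its signatures -->
            <ValidatingAlias Key="localhost" Value="idp-signing"/>  <!-- assumed alias of the IDP certificate -->
        </KeyProvider>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
        <!-- Sign what we send and validate what we receive -->
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
    </Handlers>
</PicketLink>
```

Two things have to line up with this file. First, because the SP sets SupportsSignatures="true", the IDP config from the answer needs the same attribute on PicketLinkIDP plus its own KeyProvider (with a ValidatingAlias for the SP host), otherwise the IDP will not sign and the SP will reject every response. Second, the SP's jboss-web.xml must reference a security domain whose login module is org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule, as the answer states; the LDAPAuth domain from the question then belongs to the IDP application only, which is where the actual password check happens.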
  • Just one issue with your answer: The OP is using WildFly, so there are no "valves" in jboss-web.xml. I have found in my own work that this makes the implementation significantly more difficult. Most of the documentation references valve configuration with parameters, and then does not mention any corresponding handler implementation for WildFly. For example, it is not clear at all how to configure a picketlink implementation on WildFly using standard SAML metadata files -- there is a valve you can add to reference the metadata files, but that does not apply for WildFly. – Kingand Mar 01 '18 at 21:03