I have put in place a samlWebSso20 config using the Liberty Buildpack on Bluemix and the ADFS IdP from my customer.
I have a single web application deployed on the Liberty instance.
I am using the Server Directory option to push on Bluemix as explained here.
Here is my server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<server description="johan">
    <featureManager>
        <feature>webProfile-7.0</feature>
        <feature>samlWeb-2.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    <samlWebSso20 id="defaultSP" nameIDFormat="unspecified"
                  spCookieName="my_cookie"
                  idpMetadata="${server.config.dir}/resources/security/FederationMetadata.xml"
                  userIdentifier="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
                  sessionNotOnOrAfter="2h">
    </samlWebSso20>
    <keyStore id="defaultKeyStore" password="***" />
    <webApplication context-root="/" location="MySampleApp.war" name="MySampleApp" type="war">
        <security-role name="any-authenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
        <security-role name="administrators">
            <user name="user1@customer.com" />
            <user name="user2@customer.com" />
        </security-role>
    </webApplication>
</server>
And here is the web.xml of the app deployed on Liberty:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <security-constraint>
        <display-name>SampleAppServicesConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>SampleAppServices</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>TRACE</http-method>
            <http-method>POST</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>any-authenticated</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>SampleAppAdminConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>SampleAppAdmin</web-resource-name>
            <url-pattern>/admin</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>administrators</role-name>
        </auth-constraint>
    </security-constraint>
    <display-name>SampleApp</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
</web-app>
When I hit the /admin route of the SampleApp, I get redirected to the ADFS login page. I then log in with user1@customer.com and get redirected to my app. However, I get a 403 even though the user is in the 'administrators' role. Below is the error message in the logs:
[AUDIT ] CWWKS9104A: Authorization failed for user user1@customer.com while invoking MySampleApp on /admin. The user is not granted access to any of the required roles: [administrators].
Note that if I change the AuthConstraint role from administrators to any_authenticated for the /admin route, user1@customer.com can then access the admin page.
Could someone please share some experience and explain what I am doing wrong?
Thanks
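An added static check, written for this post and not part of the question or of Liberty itself: it parses condensed copies of the two descriptors above and reports any auth-constraint role-name that server.xml never binds to a user, group or special subject, plus every constraint that enumerates its HTTP methods, since under Servlet 3.0 the /admin constraint in the question covers only GET and every other verb on /admin falls through to the weaker /* rule. The embedded XML is a constructed, trimmed copy of the question's files.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed, condensed copies of the web.xml and server.xml from the question.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint><web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>any-authenticated</role-name></auth-constraint>
  </security-constraint>
  <security-constraint><web-resource-collection>
    <url-pattern>/admin</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

SERVER_XML = """<server><webApplication location="MySampleApp.war">
  <security-role name="any-authenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
  <security-role name="administrators"><user name="user1@customer.com"/></security-role>
</webApplication></server>"""

def bound_roles(server_xml):
    """Role names that server.xml binds to at least one user, group or special subject."""
    root = ET.fromstring(server_xml)
    return {r.get("name") for r in root.iter("security-role")
            if any(c.tag in ("user", "group", "special-subject") for c in r)}

def check_constraints(web_xml, server_xml):
    """Return (unbound_roles, partial): unbound_roles are role-names referenced by an
    auth-constraint with no binding in server.xml; partial maps url-pattern -> the
    only HTTP methods its constraint covers (all other verbs are left uncovered)."""
    root = ET.fromstring(web_xml)
    bound = bound_roles(server_xml)
    unbound, partial = set(), {}
    for sc in root.findall("j:security-constraint", NS):
        for rn in sc.findall("j:auth-constraint/j:role-name", NS):
            if rn.text not in bound:
                unbound.add(rn.text)
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = sorted(m.text for m in wrc.findall("j:http-method", NS))
            if methods:  # an explicit method list protects only those methods
                for up in wrc.findall("j:url-pattern", NS):
                    partial[up.text] = methods
    return unbound, partial

if __name__ == "__main__":
    print(check_constraints(WEB_XML, SERVER_XML))
```

For the question's files the check reports no unbound role, so the 403 is not a role-name mismatch, and it flags /admin as covered for GET only.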