Product SiteDocumentation Site


PicketLink Reference Documentation


Legal Notice

Copyright © 2014 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.


PicketLink is an umbrella project for security and identity management for Java Applications. PicketLink is an important project under the security offerings from JBoss.
1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. Getting Help and Giving Feedback
2.1. Do You Need Help?
1. Overview
1.1. The Top 8 Java Application Security Problems Solved by PicketLink
1.2. What is PicketLink?
1.3. Where do I get started?
1.3.1. QuickStarts
1.3.2. API Documentation
1.4. Modules
1.4.1. Base module
1.4.2. Identity Management
1.4.3. Authorization Module
1.4.4. JSON
1.4.5. Federation
1.5. License
1.6. Maven Dependencies
1.7. PicketLink Installer
1.8. Referencing PicketLink from JBoss Modules
1.9. Help us improve the docs!
2. Authentication
2.1. Overview
2.2. Authentication API - the Identity bean
2.2.1. Stateful or Stateless Authentication
2.3. The Authentication Process
2.3.1. A Basic Authenticator
2.3.2. Multiple Authenticator Support
2.3.3. Credentials
2.3.4. DefaultLoginCredentials
2.4. Events
2.5. HTTP Authentication
2.5.1. Authentication Filter
2.5.2. Form Authentication
2.5.3. Basic Authentication
2.5.4. Digest Authentication
2.5.5. Client Cert Authentication
2.5.6. Token Authentication
3. Identity Management - Overview
3.1. Introduction
3.1.1. Injecting the Identity Management Objects
3.1.2. Interacting with PicketLink IDM During Application Startup
3.1.3. Configuring the Default Partition
3.2. Getting Started - The 5 Minute Guide
3.3. Identity Model
3.3.1. Which Identity Model Should My Application Use?
3.4. Stereotypes
3.4.1. Identity Stereotypes
3.4.2. Relationship Stereotypes
3.5. Creating a Custom Identity Model
3.5.1. The @AttributeProperty Annotation
3.5.2. The @Unique Annotation
3.5.3. The @InheritsPrivileges Annotation
3.6. Creating Custom Relationships
3.7. Partition Management
3.7.1. Creating Custom Partitions
4. Identity Management - Credential Validation and Management
4.1. Authentication
4.2. Managing Credentials
4.3. Credential Handlers
4.3.1. The CredentialStore interface
4.3.2. The CredentialStorage interface
4.4. Built-in Credential Handlers
4.4.1. Username/Password-based Credential Handler
4.4.2. DIGEST-based Credential Handler
4.4.3. X509-based Credential Handler
4.4.4. Time-based One Time Password Credential Handler
4.5. Implementing a Custom CredentialHandler
4.6. Validating Credentials for Custom Account Types
5. Identity Management - Basic Identity Model
5.1. Basic Identity Model
5.1.1. Utility Class for the Basic Identity Model
5.2. Managing Users, Groups and Roles
5.2.1. Managing Users
5.2.2. Managing Groups
5.3. Managing Relationships
5.3.1. Built In Relationship Types
5.4. Realms and Tiers
6. Identity Management - Attribute Management
6.1. Overview
6.2. Formal attributes
6.3. Ad-hoc attributes
7. Identity Management - Configuration
7.1. Configuration
7.1.1. Architectural Overview
7.1.2. Default Configuration
7.1.3. Providing a Custom Configuration
7.1.4. Initializing the PartitionManager
7.1.5. Programmatic Configuration Overview
7.1.6. Providing Multiple Configurations
7.1.7. Providing Multiple Stores for a Configuration
7.1.8. Configuring Credential Handlers
7.1.9. Identity Context Configuration
7.1.10. IDM configuration from XML file
8. Identity Management - Working with JPA
8.1. JPAIdentityStoreConfiguration
8.1.1. Default Database Schema
8.1.2. Configuring an EntityManager
8.1.3. Mapping IdentityType Types
8.1.4. Mapping Partition Types
8.1.5. Mapping Relationship Types
8.1.6. Mapping Attributes for AttributedType Types
8.1.7. Mapping a CredentialStorage type
8.1.8. Configuring the Mapped Entities
8.1.9. Providing a EntityManager
9. Identity Management - Working with LDAP
9.1. Overview
9.2. Configuration
9.2.1. Connecting to the LDAP Server
9.2.2. Mapping Identity Types
9.2.3. Mapping Relationship Types
9.2.4. Mapping a Type Hierarchies
9.2.5. Mapping Groups to different contexts
10. Identity Management - Permissions API and Permission Management
10.1. Overview
10.2. Checking permissions for the current user
10.3. ACL Permissions
10.3.1. Managing ACLs
10.3.2. Configuring resources for ACL usage
10.3.3. Restricting resource operations
10.4. PermissionResolver SPI
11. Authorization
11.1. Overview
11.2. Configuration
11.3. Role-Based Access Control
11.4. Group-Based Access Control
11.5. Partition-Based Access Control
11.6. Restricting Access Based on the Authenticated User
11.7. Checking for Permissions
11.8. Using EL-Based Expresions
11.9. Providing Your Own Security Annotations
12. PicketLink Subsystem
12.1. Overview
12.2. Installation and Configuration
12.3. Configuring the PicketLink Dependencies for your Deployment
12.4. Domain Model
12.5. Identity Management
12.5.1. JPAIdentityStore
12.5.2. Usage Examples
12.6. Federation
12.6.1. The Federation concept (Circle of Trust)
12.6.2. Federation Domain Model
12.6.3. Usage Examples
12.6.4. Metrics and Statistics
13. Federation
13.1. Overview
13.2. SAML SSO
13.3. SAML Web Browser Profile
13.4. PicketLink SAML Specification Support
13.5. SAML v2.0
13.5.1. Which Profiles are supported ?
13.5.2. Which Bindings are supported ?
13.5.3. PicketLink Identity Provider (PIDP)
13.5.4. PicketLink Service Provider (PSP)
13.5.5. SAML Authenticators (Tomcat,JBossAS)
13.5.6. Digital Signatures in SAML Assertions
13.5.7. SAML2 Handlers
13.5.8. Single Logout
13.5.9. SAML2 Configuration Providers
13.5.10. Metadata Support
13.5.11. Token Registry
13.5.12. Standalone vs JBossAS Distribution
13.5.13. Standalone Web Applications(All Servlet Containers)
13.6. SAML v1.1
13.6.1. SAML v1.1
13.6.2. PicketLink SAML v1.1 Support
13.7. Trust
13.7.1. Security Token Server (STS)
13.8. Extensions
13.8.1. Extensions
13.8.2. PicketLinkAuthenticator
13.9. PicketLink API
13.9.1. Working with SAML Assertions
13.10. 3rd party integration
13.10.1. Picketlink as IDP, Salesforce as SP
13.10.2. Picketlink as SP, Salesforce as IDP
13.10.3. Picketlink as IDP, Google Apps as SP
14. PicketLink Quickstarts
14.1. Overview
14.2. Available Quickstarts
14.3. PicketLink Federation Quickstarts
14.4. Contributing
15. Compiler Output
Compiler Glossary
A. Revision History