

PicketLink Reference Documentation


Legal Notice

Copyright © 2015 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.


PicketLink is an umbrella project for security and identity management for Java Applications. PicketLink is an important project under the security offerings from JBoss.
1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. Getting Help and Giving Feedback
2.1. Do You Need Help?
1. Overview
1.1. The Top Java Application Security Problems Solved by PicketLink
1.2. What is PicketLink?
1.3. Where do I get started?
1.3.1. QuickStarts
1.3.2. API Documentation
1.4. Modules
1.4.1. Base module
1.4.2. Identity Management
1.4.3. Authorization Module
1.4.4. JSON
1.4.5. Federation
1.5. License
1.6. Maven Dependencies
1.7. PicketLink Installer
1.8. Referencing PicketLink from JBoss Modules
1.9. Help us improve the docs!
2. Authentication
2.1. Overview
2.2. Authentication API - The Identity Bean
2.2.1. Stateful or Stateless Authentication
2.2.2. Defining a Custom Scope
2.3. The Authentication Process
2.3.1. A Basic Authenticator
2.3.2. Multiple Authenticator Support
2.3.3. Credentials
2.3.4. DefaultLoginCredentials
2.4. Events
2.5. Multi-Level Authentication
2.5.1. Security Level Resolver
2.5.2. User-defined Security Level
3. Identity Management - Overview
3.1. Introduction
3.1.1. Injecting the Identity Management Objects
3.1.2. Interacting with PicketLink IDM During Application Startup
3.1.3. Configuring the Default Partition
3.2. Getting Started - The 5 Minute Guide
3.3. Identity Model
3.3.1. Which Identity Model Should My Application Use?
3.4. Stereotypes
3.4.1. Identity Stereotypes
3.4.2. Relationship Stereotypes
3.5. Creating a Custom Identity Model
3.5.1. The @AttributeProperty Annotation
3.5.2. The @Unique Annotation
3.5.3. The @InheritsPrivileges Annotation
3.6. Creating Custom Relationships
3.7. Partition Management
3.7.1. Creating Custom Partitions
4. Identity Management - Credential Validation and Management
4.1. Authentication
4.2. Managing Credentials
4.3. Credential Handlers
4.3.1. The CredentialStore interface
4.3.2. The CredentialStorage interface
4.4. Built-in Credential Handlers
4.4.1. Username/Password-based Credential Handler
4.4.2. DIGEST-based Credential Handler
4.4.3. X509-based Credential Handler
4.4.4. Time-based One Time Password Credential Handler
4.4.5. Token-based Credential Handler
4.5. Implementing a Custom CredentialHandler
4.6. Validating Credentials for Custom Account Types
5. Identity Management - Basic Identity Model
5.1. Basic Identity Model
5.1.1. Utility Class for the Basic Identity Model
5.2. Managing Users, Groups and Roles
5.2.1. Managing Users
5.2.2. Managing Groups
5.3. Managing Relationships
5.3.1. Built In Relationship Types
5.4. Realms and Tiers
6. Identity Management - Attribute Management
6.1. Overview
6.2. Formal attributes
6.3. Ad-hoc attributes
6.4. Managed attributes
7. Identity Management - Configuration
7.1. Configuration
7.1.1. Architectural Overview
7.1.2. Default Configuration
7.1.3. Providing a Custom Configuration
7.1.4. Initializing the PartitionManager
7.1.5. Programmatic Configuration Overview
7.1.6. Providing Multiple Configurations
7.1.7. Providing Multiple Stores for a Configuration
7.1.8. Configuring Credential Handlers
7.1.9. Identity Context Configuration
7.1.10. IDM configuration from XML file
8. Identity Management - Working with JPA
8.1. JPAIdentityStoreConfiguration
8.1.1. Default Database Schema
8.1.2. Configuring an EntityManager
8.1.3. Mapping IdentityType Types
8.1.4. Mapping Partition Types
8.1.5. Mapping Relationship Types
8.1.6. Mapping Attributes for AttributedType Types
8.1.7. Mapping a CredentialStorage type
8.1.8. Configuring the Mapped Entities
8.1.9. Providing an EntityManager
9. Identity Management - Working with LDAP
9.1. Overview
9.2. Configuration
9.2.1. Connecting to the LDAP Server
9.2.2. Mapping Identity Types
9.2.3. Mapping Relationship Types
9.2.4. Mapping Type Hierarchies
9.2.5. Mapping Groups to different contexts
10. Identity Management - Permissions API and Permission Management
10.1. Overview
10.2. Checking permissions for the current user
10.3. ACL Permissions
10.3.1. The PermissionManager Bean
10.3.2. Configuring resources for ACL usage
10.3.3. Restricting resource operations
10.4. PermissionResolver SPI
11. Authorization
11.1. Overview
11.2. Configuration
11.3. Role-Based Access Control
11.4. Group-Based Access Control
11.5. Partition-Based Access Control
11.6. Security Level-Based Access Control
11.7. Restricting Access Based on the Authenticated User
11.8. Checking for Permissions
11.9. Using EL-Based Expressions
11.10. Providing Your Own Security Annotations
12. Http Security
12.1. Overview
12.2. Configuration
12.2.1. Protecting Paths
12.2.2. Grouping Paths
12.2.3. Path Rewriting
12.2.4. Path Redirection
12.2.5. Permissive vs Restrictive
12.3. Authentication
12.3.1. Form Authentication
12.3.2. Basic Authentication
12.3.3. Digest Authentication
12.3.4. X.509 Authentication
12.3.5. Token Authentication
12.3.6. Write Your Own Authentication Scheme
12.4. Authorization
12.4.1. Role-Based Authorization
12.4.2. Group-Based Authorization
12.4.3. Realm-Based Authorization
12.4.4. Expression-Based Authorization
12.4.5. Write Your Own Path Authorizer
12.5. Logout
12.6. Servlet API Integration
12.7. CORS Support
13. PicketLink Subsystem
13.1. Overview
13.2. Installation and Configuration
13.3. Configuring the PicketLink Dependencies for your Deployment
13.4. Domain Model
13.5. Identity Management
13.5.1. JPAIdentityStore
13.5.2. Usage Examples
13.6. Federation
13.6.1. The Federation concept (Circle of Trust)
13.6.2. Federation Domain Model
13.6.3. Usage Examples
13.6.4. Metrics and Statistics
14. Federation
14.1. Overview
14.2. SAML SSO
14.3. SAML Web Browser Profile
14.4. PicketLink SAML Specification Support
14.5. SAML v2.0
14.5.1. Which Profiles are supported?
14.5.2. Which Bindings are supported?
14.5.3. PicketLink Identity Provider (PIDP)
14.5.4. PicketLink Service Provider (PSP)
14.5.5. SAML Authenticators (Tomcat, JBossAS)
14.5.6. Digital Signatures in SAML Assertions
14.5.7. SAML2 Handlers
14.5.8. Single Logout
14.5.9. SAML2 Configuration Providers
14.5.10. Metadata Support
14.5.11. Token Registry
14.5.12. Standalone vs JBossAS Distribution
14.5.13. Standalone Web Applications (All Servlet Containers)
14.6. SAML v1.1
14.6.1. SAML v1.1
14.6.2. PicketLink SAML v1.1 Support
14.7. Trust
14.7.1. Security Token Server (STS)
14.8. Extensions
14.8.1. Extensions
14.8.2. PicketLinkAuthenticator
14.9. PicketLink API
14.9.1. Working with SAML Assertions
14.10. 3rd party integration
14.10.1. PicketLink as IDP, Salesforce as SP
14.10.2. PicketLink as SP, Salesforce as IDP
14.10.3. PicketLink as IDP, Google Apps as SP
15. PicketLink Quickstarts
15.1. Overview
15.2. Available Quickstarts
15.3. PicketLink Federation Quickstarts
15.4. Contributing
16. Logging
16.1. Overview
16.2. Configuration
17. Compiler Output
Compiler Glossary
A. Revision History