JBoss Community Archive (Read Only)

PicketLink

Metadata Support

Introduction 

You can use different Configuration Providers at the IDP and at the SP. A configuration provider then either becomes the sole source of configuration (replacing picketlink.xml) or supplies additional configuration on top of it.

PicketLink SAML Metadata Support is provided and configured by the following configuration provider implementations:

  • Name: org.picketlink.identity.federation.web.config.IDPMetadataConfigurationProvider
    Description: For Identity Providers
    Provider Type: IDP

  • Name: org.picketlink.identity.federation.web.config.SPPostMetadataConfigurationProvider
    Description: For Service Providers using the HTTP-POST Binding
    Provider Type: SP

  • Name: org.picketlink.identity.federation.web.config.SPRedirectMetadataConfigurationProvider
    Description: For Service Providers using the HTTP-REDIRECT Binding
    Provider Type: SP

These providers allow you to define additional configuration for your IDP or SP using a SAML Metadata XML Schema instance, merging it with the settings provided in your WEB-INF/picketlink.xml.

Configuration

To configure the SAML Metadata Configuration Providers, follow these steps:

  • Define the PicketLink Authenticator (the SP or IDP valve) and pass the configuration provider class name as an attribute

  • Depending on whether you are configuring an IDP or an SP, provide a metadata file and put it on the classpath:

              - For Identity Providers: WEB-INF/classes/idp-metadata.xml

              - For Service Providers: WEB-INF/classes/sp-metadata.xml

Configuring the PicketLink Authenticator

To configure one of the provided SAML Metadata configuration providers, you only need to configure the PicketLink Authenticator with the configProvider parameter/attribute.

For Identity Providers you should have a configuration as follows:

<jboss-web>
  <security-domain>idp</security-domain>
  <context-root>idp-metadata</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
    <param>
      <param-name>configProvider</param-name>
      <param-value>org.picketlink.identity.federation.web.config.IDPMetadataConfigurationProvider</param-value>
    </param>
  </valve>
</jboss-web>

For Service Providers you should have a configuration as follows:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>sp</security-domain>
  <context-root>sales-metadata</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
    <param>
      <param-name>configProvider</param-name>
      <param-value>org.picketlink.identity.federation.web.config.SPPostMetadataConfigurationProvider</param-value>
    </param>
  </valve>
</jboss-web>

When providing metadata for a service provider you must also provide the metadata for the identity provider. You can do this in two ways:

  • Using a single sp-metadata.xml file that contains an IDPSSODescriptor with all information about the identity provider.

  • Using a separate idp-metadata.xml file that holds all information about the identity provider.

If you go with a single sp-metadata.xml file, your file would look like this:

<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two"
                    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://idp.picketlink.org/">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
      ...
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.picketlink.org/">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
      ...
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>

You may notice that the configuration above is using the EntitiesDescriptor element to specify metadata for both IdP and SP from a single file.

Now, if you have a different file with your IdP metadata, your sp-metadata.xml will look like:

<EntityDescriptor entityID="https://sp.picketlink.org/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
      ...
  </SPSSODescriptor>
</EntityDescriptor>

And your idp-metadata.xml as follows:

<EntityDescriptor entityID="https://idp.picketlink.org/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
      ...
  </IDPSSODescriptor>
</EntityDescriptor>

The latter solution allows you to import metadata from any IdP and keep it isolated in its own file inside your application, leaving sp-metadata.xml with only the metadata related to the SP.
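The rule above (an SP deployment must carry IdP metadata either inside a single sp-metadata.xml or in a separate idp-metadata.xml) is easy to get wrong when metadata is copied between environments, and a file in the wrong namespace or missing a role descriptor is typically only noticed at the first failed login. The following checker is an added example and not PicketLink code: it parses the two classpath files, reports which role descriptors each entityID provides, and fails when the IDPSSODescriptor is missing from both. The sample documents are constructed from the snippets on this page with the elided content removed and the metadata namespace declared so that each file parses stand-alone.

```python
"""Pre-deployment sanity check for PicketLink SAML metadata files.

Added example, not PicketLink code. It checks the rule stated on this page:
a service provider must be given identity-provider metadata either in a
single sp-metadata.xml (EntitiesDescriptor with both an IDPSSODescriptor
and an SPSSODescriptor) or in a separate idp-metadata.xml.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
ROLE_TAGS = ("IDPSSODescriptor", "SPSSODescriptor")


def _q(local):
    """Clark-notation tag name in the SAML 2.0 metadata namespace."""
    return "{%s}%s" % (MD_NS, local)


def describe(xml_text):
    """Return {entityID: [role descriptor names]} for one metadata file.

    Accepts either a bare EntityDescriptor or an EntitiesDescriptor wrapper.
    Raises ValueError when the root is not a metadata element in the SAML 2.0
    metadata namespace, or when a role descriptor does not advertise SAML 2.0.
    """
    root = ET.fromstring(xml_text)
    if root.tag not in (_q("EntityDescriptor"), _q("EntitiesDescriptor")):
        raise ValueError("unexpected root element %r" % root.tag)
    if root.tag == _q("EntityDescriptor"):
        entities = [root]
    else:
        entities = root.findall(_q("EntityDescriptor"))

    result = {}
    for ent in entities:
        roles = []
        for child in ent:
            local = child.tag.split("}")[-1]
            if child.tag != _q(local) or local not in ROLE_TAGS:
                continue
            protocols = child.get("protocolSupportEnumeration", "").split()
            if SAML2_PROTOCOL not in protocols:
                raise ValueError("%s for %s does not list %s"
                                 % (local, ent.get("entityID"), SAML2_PROTOCOL))
            roles.append(local)
        result[ent.get("entityID")] = roles
    return result


def check_sp_deployment(sp_metadata, idp_metadata=None):
    """Return (ok, problems) for the metadata files of an SP deployment.

    sp_metadata is the text of WEB-INF/classes/sp-metadata.xml; idp_metadata is
    the text of WEB-INF/classes/idp-metadata.xml, or None when absent.
    """
    role_lists = list(describe(sp_metadata).values())
    if idp_metadata is not None:
        role_lists += list(describe(idp_metadata).values())
    problems = []
    if not any("SPSSODescriptor" in r for r in role_lists):
        problems.append("no SPSSODescriptor found in sp-metadata.xml")
    if not any("IDPSSODescriptor" in r for r in role_lists):
        problems.append("no IDPSSODescriptor: add one to sp-metadata.xml "
                        "or ship a separate idp-metadata.xml")
    return (not problems, problems)


# Constructed samples, based on the snippets on this page.
SINGLE_FILE = """<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two"
                    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://idp.picketlink.org/">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.picketlink.org/">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

SP_ONLY = """<EntityDescriptor entityID="https://sp.picketlink.org/"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

IDP_ONLY = """<EntityDescriptor entityID="https://idp.picketlink.org/"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("single file:", check_sp_deployment(SINGLE_FILE))
    print("two files:  ", check_sp_deployment(SP_ONLY, IDP_ONLY))
    print("SP only:    ", check_sp_deployment(SP_ONLY))
```

Run it against the real WEB-INF/classes files before packaging the WAR; the third case prints the missing-IDPSSODescriptor problem, which is the configuration error the two-ways rule above is meant to prevent.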

What about Key Information and other configuration that comes via picketlink-idfed.xml?

Both the IDP and SP applications, when given a SAML configuration provider, still receive a parsed representation of WEB-INF/picketlink.xml. The resulting IDPType or SPType is therefore a merger of the configuration provider's settings and the settings from picketlink.xml.

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:18:17 UTC, last content change 2014-04-10 19:27:50 UTC.