This guide helps you get started with the examples provided by PicketLink.

Before continuing, make sure PicketLink is properly configured in your JBoss AS 7 distribution. For more information about how to install and configure PicketLink on JBoss AS 7, see this section.

About the Quickstarts

The PicketLink Quickstarts provide useful examples of PicketLink Federation. The examples are organized per federation protocol. PicketLink currently supports the following:

  • Security Assertion Markup Language v2 (SAML)
  • WS-Trust
  • eXtensible Access Control Markup Language (XACML)

SAML Examples

The SAML examples help you understand how to configure and run an Identity Provider or Service Provider. You can use them as a starting point for your own implementations.

The table below lists the Identity Provider examples provided:

Name | Description | URL
idp | Simple Identity Provider implementation | http://[server]:[port]/idp
idp-sig | Identity Provider with digital signature support for SAML assertions. All communication between the IDP and the SPs is digitally signed |
idp-enc | Identity Provider with digital signature and encryption support for SAML assertions | http://[server]:[port]/idp-enc
idp-metadata | Identity Provider with SAML Metadata support | http://[server]:[port]/idp-metadata

The table below lists the Service Provider examples provided:

Name | Description | URL
sales-post | Service Provider using HTTP POST Binding | http://[server]:[port]/sales-post
sales-post-sig | Service Provider using HTTP POST Binding with digital signature support for SAML assertions | http://[server]:[port]/sales-post-sig
sales-metadata | Service Provider using SAML Metadata support | http://[server]:[port]/sales-metadata
employee | Service Provider using HTTP REDIRECT Binding | http://[server]:[port]/employee
employee-sig | Service Provider using HTTP REDIRECT Binding with digital signature support for SAML assertions | http://[server]:[port]/employee-sig

Which examples should I use?

You can use any of these examples, according to your needs. If you just want to understand how PicketLink SAML support works, start with the examples that use the HTTP Redirect Binding. They make it easier to follow the communication between the IDP and the SPs.

These examples are very simple and only demonstrate how you can configure your own Identity Providers and Service Providers.

Keep in mind that if you choose an example with digital signature support, both the IDP and the SP must have this feature enabled.
E.g.: idp-sig and employee-sig/sales-post-sig.

WS-Trust Security Token Service

The WS-Trust Security Token Service is actually more than a quickstart: it is a fully compliant WS-Trust implementation using SAML tokens.

The table below lists the example provided:

Name | Description | URL
picketlink-sts | Fully compliant WS-Trust Security Token Service implementation | http://[server]:[port]/picketlink-sts/PicketLinkSTS?wsdl

You can use the PicketLink STS to extend your federation to your service layer: Web Services and EJBs, for example.


XACML Policy Decision Point (PDP)

PicketLink provides a default implementation of a XACML PDP. It is responsible for evaluating requests and issuing authorization decisions.

The table below lists the example provided:

Name | Description | URL
pdp | Fully compliant XACML Web Service | http://[server]:[port]/pdp/SOAPSAMLXACMLPDP?wsdl

How to get the Quickstarts?

PicketLink needs to run in different servers/containers:

  • JBoss Application Server 5
  • JBoss Application Server 7
  • Apache Tomcat 6

To achieve that, the PicketLink project is organized in bindings, where each binding refers to a specific target server or container.

Download from JBoss Nexus Repository

The link above allows you to download all the available distribution packages with all the examples provided. The distribution package is specific for each binding or target server.

Name Description
All the examples configured for JBoss AS5
All the examples configured for JBoss AS7
All the examples configured for Apache Tomcat 6

Building the PicketLink Quickstarts Project

If you want to build the upstream version (SNAPSHOT), you first need to clone and build the PicketLink Federation workspace. You can clone this repo from:

The quickstarts are provided as a project on GitHub:

Follow these steps to get the quickstarts locally:

     1. Clone the project from GitHub.

     2. Enter the picketlink-quickstarts directory and run a Maven build:

     3. If your build was successful you should have a zip file with all examples packaged in a file called picketlink-quickstarts/target/

By default, the quickstarts are configured and packaged for JBoss AS 7. For more information about how to package the quickstarts for different containers/bindings, see the next section.

The master branch is our development branch. If you are looking for a specific version, we recommend checking out a specific tag.

For example, if you want the 2.1.4.Final version you can use the tag.

To switch to a tag use the following git command:

See the section Deploying the Quickstarts to learn how to deploy the packaged applications.

Building for different containers/bindings

The quickstarts can be used with any of the available bindings/target servers. You just need to change the parameters -Dbinding and -Dbinding-version according to your needs.

The table below lists all possible combinations and supported values for both parameters:

binding | binding-version | Description
jboss | as5 | mvn -Dbinding=jboss -Dbinding-version=as5 clean install, to build for JBoss AS 5
jboss | as7 | mvn -Dbinding=jboss -Dbinding-version=as7 clean install, to build for JBoss AS 7
tomcat | 6 | mvn -Dbinding=tomcat -Dbinding-version=6 clean install, to build for Apache Tomcat 6

To build the quickstarts for one of the supported bindings use the following mvn command:

The command above will configure and package the quickstarts for deployment in JBoss AS 5. Use the values from the table above to change the parameters -Dbinding and -Dbinding-version.

Deploying and Running

JBoss AS v7 Configuration

Configuring the Security Domains

Before running the examples, you must add the following security-domain configurations to your standalone.xml:

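<subsystem xmlns="urn:jboss:domain:security:1.0">
    <security-domains>
        <!-- IDP: authenticates users and loads roles from properties files -->
        <security-domain name="idp" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="" />
                    <module-option name="rolesProperties" value="" />
                </login-module>
            </authentication>
        </security-domain>
        <!-- STS: same properties-file based authentication as the IDP -->
        <security-domain name="picketlink-sts" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="" />
                    <module-option name="rolesProperties" value="" />
                </login-module>
            </authentication>
        </security-domain>
        <!-- SP: authenticates users from the SAML assertion issued by the IDP -->
        <security-domain name="sp" cache-type="default">
            <authentication>
                <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>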


These configurations are very important because they define how the IDP, STS and SP authenticate users. Usually you would configure the security domains to load users and roles from an LDAP directory or a database, for example. The configurations above are only useful to show what you need to configure in order to authenticate users.
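An added example (not part of the PicketLink documentation): a Python check that a standalone.xml declares the three security domains configured above, that sp uses the SAML2LoginModule, and that reports domains still backed by the file-based UsersRoles module. The function name audit_security_domains and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Domains the quickstarts expect, per the configuration above.
REQUIRED = {"idp", "picketlink-sts", "sp"}
SAML2_MODULE = "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"

def local(tag):
    """Strip the XML namespace so any security subsystem version matches."""
    return tag.rsplit("}", 1)[-1]

def audit_security_domains(xml_text):
    """Return a list of findings for the quickstart security domains."""
    root = ET.fromstring(xml_text)
    domains = {}
    for el in root.iter():
        if local(el.tag) == "security-domain":
            modules = [m.get("code") for m in el.iter() if local(m.tag) == "login-module"]
            domains[el.get("name")] = modules
    findings = []
    for name in sorted(REQUIRED - set(domains)):
        findings.append(f"missing security-domain '{name}'")
    for name in sorted(REQUIRED & set(domains)):
        modules = domains[name]
        if not modules:
            findings.append(f"'{name}' has no login-module")
        if name == "sp" and SAML2_MODULE not in modules:
            findings.append("'sp' does not use SAML2LoginModule")
        if name != "sp" and "UsersRoles" in modules:
            findings.append(f"'{name}' uses file-based UsersRoles (demo only)")
    return findings

# Constructed sample: 'picketlink-sts' is absent and 'sp' uses the wrong module.
SAMPLE = """<server xmlns="urn:jboss:domain:1.2">
 <profile><subsystem xmlns="urn:jboss:domain:security:1.0"><security-domains>
  <security-domain name="idp" cache-type="default"><authentication>
   <login-module code="UsersRoles" flag="required"/>
  </authentication></security-domain>
  <security-domain name="sp" cache-type="default"><authentication>
   <login-module code="UsersRoles" flag="required"/>
  </authentication></security-domain>
 </security-domains></subsystem></profile>
</server>"""

if __name__ == "__main__":
    for finding in audit_security_domains(SAMPLE):
        print(finding)
```

An empty result means all three domains are present, sp is wired to the SAML login module, and neither idp nor picketlink-sts relies on the properties files.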

You may notice that the security domain configuration for the IDP and STS references two properties files: and Both files are inside the WAR of the deployed IDP. These files are used to authenticate users and load the roles.

Deploying the Quickstarts

To deploy the quickstarts, unzip the distribution package (generated during the build, as described before) into [jboss.server.base.dir]/standalone/deployments.

Running the Quickstarts

To run the quickstarts, start your JBoss Application Server 7 instance. Open your browser and enter the URL of the application you want to use.

For a complete list of the URLs for each example application, take a look at the tables in the SAML, WS-Trust and XACML sections.

Using the Eclipse IDE

//TODO: Show how to setup a workspace using Eclipse for the quickstarts.

  1. Jul 17, 2012

    Downloaded picketlink-quickstarts-2.1.3.Final-webapps-jboss-as7 from;quick~picketlink-quickstarts.

    Configured  security domains in jboss-eap-6.0\standalone\configuration\standalone.xml as shown above.

    Failed to deploy idp.war on eap6 with exception

    15:21:30,005 ERROR [org.apache.catalina.core.StandardContext] (MSC service thread 1-4) Context [/idp] startup failed due to previous errors: LifecycleException:  PL00092: Null
    Value:Key Provider is null for context=/idp
            at org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve.start( [picketlink-jbas7-2.1.1.Final-redhat-1.jar:2.1.1.
            at org.apache.catalina.core.StandardPipeline.start( [jbossweb-7.0.16.Final-redhat-1.jar:]
            at org.apache.catalina.core.StandardContext.start( [jbossweb-7.0.16.Final-redhat-1.jar:]
            at [jboss-as-web-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
            at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(
            at org.jboss.msc.service.ServiceControllerImpl$
            at java.util.concurrent.ThreadPoolExecutor$Worker.runTask( [rt.jar:1.6.0_20]
            at java.util.concurrent.ThreadPoolExecutor$ [rt.jar:1.6.0_20]
            at [rt.jar:1.6.0_20]

    Has anyone seen it?


    1. Jul 18, 2012

      Not sure, but I think the EAP version is forcing signatures. Please try to add a KeyProvider element as documented in Digital Signatures in SAML Assertions.

      You can also try to use the latest PL version (now 2.1.3.Final) to work around this problem.

      This may be an issue.

      Btw, can we move this discussion to the User Forum ? :)


      Pedro Igor

  2. Aug 22, 2012

    Moved to the forum

  3. Aug 22, 2012

    I'm having a similar problem with EAP 5.1, getting the same error message. However, I know my version of EAP does not require a key, as I was previously using PicketLink 2.0.1 and this was not a requirement. Was this potentially added to PicketLink?

  4. Jan 10, 2013

    Hi Everyone,

    I am new to PicketLink. I just want to develop authentication with SAML. I tried to deploy the sample application which is given in the JBoss quickstart. Can anyone help me clear my error? Give me some tutorial for PicketLink.

    18:05:52,519 ERROR [] (MSC service thread 1-5) MSC00001: Failed to start service jboss.module.service."deployment.sales.war".main: org.jboss.msc.service.StartExcep
    ion in service jboss.module.service."deployment.sales.war".main: Failed to load module: deployment.sales.war:main
            at [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
            at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService( [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
            at org.jboss.msc.service.ServiceControllerImpl$ [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
            at java.util.concurrent.ThreadPoolExecutor$Worker.runTask( [rt.jar:1.6.0_06]
            at java.util.concurrent.ThreadPoolExecutor$ [rt.jar:1.6.0_06]
            at [rt.jar:1.6.0_06]
    Caused by: org.jboss.modules.ModuleNotFoundException: org.picketlink:main
            at org.jboss.modules.ModuleLoader$FutureModule.getModule( [jboss-modules.jar:1.1.1.GA]
            at org.jboss.modules.ModuleLoader.loadModuleLocal( [jboss-modules.jar:1.1.1.GA]
            at org.jboss.modules.ModuleLoader.preloadModule( [jboss-modules.jar:1.1.1.GA]
            at org.jboss.modules.LocalModuleLoader.preloadModule( [jboss-modules.jar:1.1.1.GA]
            at org.jboss.modules.ModuleLoader.preloadExportedModule( [jboss-modules.jar:1.1.1.GA]
            at org.jboss.modules.ModuleLoader.preloadModule( [jboss-modules.jar:1.1.1.GA]
            at [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
            at org.jboss.modules.Module.addPaths( [jboss-modules.jar:1.1.1.GA]
            at [jboss-modules.jar:1.1.1.GA]
            at org.jboss.modules.Module.relinkIfNecessary( [jboss-modules.jar:1.1.1.GA]
            at org.jboss.modules.ModuleLoader.loadModule( [jboss-modules.jar:1.1.1.GA]
            at [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
            ... 5 more

  5. Jan 24, 2013

    Hi All,

    I have successfully deployed idp-1.0.3.SP1 in my machine with URL http://localhost:8080/idp-1.0.3.SP1/. Could you let me know the name and password I can use to login?

    Thanks in advance


  6. Jan 24, 2013

    Hi Shyam,

    Username: tomcat, password: tomcat, which is in the role and user properties file... You can change this username and password.

    1. Jan 24, 2013

      Hi Luther,

      Thanks a lot for the reply. I got it working now.

      In between, I am facing another issue now. When I am trying to deploy IDP-sig, I am getting following exception. D:\server\appserver\jboss-as-7.1.1.Final\bin\WEB-INF\wsdl\PicketLinkSTS.wsdl

      Any hint on this? I am really sorry to trouble you. I am very new to this technology.



      1. Jan 24, 2013

        Hi Shyam,

        No, Shyam, I am really happy to answer your question. I am new to this technology too.

        First I need to know what you are trying, so that I can help you.

        1. Jan 25, 2013

          Hi Luther,

          Thanks a lot for your kindness.

          Here is the domain which I am working on.


          We are working with a cross-technology stack where UI is being developed with and business is using Spring.

          We want to let the UI & Business use Single Sign-On for security purpose. We have finalized JBoss for our production deployment.

          As the picketLink is the best and fit option for this scenario, I wanted to go ahead with that.

          So here, I have to develop a Single Sign-On solution with which UI can do the authentication and do the token exchange with service. Service should be capable to validate this token using the same solution.

          UI is using

          Business is using Spring.

          Hope this would give you a clear picture.


  7. Feb 21, 2013

    Hi, I couldn't find the examples of using metadata (idp-metadata and sales-metadata) in Quickstarts. Please help. Thanks.


  8. Mar 19, 2013

    I am fairly new to JBoss and Picketlink. I want to use Picketlink security token service to provide the security tokens to my non-JBoss web service. I was able to install picketlink-sts. I can see the WSDL http://localhost:8080/picketlink-sts/PicketLinkSTS?wsdl. Also JBoss admin console shows that the sts is up and running. Can I consume this WSDL in SOAP-UI and try to test whether I can get the SAML tokens?

    I tried invoking the service but I am always getting PLFED000110: Security Token Service Exception back. How do I interpret these errors?

    1. Apr 15, 2013


      I was trying to access the PicketLink STS and the WSDL was accessible if I provide the default credentials as admin/admin, but there is no response when I try to use the credentials used during creation by the add users batch file.

      Any idea?

    2. Apr 15, 2013

      Hi Yogesh,

          It is possible to use SOAP-UI to test the STS.
          Regarding the PLFED00001110, I would suggest looking at the server logs for more info.


      Pedro Igor

  9. Apr 07, 2013


    Is the git repository moved at this address ?

    1. Apr 15, 2013

      Hi Gianfranco,

          The code related with PicketLink v2 was moved to

          We're currently working on PicketLink v3, so the is only for the v3 code. I'm going to update the docs and add some info about that.

      Pedro Igor

  10. Apr 15, 2013


    I am getting the below exception when I try to set this up.

    17:25:09,618 FATAL [] JBAS015957: Server boot has failed in a
    n unrecoverable manner; exiting. See previous messages for details.
    17:25:09,642 INFO  [] JBAS015950: JBoss AS 7.1.1.Final "Brontes" sto
    pped in 2ms
    Press any key to continue . . .