JBoss Community Archive (Read Only)

PicketLink

SAML Support FAQs


How do I change the SAML TimeOut at the IDP?

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                   AttributeManager="org.picketlink.identity.federation.web.managers.EmptyAttributeManager"
                   RoleGenerator="org.picketlink.identity.federation.bindings.jetty.idp.JettyRoleGenerator">
        <IdentityURL>${idp.url::http://localhost:8080/idp/}</IdentityURL>
        <Trust>
            <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
        </Trust>
    </PicketLinkIDP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler
                class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
        <Handler
                class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler
                class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler
                class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    </Handlers>
    <!--
        The configuration below defines a token timeout and a clock skew. Both values are used during SAML Assertion creation.
        This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.
     -->
    <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:2.1" TokenTimeout="36000" ClockSkew="0">
        <TokenProviders>
            <TokenProvider
                    ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
                    TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
                    TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
            <TokenProvider
                    ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                    TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                    TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
        </TokenProviders>
    </PicketLinkSTS>

</PicketLink>

Here is an example of the picketlink.xml used at the IDP. You specify the token timeout (in milliseconds) with the TokenTimeout attribute of the PicketLinkSTS element. You can also define a ClockSkew for when your machines are slightly out of sync.
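The following is an added example, not code from the PicketLink project, showing how a TokenTimeout and ClockSkew (both taken in milliseconds, as stated above) determine the Conditions window of an issued assertion, and the check a relying party applies to it. It assumes the issuer pads the window by the skew on both sides; the assertion it builds is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # xsd:dateTime in UTC, as SAML timestamps are written


def _parse(ts):
    return datetime.strptime(ts, TS_FMT)


def _fmt(dt):
    # millisecond precision, matching the style of SAML IssueInstant values
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def conditions_window(issue_instant, token_timeout_ms, clock_skew_ms):
    """NotBefore / NotOnOrAfter for an assertion issued at issue_instant.

    Assumption of this example: the skew widens the window on both sides,
    so a relying party whose clock is slightly behind or ahead still accepts it.
    """
    issued = _parse(issue_instant)
    skew = timedelta(milliseconds=clock_skew_ms)
    not_before = issued - skew
    not_on_or_after = issued + timedelta(milliseconds=token_timeout_ms) + skew
    return _fmt(not_before), _fmt(not_on_or_after)


def issue_assertion(issue_instant, token_timeout_ms, clock_skew_ms):
    """Build a minimal, constructed SAML 2.0 assertion carrying the Conditions."""
    nb, noa = conditions_window(issue_instant, token_timeout_ms, clock_skew_ms)
    return (f'<Assertion xmlns="{SAML2}" IssueInstant="{issue_instant}">'
            '<Issuer>http://localhost:8080/idp/</Issuer>'
            f'<Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>'
            '</Assertion>')


def assertion_is_valid(assertion_xml, now):
    """Relying-party check: accept only while NotBefore <= now < NotOnOrAfter.

    An assertion without Conditions carries no validity window and is rejected
    here (fail closed) rather than treated as valid forever.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML2}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False
    current = _parse(now)
    return _parse(cond.get("NotBefore")) <= current < _parse(cond.get("NotOnOrAfter"))
```

With the page's TokenTimeout of 36000 and a ClockSkew of 0, an assertion issued at 20:42:44 stops being accepted at 20:43:20; a ClockSkew of 2000 shifts both ends of the window out by two seconds.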

Provide Information on Tomcat Encoding Issues

http://wiki.apache.org/tomcat/FAQ/CharacterEncoding

You can try setting the character encoding on the authenticator valve:

<valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator</class-name>
    <param>
        <param-name>characterEncoding</param-name>
        <param-value>UTF-8</param-value>
    </param>
</valve>

Why is the Service Provider not being called after login at the IDP?

This problem may happen for the following reasons:

Your IDP does not have the Service Provider in its trusted domains list.

Check the picketlink-idfed.xml of your IDP for an entry like this one:

<Trust> <Domains>localhost</Domains></Trust>

Make sure the server name or IP address of your service provider is configured; otherwise the IDP will refuse messages from it. The configuration above tells the IDP to trust all Service Providers deployed on localhost.

Usually, when this problem happens you get an org.picketlink.identity.federation.core.saml.v2.exceptions.IssuerNotTrustedException. Check your logs.

Your keystore is not configured properly with an alias for the Service Provider

If you are using digital signatures on SAML Assertions, you have to make sure that your keystore is configured with aliases for your service providers; otherwise the IDP will refuse messages. You also need entries in picketlink-idfed.xml for each alias, like this one:

<KeyProvider ...>

<ValidatingAlias Key="localhost" Value="localhost" /> <!-- You must have an alias for localhost in your keystore, in this case. -->

</KeyProvider>

Usually, when this problem happens you get a PL00058: KeyStoreKeyManager : Domain Alias missing for :localhost message. Check your logs.

java.security.InvalidKeyException:  Key is too long for unwrapping

This error happens because your JDK or Java installation does not have the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files installed. You will need to go to the JDK vendor's site and download the unlimited strength policy files.

How do I add Service Providers dynamically?

The SAML2IssuerTrustHandler is used to configure the domains that the IDP or SP trusts. By domain, we are referring to host names in the Identity Provider URL or Service Provider URL.

You can always add new SPs sharing the same domain at any time. As long as the SPs have a domain validated certificate, the certificate validation logic also works. Certificate Authorities (CAs) do issue domain validated certificates.

Each time you want to add a new SP domain, you will need to restart the IDP web application via the PicketLink management console or restart the server (for manual changes).

Additionally, take a look at Digital Signatures in SAML: https://docs.jboss.org/author/display/PLINK/Digital+Signatures+in+SAML+Assertions

If you really want to customize the trust validation beyond what is provided by PicketLink, you can write a custom PicketLink SAML2 Handler.
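The trust decision behind the IssuerNotTrustedException case above and the domain handling just described, written as an added example in Python (not PicketLink's own implementation): it reads <Trust><Domains> from a constructed copy of the IDP configuration and decides whether a peer's Issuer URL is trusted. Matching on a label boundary is this example's own choice, not something the page states about PicketLink.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CFG_NS = "urn:picketlink:identity-federation:config:2.1"

# Constructed IDP configuration, cut down from the picketlink.xml shown earlier on this page.
IDP_CONFIG = f"""<PicketLink xmlns="{CFG_NS}">
  <PicketLinkIDP>
    <IdentityURL>http://localhost:8080/idp/</IdentityURL>
    <Trust><Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains></Trust>
  </PicketLinkIDP>
</PicketLink>"""


def trusted_domains(config_xml):
    """Read the comma-separated <Trust><Domains> list of the IDP configuration."""
    root = ET.fromstring(config_xml)
    path = "/".join(f"{{{CFG_NS}}}{tag}" for tag in ("PicketLinkIDP", "Trust", "Domains"))
    node = root.find(path)
    if node is None or not node.text:
        return []
    return [d.strip().lower() for d in node.text.split(",") if d.strip()]


def issuer_host(issuer):
    """Host name of an Issuer value such as http://sp.jboss.com:8080/sales/ (port and path ignored)."""
    return (urlparse(issuer).hostname or "").lower()


def is_trusted(issuer, domains):
    """True when the issuer's host is a trusted domain or a sub-domain of one.

    Matching on a label boundary is a choice of this example: 'app.jboss.com'
    is trusted, 'evil-jboss.com' and 'jboss.com.example' are not, because a
    bare suffix match would accept look-alike hosts.
    """
    host = issuer_host(issuer)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


def check_issuer(issuer, config_xml):
    """Returns (accepted, reason); a rejection is what the IDP reports as IssuerNotTrustedException."""
    domains = trusted_domains(config_xml)
    host = issuer_host(issuer)
    if is_trusted(issuer, domains):
        return True, f"issuer host {host!r} matches trusted domains {domains}"
    return False, f"issuer host {host!r} not in {domains}; add it to <Domains> and restart the IDP"
```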

Exception: Cannot forward after response has been committed

Usually this happens if you do not have a "return;" statement right after:

  • the requestDispatcher.forward call

  • the chain.doFilter call

Exception: Class Not Found Exception: _redirected/_DatatypeFactory

Set the system property picketlink.jaxp.tccl to true.

Reference: https://issues.jboss.org/browse/PLINK-429

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:17:45 UTC, last content change 2014-05-14 20:42:44 UTC.