JBoss Community Archive (Read Only)

PicketLink

Service Provider Authenticators


Introduction 

PicketLink Service Provider Authenticators are the components responsible for authenticating users with a SAML Assertion previously issued by an Identity Provider.

They intercept each request made to the application, check whether a SAML assertion is present in the request, validate the assertion's signature, run the SAML-specific validations (such as the assertion's validity period and intended audience) and, only if all of these checks pass, create a security context for the user in the requested application.
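The following is an added illustration of the checks just described, written for this page and not taken from PicketLink's own source. It uses only the JDK's javax.xml.crypto.dsig API (Java 11 or later) to build and sign a minimal assertion on the "IdP side" so that it runs stand-alone, then performs the SP-side work an authenticator valve is responsible for: locating the enveloped signature, verifying it against a key pinned for the Identity Provider, and applying the SAML-specific conditions before returning the subject's NameID (the value the valve would then use to build the security context). The class name SpAssertionCheck, the entity IDs, the user name and the IdP key are invented for the example; PicketLink's actual validation code is structured differently.

```java
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Added example of SP-side assertion checks; not PicketLink code. Names and entity IDs are invented. */
public class SpAssertionCheck {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final Duration CLOCK_SKEW = Duration.ofMinutes(2);
    // IDs of assertions already accepted, so a captured assertion cannot be replayed against this SP.
    static final Set<String> seenIds = ConcurrentHashMap.newKeySet();

    // IdP side, present only to make the example self-contained: build and enveloped-sign a minimal Assertion.
    static Document issueAssertion(String issuer, String nameId, String audience, KeyPair idpKey, Instant now)
            throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element a = doc.createElementNS(SAML, "saml:Assertion");
        a.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:saml", SAML);
        String id = "_" + UUID.randomUUID();
        a.setAttribute("ID", id);
        a.setIdAttribute("ID", true);                       // lets the signer resolve the "#id" reference
        doc.appendChild(a);
        a.appendChild(text(doc, "saml:Issuer", issuer));
        Element subject = doc.createElementNS(SAML, "saml:Subject");
        subject.appendChild(text(doc, "saml:NameID", nameId));
        a.appendChild(subject);
        Element cond = doc.createElementNS(SAML, "saml:Conditions");
        cond.setAttribute("NotBefore", now.toString());
        cond.setAttribute("NotOnOrAfter", now.plus(Duration.ofMinutes(5)).toString());
        Element ar = doc.createElementNS(SAML, "saml:AudienceRestriction");
        ar.appendChild(text(doc, "saml:Audience", audience));
        cond.appendChild(ar);
        a.appendChild(cond);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + id, fac.newDigestMethod(DigestMethod.SHA256, null),
                List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                        fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        // SAML places ds:Signature inside the Assertion, directly after Issuer; no KeyInfo is embedded.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(idpKey.getPrivate(), a, subject));
        return doc;
    }

    /** SP side: everything that must hold before the NameID is used to build a security context. */
    static String authenticate(Document doc, PublicKey trustedIdpKey, String expectedIssuer,
                               String spEntityId, Instant now) throws Exception {
        Element a = doc.getDocumentElement();
        if (!SAML.equals(a.getNamespaceURI()) || !"Assertion".equals(a.getLocalName()) || !a.hasAttribute("ID"))
            throw new SecurityException("not a SAML 2.0 Assertion with an ID");
        a.setIdAttribute("ID", true);                       // a parsed document has no ID-typed attributes yet
        String id = a.getAttribute("ID");
        // 1. Exactly one Signature, a direct child of the Assertion, whose only Reference is this Assertion's
        //    own ID. Anchoring the signature this way is what defeats XML Signature Wrapping.
        NodeList sigs = a.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != a)
            throw new SecurityException("expected exactly one Signature directly under Assertion");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext vctx = new DOMValidateContext(trustedIdpKey, sigs.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(vctx);
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + id).equals(((Reference) refs.get(0)).getURI()))
            throw new SecurityException("Signature does not cover this Assertion");
        // 2. Cryptographic check with the key pinned for the IdP; any KeyInfo carried in the message is ignored.
        if (!sig.validate(vctx)) throw new SecurityException("invalid signature");
        // 3. SAML-specific checks: issuer, validity window with clock skew, audience, replay.
        String issuer = firstText(a, "Issuer");
        if (!expectedIssuer.equals(issuer)) throw new SecurityException("unexpected Issuer " + issuer);
        Element cond = (Element) a.getElementsByTagNameNS(SAML, "Conditions").item(0);
        if (cond == null) throw new SecurityException("missing Conditions");
        Instant notBefore = Instant.parse(cond.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.getAttribute("NotOnOrAfter"));
        if (now.plus(CLOCK_SKEW).isBefore(notBefore) || !now.minus(CLOCK_SKEW).isBefore(notOnOrAfter))
            throw new SecurityException("Assertion outside its validity window");
        if (!spEntityId.equals(firstText(cond, "Audience")))
            throw new SecurityException("Assertion issued for a different audience");
        if (!seenIds.add(id)) throw new SecurityException("replayed Assertion " + id);
        return firstText(a, "NameID");
    }

    static Element text(Document doc, String qname, String value) {
        Element e = doc.createElementNS(SAML, qname);
        e.setTextContent(value);
        return e;
    }

    static String firstText(Element scope, String localName) {
        NodeList nl = scope.getElementsByTagNameNS(SAML, localName);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair();               // constructed IdP key; a real SP pins the IdP certificate
        String idpId = "https://idp.example/metadata", spId = "https://sp.example/employee";   // invented entity IDs
        Instant now = Instant.now();
        Document assertion = issueAssertion(idpId, "alice", spId, idp, now);
        System.out.println("authenticated as " + authenticate(assertion, idp.getPublic(), idpId, spId, now));
        // Editing the NameID after signing must fail the signature check, not yield a login as "admin".
        assertion.getElementsByTagNameNS(SAML, "NameID").item(0).setTextContent("admin");
        try { authenticate(assertion, idp.getPublic(), idpId, spId, now); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run it with `java SpAssertionCheck.java`: the first call prints the authenticated NameID, the second, after the NameID has been edited post-signing, prints the rejection. Two points in authenticate matter more than the rest. The signature is validated with the Identity Provider key the service provider already trusts, never with a key taken from the message's own KeyInfo, and the Signature is required to be a direct child of the Assertion that references the Assertion's own ID, which is what stops an attacker from wrapping a validly signed assertion around an unsigned one. When the assertion arrives as bytes rather than as the DOM built here, parse it with a namespace-aware DocumentBuilderFactory that has DOCTYPE processing disabled before handing it to authenticate.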


Configuring an Authenticator for a Service Provider

The PicketLink Authenticator is a Tomcat Valve built on org.apache.catalina.authenticator.FormAuthenticator. The only thing you need to do is add the valve to your application's configuration.

Where that configuration lives differs for each supported container.

JBoss Application Server v7

In JBoss Application Server v7 the valve configuration is located in the application's WEB-INF/jboss-web.xml file. Below is an example of how this file looks:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>sp</security-domain>
    <context-root>employee</context-root>
    <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
    </valve>
</jboss-web>

The valve configuration is done using the <valve> element.

JBoss Application Server v5 or v6

In JBoss Application Server v5 or v6 the valve configuration is located in the application's WEB-INF/context.xml file. Below is an example of how this file looks:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />
</Context>

The valve configuration is done using the <Valve> element.

Apache Tomcat 6

In Apache Tomcat 6 the valve configuration is located in the application's META-INF/context.xml file. Below is an example of how this file looks:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />
</Context>

The valve configuration is done using the <Valve> element.

Built-in Authenticators

PicketLink provides default implementations of the Service Provider Authenticator. The list below shows all the available implementations, each fully qualified class name followed by its description:

org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator
    Preferred service provider authenticator. Supports both the SAML HTTP Redirect and HTTP POST bindings.

org.picketlink.identity.federation.bindings.tomcat.sp.SPPostFormAuthenticator
    Deprecated. Supports only the HTTP POST binding, with no signature handling for SAML assertions.

org.picketlink.identity.federation.bindings.tomcat.sp.SPPostSignatureFormAuthenticator
    Deprecated. Supports only the HTTP POST binding, with signature handling for SAML assertions.

org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectFormAuthenticator
    Deprecated. Supports only the HTTP Redirect binding, with no signature handling for SAML assertions.

org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator
    Deprecated. Supports only the HTTP Redirect binding, with signature handling for SAML assertions.

Prefer the ServiceProviderAuthenticator if you are using PicketLink v2.1 or above; the other authenticators are DEPRECATED. Without signature handling, the service provider has no cryptographic proof that an assertion was actually issued by the Identity Provider, so the two non-signature variants should only ever be used for development.

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:18:15 UTC, last content change 2012-08-27 14:27:22 UTC.