To configure an application as a PicketLink Service Provider you need to follow these steps:
- Configuring the web.xml.
- Configure an Authenticator.
- Configure a Security Domain for your application.
- Configure PicketLink JBoss Module as a dependency.
- Create and configure a file named WEB-INF/picketlink.xml.
Before configuring your application as a Service Provider, you need to add some configuration to your web.xml.
Let's start by defining a security-constraint element that restricts access to protected resources for unauthenticated users:
As you can see above, we define that only users with a role named manager are allowed to access the protected resources. Make sure your users are given the same role you defined here, otherwise they will get a 403 HTTP status code.
During the logout process, PicketLink will try to redirect the user to a logout.jsp page located at the root directory of your application. Please make sure to create it.
|Please make sure you have a welcome file page in your application. You can define it in your web.xml or simply create an index.jsp at the root directory of your application.|
All the configuration for a specific Service Provider goes in the WEB-INF/picketlink.xml file. This file is responsible for defining the behaviour of the Authenticator. During the service provider startup, the authenticator parses this file and configures itself.
Below is what the picketlink.xml file should look like:
|The schema for the picketlink.xml file is available here: https://github.com/picketlink/federation/blob/master/picketlink-core/src/main/resources/schema/config/picketlink_v2.1.xsd.|
This element defines the basic configuration for the service provider. The table below provides more information about the attributes supported by this element:
|Attribute|Description|Values / default|
|EntityID|Defines the entity ID for this provider, as defined by the specs.|Usually a URI. No default value.|
|BindingType|Defines which SAML binding should be used: SAML HTTP POST or Redirect bindings.|POST or REDIRECT. Defaults to POST if not specified.|
|ErrorPage|Defines a custom error page to be displayed when some error occurs during the request processing.|Defaults to /error.jsp.|
|LogOutPage|Defines a custom logout page to be displayed after the logout.|Defaults to /logout.jsp.|
| |Indicates if the Identity Provider configured for this Service Provider is always using POST for SAML responses.|true or false. Defaults to true if not specified.|
|SupportsSignature|Indicates if digital signature/verification of SAML assertions is enabled. If this attribute is set to true, the Identity Provider configured for this Service Provider must support signatures too, otherwise the SAML messages will be considered invalid.|true or false. Defaults to false if not specified.|
|LogOutUrl|A URL that will be used to send logout requests to the IdP. If not specified, defaults to the URL specified in the IdentityURL.|Defaults to IdentityURL, if not specified.|
|LogOutResponseLocation|A URL that will be used to send logout responses to the IdP. If not specified, defaults to the issuer of the incoming logout request.|Defaults to the issuer of the logout request.|
The IdentityURL element value is the URL of the Identity Provider used by this Service Provider.
This element value is the URL of the Service Provider itself.
To enable digital signatures for the SAML assertions you need to:
- Set the SupportsSignature attribute to true;
- Add the SAML2SignatureGenerationHandler and the SAML2SignatureValidationHandler to the handlers chain (Handlers element);
- Configure a KeyProvider element.
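The following picketlink.xml is an added example, not taken from the PicketLink project or this page, that puts the three signature steps together with the elements described above. The host names, keystore path, passwords and aliases are placeholders; the handler class names, the KeyStoreKeyManager class and its Auth keys are assumed from the PicketLink distribution and should be checked against the schema linked above (which spells the attribute SupportsSignatures).

```xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:v2.1">
    <!-- Service Provider definition; attributes as in the table above.
         The XSD spells the signature switch "SupportsSignatures" (assumption, verify). -->
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:v2.1"
                  BindingType="POST"
                  SupportsSignatures="true"
                  ErrorPage="/error.jsp"
                  LogOutPage="/logout.jsp">
        <!-- placeholder URLs: the IdP this SP trusts, and this SP's own URL -->
        <IdentityURL>https://idp.example.org/idp/</IdentityURL>
        <ServiceURL>https://sp.example.org/sales/</ServiceURL>

        <!-- KeyProvider: keystore with the SP's signing key and the IdP's certificate.
             Keep this file readable only by the application server user. -->
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/sp-keystore.jks" />
            <Auth Key="KeyStorePass" Value="CHANGE_ME" />
            <Auth Key="SigningKeyPass" Value="CHANGE_ME" />
            <Auth Key="SigningKeyAlias" Value="sp-signing-key" />
            <!-- maps the IdP host (issuer) to the keystore alias holding its certificate,
                 which SAML2SignatureValidationHandler uses to verify incoming signatures -->
            <ValidatingAlias Key="idp.example.org" Value="idp-cert" />
        </KeyProvider>
    </PicketLinkSP>

    <!-- Handler chain: the two signature handlers are added to the usual SP handlers -->
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
    </Handlers>
</PicketLink>
```

With signatures enabled, an IdP that does not sign its responses will have its SAML messages rejected as invalid, so confirm the IdP side is configured for signing before deploying this.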
PicketLink provides some built-in Handlers to help the Service Provider Authenticator process the SAML requests and responses.
The handlers are configured through the Handlers element.