Skip to end of metadata
Go to start of metadata

Configuring a Service Provider

To configure an application as a PicketLink Service Provider you need to follow this steps:

  1. Configuring the web.xml.
  2. Configure an Authenticator.
  3. Configure a Security Domain for your application.
  4. Configure PicketLink JBoss Module as a dependency.
  5. Create and configure a file named WEB-INF/picketlink.xml.

Configuring the web.xml

Before configuring your application as an Service Provider you need to add some configurations to your web.xml.

Let's start by defining a security-constraint element to restrict access to resources from unauthenticated users:

As you can see above, we define that only users with a role named manager are allowed to access the protected resources. Make sure to give your users the same role you defined here, otherwise they will get a 403 HTTP status code.

During the logout process, PicketLink will try to redirect the user to a logout.jsp page located at the root directory of your application. Please, make sure to create it.

Please, make sure you have a welcome file page in your application. You can define it in your web.xml or simply create an index.jsp at the root directory of your application.

The picketlink.xml configuration file

All the configuration for an especific Service Providers goes at the WEB-INF/picketlink.xml file. This file is responsible to define the behaviour of the Authenticator. During the service provider startup, the authenticator parses this file and configures itself.

Bellow is how the picketlink.xml file should looks like:

PicketLinkSP Element

This element defines the basic configuration for the service provider. The table bellow provides more information about the attributes supported by this element:

Name Description Value
EntityID Defines the entity ID for this provider, as defined by the specs. Usually an URI. No default value.
BindingType Defines which SAML binding should be used: SAML HTTP POST or Redirect bindings. POST|REDIRECT. Defaults to POST if not specified.
ErrorPage Defines a custom error page to be displayed when some error occurs during the request processing. Defaults to /error.jsp.
LogOutPage Defines a custom logout page to be displayed after the logout. Defaults to /logout.jsp.
IDPUsesPostBinding
Indicates if the Identity Provider configured for this Service Provider is always using POST for SAML responses. true|false. Defaults to true if not specified.
SupportsSignature
Indicates if digital signature/verification of SAML assertions are enabled. If this attribute is marked to true the Identity Provider configured for this Service Provider must support signatures too, otherwise the SAML messages will be considered as invalid. true|false. Defaults to false if not specified.
LogOutUrl An URL that will be used to send logout requests to the IdP. If not specified, defaults to the URL specified in the IdentityURL. Defaults to IdentityURL, if not specified.
LogOutResponseLocation An URL that will be used to send logout responses to the IdP. If not specified, defaults to the issuer of the incoming logout request*.* Defaults to the issuer of the logout request.

IdentityURL Element

This element value refers to the URL of the Identity Provider used by this Service Provider.

Eg.: http://localhost:8080/idp/

ServiceURL Element

This element value refers to the URL of the Service Provider.

Eg.: http://localhost:8080/sales/

SAML Digital Signature Configuration (KeyProvider Element)

To enable digital signatures for the SAML assertions you need to configure:

  1. Set the SupportsSignature attribute to true;
  2. Add the SAML2SignatureGenerationHandler and the SAML2SignatureValidationHandler in the handlers chain (Handler Element).
  3. Configure a KeyProvider* *element.

SAML Handlers Configuration (Handlers Element)

PicketLink provides some built-in Handlers to help the Service Provider Authenticator processing the SAML requests and responses.

The handlers are configured through the Handlers element.

Labels:
None
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.