Skip to end of metadata
Go to start of metadata

Download Files

You will need two jar files :  PicketLink Core Jar  as well as a Bindings jar (based on the server)

PicketLink Core Jar:

PicketLink Core 2.1.1 Jar:

Bindings Jar:

Updating the PicketLink module in JBoss AS 7

In order to use this version in JBoss AS 7 you need to update the PicketLink module. Please take a look at the Installation Guide.

PicketLink Quickstarts (Example applications)

PicketLink provides some useful examples about using some core features. Give it a try:

Release Notes


  • [PLFED-223] - SAML11AssertionTokenProvider cancel/validate uses SAML2 AssertionType
  • [PLFED-292] - PicketLink STS does not support wst:Renewing (and hangs)
  • [PLFED-299] - SAML Response Parsers should handle StatusMessage and StatusDetail gracefully
  • [PLFED-304] - Using parameter "SAMLResponse" instead of "SAMLRequest" during global logout
  • [PLFED-306] - SAML assertion with SubjectConfirmationData contains "NotBefore" attribute (breaking the specs)
  • [PLFED-307] - Error during validating signature on SP side when handling SAMLRequest
  • [PLFED-308] - PicketLink STS does not support processing wst:UseKey/ds:KeyInfo/ds:KeyValue Elements
  • [PLFED-309] - PicketLink STS should handle wst:ComputedKeyAlgorithm Element
  • [PLFED-322] - SAML Attribute Statement should not be created in the absence of attributes
  • [PLFED-323] - [SAMLConfigurationProvider] This component is not supporting the PicketLink element/type (consolidated config).
  • [PLFED-325] - Incorrect implementation of method STSClientConfiguration.validate
  • [PLFED-328] - [AssertionUtil] The validate method is not configuring the attribute IDness of the SAML Assertion
  • [PLFED-329] - The service provider authenticators needs to handle correctly the SAMLConfigurationProvider.
  • [PLFED-334] - Error response from IDP is signed two times
  • [PLFED-335] - Error response from IDP should use assertionConsumerServiceURL as destination (not issuer URL)
  • [PLFED-337] - NPE sometimes when parsing SAML Logout response
  • [PLFED-340] - SAML2IssuerTrustHandler can't handle issuers in non-URL format
  • [PLFED-344] - Method AbstractIDPValve.getIssuerPublicKey should not log error if issuer is not URL
  • [PLFED-346] - JAXP Factories should be cached to increase performance


  • [PLFED-256] - Trusted domains are checked twice during processing of SAML request at IP side
  • [PLFED-298] - Produce proper signature references to both SAML 1.0/1.1 and SAML 2 assertions
  • [PLFED-311] - Remove signature related code from valves and processors and use handlers to deal with signatures
  • [PLFED-312] - [IDPWebBroserSSOValve] Remove the attribute strictPostBinding. This configuration should be set in picketlink.xml (PicketLinkIDP element).
  • [PLFED-313] - [IDPWebBroserSSOValve] Remove the attribute validatingAliasToTokenIssuer. It always defaults to true when signatures are enabled.
  • [PLFED-314] - [IDPWebBroserSSOValve] Remove the attribute samlHandlerChainClass. All the configuration must be done in picketlink.xml.
  • [PLFED-315] - [IDPWebBroserSSOValve] Use the configurations defined in the element PicketLinkSTS from the picketlink.xml
  • [PLFED-316] - [IDPWebBroserSSOValve] Remove the assertionValidity attribute. This configuration is already done in the PicketLinkSTS element, TokenTimeout attribute.
  • [PLFED-317] - [IDPWebBroserSSOValve] Remove the attribute canonicalizationMethod. It is not being used.
  • [PLFED-318] - [IDPWebBroserSSOValve] Remove the attribute signOutgoingMessages. This configuration should me done using the PicketLinkIDP.SupportsSignature attribute.
  • [PLFED-320] - [IDPWebBroserSSOValve] Remove the attribute identityParticipantStack. All the configuration must be done in picketlink.xml.
  • [PLFED-321] - [IDPWebBroserSSOValve] Remove the attribute roleGenerator. All the configuration must be done in picketlink.xml.
  • [PLFED-332] - Removing signature related options from valves in quickstart applications
  • [PLFED-336] - Using of Issuer of SP as value of Audience
  • [PLFED-338] - Make IdentityServer.STACK to be static class
  • [PLFED-341] - Using GMT Timezone in SAML messages format
  • [PLFED-343] - Support for SP metadata on IDP side

Feature Request

  • [PLFED-201] - JPA Based Token Registry
  • [PLFED-278] - SAML Parsing should be tolerant of non-standard extensions
  • [PLFED-301] - IDPWebBroserSSOValve should use the PicketLinkSTS configuration parsed from picketlink.xml
  • [PLFED-302] - IDPWebBroserSSOValve attributes should be removed. All the configuration must be done in picketlink.xml.
  • [PLFED-303] - PicketLink STS should use the picketlink.xml file to load the configurations.
  • [PLFED-305] - PicketLink Audit
  • [PLFED-330] - SAML Authenticators that work on Apache Tomcat 7
  • [PLFED-345] - [BaseFormAuthenticator] Move the LogOutPage attribute to the SPType


  • [PLFED-347] - Release PicketLink v2.1.2.Final


  • [PLFED-161] - Verify STS login modules support password masking
  • [PLFED-214] - Integration Test for the TransformerUtil changes
  • [PLFED-300] - Programmatically register Santuario 1.5.x provider and run tests with that
  • [PLFED-333] - Convert project to use i18n logging and exceptions


  • [PLFED-331] - SAML2 AudienceRestriction should be present
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.