v2.1.2.Final - PicketLink

Download Files

You will need two jar files : PicketLink Core Jar as well as a Bindings jar (based on the server)

PicketLink Core Jar:

PicketLink Core 2.1.1 Jar: https://repository.jboss.org/nexus/content/groups/public/org/picketlink/picketlink-core/2.1.2.Final/picketlink-core-2.1.2.Final.jar

Bindings Jar:

Server	Jar File	Comments
JBoss AS 7.1.x	https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-jbas7/2.1.2.Final/picketlink-jbas7-2.1.2.Final.jar
JBoss AS 6.x or JBoss AS 5.x	https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-jbas5/2.1.2.Final/picketlink-jbas5-2.1.2.Final.jar
Apache Tomcat 6.x or 5.x	https://repository.jboss.org/nexus/content/groups/public/org/picketlink/distribution/picketlink-tomcat5/2.1.2.Final/picketlink-tomcat5-2.1.2.Final.jar

Updating the PicketLink module in JBoss AS 7

In order to use this version in JBoss AS 7 you need to update the PicketLink module. Please take a look at the Installation Guide.

PicketLink Quickstarts (Example applications)

PicketLink provides some useful examples about using some core features. Give it a try:

PicketLink Quickstarts

Release Notes

Bug

[ PLFED-223 ] - SAML11AssertionTokenProvider cancel/validate uses SAML2 AssertionType
[ PLFED-292 ] - PicketLink STS does not support wst:Renewing (and hangs)
[ PLFED-299 ] - SAML Response Parsers should handle StatusMessage and StatusDetail gracefully
[ PLFED-304 ] - Using parameter "SAMLResponse" instead of "SAMLRequest" during global logout
[ PLFED-306 ] - SAML assertion with SubjectConfirmationData contains "NotBefore" attribute (breaking the specs)
[ PLFED-307 ] - Error during validating signature on SP side when handling SAMLRequest
[ PLFED-308 ] - PicketLink STS does not support processing wst:UseKey/ds:KeyInfo/ds:KeyValue Elements
[ PLFED-309 ] - PicketLink STS should handle wst:ComputedKeyAlgorithm Element
[ PLFED-322 ] - SAML Attribute Statement should not be created in the absence of attributes
[ PLFED-323 ] - [SAMLConfigurationProvider] This component is not supporting the PicketLink element/type (consolidated config).
[ PLFED-325 ] - Incorrect implementation of method STSClientConfiguration.validate
[ PLFED-328 ] - [AssertionUtil] The validate method is not configuring the attribute IDness of the SAML Assertion
[ PLFED-329 ] - The service provider authenticators needs to handle correctly the SAMLConfigurationProvider.
[ PLFED-334 ] - Error response from IDP is signed two times
[ PLFED-335 ] - Error response from IDP should use assertionConsumerServiceURL as destination (not issuer URL)
[ PLFED-337 ] - NPE sometimes when parsing SAML Logout response
[ PLFED-340 ] - SAML2IssuerTrustHandler can't handle issuers in non-URL format
[ PLFED-344 ] - Method AbstractIDPValve.getIssuerPublicKey should not log error if issuer is not URL
[ PLFED-346 ] - JAXP Factories should be cached to increase performance

Enhancement

[ PLFED-256 ] - Trusted domains are checked twice during processing of SAML request at IP side
[ PLFED-298 ] - Produce proper signature references to both SAML 1.0/1.1 and SAML 2 assertions
[ PLFED-311 ] - Remove signature related code from valves and processors and use handlers to deal with signatures
[ PLFED-312 ] - [IDPWebBroserSSOValve] Remove the attribute strictPostBinding. This configuration should be set in picketlink.xml (PicketLinkIDP element).
[ PLFED-313 ] - [IDPWebBroserSSOValve] Remove the attribute validatingAliasToTokenIssuer. It always defaults to true when signatures are enabled.
[ PLFED-314 ] - [IDPWebBroserSSOValve] Remove the attribute samlHandlerChainClass. All the configuration must be done in picketlink.xml.
[ PLFED-315 ] - [IDPWebBroserSSOValve] Use the configurations defined in the element PicketLinkSTS from the picketlink.xml
[ PLFED-316 ] - [IDPWebBroserSSOValve] Remove the assertionValidity attribute. This configuration is already done in the PicketLinkSTS element, TokenTimeout attribute.
[ PLFED-317 ] - [IDPWebBroserSSOValve] Remove the attribute canonicalizationMethod. It is not being used.
[ PLFED-318 ] - [IDPWebBroserSSOValve] Remove the attribute signOutgoingMessages. This configuration should me done using the PicketLinkIDP.SupportsSignature attribute.
[ PLFED-320 ] - [IDPWebBroserSSOValve] Remove the attribute identityParticipantStack. All the configuration must be done in picketlink.xml.
[ PLFED-321 ] - [IDPWebBroserSSOValve] Remove the attribute roleGenerator. All the configuration must be done in picketlink.xml.
[ PLFED-332 ] - Removing signature related options from valves in quickstart applications
[ PLFED-336 ] - Using of Issuer of SP as value of Audience
[ PLFED-338 ] - Make IdentityServer.STACK to be static class
[ PLFED-341 ] - Using GMT Timezone in SAML messages format
[ PLFED-343 ] - Support for SP metadata on IDP side

Feature Request

[ PLFED-201 ] - JPA Based Token Registry
[ PLFED-278 ] - SAML Parsing should be tolerant of non-standard extensions
[ PLFED-301 ] - IDPWebBroserSSOValve should use the PicketLinkSTS configuration parsed from picketlink.xml
[ PLFED-302 ] - IDPWebBroserSSOValve attributes should be removed. All the configuration must be done in picketlink.xml.
[ PLFED-303 ] - PicketLink STS should use the picketlink.xml file to load the configurations.
[ PLFED-305 ] - PicketLink Audit
[ PLFED-330 ] - SAML Authenticators that work on Apache Tomcat 7
[ PLFED-345 ] - [BaseFormAuthenticator] Move the LogOutPage attribute to the SPType

Release

[ PLFED-347 ] - Release PicketLink v2.1.2.Final

Task

[ PLFED-161 ] - Verify STS login modules support password masking
[ PLFED-214 ] - Integration Test for the TransformerUtil changes
[ PLFED-300 ] - Programmatically register Santuario 1.5.x provider and run tests with that
[ PLFED-333 ] - Convert project to use i18n logging and exceptions

task

[ PLFED-331 ] - SAML2 AudienceRestriction should be present