
12.5.3.4.3. The picketlink.xml configuration file
All the configuration for a specific Identity Provider goes in the WEB-INF/picketlink.xml file. This file defines the behaviour of the Authenticator: during identity provider startup, the authenticator parses it and configures itself accordingly.
Below is how the picketlink.xml file should look:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1">

        <!-- URL of this Identity Provider -->
        <IdentityURL>http://localhost:8080/idp/</IdentityURL>

        <!-- Comma-separated list of hosts trusted by this IDP -->
        <Trust>
            <Domains>localhost,mycompany.com</Domains>
        </Trust>

        <!-- Keystore used to sign assertions and validate signatures from trusted hosts -->
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
            <Auth Key="KeyStorePass" Value="store123" />
            <Auth Key="SigningKeyPass" Value="test123" />
            <Auth Key="SigningKeyAlias" Value="servercert" />

            <ValidatingAlias Key="localhost" Value="servercert" />
            <ValidatingAlias Key="127.0.0.1" Value="servercert" />
        </KeyProvider>

    </PicketLinkIDP>

    <!-- Optional: only needed to override the default Security Token Service settings -->
    <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="1000" ClockSkew="1000">
        <TokenProviders>
            <TokenProvider ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                TokenType="urn:oasis:names:tc:SAML:2.0:assertion" TokenElement="Assertion"
                TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
        </TokenProviders>
    </PicketLinkSTS>

    <!-- SAML2 handlers that process requests and responses, in order -->
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    </Handlers>

</PicketLink>
12.5.3.4.3.1. PicketLinkIDP Element
This element defines the basic configuration for the identity provider. The table below describes the attributes supported by this element (Name, Description, Value):

AssertionValidity
  Description: Defines the timeout for the SAML assertion validity, in milliseconds.
  Value: Defaults to 300000. Deprecated; use the PicketLinkSTS element instead.

RoleGenerator
  Description: Defines the name of the org.picketlink.identity.federation.core.interfaces.RoleGenerator subclass to be used to obtain user roles.
  Value: Defaults to org.picketlink.identity.federation.core.impl.EmptyRoleGenerator.

AttributeManager
  Description: Defines the name of the org.picketlink.identity.federation.core.interfaces.AttributeManager subclass to be used to obtain the SAML assertion attributes.
  Value: Defaults to org.picketlink.identity.federation.core.impl.EmptyAttributeManager.

StrictPostBinding
  Description: The SAML Web Browser SSO Profile requires that the IDP does not respond using the Redirect Binding. Set this to false if you want to force the IDP to respond to SPs using the Redirect Binding.
  Value: true|false. Defaults to true: the IDP always responds via the POST Binding.

SupportsSignatures
  Description: Indicates whether digital signing and signature verification of SAML assertions are enabled. If this attribute is set to true, the Service Providers must support signatures too; otherwise the SAML messages will be considered invalid.
  Value: true|false. Defaults to false.

Encrypt
  Description: Indicates whether SAML assertions should be encrypted. If this attribute is set to true, the Service Providers must support signatures too; otherwise the SAML messages will be considered invalid.
  Value: true|false. Defaults to false.

IdentityParticipantStack
  Description: Defines the name of the org.picketlink.identity.federation.web.core.IdentityParticipantStack subclass to be used to register and deregister participants in the identity federation.
  Value: Defaults to org.picketlink.identity.federation.web.core.IdentityServer.STACK.
12.5.3.4.3.1.1. IdentityURL Element
The value of this element is the URL of the Identity Provider.
12.5.3.4.3.1.2. Trust/Domains Elements
The Trust and Domains elements define the hosts trusted by this Identity Provider. Provide a comma-separated list of domain names.
12.5.3.4.3.1.3. SAML Digital Signature Configuration (KeyProvider Element)
To enable digital signatures for the SAML assertions you need to:
  1. Set the SupportsSignatures attribute to true;
12.5.3.4.3.1.4. SAML Encryption Configuration
To enable encryption for SAML assertions you need to:
  1. Set the Encrypt attribute to true;
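As an added example (not code from the PicketLink project or from this page), a small Python linter for the checks the sections above describe: the IdentityURL host must appear in Trust/Domains, Encrypt needs SupportsSignatures, and signatures need a KeyProvider with a KeyStoreURL and SigningKeyAlias. The embedded picketlink.xml is constructed for the example, and the check that the IDP's own host has a ValidatingAlias entry is my assumption rather than something the page states.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CFG_NS = "urn:picketlink:identity-federation:config:2.1"

# Constructed sample modelled on the file above; it has a 'locahost' typo and no ValidatingAlias for the IDP host.
SAMPLE_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP SupportsSignatures="true" Encrypt="true">
    <IdentityURL>http://localhost:8080/idp/</IdentityURL>
    <Trust><Domains>locahost,mycompany.com</Domains></Trust>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <ValidatingAlias Key="127.0.0.1" Value="servercert" />
    </KeyProvider>
  </PicketLinkIDP>
</PicketLink>"""

def _q(tag):
    return "{%s}%s" % (CFG_NS, tag)  # namespace-qualified tag for ElementTree

def lint_idp_config(xml_text):
    """Return a list of findings (strings) for the PicketLinkIDP part of picketlink.xml."""
    findings = []
    idp = ET.fromstring(xml_text).find(_q("PicketLinkIDP"))
    if idp is None:
        return ["PicketLinkIDP element is missing"]
    # The host IdentityURL points at must be among the trusted domains.
    host = urlparse((idp.findtext(_q("IdentityURL")) or "").strip()).hostname or ""
    domains_text = idp.findtext(_q("Trust") + "/" + _q("Domains")) or ""
    domains = {d.strip() for d in domains_text.split(",") if d.strip()}
    if host and host not in domains:
        findings.append("IdentityURL host %r is not listed in Trust/Domains" % host)
    # Both attributes default to false (see the attribute table above).
    signs = idp.get("SupportsSignatures", "false").lower() == "true"
    encrypt = idp.get("Encrypt", "false").lower() == "true"
    if not signs:
        findings.append("SupportsSignatures is false: SAML assertions are not signed")
    if encrypt and not signs:
        findings.append("Encrypt=true requires SupportsSignatures=true")
    kp = idp.find(_q("KeyProvider"))
    if signs and kp is None:
        findings.append("SupportsSignatures=true but no KeyProvider element")
    elif signs:
        auth = {a.get("Key"): a.get("Value") for a in kp.findall(_q("Auth"))}
        for key in ("KeyStoreURL", "SigningKeyAlias"):
            if not auth.get(key):
                findings.append("KeyProvider lacks Auth Key=%r" % key)
        # Assumption: the IDP's own host should have a ValidatingAlias entry.
        aliases = {v.get("Key") for v in kp.findall(_q("ValidatingAlias"))}
        if host and host not in aliases:
            findings.append("no ValidatingAlias for IdentityURL host %r" % host)
    return findings
```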
12.5.3.4.3.2. SAML Handlers Configuration (Handlers Element)
PicketLink provides some built-in SAML2 handlers (see Section 12.5.7, “SAML2 Handlers”) to help the Identity Provider Authenticator process SAML requests and responses.
The handlers are configured through the Handlers element.
12.5.3.4.3.3. Security Token Service Configuration (PicketLinkSTS Element)

Important

When configuring the IDP, you do not need to specify the PicketLinkSTS element in the configuration. If it is omitted, PicketLink loads the default configuration from a file named core-sts inside the picketlink-core-VERSION.jar.
Override this configuration only if you need to, e.g. to change the token timeout or to specify a custom Security Token Provider for SAML assertions.