Product SiteDocumentation Site

13.6. Federation

All the configuration is external from applications where there is no need to add or change configuration files inside the application being deployed. The subsystem is responsible for configure the applications being deployed accordingly with the configurations defined in the domain model:
  • The configuration in picketlink.xml is automatically created. No need to have this file inside your deployment.
  • The PicketLink Authenticators for Identity Providers and Service Providers are automatically registered. No need to have a jboss-web.xml file inside your deployment.
  • The PicketLink dependencies are automatically configured. No need to have a META-INF/jboss-deployment-structure.xml inside your deployment defining the org.picketlink module as a dependency.
  • The Security Domain is automatically configured using the configurations defined in the domain model. No need to have a WEB-INF/jboss-web.xml file inside your deployment.
The table bellow summarizes the main differences between the traditional configuration and the subsystem configuration for PicketLink applications:
Old Configuration
Subsystem Configuration
Not required. If present, the configuration from the domain model is going to be used instead.
Not required. The PicketLink Authenticators and the Security Domain is read from the domain model.
Not required. When the PicketLink Extension/Subsystem is enabled, the dependency to the org.picketlink module is automatically configured.

13.6.1. The Federation concept (Circle of Trust)

When using the PicketLink subsystem to configure and deploy your identity providers and service providers, all of them are grouped in a Federation.
A Federation can be understood as a Circle of Trust (CoT) from which applications share common configurations (certificates, saml specific configurations, etc) and where each participating domain is trusted to accurately document the processes used to identify a user, the type of authentication system used, and any policies associated with the resulting authentication credentials.
Each federation has one Identity Provider and many Service Providers. You do not need to specify for each SP the IDP that it trusts, because this is defined by the federation.