14.5.4.3.3. The picketlink.xml configuration file
All the configuration for a specific Service Provider goes in the WEB-INF/picketlink.xml file. This file is responsible for defining the behaviour of the Authenticator. During service provider startup, the authenticator parses this file and configures itself.
Below is how the picketlink.xml file should look:
```xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                BindingType="REDIRECT"
                RelayState="someURL"
                ErrorPage="/someerror.jsp"
                LogOutPage="/customLogout.jsp"
                IDPUsesPostBinding="true"
                SupportsSignatures="true">
    <IdentityURL>http://localhost:8080/idp/</IdentityURL>
    <ServiceURL>http://localhost:8080/employee/</ServiceURL>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
      <Auth Key="KeyStorePass" Value="store123" />
      <Auth Key="SigningKeyPass" Value="test123" />
      <Auth Key="SigningKeyAlias" Value="servercert" />
      <ValidatingAlias Key="localhost" Value="servercert" />
      <ValidatingAlias Key="127.0.0.1" Value="servercert" />
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>
```
Important
The schema for the picketlink.xml file is available here: https://github.com/picketlink/picketlink/blob/master/modules/federation/src/main/resources/schema/config/picketlink_v2.1.xsd
14.5.4.3.3.1. PicketLinkSP Element
This element defines the basic configuration for the service provider. The table below provides more information about the attributes supported by this element:
| Name | Description | Value |
|---|---|---|
| BindingType | Defines which SAML binding should be used: the SAML HTTP POST or Redirect binding. | POST or REDIRECT. Defaults to POST if not specified. |
| ErrorPage | Defines a custom error page to be displayed when an error occurs during request processing. | Defaults to /error.jsp. |
| LogOutPage | Defines a custom logout page to be displayed after logout. | Defaults to /logout.jsp. |
| IDPUsesPostBinding | Indicates whether the Identity Provider configured for this Service Provider always uses POST for SAML responses. | true or false. Defaults to true if not specified. |
| SupportsSignatures | Indicates whether digital signing and verification of SAML assertions is enabled. If this attribute is set to true, the Identity Provider configured for this Service Provider must support signatures too; otherwise the SAML messages will be considered invalid. | true or false. Defaults to false if not specified. |
14.5.4.3.3.1.1. IdentityURL Element
This element value refers to the URL of the Identity Provider used by this Service Provider.
14.5.4.3.3.1.2. ServiceURL Element
This element value refers to the URL of the Service Provider.
14.5.4.3.3.2. SAML Digital Signature Configuration (KeyProvider Element)
To enable digital signatures for the SAML assertions you need to:
- Set the SupportsSignatures attribute to true;
- Add the Section 14.5.7.11, “SAML2SignatureGenerationHandler” and the Section 14.5.7.12, “SAML2SignatureValidationHandler” to the handlers chain (Handlers element);
- Configure a KeyProvider element (see Section 14.5.6, “Digital Signatures in SAML Assertions”).
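The three steps above are easy to get half right: the sample picketlink.xml earlier in this section sets SupportsSignatures="true" and configures a KeyProvider, but its handler chain has no signature handlers. The following checker is an added example (not part of PicketLink or this documentation) that parses a picketlink.xml and reports which of the three requirements are unmet; the embedded SAMPLE is a constructed, trimmed copy of the page's configuration.

```python
import xml.etree.ElementTree as ET

CFG = "urn:picketlink:identity-federation:config:2.1"
HND = "urn:picketlink:identity-federation:handler:config:2.1"
PKG = "org.picketlink.identity.federation.web.handlers.saml2."
SIG_GEN = PKG + "SAML2SignatureGenerationHandler"
SIG_VAL = PKG + "SAML2SignatureValidationHandler"

def check_signature_config(xml_text: str) -> list:
    """Return one finding per unmet signature requirement; [] means all three are met."""
    root = ET.fromstring(xml_text)
    findings = []
    sp = root.find(f"{{{CFG}}}PicketLinkSP")
    if sp is None:
        return ["no PicketLinkSP element"]
    # Step 1: SupportsSignatures must be true (the attribute defaults to false).
    if sp.get("SupportsSignatures", "false").lower() != "true":
        findings.append("SupportsSignatures is not true: SAML messages are neither signed nor verified")
    # Step 3: a KeyProvider must supply the signing and validating keys.
    if sp.find(f"{{{CFG}}}KeyProvider") is None:
        findings.append("no KeyProvider element: no keystore for signing/validation")
    # Step 2: both signature handlers must be present in the chain.
    handlers = [h.get("class") for h in root.iter(f"{{{HND}}}Handler")]
    for cls in (SIG_GEN, SIG_VAL):
        if cls not in handlers:
            findings.append("handler chain lacks " + cls.rsplit(".", 1)[-1])
    return findings

# Constructed sample mirroring the picketlink.xml above: signatures are switched on
# and a KeyProvider is present, but the two signature handlers were never added.
SAMPLE = f"""<PicketLink xmlns="{CFG}">
  <PicketLinkSP xmlns="{CFG}" BindingType="REDIRECT" SupportsSignatures="true">
    <IdentityURL>http://localhost:8080/idp/</IdentityURL>
    <ServiceURL>http://localhost:8080/employee/</ServiceURL>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="{HND}">
    <Handler class="{PKG}SAML2IssuerTrustHandler" />
    <Handler class="{PKG}SAML2AuthenticationHandler" />
  </Handlers>
</PicketLink>"""

def with_signature_handlers(xml_text: str) -> str:
    """Append the two signature handlers to the chain (plain string edit for the demo)."""
    extra = f'<Handler class="{SIG_GEN}" /><Handler class="{SIG_VAL}" />'
    return xml_text.replace("</Handlers>", extra + "</Handlers>")
```

Running check_signature_config(SAMPLE) reports the two missing handlers, and check_signature_config(with_signature_handlers(SAMPLE)) returns an empty list.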
14.5.4.3.3.3. SAML Handlers Configuration (Handlers Element)
PicketLink provides some built-in Section 14.5.7, “SAML2 Handlers” to help the Service Provider Authenticator process SAML requests and responses.
The handlers are configured through the Handlers element.