Richard Sand

Reputation: 674

SAML Service Provider on JBoss EAP 7.0

I am trying to use JBoss EAP 7.0 as a SAML Service Provider, have it "mostly" configured but am having problems at the last step when the application I've deployed as the SP is throwing a 403. I'm having trouble getting debug logs out of JBoss/PicketLink to further troubleshoot.

The federation flow works mostly - I start at my SP application. The signed authnRequest is going to my IDP (which is not JBoss). The IDP is accepting the request, challenging me to log in, and then generating the signed assertion and POST'ing it back to my SP application on JBoss. At this point I receive the 403.

So I know that the PicketLink subsystem (which I configured via the JBoss console) is deployed and working, otherwise I'd never get the signed authnRequest in the first place.

Now I'm trying to squeeze some debugging out so I can troubleshoot further. I've found some older documentation that references an attribute EnableAuditing in picketlink.xml, but this obviously predates the subsystem configuration method.

I've tried creating a log file for PicketLink, and the log file contains messages from org.picketlink.common, but that's it. No messages are created from the actual federation activity, even the authnRequest creation.

My standalone.xml file contains the following new elements (all created via the console, except the logging portion):

    <periodic-rotating-file-handler name="PICKETLINK" autoflush="true">
        <formatter>
            <named-formatter name="PATTERN"/>
        </formatter>
        <file relative-to="jboss.server.log.dir" path="picketlink.log"/>
        <suffix value=".yyyy-MM-dd"/>
        <append value="true"/>
    </periodic-rotating-file-handler>
    <logger category="org.picketlink">
        <level name="DEBUG"/>
        <handlers>
            <handler name="PICKETLINK"/>
        </handlers>
    </logger>

and the PicketLink subsystem:

    <subsystem xmlns="urn:jboss:domain:picketlink-federation:2.0">
        <federation name="jboss-sp">
            <identity-provider name="my-idp" url="https://********" security-domain="sp" external="true" support-signatures="true">
                <trust>
                    <trust-domain name="***"/>
                    <trust-domain name="***:18080"/>
                    <trust-domain name="***:18443"/>
                </trust>
            </identity-provider>
            <service-providers>
                <service-provider name="testapp-war-0.0.5-SNAPSHOT-default.war" security-domain="sp" url="http://***:18080/testapp/protected"/>
                <service-provider name="testapp-war-0.0.5-SNAPSHOT-secured.war" security-domain="sp" url="http://***:18080/testapp/protected" support-signatures="true"/>
            </service-providers>
            <key-store file="D:\\JBoss\\SSL\\samplepartner.jks" password="password" sign-key-alias="samplepartner" sign-key-password="password">
                <keys>
                    <key name="***" host="***"/>
                </keys>
            </key-store>
        </federation>
    </subsystem>

Any advice appreciated, thanks!

Upvotes: 3

Views: 1993

Answers (1)

Alex Pi

Reputation: 826

I'd recommend taking a look at the Keycloak SAML adapter instead, as PicketLink has been deprecated.

Some useful links: https://www.keycloak.org/docs/latest/securing_apps/#_saml-general-config

How to map third party IdP SAML attributes to my local application roles using keycloak-saml adapter

You will also get much better logging activity; just add a logger like this:

        <logger category="org.keycloak.saml">
            <level name="DEBUG"/>
        </logger>

Now, back to picketlink and your original problem.

About the 403 error, make sure you are getting the correct roles in the session. I never could log those out of the PicketLink subsystem; actually, if you check the code on GitHub you won't see many logging statements... kind of disappointing, I know.

You can use a non-secured JSP to see what roles you have.

    <p>Is in role XXXX <%= request.isUserInRole("XXXX") %> </p>

If you still want to explore the solution with picketlink, which I would not recommend, I'm leaving here a configuration that used to work for me.

Note that: 1) it declares an audit provider in the security-domain section; 2) it makes use of a roles mapper, which is handy if you don't control the roles coming from the IdP server.

Hope it helps.

    <extension module="org.wildfly.extension.picketlink"/>

    <subsystem xmlns="urn:jboss:domain:picketlink-federation:1.1">
        <federation name="my-federation">
            <key-store file="./keyStore.jks" relative-to="java.home" password="pass123" sign-key-alias="sp" sign-key-password="pass123">
                <keys>
                    <key name="idp" host="idpdomain.com"/>
                </keys>
            </key-store>
            <identity-provider name="anyname" url="url to the sso endpoint" external="true" encrypt="false" support-signatures="true" strict-post-binding="true" ssl-authentication="false" support-metadata="true"/>
            <service-providers>
                <service-provider name="myapp.war" security-domain="saml-realm" url="https://spdomain.com/myapp/" post-binding="true" support-signatures="true" support-metadata="true" strict-post-binding="true" logout-page="/logout.jsp">
                    <handlers>
                        <handler name="SAML2LogOutHandler" class-name="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
                        <handler name="SAML2AuthenticationHandler" class-name="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
                            <handler-parameter name="CLOCK_SKEW_MILIS" value="120000"/>
                            <handler-parameter name="NAMEID_FORMAT" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
                        </handler>
                        <handler name="RolesGenerationHandler" class-name="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
                        <handler name="SAML2SignatureGenerationHandler" class-name="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
                        <handler name="SAML2SignatureValidationHandler" class-name="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
                    </handlers>
                </service-provider>
            </service-providers>
        </federation>
    </subsystem>

    <security-domain name="saml-realm">
        <authentication>
            <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required">
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="rolesProperties" value="${jboss.server.config.dir}/rolesMapping-roles.properties"/>
                <module-option name="replaceRole" value="true"/>
            </login-module>
        </authentication>
        <audit>
            <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
        </audit>
    </security-domain>

Upvotes: 1
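As an added illustration (not part of the original answer or of PicketLink itself), here is the other half of the role chain the answer describes: a web.xml security constraint for the /protected path from the question, with the matching rolesMapping-roles.properties lines shown in a comment. The URL pattern, application role names and IdP group values are assumed for the example.

```xml
<!-- web.xml fragment for the SP war (added example; path and role names are assumed).
     After a successful SAML login the container still answers 403 when the
     authenticated user holds none of the roles named in <auth-constraint>,
     so this is the check to reconcile with the roles that arrive from the IdP. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Must name a role that is in the session AFTER the
             RoleMappingLoginModule has run, not the raw IdP value. -->
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>user</role-name>
</security-role>
<security-role>
    <role-name>admin</role-name>
</security-role>

<!-- Matching ${jboss.server.config.dir}/rolesMapping-roles.properties
     (format read by org.jboss.security.auth.spi.RoleMappingLoginModule:
     <role from IdP>=<app role>[,<app role>...]). With replaceRole=true, as in
     the answer's security domain, the left-hand IdP value is dropped and only
     the right-hand roles remain in the session. The IdP values are made up.

     idp-employees=user
     idp-app-admins=admin,user
-->
```

If the IdP sends a value that has no line in the properties file, replaceRole=true leaves the user with no application role at all, which produces exactly the 403 after a successful login.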
