SAML2 scenario with REST callback

In this section, you set up a SAML2 scenario with eXo Platform performing SP role and Identity Store as well. IDP receives authentication request and callback to eXo Platform (as Identity Store) so eXo Platform users will be authenticated. This callback is carried out by idp-sig.war which can be deployed in plain JBoss AS. However, it requires some additional modules which are packed inside eXo Platform package, so you will deploy idp-sig.war against an eXo Platform package.

Before you start steps below, let's see the interconnecting configurations:

  1. Configure eXo Platform SP as described in eXo Platform as SAML2 SP. Note gatein.sso.idp.url=http://${gatein.sso.idp.host}:8080/idp-sig/.

  2. Start SP.

  3. Deploy idp-sig.war into another eXo Platform package. Do not confuse this package with eXo Platform IDP described previously. This package is used to run idp-sig.war and eXo Platform would not be deployed as you will see. Here are details of this step:

    • Copy idp-sig.war (from $GATEIN_SSO_HOME/saml/) to standalone/deployments.

    • Create an empty file named idp-sig.war.dodeploy under standalone/deployments.

    • Remove standalone/deployments/platform.ear.dodeploy, so that platform.ear will not be deployed.

  4. Configure additional modules for idp-sig.war as follows:

    • Create a folder named modules/org/picketlink/gatein.

    • Copy 2 files, including picketlink-core.jar and picketlink-jbas7.jar, from standalone/deployments/platform.ear/lib to modules/org/picketlink/gatein.

    • Create the module.xml with the following content under modules/org/picketlink/gatein:

      <?xml version='1.0' encoding='UTF-8'?>
      <module xmlns="urn:jboss:module:1.0" name="org.picketlink" slot="gatein">
          <resource-root path="picketlink-core.jar"/>
              <resource-root path="picketlink-jbas7.jar"/>
          <module name="javax.security.auth.message.api"/>
          <module name="javax.security.jacc.api"/>
          <module name="javax.transaction.api"/>
          <module name="javax.xml.bind.api"/>
          <module name="javax.xml.stream.api"/>
          <module name="javax.servlet.api"/>
          <module name="org.jboss.common-core"/>
          <module name="org.jboss.logging"/>
          <module name="org.jboss.as.web"/>
          <module name="org.jboss.security.xacml"/>
          <module name="org.picketbox"/>
          <module name="javax.xml.ws.api"/>
          <module name="org.apache.log4j"/>
          <module name="javax.api"/>
  5. Add the following security domain to the standalone/configuration/standalone.xml file:

    <security-domain name="idp" cache-type="default">
          <login-module code="org.gatein.sso.saml.plugin.SAML2IdpLoginModule" flag="required">
             <module-option name="rolesProcessing" value="STATIC"/>
             <module-option name="staticRolesList" value="manager,employee,sales"/>
             <module-option name="gateInURL" value="http://www.sp.com:8080/portal"/>
  6. Start the IDP with options as follows:

    ./standalone.sh -c standalone.xml -Dsp.host=www.sp.com -Dsp.domains=sp.com -Dpicketlink.keystore=/jbid_test_keystore.jks

    Note that, in JBoss package, the standalone.sh (or .bat) file is modified to use standalone-exo.xml as default configuration file so the -c standalone.xml option is needed.

    -Dsp.host accepts only one value. For multiple hosts, you need to edit the WEB-INF/picketlink.xml file inside idp-sig.war, similarly as instructed in eXo Platform as SAML2 IDP.

Now you can test the scenario as follows:

Copyright ©. All rights reserved. eXo Platform SAS
blog comments powered byDisqus