April 14, 2014

How to configure PicketLink Identity Provider (PIDP)?

Identity Provider

What is Identity Provider?
The Identity Provider (IDP), also known as the Identity Assertion Provider, is the authoritative entity responsible for authenticating an end user and asserting that user's identity, in a trusted fashion, to trusted partners.

What is Authentication Module?
An IDP issues identification information to every provider that wants to interact with, or offer a service to, the system. It does this through an authentication module that verifies a security token, instead of explicitly authenticating the user within a security realm.

Settings to run the PicketLink Federation component for SAML-based Single Sign-On (SSO) in a generic web container:

1). Download these jars:
  • picketlink-bindings-2.0.3.Final.jar
  • picketlink-bindings-jboss-2.0.3.Final.jar
  • picketlink-fed-2.0.3.Final.jar
  • picketlink-trust-jbossws-2.0.3.Final.jar
2). Configure picketlink-handlers.xml : The following declares the PicketLink handlers.
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
  </Handlers>
3). Generate a keystore (testing_keystore.jks) holding the IDP signing key. The store password, key password and key alias must match the values given to the KeyProvider element in the next step.

4). Create and configure a file named WEB-INF/picketlink.xml : This XML file declares the configuration settings for the IDP and defines the behaviour of the Authenticator. During identity provider startup, the authenticator parses this file and configures itself.
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0" >
    <IdentityURL>http://localhost:8080/idp-standalone/</IdentityURL>
    <Trust>
      <Domains>localhost,127.0.0.1, jboss.com,jboss.org</Domains>
    </Trust>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="testing_keystore.jks" />
      <Auth Key="KeyStorePass" Value="store123" />
      <Auth Key="SigningKeyPass" Value="test123" />
      <Auth Key="SigningKeyAlias" Value="testing" />
      <ValidatingAlias Key="localhost" Value="testing"/>
      <ValidatingAlias Key="127.0.0.1" Value="testing"/>
    </KeyProvider>
  </PicketLinkIDP>
  • The PicketLinkIDP element defines the basic configuration for the identity provider.
  • The IdentityURL element value is the URL of the Identity Provider.
  • The Trust/Domains element lists the hosts trusted by this Identity Provider, as comma-separated domain names.
  • The KeyProvider element holds the SAML digital signature configuration (keystore, passwords, signing key alias and the validating aliases for trusted hosts).
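An added example, not code from the post or from PicketLink: a small Python checker that parses the picketlink.xml above and flags what a reviewer would look at first, a non-HTTPS IdentityURL and trusted domains that have no matching ValidatingAlias. It assumes that a ValidatingAlias maps a trusted host to the keystore alias whose certificate validates that host's signatures.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"pl": "urn:picketlink:identity-federation:config:1.0"}

# Constructed sample input: the picketlink.xml shown in the post above.
SAMPLE_PICKETLINK_XML = """<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:1.0">
  <IdentityURL>http://localhost:8080/idp-standalone/</IdentityURL>
  <Trust>
    <Domains>localhost,127.0.0.1, jboss.com,jboss.org</Domains>
  </Trust>
  <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="testing_keystore.jks" />
    <Auth Key="KeyStorePass" Value="store123" />
    <Auth Key="SigningKeyPass" Value="test123" />
    <Auth Key="SigningKeyAlias" Value="testing" />
    <ValidatingAlias Key="localhost" Value="testing"/>
    <ValidatingAlias Key="127.0.0.1" Value="testing"/>
  </KeyProvider>
</PicketLinkIDP>
"""

def parse_idp_config(xml_text):
    """Return (identity_url, trusted_domains, validating_aliases, auth_params)."""
    root = ET.fromstring(xml_text)
    identity_url = root.findtext("pl:IdentityURL", default="", namespaces=NS).strip()
    domains_text = root.findtext("pl:Trust/pl:Domains", default="", namespaces=NS)
    # Domains is a comma-separated list; surrounding whitespace is ignored.
    domains = [d.strip() for d in domains_text.split(",") if d.strip()]
    kp = root.find("pl:KeyProvider", NS)
    aliases = {e.get("Key"): e.get("Value") for e in kp.findall("pl:ValidatingAlias", NS)}
    auth = {e.get("Key"): e.get("Value") for e in kp.findall("pl:Auth", NS)}
    return identity_url, domains, aliases, auth

def check_idp_config(xml_text):
    """Return the findings a reviewer would raise about this IDP configuration."""
    identity_url, domains, aliases, auth = parse_idp_config(xml_text)
    findings = []
    if urlparse(identity_url).scheme != "https":
        findings.append(f"IdentityURL is not HTTPS: {identity_url}")
    # Assumption: a trusted host needs a ValidatingAlias naming the keystore
    # entry used to validate its signatures; a domain without one is flagged.
    for d in domains:
        if d not in aliases:
            findings.append(f"trusted domain without ValidatingAlias: {d}")
    for key in ("KeyStoreURL", "KeyStorePass", "SigningKeyPass", "SigningKeyAlias"):
        if not auth.get(key):
            findings.append(f"KeyProvider missing Auth parameter: {key}")
    return findings
```

Run against the sample it reports the plain-HTTP IdentityURL and the two trusted domains (jboss.com, jboss.org) that the KeyProvider above has no ValidatingAlias for.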
5). web.xml configuration.

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>Standalone IDP</display-name>
  <description>
    IDP Standalone Application
  </description>

  <listener>
    <listener-class>org.picketlink.identity.federation.web.core.IdentityServer</listener-class>
  </listener>

  <filter>
    <description>
      The SP Filter intercepts all requests at the SP and decides whether the IDP needs to be contacted.
    </description>
    <filter-name>SPFilter</filter-name>
    <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
    <init-param>
      <param-name>ROLES</param-name>
      <param-value>sales,manager</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/login</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>

  <servlet>
    <servlet-name>IDPLoginServlet</servlet-name>
    <servlet-class>org.picketlink.identity.federation.web.servlets.IDPLoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>IDPLoginServlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>IDPServlet</servlet-name>
    <servlet-class>org.picketlink.identity.federation.web.servlets.IDPServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>IDPServlet</servlet-name>
    <url-pattern>/IDPServlet</url-pattern>
  </servlet-mapping>
</web-app>

-K Himaanshu Shukla...
