

Part II. Securing the Platform


5.3. About PicketLink STS Login Modules

A PicketLink Login Module is typically configured as part of the security setup of a JEE container to use a Security Token Service for authenticating users. The STS may be collocated on the same container as the Login Module or be accessed remotely through Web Service calls or another technology. PicketLink Login Modules support non-PicketLink STS implementations through standard WS-Trust calls.

A call to the STS typically requires authentication. This Login Module uses credentials from one of the following sources:

• Its properties file, if the useOptionsCredentials module option is set to true.
• The credentials of a previous login module, if the password-stacking module option is set to useFirstPass.
• The configured CallbackHandler, by supplying a Name and Password Callback.

Upon successful authentication, the SamlCredential is inserted in the Subject's public credentials if one with the same Assertion is not already present there.

STSValidatingLoginModule

Calls the configured STS and validates an available security token.

A call to the STS typically requires authentication. This Login Module uses credentials from one of the following sources:

• Its properties file, if the useOptionsCredentials module option is set to true.
• The credentials of a previous login module, if the password-stacking module option is set to useFirstPass.
• The configured CallbackHandler, by supplying a Name and Password Callback.

Upon successful authentication, the SamlCredential is inserted in the Subject's public credentials if one with the same Assertion is not already present there.

SAML2STSLoginModule

This Login Module supplies an ObjectCallback to the configured CallbackHandler and expects a SamlCredential object back. The Assertion is validated against the configured STS. If a user ID and SAML token are shared, this Login Module bypasses validation when stacked on top of another Login Module that has successfully authenticated.

Upon successful authentication, the SamlCredential is inspected for a NameID and a multi-valued role attribute, which are set as the ID and roles of the user respectively.

SAML2LoginModule

This login module is used in conjunction with other components for SAML authentication and performs no authentication itself.

The SPRedirectFormAuthenticator uses this login module in PicketLink's implementation of the SAML v2 HTTP Redirect Profile.

The Tomcat authenticator valve performs authentication through redirecting to the identity provider and getting a SAML assertion.

This login module is used to pass the user ID and roles to the JBoss security framework to be populated in the JAAS subject.


5.4. Configure STSIssuingLoginModule

The STSIssuingLoginModule uses a user name and password to authenticate the user against an STS by retrieving a token.

Example 5.4. Configure STSIssuingLoginModule

    <application-policy name="saml-issue-token">
      <authentication>
        <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
          <module-option name="configFile">./picketlink-sts-client.properties</module-option>
          <module-option name="endpointURI">http://security_saml/endpoint</module-option>
        </login-module>
      </authentication>
      <mapping>
        <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider" type="principal" />
        <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider" type="role" />
      </mapping>
    </application-policy>

Most configurations can switch to the configuration cited in the above example by:

• changing their declared security-domain
• specifying a Principal mapping provider
• specifying a RoleGroup mapping provider

The specified Principal mapping provider and RoleGroup mapping provider result in an authenticated Subject being populated, which enables coarse-grained and role-based authorization. After authentication, the Security Token is available and may be used to invoke other services by Single Sign-On.
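The following is an added example, not code from the PicketLink documentation or the PicketLink project. It shows what a client of the saml-issue-token policy above looks like from the JAAS side, using only the standard javax.security.auth API: a CallbackHandler that answers the Name and Password callbacks the login module falls back to when neither useOptionsCredentials nor password-stacking supplies credentials, followed by a check that the mapping providers populated principals and that a SamlCredential landed in the Subject's public credentials. The policy name is taken from the example; the user name and password are placeholders, and it is assumed that the JVM's JAAS Configuration resolves "saml-issue-token" (as it does inside the JBoss server, or through a login configuration file on a standalone client). The SamlCredential class is matched by simple name so the example does not depend on a particular PicketLink package layout.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class StsIssuingLoginExample {

    /** Answers the NameCallback and PasswordCallback that STSIssuingLoginModule
     *  issues when it has to obtain credentials from the CallbackHandler. */
    static final class UserPasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        UserPasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);   // PasswordCallback copies the array
                } else {
                    // Fail loudly on a callback type we did not expect instead of ignoring it
                    throw new UnsupportedCallbackException(cb, "only name/password callbacks are handled");
                }
            }
        }
    }

    /** Returns true when a credential whose class is named SamlCredential is in the Subject. */
    static boolean hasSamlCredential(Subject subject) {
        for (Object cred : subject.getPublicCredentials()) {
            if ("SamlCredential".equals(cred.getClass().getSimpleName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws LoginException {
        // Placeholder credentials (assumption); in practice these come from the caller.
        char[] password = "changeit".toCharArray();
        LoginContext ctx;
        try {
            // "saml-issue-token" is the application-policy name from Example 5.4
            ctx = new LoginContext("saml-issue-token", new UserPasswordHandler("alice", password));
            ctx.login();   // STSIssuingLoginModule contacts the STS and requests a token
        } finally {
            Arrays.fill(password, '\0');   // do not keep the password around after login
        }

        try {
            Subject subject = ctx.getSubject();

            // Principals come from STSPrincipalMappingProvider / STSGroupMappingProvider
            for (Principal p : subject.getPrincipals()) {
                System.out.println("principal " + p.getClass().getSimpleName() + ": " + p.getName());
            }

            // The issued token is what later SSO calls to other services reuse
            if (hasSamlCredential(subject)) {
                System.out.println("SamlCredential present; token available for Single Sign-On");
            } else {
                System.out.println("login succeeded but no SamlCredential was populated; check module options and mapping");
            }
        } finally {
            ctx.logout();
        }
    }
}
```

The login module itself never sees the CallbackHandler's password field directly; PasswordCallback.setPassword copies the array, which is why the caller can clear its own copy immediately after login() returns regardless of the outcome.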


5.5. Configure STSValidatingLoginModule

The STSValidatingLoginModule uses a TokenCallback to obtain a security token from the configured CallbackHandler and validates that token against the configured STS.

Example 5.5. Configure STSValidatingLoginModule

    <application-policy name="saml-validate-token">
      <authentication>
        <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
          <module-option name="configFile">./picketlink-sts-client.properties</module-option>
          <module-option name="endpointURI">http://security_saml/endpoint</module-option>
        </login-module>
      </authentication>
      <mapping>
        <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider" type="principal" />
        <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider" type="role" />
      </mapping>
    </application-policy>

The configuration cited in the example enables Single Sign-On for your applications and services. A token, once issued either by directly contacting the STS or through a token-issuing login module, can be used to authenticate against multiple applications and services by employing the setup provided in the example. Providing a Principal mapping provider and a RoleGroup mapping provider results in an authenticated Subject being populated, which enables coarse-grained and role-based authorization. After authentication, the Security Token is available and can be used to invoke other services by Single Sign-On.
