Tags: jboss-eap-6, picketlink

Enable SAML2 SSO on a multi-tenant JBoss Application to multiple IPs


I have an existing JBoss Application that I want to enable as a SAML2 SP. Easy enough, but this is a multi-tenant application where the host name is used to determine which IP "if any" to redirect to. If no IP is configured, it should fall through to a form login. The configuration below does not do what I want (the second "PicketLinkSP" hides the first one).

This is a low-volume application with dozens of tenants, so we would prefer not to deploy a war file for each tenant. Currently, only a few clients have expressed interest in hosting a SAML2 IP, so if we had to we could deploy dedicated instances for these few, but if there is a better solution, that would be sweet.

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <!-- Tenant 1: requests for bip.archxm should go to the bip IdP -->
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
      ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
    <IdentityURL>${idp.url::http://bip.archxm/idp/}</IdentityURL>
    <ServiceURL>${sample.url::http://bip.archxm/sample}</ServiceURL>
    <Trust>
      <Domains>bip.archxm</Domains>
    </Trust>
  </PicketLinkSP>
  <!-- Tenant 2: requests for ccm.archxm should go to the ccm IdP.
       picketlink.xml holds a single SP configuration, so this second
       PicketLinkSP element replaces the first instead of adding to it. -->
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
      ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
    <IdentityURL>${idp.url::http://ccm.archxm/idp/}</IdentityURL>
    <ServiceURL>${sample.url::http://ccm.archxm/sample/}</ServiceURL>
    <Trust>
      <Domains>ccm.archxm</Domains>
    </Trust>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
      <Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
    </Handler>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
  </Handlers>
</PicketLink>

Solution

  • I solicited some help from Red Hat and they provided me with some sample code. Here's the sample.

    In my case I needed to extend more than just the AuthenticationHandler; I needed to extend all of the SP handlers in the same way, as well as a custom KeyManager and ConfigurationProvider. For the handlers I was able to do it generically using a generic/delegating SAML2Handler with the following type.

    public abstract class MyDelegatingSAML2Handler<DH extends SAML2Handler> implements SAML2Handler
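The following is an added example of the delegating-handler approach sketched in the answer; it is not the Red Hat sample or the poster's code. It keeps one Handler entry per SP handler in picketlink.xml but routes each request to a delegate initialised with the tenant's own SPType, so the IdentityURL and Trust/Domains that the two PicketLinkSP blocks above tried to express per host are applied per host. The PicketLink API names (SAML2Handler, HTTPContext, DefaultSAML2HandlerChainConfig, GeneralConstants.CONFIGURATION and KEYPAIR, SPType, TrustType) are those of PicketLink 2.x with the 2.5 package layout; PicketLink 2.1 on EAP 6 has the same classes under org.picketlink.identity.federation.core and .web, so adjust the imports. The class names TenantDelegatingSAML2Handler and TenantAuthenticationHandler, and the tenant map, are hypothetical and built inline for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.config.federation.SPType;
import org.picketlink.config.federation.TrustType;
import org.picketlink.identity.federation.core.saml.v2.impl.DefaultSAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler;

/** Hypothetical wrapper: one entry in picketlink.xml, one PicketLink handler per SAML-enabled tenant. */
public abstract class TenantDelegatingSAML2Handler<DH extends SAML2Handler> implements SAML2Handler {

    /** Exact-match allowlist: lower-cased tenant host -> delegate configured for that tenant only. */
    private final Map<String, DH> delegates = new ConcurrentHashMap<>();

    /** Subclass creates the real PicketLink handler to wrap. */
    protected abstract DH newDelegate();

    /** Subclass supplies host -> per-tenant SP configuration (IdentityURL, ServiceURL, Trust). */
    protected abstract Map<String, SPType> samlTenants();

    @Override
    public void initChainConfig(SAML2HandlerChainConfig shared) throws ConfigurationException {
        for (Map.Entry<String, SPType> tenant : samlTenants().entrySet()) {
            // Each delegate sees a chain config whose CONFIGURATION is this tenant's SPType, so its
            // IdP URL and trusted issuer domains are the tenant's, not a single global one.
            DefaultSAML2HandlerChainConfig tenantCfg = new DefaultSAML2HandlerChainConfig();
            tenantCfg.addParameter(GeneralConstants.CONFIGURATION, tenant.getValue());
            // Signing key material is shared across tenants here; copy other shared parameters the same way.
            tenantCfg.addParameter(GeneralConstants.KEYPAIR, shared.getParameter(GeneralConstants.KEYPAIR));
            DH delegate = newDelegate();
            delegate.initChainConfig(tenantCfg);
            delegates.put(normalize(tenant.getKey()), delegate);
        }
    }

    @Override
    public void initHandlerConfig(SAML2HandlerConfig cfg) throws ConfigurationException {
        for (DH d : delegates.values()) d.initHandlerConfig(cfg); // <Option> values apply to every tenant
    }

    @Override
    public void generateSAMLRequest(SAML2HandlerRequest req, SAML2HandlerResponse resp) throws ProcessingException {
        delegateFor(req).generateSAMLRequest(req, resp);
    }

    @Override
    public void handleRequestType(SAML2HandlerRequest req, SAML2HandlerResponse resp) throws ProcessingException {
        delegateFor(req).handleRequestType(req, resp);
    }

    @Override
    public void handleStatusResponseType(SAML2HandlerRequest req, SAML2HandlerResponse resp) throws ProcessingException {
        delegateFor(req).handleStatusResponseType(req, resp);
    }

    @Override
    public HANDLER_TYPE getType() { return HANDLER_TYPE.SP; }

    @Override
    public void reset() throws ProcessingException {
        for (DH d : delegates.values()) d.reset();
    }

    private DH delegateFor(SAML2HandlerRequest req) throws ProcessingException {
        // getServerName() comes from the client-controlled Host header, so it is only used as an
        // exact allowlist key; an unknown host gets no SAML exchange and stays on the form login.
        HttpServletRequest http = ((HTTPContext) req.getContext()).getRequest();
        String host = normalize(http.getServerName());
        DH d = delegates.get(host);
        if (d == null) throw new ProcessingException("no SAML2 IdP configured for host " + host);
        return d;
    }

    static String normalize(String host) { return host.trim().toLowerCase(Locale.ROOT); }
}

/** Replaces SAML2AuthenticationHandler in <Handlers>; repeat for the other SP handlers. */
class TenantAuthenticationHandler extends TenantDelegatingSAML2Handler<SAML2AuthenticationHandler> {
    @Override protected SAML2AuthenticationHandler newDelegate() { return new SAML2AuthenticationHandler(); }

    @Override protected Map<String, SPType> samlTenants() {
        // Constructed inline for illustration; a deployment would load this from tenant configuration.
        Map<String, SPType> tenants = new LinkedHashMap<>();
        tenants.put("bip.archxm", sp("http://bip.archxm/idp/", "http://bip.archxm/sample", "bip.archxm"));
        tenants.put("ccm.archxm", sp("http://ccm.archxm/idp/", "http://ccm.archxm/sample/", "ccm.archxm"));
        return tenants; // tenants absent from this map never reach an IdP
    }

    private static SPType sp(String idpUrl, String serviceUrl, String trustedDomains) {
        SPType sp = new SPType();
        sp.setIdentityURL(idpUrl);
        sp.setServiceURL(serviceUrl);
        TrustType trust = new TrustType();
        trust.setDomains(trustedDomains); // per-tenant issuer trust: tenant A's IdP cannot assert for tenant B
        sp.setTrust(trust);
        return sp;
    }
}
```

With this in place the picketlink.xml keeps a single PicketLinkSP block (whose values the delegates ignore in favour of their tenant's SPType) and lists the tenant wrappers in <Handlers>. The same wrapping would be applied to SAML2LogOutHandler, RolesGenerationHandler and SAML2IssuerTrustHandler, which is what the answer means by extending all of the SP handlers in the same way; how the ProcessingException for an unmapped host is turned into a plain form login depends on the authenticator or valve in front of the chain and is not shown here.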