Why does the PicketLink SAMLTokenCertValidatingLoginModule login module not work on JBoss EAP 7
Environment
- Red Hat JBoss Enterprise Application Platform
- 7.0.x
Issue
We have been using SAMLTokenCertValidatingLoginModule for some time in EAP6. I am attempting to configure it in EAP7 but am having difficulties.
The document "How To Set Up SSO with SAML v2" points out a lot of changes since EAP6, but I cannot get it working with the attached configuration. Initially I was hung up by the change from SECURITY_DOMAIN to FORM in the web.xml, but now with the web.xml using FORM and a series of other configs made to match the suggestions, I'm not sure what handlers should be configured in the picketlink.xml file when using SAMLTokenCertValidatingLoginModule.
Every attempt to hit the secured area of the server ends up redirecting me to IDP like so:
<HTML><HEAD><TITLE>HTTP Post Binding (Request)</TITLE></HEAD><BODY Onload="document.forms[0].submit()"><FORM METHOD="POST" ACTION="https://test.host/IDP"><INPUT TYPE="HIDDEN" NAME="SAMLRequest" VALUE="P...=="/><NOSCRIPT><P>JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue.</P><INPUT TYPE="SUBMIT" VALUE="CONTINUE" /></NOSCRIPT></FORM></BODY></HTML>
The documentation is all over the place for this and I've sunk a day into just trying to make it work. I have verified with the Undertow request dumper that I am sending in a valid SAML assertion.
For example, I've found this handler documentation that doesn't tell me much:
https://docs.jboss.org/author/display/PLINK/SAML2SignatureValidationHandler
I also noticed no reference to the SAMLTokenCertValidatingLoginModule here, but found the class in several WildFly sources:
https://developer.jboss.org/wiki/PicketLinkSTSLoginModules
Root Cause
The problem here seems to be that there is no WildFly/EAP 7 port of the PicketLinkAuthenticator.
The PicketLink SPServletExtension only configures the SPFormAuthenticationMechanism. This authentication mechanism redirects unauthenticated access to the IDP; however, as you have discovered, it does not know how to handle a request that carries the Assertion in an HTTP header. As a result, it denies access.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.