Configuring SAML SSO in Wildfly10 using PicketLink
This post shows the steps to configure SP-initiated Single Sign-On (SSO) in WildFly 10 using PicketLink, along with enabling HTTPS on the WildFly server.
Prerequisites:
1. A keystore has been generated.
2. The ADFS server is up and running.
3. The configuration on the ADFS (Active Directory Federation Services) side is done.
Below are the steps to configure SAML (Security Assertion Markup Language) SSO in WildFly 10.
1. PicketLink library
PicketLink already ships with WildFly; you only need to make it visible to the application. Either declare it as a dependency of the application, or register it as a global module in standalone-full.xml, in which case it is available to every application deployed on the server.
Method 1: as a global module under <global-modules> in the ee subsystem of standalone-full.xml
<module name="org.picketlink" slot="main"/>
Method 2: in the jboss-deployment-structure.xml of the application
<dependencies>
<module name="org.picketlink"/>
</dependencies>
Method 3: in the MANIFEST.MF file of the application, with a Dependencies: org.picketlink entry
2. Configure the Service Provider (SP)
Security constraints and security role in the web deployment descriptor (web.xml)
Add the role to web.xml:
<security-role>
<description>security role</description>
<role-name>*</role-name>
</security-role>
The same role must be referenced from the security constraint in web.xml:
<security-constraint>
  <display-name>excluded</display-name>
  <web-resource-collection>
    <web-resource-name>No Access</web-resource-name>
    <!-- "/*" covers every path; a bare "*" is treated as an exact match on the literal "*" and matches nothing -->
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>DELETE</http-method>
    <http-method>CONNECT</http-method>
    <http-method>PATCH</http-method>
    <http-method>PROPFIND</http-method>
    <http-method>PROPPATCH</http-method>
    <http-method>MKCOL</http-method>
    <http-method>COPY</http-method>
    <http-method>MOVE</http-method>
    <http-method>LOCK</http-method>
    <http-method>UNLOCK</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <url-pattern>/MySecureURL</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- this auth-constraint applies to both web-resource-collections above -->
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
</login-config>
Note: the <login-config> element must be present even though FORM authentication itself is not used.
3. Configure the security domain in jboss-web.xml ({Wildfly-Home}\standalone\deployments\MyApp.war\WEB-INF)
<security-domain>sp</security-domain>
4. The same security domain must be defined, with the PicketLink JAAS login module, in the security subsystem of standalone-full.xml:
<security-domain name="sp" cache-type="default">
  <authentication>
    <login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required" />
  </authentication>
</security-domain>
5. Add picketlink.xml in {Wildfly-Home}\standalone\deployments\MyApp.war\WEB-INF
This file holds the Identity Provider (IdP) configuration for the SP:
<?xml version="1.0" encoding="UTF-8"?>
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP BindingType="POST" SupportsSignatures="true">
    <IdentityURL>https://mydom.adfs.local/adfs/ls/</IdentityURL>
    <ServiceURL>https://192.168.10.123:8443/myapp/MySecureURL</ServiceURL>
    <!-- Only trust IdP SAML Responses from the following IdP domains -->
    <Trust>
      <Domains>mydom.adfs.local,192.168.10.123</Domains>
    </Trust>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <!-- Path to the keystore holding the certificates -->
      <Auth Key="KeyStoreURL" Value="{Wildfly-Home}/standalone/deployments/MyApp.war/WEB-INF/server.keystore" />
      <Auth Key="KeyStorePass" Value="changeit" />
      <!-- Which key in the keystore we use ourselves for signing the SAML AuthnRequest sent to the IdP -->
      <Auth Key="SigningKeyAlias" Value="jbosskey" />
      <Auth Key="SigningKeyPass" Value="changeit" />
      <!--
        Every SAML Response from the IdP is/must be signed, and the signature
        must be checked to make sure the IdP can be trusted.
        Key   = domain name whose signatures this certificate is used to verify
        Value = alias of that certificate in the keystore
      -->
      <ValidatingAlias Key="192.168.10.123" Value="digite" />
      <ValidatingAlias Key="mydom.adfs.local" Value="digite" />
    </KeyProvider>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
  </Handlers>
</PicketLink>
Note:
1. Both the ADFS server domain and the application server host must be listed in Trust/Domains, each with its own ValidatingAlias:
mydom.adfs.local : ADFS server
192.168.10.123 : application server
2. These values must be the same ones that were used when generating the keystore.
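A sanity check for the picketlink.xml above, added here as an example (it is not part of the original post nor of PicketLink): it parses the SP section and flags the mistakes the notes warn about, a URL host missing from Trust/Domains, a trusted domain without a ValidatingAlias, a non-HTTPS URL, and keystore passwords left at the default. The embedded sample is a constructed copy of the post's file with the application server's ValidatingAlias deliberately left out.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"pl": "urn:picketlink:identity-federation:config:2.1"}

# Constructed sample mirroring the post's picketlink.xml, but with the
# application server's ValidatingAlias deliberately left out.
SAMPLE_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP BindingType="POST" SupportsSignatures="true">
    <IdentityURL>https://mydom.adfs.local/adfs/ls/</IdentityURL>
    <ServiceURL>https://192.168.10.123:8443/myapp/MySecureURL</ServiceURL>
    <Trust><Domains>mydom.adfs.local,192.168.10.123</Domains></Trust>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStorePass" Value="changeit" />
      <Auth Key="SigningKeyAlias" Value="jbosskey" />
      <ValidatingAlias Key="mydom.adfs.local" Value="digite" />
    </KeyProvider>
  </PicketLinkSP>
</PicketLink>"""


def check_picketlink_sp(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    sp = ET.fromstring(xml_text).find("pl:PicketLinkSP", NS)
    if sp is None:
        return ["no PicketLinkSP element found"]
    findings = []
    if sp.get("SupportsSignatures") != "true":
        findings.append("SupportsSignatures is not true: SAML signatures are not handled")
    idp_url = sp.findtext("pl:IdentityURL", "", NS)
    sp_url = sp.findtext("pl:ServiceURL", "", NS)
    trusted = {d.strip() for d in sp.findtext("pl:Trust/pl:Domains", "", NS).split(",") if d.strip()}
    for label, url in (("IdentityURL", idp_url), ("ServiceURL", sp_url)):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{label} is not https: {url}")
        if parsed.hostname not in trusted:  # the Trust list must name both hosts
            findings.append(f"{label} host {parsed.hostname} is missing from Trust/Domains")
    kp = sp.find("pl:KeyProvider", NS)
    auth = {a.get("Key"): a.get("Value") for a in kp.findall("pl:Auth", NS)} if kp is not None else {}
    aliases = {v.get("Key") for v in kp.findall("pl:ValidatingAlias", NS)} if kp is not None else set()
    for domain in sorted(trusted - aliases):  # each trusted domain needs a validating certificate
        findings.append(f"trusted domain {domain} has no ValidatingAlias, its signatures cannot be checked")
    for key in ("KeyStorePass", "SigningKeyPass"):
        if auth.get(key) == "changeit":
            findings.append(f"{key} is still the default 'changeit'")
    if not auth.get("SigningKeyAlias"):
        findings.append("SigningKeyAlias is missing: outgoing AuthnRequests will not be signed")
    return findings
```

Run check_picketlink_sp() on the real WEB-INF/picketlink.xml after editing it; on the sample it reports the missing ValidatingAlias for 192.168.10.123 and the default KeyStorePass.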
6. Create a security realm for HTTPS in the <management> section of standalone-full.xml
<security-realm name="SslRealm">
  <server-identities>
    <ssl>
      <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="jbosskey" key-password="changeit" generate-self-signed-certificate-host="192.168.10.123" />
    </ssl>
  </server-identities>
</security-realm>
Note: these values must be the same ones that were used when generating the keystore.
7. Reference the realm in the HTTPS listener of the undertow subsystem
<https-listener name="https" socket-binding="https" security-realm="SslRealm" enable-http2="true" />
Note: SslRealm is the security realm created in the previous step.
8. Create the folders classes\META-INF\services under {WILDFLY-HOME}\standalone\deployments\MyApp.war\WEB-INF, giving {WILDFLY-HOME}\standalone\deployments\MyApp.war\WEB-INF\classes\META-INF\services
In that folder create a file named io.undertow.servlet.ServletExtension with the following content:
org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension
This registers PicketLink's SP servlet extension with Undertow as a service definition, so that it processes the SAML messages.
9. Restart the server.
10. Access the URL; the first time, it should prompt you for the user name and password.