Configuring SAML SSO in WildFly 10 using PicketLink


This post shows the steps to configure SP-initiated Single Sign-On (SSO) against ADFS, along with enabling HTTPS on the WildFly server.

Prerequisites:

1. A keystore has been generated (it holds the SP's own signing key and the certificate used to verify the IdP's responses; both are referenced below)
2. ADFS (Active Directory Federation Services) server up and running
3. The application is configured as a relying party on the ADFS side

Below are the steps to configure SAML (Security Assertion Markup Language) SSO in WildFly 10.

1. PicketLink Library

PicketLink ships with WildFly as the org.picketlink module, so nothing has to be installed. The module only needs to be made visible to the application, either globally (for every deployment on the server) or per deployment. Any one of the three methods below is sufficient.

Method 1: global module in standalone-full.xml (ee subsystem, inside <global-modules>); it is then available to all applications deployed on the server
<module name="org.picketlink" slot="main"/>

Method 2: per deployment, in WEB-INF/jboss-deployment-structure.xml (inside the <deployment> element)

<dependencies>
     <module name="org.picketlink"/>
</dependencies>

Method 3: per deployment, in META-INF/MANIFEST.MF

Dependencies: org.picketlink

2. Configure Service Provider (SP)
Security constraints and security role in the web deployment descriptor (web.xml)

Add the role in web.xml. The role name * means "any role": any user the IdP authenticates and who receives at least one role from the assertion satisfies the constraint below.

<security-role>
    <description>security role</description>
    <role-name>*</role-name>
</security-role>

The same role is referenced by the auth-constraint in web.xml. The first web-resource-collection requires authentication for the listed write and WebDAV-style methods on every URL (the url-pattern must be /*; a bare * is not a valid servlet url-pattern), the second protects GET and POST on the application's secured URL.

<security-constraint>
    <display-name>excluded</display-name>
    <web-resource-collection>
        <web-resource-name>No Access</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
        <http-method>CONNECT</http-method>
        <http-method>PATCH</http-method>
        <http-method>PROPFIND</http-method>
        <http-method>PROPPATCH</http-method>
        <http-method>MKCOL</http-method>
        <http-method>COPY</http-method>
        <http-method>MOVE</http-method>
        <http-method>LOCK</http-method>
        <http-method>UNLOCK</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <url-pattern>/MySecureURL</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

Caveat: the servlet container applies only the constraints of the url-pattern that best matches the request (Servlet 3.1, section 13.8.3). For /MySecureURL that is the exact pattern, so only GET and POST are constrained there; any other method (HEAD, PUT, DELETE, ...) reaches the servlet unauthenticated, and the /* collection does not help because it is the less specific match. Either leave the <http-method> elements out of the Restricted collection so that the constraint covers all methods, or add <deny-uncovered-http-methods/> to web.xml so that the container rejects uncovered methods with 403.

<login-config>
    <auth-method>FORM</auth-method>
</login-config>

Note:
<login-config> must be present even though the FORM login page is never shown: PicketLink's SP servlet extension (step 8) registers its SAML authentication mechanism in place of FORM, so an unauthenticated request is redirected to the IdP instead of to a login form.
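The best-match rule makes it easy to misjudge what a web.xml really protects. The following check is an added example written for this post (it is not part of PicketLink or WildFly): it applies the Servlet 3.1 matching rules to a descriptor and reports which methods reach a given path without satisfying any auth-constraint. The embedded web.xml is a constructed, abridged copy of the one above (with the url-pattern already corrected to /*); HTTP_METHODS is the set of methods the audit considers and is an assumption of the example.

```python
"""Audit which HTTP methods a web.xml leaves unconstrained for a given path.

Servlet 3.1 rules: only the constraints of the single best-matching url-pattern
apply (section 13.8.3), and within that pattern only the listed http-methods are
constrained unless <deny-uncovered-http-methods/> is present.
"""
import xml.etree.ElementTree as ET

# Methods the audit reasons about (an assumption of this example; extend as needed).
HTTP_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"})

# Constructed, abridged copy of the web.xml from this post (not the real deployment).
PAGE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>DELETE</http-method>
      <http-method>PATCH</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>Restricted</web-resource-name>
      <url-pattern>/MySecureURL</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# The same descriptor with the Servlet 3.1 hardening element added.
HARDENED_WEB_XML = PAGE_WEB_XML.replace("</web-app>", "  <deny-uncovered-http-methods/>\n</web-app>")


def _parse(web_xml):
    """Parse web.xml and strip namespaces so tags can be matched by local name."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _coverage(root):
    """Map each url-pattern to the set of methods constrained at that pattern."""
    coverage = {}
    for wrc in root.iter("web-resource-collection"):
        listed = {m.text.strip().upper() for m in wrc.iter("http-method")}
        omitted = {m.text.strip().upper() for m in wrc.iter("http-method-omission")}
        if listed:
            covered = listed                  # only the named methods are constrained
        elif omitted:
            covered = HTTP_METHODS - omitted  # everything except the omitted ones
        else:
            covered = HTTP_METHODS            # no method element: all methods constrained
        for up in wrc.iter("url-pattern"):
            coverage.setdefault(up.text.strip(), set()).update(covered)
    return coverage


def _best_match(path, patterns):
    """Servlet section 12.1 matching order: exact, longest prefix, extension, default."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    for p in patterns:
        if p.startswith("*.") and path.endswith(p[1:]):
            return p
    return "/" if "/" in patterns else None


def uncovered_methods(web_xml, path):
    """Methods in HTTP_METHODS that no constraint covers at the pattern matching `path`."""
    coverage = _coverage(_parse(web_xml))
    pattern = _best_match(path, coverage)
    covered = coverage.get(pattern, set()) if pattern else set()
    return HTTP_METHODS - covered


def denies_uncovered(web_xml):
    """True when web.xml tells the container to reject uncovered methods with 403."""
    return _parse(web_xml).find("deny-uncovered-http-methods") is not None


def unauthenticated_methods(web_xml, path):
    """Methods usable on `path` without satisfying any auth-constraint.

    Assumes, as in this post, that every security-constraint carries an auth-constraint.
    """
    return frozenset() if denies_uncovered(web_xml) else uncovered_methods(web_xml, path)


if __name__ == "__main__":
    for descriptor, label in ((PAGE_WEB_XML, "as posted"), (HARDENED_WEB_XML, "hardened")):
        for path in ("/MySecureURL", "/index.html"):
            print(f"{label:10s} {path:15s} unauthenticated: {sorted(unauthenticated_methods(descriptor, path)) or 'none'}")
```

Run against the descriptor as posted, the audit reports HEAD, PUT, DELETE, OPTIONS, TRACE and PATCH as unauthenticated on /MySecureURL, while /index.html is (intentionally) open for GET, HEAD and POST only; with <deny-uncovered-http-methods/> added nothing reaches /MySecureURL unauthenticated.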

3. Configure the security domain in jboss-web.xml ({Wildfly-Home}\standalone\deployments\MyApp.war\WEB-INF), inside the root <jboss-web> element

<security-domain>sp</security-domain>

4. The same security domain must be defined in the security subsystem of standalone-full.xml, with PicketLink's SAML2LoginModule as its JAAS login module. The login module performs no authentication of its own; it picks up the principal and roles that the SP servlet extension established after validating the SAML assertion.

<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
    </authentication>
</security-domain>

5. Add picketlink.xml in
{Wildfly-Home}\standalone\deployments\MyApp.war\WEB-INF

This file holds the SP configuration: the Identity Provider (IdP) endpoint, the SP's own URL, the issuer domains that are trusted, and the keystore used for signing requests and validating response signatures.

<?xml version="1.0" encoding="UTF-8"?>
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkSP BindingType="POST" SupportsSignatures="true">
        <IdentityURL>https://mydom.adfs.local/adfs/ls/</IdentityURL>
        <ServiceURL>https://192.168.10.123:8443/myapp/MySecureURL</ServiceURL>
        <!-- Only trust SAML responses issued from the following IdP domains -->
        <Trust>
            <Domains>mydom.adfs.local,192.168.10.123</Domains>
        </Trust>
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <!-- Path to the keystore holding the certificates -->
            <Auth Key="KeyStoreURL" Value="{Wildfly-Home}/standalone/deployments/MyApp.war/WEB-INF/server.keystore" />
            <Auth Key="KeyStorePass" Value="changeit" />
            <!-- Which key in the keystore do we use ourselves for signing the SAML AuthnRequest sent to the IdP? -->
            <Auth Key="SigningKeyAlias" Value="jbosskey" />
            <Auth Key="SigningKeyPass" Value="changeit" />
            <!-- Every SAML response from the IdP must be signed, and the signature must be checked so that the IdP can be trusted.
                 Key   = domain name for which this certificate is used to check the signature
                 Value = alias of that certificate in the keystore -->
            <ValidatingAlias Key="192.168.10.123" Value="digite" />
            <ValidatingAlias Key="mydom.adfs.local" Value="digite" />
        </KeyProvider>
    </PicketLinkSP>
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    </Handlers>
</PicketLink>


Note:
1. Both the ADFS server domain and the application server domain must be listed in Trust/Domains, and each needs a ValidatingAlias whose Value is the keystore alias of the certificate that verifies responses from that domain:
mydom.adfs.local : ADFS server
192.168.10.123 : Application server
2. The keystore path, passwords and aliases above must match the ones used when the keystore was generated. The alias referenced by the ValidatingAlias for the ADFS domain must contain the ADFS token-signing certificate (the public certificate exported from ADFS); otherwise the SP cannot verify the response signature. This file also carries the keystore password in clear text and lives inside the deployment, so keep it out of the application's source repository and restrict read access to it.
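Before deploying a picketlink.xml it is worth checking it against the keystore it references. The script below is an added example written for this post (it is not part of PicketLink): it reads the SP configuration and flags the settings that would let an unsigned, untrusted or unverifiable SAML response through. The embedded configuration is a constructed copy of the one above (comments removed), and the keystore alias list is constructed; in practice it would come from keytool -list on server.keystore.

```python
"""Sanity-check a PicketLink SP configuration (picketlink.xml) against a keystore.

Checks the settings that decide whether a forged or replayed SAML response would be
accepted: https endpoints, signature support, explicit trust domains, and that every
alias the SP signs with or validates against exists in the keystore.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PL = "{urn:picketlink:identity-federation:config:2.1}"

# Constructed copy of the picketlink.xml from this post (comments omitted).
PAGE_PICKETLINK_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP BindingType="POST" SupportsSignatures="true">
    <IdentityURL>https://mydom.adfs.local/adfs/ls/</IdentityURL>
    <ServiceURL>https://192.168.10.123:8443/myapp/MySecureURL</ServiceURL>
    <Trust><Domains>mydom.adfs.local,192.168.10.123</Domains></Trust>
    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
      <Auth Key="KeyStoreURL" Value="{Wildfly-Home}/standalone/deployments/MyApp.war/WEB-INF/server.keystore" />
      <Auth Key="KeyStorePass" Value="changeit" />
      <Auth Key="SigningKeyAlias" Value="jbosskey" />
      <Auth Key="SigningKeyPass" Value="changeit" />
      <ValidatingAlias Key="192.168.10.123" Value="digite" />
      <ValidatingAlias Key="mydom.adfs.local" Value="digite" />
    </KeyProvider>
  </PicketLinkSP>
</PicketLink>
"""

# Constructed alias list; in practice read it from `keytool -list -keystore server.keystore`.
PAGE_KEYSTORE_ALIASES = frozenset({"jbosskey", "digite"})

# A deliberately broken variant: signatures off and no validating certificate for the IdP.
BROKEN_PICKETLINK_XML = (PAGE_PICKETLINK_XML
                         .replace('SupportsSignatures="true"', 'SupportsSignatures="false"')
                         .replace('<ValidatingAlias Key="mydom.adfs.local" Value="digite" />', ""))


def _text(parent, tag):
    el = parent.find(PL + tag)
    return (el.text or "").strip() if el is not None else ""


def lint_picketlink_sp(xml_text, keystore_aliases):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sp = ET.fromstring(xml_text).find(PL + "PicketLinkSP")
    if sp is None:
        return ["no PicketLinkSP element: this is not an SP configuration"]

    # 1. Both endpoints must be https, otherwise the SAML response is posted in clear.
    identity_url, service_url = _text(sp, "IdentityURL"), _text(sp, "ServiceURL")
    for name, url in (("IdentityURL", identity_url), ("ServiceURL", service_url)):
        if urlparse(url).scheme != "https":
            findings.append(f"{name} is not https: {url or '<missing>'}")

    # 2. Without SupportsSignatures the SP neither signs requests nor checks response signatures.
    if sp.get("SupportsSignatures", "false").lower() != "true":
        findings.append("SupportsSignatures is not true: incoming responses are not signature-checked")

    # 3. Trusted issuer domains must be explicit and include the IdP host.
    domains_el = sp.find(f"{PL}Trust/{PL}Domains")
    domains = [d.strip() for d in (domains_el.text or "").split(",") if d.strip()] if domains_el is not None else []
    if not domains:
        findings.append("Trust/Domains is empty: no issuer restriction")
    idp_host = urlparse(identity_url).hostname
    if idp_host and idp_host not in domains:
        findings.append(f"IdP host {idp_host} is not listed in Trust/Domains")

    # 4. Keystore references must resolve, and the well-known default password is a finding.
    kp = sp.find(PL + "KeyProvider")
    auth = {a.get("Key"): a.get("Value") for a in kp.iter(PL + "Auth")} if kp is not None else {}
    validating = {v.get("Key"): v.get("Value") for v in kp.iter(PL + "ValidatingAlias")} if kp is not None else {}
    if auth.get("KeyStorePass") == "changeit":
        findings.append("KeyStorePass is the well-known default 'changeit'")
    signing = auth.get("SigningKeyAlias")
    if signing not in keystore_aliases:
        findings.append(f"SigningKeyAlias {signing!r} not found in keystore")

    # 5. Every trusted domain needs a ValidatingAlias that resolves to a certificate in the keystore.
    for domain in domains:
        alias = validating.get(domain)
        if alias is None:
            findings.append(f"trusted domain {domain} has no ValidatingAlias: its responses cannot be verified")
        elif alias not in keystore_aliases:
            findings.append(f"ValidatingAlias for {domain} points at missing keystore alias {alias!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", PAGE_PICKETLINK_XML), ("broken", BROKEN_PICKETLINK_XML)):
        print(label, lint_picketlink_sp(cfg, PAGE_KEYSTORE_ALIASES) or ["ok"])
```

For the configuration as posted the only finding is the default keystore password; the broken variant additionally reports that signatures are disabled and that responses from mydom.adfs.local could never be verified.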

6. Create the security realm that holds the server's TLS key (standalone-full.xml, <management><security-realms>)

<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="jbosskey" key-password="changeit" generate-self-signed-certificate-host="192.168.10.123" />
        </ssl>
    </server-identities>
</security-realm>

Note:
The path, passwords and alias must match the keystore generated as a prerequisite (here it is expected in standalone/configuration). generate-self-signed-certificate-host only takes effect when no keystore exists at that path; WildFly then creates a self-signed certificate for the given host, which browsers will warn about, so it is suitable for a lab only. Use a CA-issued certificate for anything beyond that.

7. Point the HTTPS listener (undertow subsystem) at the realm

<https-listener name="https" socket-binding="https" security-realm="SslRealm" enable-http2="true" />

Note: SslRealm is the security realm created in the previous step. The ServiceURL in picketlink.xml (https, port 8443) must match this listener's socket binding.

8. Register the SP servlet extension

Create the folders classes\META-INF\services under WEB-INF, i.e.

{WILDFLY-HOME}\standalone\deployments\MyApp.war\WEB-INF\classes\META-INF\services

and in that folder a file named io.undertow.servlet.ServletExtension with the following single line:

org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension

This registers PicketLink's Undertow ServletExtension through the standard service-loader mechanism. It installs the SAML processing for the deployment: requests to the protected URLs from unauthenticated users are redirected to the IdP, and the SAML response posted back to the ServiceURL is validated before the security domain from step 4 is populated.

9. Restart the server.

10. Access the secured URL over HTTPS (https://192.168.10.123:8443/myapp/MySecureURL). On the first access the browser is redirected to the ADFS sign-in page, which prompts for a username and password; after a successful login ADFS posts the SAML response back to the ServiceURL and the page is served. Further requests in the same session are served without another prompt.
