How to map SAML assertion attribute values onto roles in SP with PicketLink?


We're implementing a SAML2-Based SSO solution and use PicketLink on the SP side.

On the IDP side we have a different implementation which is configured to output the multivalued memberOf attribute (these are actually LDAP/AD group memberships). So we basically get something like this in the assertion:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ... >
    ...
    <saml:Assertion ...>
        ...
        <saml:AttributeStatement>
            <saml:Attribute FriendlyName="Role" Name="Role">
                <saml:AttributeValue>authenticated</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="memberOf" Name="memberOf">
                <saml:AttributeValue>CN=ga-A-102213-...</saml:AttributeValue>
                <saml:AttributeValue>CN=g-z-MeetingPlace,...</saml:AttributeValue>
                <saml:AttributeValue>CN=g-z-Serviceportal,...</saml:AttributeValue>
                <saml:AttributeValue>CN=g-z-BCM...</saml:AttributeValue>
                ...
            </saml:Attribute>
        </saml:AttributeStatement>
        ...
    </saml:Assertion>
</samlp:Response>

My question is, how could I configure PicketLink/JBoss to map these memberOf values onto specific roles in the application/SP?

For instance, CN=g-z-MeetingPlace,... should be mapped to ROLE_MEETING, and CN=g-z-BCM... should be mapped onto ROLE_BCM. We could probably write a login module to do that, but to me it seems to be a very standard task. However, I have not managed to find a configuration-based solution yet.

1 answer

lexicore (best answer):

Seems like we've figured it out.

What we needed was org.jboss.security.auth.spi.RoleMappingLoginModule:

<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule"
  flag="optional">
  <module-option name="rolesProperties">roles.properties</module-option>
</login-module>

Mapping between AD group names and internal application roles is configured in the roles.properties file:

CN\=ga-A-102213-...=SomeInternalRole
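An added illustration of the mapping this answer configures (example code, not PicketLink's or JBoss's own implementation): it pulls the multi-valued memberOf values out of a SAML assertion, reads a roles.properties-style file in which each "=" inside a group DN must be escaped as "\=", and grants only the roles whose group is listed, ignoring every other group. The assertion, group DNs and role names are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment modelled on the one in the question (DNs are made up).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>authenticated</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=g-z-MeetingPlace,OU=Groups,DC=example,DC=org</saml:AttributeValue>
      <saml:AttributeValue>CN=g-z-BCM,OU=Groups,DC=example,DC=org</saml:AttributeValue>
      <saml:AttributeValue>CN=g-z-Unmapped,OU=Groups,DC=example,DC=org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed roles.properties content: '=' is the key/value separator in Java
# properties files, so every '=' that belongs to the group DN is escaped as '\='.
ROLES_PROPERTIES = r"""
# AD group DN -> application role
CN\=g-z-MeetingPlace,OU\=Groups,DC\=example,DC\=org=ROLE_MEETING
CN\=g-z-BCM,OU\=Groups,DC\=example,DC\=org=ROLE_BCM
"""

def parse_roles_properties(text):
    """Simplified java.util.Properties parser: first unescaped '=' or ':' ends the key."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, val, i = [], "", 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):   # escaped char is part of the key
                key.append(line[i + 1]); i += 2; continue
            if ch in "=:":                          # unescaped separator: rest is the value
                val = line[i + 1:].strip(); break
            key.append(ch); i += 1
        mapping["".join(key).strip()] = val
    return mapping

def attribute_values(assertion_xml, name):
    """All AttributeValue texts of the named SAML attribute (multi-valued attributes supported)."""
    root = ET.fromstring(assertion_xml)
    return [v.text for a in root.iter(f"{{{SAML_NS}}}Attribute") if a.get("Name") == name
            for v in a.findall(f"{{{SAML_NS}}}AttributeValue")]

def map_groups_to_roles(assertion_xml, mapping):
    """Application roles granted by the mapped memberOf values; unmapped groups yield nothing."""
    return sorted({mapping[g] for g in attribute_values(assertion_xml, "memberOf") if g in mapping})
```

Matching is exact on the full DN string, so the file must contain the DN in the same spelling and attribute order the IDP emits.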