We're implementing a SAML2-Based SSO solution and use PicketLink on the SP side.
On the IDP side we have a different implementation which is configured to output the multivalued memberOf
attribute (these are actually LDAP/AD-group memberships. So we get basically get something like this in the assertion:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ... >
...
<saml:Assertion ...>
...
<saml:AttributeStatement>
<saml:Attribute FriendlyName="Role" Name="Role">
<saml:AttributeValue>authenticated</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute FriendlyName="memberOf" Name="memberOf">
<saml:AttributeValue>CN=ga-A-102213-...</saml:AttributeValue>
<saml:AttributeValue>CN=g-z-MeetingPlace,...</saml:AttributeValue>
<saml:AttributeValue>CN=g-z-Serviceportal,...</saml:AttributeValue>
<saml:AttributeValue>CN=g-z-BCM...</saml:AttributeValue>
...
</saml:Attribute>
</saml:AttributeStatement>
...
</saml:Assertion>
</samlp:Response>
My question is, how could I configure PicketLink/JBoss to map these memberOf
values onto specific roles in the application/SP?
For instance that CN=g-z-MeetingPlace,...
should be mapped to ROLE_MEETING
or CN=g-z-BCM...
should be mapped onto ROLE_BCM
. We could probably write a login module to do that, but for me it seems to be a very standard task. However I did not manage to find a configurative solution yet.
Seems like we've figured it out.
What we needed was
org.jboss.security.auth.spi.RoleMappingLoginModule
:Mapping between AD group names and internal application roles is configured in the
roles.properties
file: