Important: the SAML module of the Java EE security extension is incompatible with Rampart (the Axis2 Web services security module). Rampart depends on an obsolete version of the OpenSAML library that conflicts with the one used by the extension.
Rampart is no longer installed with Adelia Studio by default. It is, however, possible to use both Rampart and the security extension in OpenID mode. To do this, exclude the SAML dependency of the security extension (org.pac4j:pac4j-saml) in your build scripts and explicitly force the Rampart dependency (org.apache.rampart:rampart-core).
The Java EE security extension is compatible with the SAML V2 extension module of Pac4J. It must be explicitly included in your build scripts (pac4j-saml), for example with this Gradle dependency:
    runtime group:'org.pac4j',name:'pac4j-saml',version:'3.9.0'
The configuration is in the following form:
    wagonSecurity:
      callbackUrl: https://domain.com/application/callback
      corsAuthorizer:
        allowedOrigins: "*"
        allowedMethods: GET,POST,HEAD,OPTIONS,PUT,DELETE
        # allowedHeaders: Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization
        # preflightMaxage: 1800
      authorizationGenerator:
        className: com.hardis.adelia.jee.security.RoleGenerator
        rolesClaim: Role
        userNameClaim: surname
      clientsProperties:
        saml.serviceProviderEntityId: clientId
        saml.keystorePath: conf:saml-keystore.jks
        saml.keystorePassword: secret
        saml.privateKeyPassword: secret
        saml.identityProviderMetadataPath: conf:saml-keycloak.xml
        #saml.identityProviderMetadataPath: java:comp/env/url/samlDescriptor
        saml.maximumAuthenticationLifetime: 3600
To simplify the configuration of file resources (keystore, identity provider metadata file), the following conventions apply when the values of the clientsProperties section are loaded:
- If the value is a simple file name prefixed with the "conf:" marker, the file is looked up in the application's standard configuration directory (WEB-INF/conf).
- If the value designates a JNDI resource in the form "java:comp/env/url/<resourceName>", the value is replaced by the result of the JNDI lookup.
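The following resolver is an added illustration of the two conventions above, not the security extension's own code. It applies the "conf:" and "java:comp/env/url/" rules to the clientsProperties of the example configuration, with a container JNDI context simulated by a dict (an assumption of this example), and adds the check a reviewer would want: since the rule only covers a simple file name, anything containing a path separator or "." / ".." is refused so a crafted value cannot point outside WEB-INF/conf. The directory contents and the JNDI URL are constructed placeholders.

```python
import tempfile
from pathlib import Path

CONF_MARKER = "conf:"
JNDI_PREFIX = "java:comp/env/url/"
# The clientsProperties keys that designate files in the example configuration.
FILE_PROPERTIES = ("saml.keystorePath", "saml.identityProviderMetadataPath")


class ConfigError(ValueError):
    """Raised when a clientsProperties value cannot be resolved safely."""


def resolve_value(value, conf_dir, jndi_env):
    """Apply the two resolution rules to one clientsProperties value.

    conf_dir is the application's WEB-INF/conf directory; jndi_env is a dict
    standing in for the container's JNDI context (assumption of this example).
    """
    if value.startswith(CONF_MARKER):
        name = value[len(CONF_MARKER):]
        # The rule covers a *simple file name* only: refuse anything that could
        # walk out of WEB-INF/conf (separators, "." / "..", empty name).
        if not name or name in (".", "..") or "/" in name or "\\" in name:
            raise ConfigError(f"not a simple file name: {value!r}")
        path = Path(conf_dir) / name
        if not path.is_file():
            raise ConfigError(f"{name!r} not found in {conf_dir}")
        return str(path)
    if value.startswith(JNDI_PREFIX):
        resource = value[len(JNDI_PREFIX):]
        if resource not in jndi_env:
            raise ConfigError(f"JNDI resource not bound: {value!r}")
        return jndi_env[resource]
    return value  # plain value (entity ID, passwords, lifetime): passed through


def resolve_saml_properties(props, conf_dir, jndi_env):
    """Resolve the file-valued SAML properties; all other keys are copied as-is."""
    resolved = dict(props)
    for key in FILE_PROPERTIES:
        if key in resolved:
            resolved[key] = resolve_value(resolved[key], conf_dir, jndi_env)
    return resolved


def demo():
    """Resolve the example's clientsProperties against a constructed WEB-INF/conf
    directory and report which values were accepted or rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = Path(tmp) / "WEB-INF" / "conf"
        conf_dir.mkdir(parents=True)
        # Constructed placeholder files; a real deployment holds the service
        # provider keystore and the identity provider's SAML metadata here.
        (conf_dir / "saml-keystore.jks").write_bytes(b"\xfe\xed\xfe\xed")
        (conf_dir / "saml-keycloak.xml").write_text("<EntityDescriptor/>")

        props = {
            "saml.serviceProviderEntityId": "clientId",
            "saml.keystorePath": "conf:saml-keystore.jks",
            "saml.keystorePassword": "secret",
            "saml.privateKeyPassword": "secret",
            "saml.identityProviderMetadataPath": "conf:saml-keycloak.xml",
            "saml.maximumAuthenticationLifetime": "3600",
        }
        # Simulated JNDI binding for the commented-out alternative in the example.
        jndi_env = {"samlDescriptor": "https://idp.example.org/saml/descriptor"}

        resolved = resolve_saml_properties(props, str(conf_dir), jndi_env)
        outcome = {
            "keystore_resolved": resolved["saml.keystorePath"] == str(conf_dir / "saml-keystore.jks"),
            "metadata_resolved": resolved["saml.identityProviderMetadataPath"] == str(conf_dir / "saml-keycloak.xml"),
            "entity_id_untouched": resolved["saml.serviceProviderEntityId"] == "clientId",
            "jndi_resolved": resolve_value("java:comp/env/url/samlDescriptor", str(conf_dir), jndi_env),
        }
        # Values that must not be accepted: traversal, empty name, missing file, unbound JNDI name.
        for bad in ("conf:../web.xml", "conf:", "conf:missing.xml", "java:comp/env/url/other"):
            try:
                resolve_value(bad, str(conf_dir), jndi_env)
                outcome[bad] = "accepted"
            except ConfigError:
                outcome[bad] = "rejected"
        return outcome


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

Running the script prints one line per value; the two "conf:" files and the JNDI name from the example resolve, while the traversal attempt, the empty name, the missing file and the unbound JNDI resource each raise ConfigError rather than being passed to Pac4J.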
Note that with SAML authentication there is no notion of token expiration: the authentication remains valid at least until the Java EE session expires.
The default role generator (com.hardis.adelia.jee.security.RoleGenerator) is compatible with the SAML profiles. The parameters userNameClaim and rolesClaim are supported.
The example file above defines a minimal configuration of the security extension for a SAMLV2 authentication.
- saml.serviceProviderEntityId is your application's identifier (entity ID) as registered with the identity provider, which supplies it.
- saml.keystorePath indicates the keystore holding the key used to communicate with the identity provider (optional; Pac4j can generate a key automatically).
- saml.keystorePassword is the keystore password.
- saml.keystoreAlias is the alias of the private key to use when the keystore contains more than one.
- saml.privateKeyPassword is the password of the private key.
- saml.identityProviderMetadataPath is the path to the identity provider's metadata (description) file.
- saml.maximumAuthenticationLifetime is the maximum age, in seconds, of an identity provider authentication that Pac4J accepts in an assertion; beyond it, a new authentication is explicitly triggered.
Refer to the "PropertiesConfigFactory" parameters in the online documentation (http://www.pac4j.org/3.9.x/docs/config.html) for the other accepted parameters.