{"id":8956,"date":"2013-10-24T10:48:22","date_gmt":"2013-10-24T15:48:22","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=8956"},"modified":"2015-12-29T16:39:11","modified_gmt":"2015-12-29T21:39:11","slug":"jboss-picketlink","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=8956","title":{"rendered":"JBoss PicketLink SAML SSO with ADFS"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tEnvironment<\/a>\n\t<\/li>\n\t
  2. \n\t\tPrepare<\/a>\n\t<\/li>\n\t
  3. \n\t\tDownload PicketLink<\/a>\n\t<\/li>\n\t
  4. \n\t\tGenerate JKS Keystore<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tGenerate keystore using Java keytool<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tGenerate keystore using Portecle<\/a>\n\t\t\t\t
        \n\t\t\t\t\t
      1. \n\t\t\t\t\t\tGenerate New Key Store<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      2. \n\t\t\t\t\t\tGenerate CSR<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      3. \n\t\t\t\t\t\tImport CA Reply<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t
      4. \n\t\t\t\tConfigure Keystore on JBoss AS<\/a>\n\t\t\t<\/li>\n\t\t\t
      5. \n\t\t\t\tSetup NTP<\/a>\n\t\t\t<\/li>\n\t\t\t
      6. \n\t\t\t\tExport ADFS Token Signing Cert<\/a>\n\t\t\t<\/li>\n\t\t\t
      7. \n\t\t\t\tCreate AD FS Trust Store<\/a>\n\t\t\t<\/li>\n\t\t\t
      8. \n\t\t\t\tInstall PicketLink Library Files<\/a>\n\t\t\t\t
          \n\t\t\t\t\t
        1. \n\t\t\t\t\t\tCopy Jar Files to JBoss common lib Directory<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        2. \n\t\t\t\t\t\tAuthorize PicketLink jar Files<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        3. \n\t\t\t\t\t\tConfigure PicketLink Authenticator<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        4. \n\t\t\t\t\t\tConfigure login.module<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        5. \n\t\t\t\t\t\tConfigure PicketLink Properties<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
        6. \n\t\t\t\t\t\tCopy ADFS Signing Keystore<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
        7. \n\t\t\t\tConfigure WAR (hw.war) Deployment<\/a>\n\t\t\t\t
            \n\t\t\t\t\t
          1. \n\t\t\t\t\t\tCreate a Test Web App<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          2. \n\t\t\t\t\t\tConfigure Application Security Constraints<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          3. \n\t\t\t\t\t\tConfigure login module<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          4. \n\t\t\t\t\t\tFinal web.xml File<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          5. \n\t\t\t\t\t\tUpdate Security Domain<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          6. \n\t\t\t\t\t\tCreate WEB-INF\/context.xml<\/em> File<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          7. \n\t\t\t\t\t\tCreate WEB-INF\/picketlink.xml<\/em> File<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
          8. \n\t\t\t\tCreate ADFS relying party named jboss01-PicketLink<\/strong><\/a>\n\t\t\t\t
              \n\t\t\t\t\t
            1. \n\t\t\t\t\t\tAdd Claim Rule for SAM-Account-Name<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            2. \n\t\t\t\t\t\tAdd Claim Rule for Name ID<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            3. \n\t\t\t\t\t\tAdd Claim Rule for Role<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            4. \n\t\t\t\t\t\tAdd SAML Logout Endpoint<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
            5. \n\t\t\t\tTest<\/a>\n\t\t\t\t
                \n\t\t\t\t\t
              1. \n\t\t\t\t\t\tIDP Initiated Sign on URL<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
              2. \n\t\t\t\t\t\tSAML Tracer<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
              3. \n\t\t\t\t\t\tPicketLink Logging Level<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
              4. \n\t\t\t\tIssues<\/a>\n\t\t\t\t
                  \n\t\t\t\t\t
                1. \n\t\t\t\t\t\tkeytool Import Error<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                2. \n\t\t\t\t\t\tMSIS7004<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                3. \n\t\t\t\tReferences<\/a>\n\t\t\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
                   <\/div>\n

                  Environment<\/h2><\/span>\n

                  * JBoss 5.1.0.GA or JBoss 4.2.2.GA
                  \n* Centos version:<\/p>\n

                  \r\n[root@jboss01 ~]# cat \/etc\/redhat-release\r\nCentOS release 5.7 (Final)\r\n[root@jboss01 ~]# uname -m\r\nx86_64\r\n<\/pre>\n
                  * Java version:<\/p>\n
                  \r\njava version \"1.6.0_24\"\r\nOpenJDK Runtime Environment (IcedTea6 1.11.11.90) (rhel-1.41.1.11.11.90.el5_9-x86_64)\r\nOpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)\r\n<\/pre>\n
                  Prepare<\/h2><\/span>\n
                  * Install JBoss 5.1 AS. See this post<\/a> for details.<\/p>\n
                  Download PicketLink<\/h2><\/span>\n
                  * Download version v2.1.8.Final<\/em> from here<\/a>
                  \n– Core jar: picketlink-core-2.1.8.Final.jar<\/em>
                  \n– Binding jar for AS 5.x: picketlink-jbas5-2.1.8.Final.jar<\/em>
                  \n* For JBOss 4.2.2.GA, also download jboss-security-spi-3.0.0.Final.jar<\/em> from                   here<\/a><\/p>\n
                  Generate JKS Keystore<\/h2><\/span>\n
                  Generate keystore using Java keytool<\/h3><\/span>\n
                  * Generate private key:<\/p>\n
                  \r\nkeytool -genkey -alias jboss01 -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -keystore jboss01.jks -storepass Welcome1 -keypass Welcome1 -dname \"CN=jboss01.mytest.local, OU=Lab, O=My Test, L=Reston, S=Virginia, C=US\" -validity 360\r\n<\/pre>\n
                  * Generate CSR:<\/p>\n
                  \r\nkeytool -certreq -alias jboss01 -sigalg SHA1withRSA -file jboss01.csr -keystore jboss01.jks -storepass Welcome1 \r\n<\/pre>\n
                  * Send CSR to CA for signing.
                  \n* Import signed certificate:<\/p>\n
                  \r\nkeytool -import -v -keystore jboss01.jks -alias jboss01 -storepass Welcome1 -file jboss01.p7b\r\n<\/pre>\n
                  Generate keystore using Portecle<\/h3><\/span>\n
                  * Download Portecle from http:\/\/sourceforge.net\/projects\/portecle\/<\/a>
                  \n* Start Portecle:
                  \njava -jar portecle.jar<\/em><\/p>\n
                  Generate New Key Store<\/h4><\/span>\n
                  * Select File > New Keystore…<\/em><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Select JKS as store type:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Select Tools > Generate Key Pair…<\/em> and select:
                  \n– Key Algorithm: RSA<\/em>
                  \n– Key Size: 2048<\/em><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Enter CN for the new key:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Enter alias for the new key:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Keystore pass (e.g. Welcome1):<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Keystore generated:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Save keystore file jboss01.jks:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Set Keystore file password (e.g. Welcome1):<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  Generate CSR<\/h4><\/span>\n
                  * Right click keystore entry and select Generate Certification Request<\/em>
                  \n– File Name: jboss01_mytest_local.csr<\/em>
                  \n* Submit to CA for signing<\/p>\n
                  Import CA Reply<\/h4><\/span>\n
                  * Import CA reply:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  Configure Keystore on JBoss AS<\/h2><\/span>\n
                  * Copy jboss01.jks<\/em> to $JBOSS_HOME\/server\/default\/conf<\/em>
                  \n* Config JBoss AS to use the keystore
                  \nvi $JBOSS_HOME\/server\/default\/deploy\/jbossweb.sar\/server.xml<\/em><\/p>\n
                  \r\n\r\n<\/pre>\n
                  * Restart JBoss
                  \n* Open port 8443<\/p>\n
                  \r\n-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT\r\nservice iptables restart\r\n<\/pre>\n
                  * Check https connection:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  Setup NTP<\/h2><\/span>\n
                  * All servers should setup NTP clients.<\/p>\n
                  Export ADFS Token Signing Cert<\/h2><\/span>\n
                  * Go to: AD FS 2.0 console, open AD FS 2.0 > Service > Certificates<\/em>
                  \n* Select: Token-signing certificate > View Certificate<\/em><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Install as Trusted Root Certificate if prompted<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Select: Token-signing certificate > View Certificate > Details<\/em>
                  \n* Click Copy to File…<\/em><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Select Base-64 encoded X.509 (.CER)<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * File name: adfs2_tokenSigning.cer<\/strong><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  Create AD FS Trust Store<\/h2><\/span>\n
                  * Generate a new key store
                  \n* Generate a new key pair with CN: jboss01_adfs_sign.mytest.local<\/strong><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Save as file name: jboss01_adfs_sign.jks<\/strong> with password, e.g. Welcome1<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Import ADFS token signing certificate, i.e. adfs2_tokenSigning.cer<\/em> created previously.
                  \n– Select Tools > Import Trusted Certificate…<\/em>
                  \n– Enter Alias: adfs01-sign<\/strong><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Export keystore certificate. The certificate is used as encryption certificate by ADFS2:
                  \n– Right click keystore, select Export<\/em> then select PEM Encoded<\/em>:<\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  * Enter file name: jboss01_token_enc.cer<\/strong><\/p>\n
                  \"\"<\/a><\/h6><\/span>\n
                  Install PicketLink Library Files<\/h2><\/span>\n
                  Copy Jar Files to JBoss common lib Directory<\/h3><\/span>\n
                  * Copy following files to $JBOSS_HOME\/common\/lib directory
                  \n– picketlink-core-2.1.8.Final.jar<\/em>
                  \n– picketlink-jbas5-2.1.8.Final.jar<\/em>
                  \n* For JBoss 4.2.2, copy instead<\/em> to $JBOSS_HOME\/server\/default\/lib<\/em> directory:
                  \n– picketlink-core-2.1.8.Final.jar<\/em>
                  \n– picketlink-jbas5-2.1.8.Final.jar<\/em>
                  \n– jboss-security-spi-3.0.0.Final.jar<\/em>
                  \n* Setup file permissions:<\/p>\n
                  \r\nchmod 644 picketlink*jar\r\n<\/pre>\n
                  Authorize PicketLink jar Files<\/h3><\/span>\n
                  * For EAP 5.1, edit $JBOSS_HOME\/bin\/security_cc.policy<\/em> and grant permission to PicketLink jar files:<\/p>\n
                  \r\n\/\/ Picketlink libraries\r\ngrant codeBase \"file:${jboss.home.dir}\/common\/lib\/picketlink-core-2.1.7.jar\" {\r\n   permission java.security.AllPermission;\r\n};\r\ngrant codeBase \"file:${jboss.home.dir}\/common\/lib\/picketlink-jbas5-2.1.7.jar\" {\r\n   permission java.security.AllPermission;\r\n};\r\n<\/pre>\n
                  Configure PicketLink Authenticator<\/h3><\/span>\n
                  * Add to $JBOSS_HOME\/server\/default\/deployers\/jbossweb.deployer\/META-INF\/war-deployers-jboss-beans.xml<\/em> after the BASIC<\/em> entry:<\/p>\n
                  \r\n\r\n   SAML_FEDERATION<\/key>\r\n   org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator<\/value>\r\n<\/entry>\r\n<\/pre>\n
                  * For JBoss 4.2.2, add instead<\/em> to $JBOSS_HOME\/server\/default\/deploy\/jboss-web.deployer\/META-INF\/jboss-service.xml<\/em>:<\/p>\n
                  \r\n\t \r\n\t   SAML_FEDERATION<\/java:key>\r\n\t   org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator<\/java:value>\r\n\t<\/java:property>\r\n<\/pre>\n
                  Configure login.module<\/h3><\/span>\n
                  * Setup a PicketLink SAML2 Login Module by adding to $JBOSS_HOME\/server\/default\/conf\/login-config.xml<\/em>:<\/p>\n
                  \r\n\r\n  \r\n\t\r\n  <\/authentication>\r\n<\/application-policy>\r\n<\/pre>\n
                  Configure PicketLink Properties<\/h3><\/span>\n
                  * Create a directory named \/home\/jboss\/picketlink<\/strong> to place PicketLink property file.
                  \n* Create a file named picketlink.properties<\/strong> in the newly created directory with the following content:<\/p>\n
                  \r\n# Identity Provider configuration\r\npicketlink.idp.domain=mytest.local\r\npicketlink.idp.public.fqdn=adfs01.mytest.local\r\npicketlink.idp.public.url=https:\/\/adfs01.mytest.local\/adfs\/ls\/\r\n\r\n# Service Provider configuration\r\npicketlink.sp.public.fqdn=jboss01.mytest.local\r\npicketlink.sp.public.port=8443\r\n\r\n# Trust Store configuration\r\npicketlink.truststore.url=file:\/\/\/home\/jboss\/picketlink\/jboss01_adfs_sign.jks\r\npicketlink.truststore.password=Welcome1\r\npicketlink.truststore.idp.alias=adfs01-sign\r\n<\/pre>\n
                  * Setup file permissions:<\/p>\n
                  \r\nchmod 400 picketlink.properties\r\n<\/pre>\n
                  * Expose picketlink.properties file by adding to $JBOSS_HOME\/server\/default\/deploy\/properties-service.xml<\/em> file’s SystemPropertiesService<\/em> mbean:<\/p>\n
                  \r\n    \r\n        \/home\/jboss\/picketlink\/picketlink.properties\r\n    <\/attribute>\r\n<\/pre>\n
                  Copy ADFS Signing Keystore<\/h3><\/span>\n
                  * Copy jbooss01_adfs_sign.jks<\/em> to \/home\/jboss\/picketlink<\/em> directory<\/p>\n
                  Configure WAR (hw.war) Deployment<\/h2><\/span>\n
                  Create a Test Web App<\/h3><\/span>\n
                  * Create a temp directory to host all files
                  \n* Create a jsp file named default.jsp<\/strong>:<\/p>\n
                  \r\n\r\n\r\nJSP Test<\/title>\r\n<%\r\nString userId = null;\r\nif (request.getUserPrincipal() != null){\r\n  userId = request.getUserPrincipal().getName();\r\n}else{\r\n  userId = request.getRemoteUser();\r\n}\r\n\r\nif (userId == null){\r\n  userId = \"World\";\r\n}\r\n\r\nString message = \"Hello, \" + userId;\r\n%>\r\n<\/head>\r\n<body>\r\n<span id=\"_29\"><h2><%= message%><\/h2><\/span>\r\n<% if (request.isUserInRole(\"SAMLUser\")){ %>\r\n<br\/>\r\nRole: SAMLUser\r\n<%}%>\r\n<br\/>\r\n<a href=\"https:\/\/adfs01.mytest.local\/adfs\/ls\/?wa=wsignout1.0\">Logout<\/a>\r\n<\/body>\r\n<\/html>\r\n<\/pre>\n<p>* Create a new directory named <strong>WEB-INF<\/strong><br \/>\n* Create a new file named <strong>web.xml<\/strong>:<\/p>\n<pre lang=\"xml\">\r\n<web-app>\r\n    <display-name>Hello World<\/display-name>\r\n<\/web-app> \r\n<\/pre>\n<p>* Jar all files into war file:<\/p>\n<pre lang=\"java\">\r\n\"%JAVA_HOME%\\jar\" -cvf hw.war *\r\n<\/pre>\n<p>* Copy hw.war file to <em>$JBOSS_HOME\/server\/default\/deploy<\/em> directory<\/p>\n<pre lang=\"java\">\r\n$JAVA_HOME\/bin\/jar -cvf hw.war *\r\n\r\n# Win\r\n\"%JAVA_HOME%\/bin\/jar\" -cvf hw.war *\r\n<\/pre>\n<p>* Check that page is displayed properly.<\/p>\n<span id=\"Configure_Application_Security_Constraints\"><h3>Configure Application Security Constraints<\/h3><\/span>\n<p>* Add to <em>web.xml<\/em>:<\/p>\n<pre lang=\"xml\">\r\n    <security-constraint>\r\n        <web-resource-collection>\r\n            <web-resource-name>All Pages<\/web-resource-name>\r\n            <url-pattern>\/*<\/url-pattern>\r\n        <\/web-resource-collection>\r\n        <auth-constraint>\r\n            <role-name>SAMLUser<\/role-name>\r\n        <\/auth-constraint>\r\n        <user-data-constraint>\r\n            <transport-guarantee>CONFIDENTIAL<\/transport-guarantee>\r\n        <\/user-data-constraint>\r\n    <\/security-constraint>\r\n\r\n    <security-role>\r\n        <role-name>SAMLUser<\/role-name>\r\n    <\/security-role>\r\n<\/pre>\n<p>* Add to <em>web.xml<\/em> a new constraint to act as SAML <em>Assertion Consumer Service<\/em>.<br \/>\n– <em>url-pattern<\/em> is not significant and does not map to any actual resource:<\/p>\n<pre lang=\"xml\">\r\n    <security-constraint>\r\n        <web-resource-collection>\r\n            <web-resource-name>SAML HW<\/web-resource-name>\r\n            <url-pattern>\/saml-hw<\/url-pattern>\r\n        <\/web-resource-collection>\r\n        <auth-constraint>\r\n            <role-name>*<\/role-name>\r\n        <\/auth-constraint>\r\n        <user-data-constraint>\r\n            <transport-guarantee>CONFIDENTIAL<\/transport-guarantee>\r\n        <\/user-data-constraint>\r\n    <\/security-constraint>\r\n<\/pre>\n<span id=\"Configure_login_module\"><h3>Configure login module<\/h3><\/span>\n<p>* Add to <em>web.xml<\/em><\/p>\n<pre lang=\"xml\">\r\n    <login-config>\r\n        <auth-method>SAML_FEDERATION<\/auth-method>\r\n        <realm-name>SAML Federation<\/realm-name>\r\n    <\/login-config>\r\n<\/pre>\n<span id=\"Final_web.xml_File\"><h3>Final web.xml File<\/h3><\/span>\n<pre lang=\"xml\">\r\n<web-app>\r\n\t<display-name>Hello World<\/display-name>\r\n    <security-constraint>\r\n        <web-resource-collection>\r\n            <web-resource-name>All Pages<\/web-resource-name>\r\n            <url-pattern>\/*<\/url-pattern>\r\n        <\/web-resource-collection>\r\n        <auth-constraint>\r\n            <role-name>SAMLUser<\/role-name>\r\n        <\/auth-constraint>\r\n        <user-data-constraint>\r\n            <transport-guarantee>CONFIDENTIAL<\/transport-guarantee>\r\n        <\/user-data-constraint>\r\n    <\/security-constraint>\r\n\r\n    <security-constraint>\r\n        <web-resource-collection>\r\n            <web-resource-name>SAML HW<\/web-resource-name>\r\n            <url-pattern>\/saml-hw<\/url-pattern>\r\n        <\/web-resource-collection>\r\n        <auth-constraint>\r\n            <role-name>*<\/role-name>\r\n        <\/auth-constraint>\r\n        <user-data-constraint>\r\n            <transport-guarantee>CONFIDENTIAL<\/transport-guarantee>\r\n        <\/user-data-constraint>\r\n    <\/security-constraint>\r\n\t\r\n    <login-config>\r\n        <auth-method>SAML_FEDERATION<\/auth-method>\r\n        <realm-name>SAML Federation<\/realm-name>\r\n    <\/login-config>\r\n    \r\n\t<security-role>\r\n        <role-name>SAMLUser<\/role-name>\r\n    <\/security-role>\r\n<\/web-app> \r\n<\/pre>\n<span id=\"Update_Security_Domain\"><h3>Update Security Domain<\/h3><\/span>\n<p>* Edit <em>WEB-INF\/jboss-web.xml<\/em> to use PicketLink login module defined previously:<\/p>\n<pre lang=\"xml\">\r\n<?xml version='1.0' encoding='UTF-8' ?>\r\n<!DOCTYPE jboss-web\r\n    PUBLIC \"-\/\/JBoss\/\/DTD Web Application 2.3V2\/\/EN\"\r\n    \"http:\/\/www.jboss.org\/j2ee\/dtd\/jboss-web_3_2.dtd\">\r\n<jboss-web>\r\n   <security-domain>java:\/jaas\/saml-federation-hw<\/security-domain>\r\n<\/jboss-web>\r\n<\/pre>\n<span id=\"Create_WEB-INFcontext.xml_File\"><h3>Create <em>WEB-INF\/context.xml<\/em> File<\/h3><\/span>\n<pre lang=\"xml\">\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<Context>\r\n    <Valve className=\"org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator\" \/>\r\n<\/Context>\r\n<\/pre>\n<span id=\"Create_WEB-INFpicketlink.xml_File\"><h3>Create <em>WEB-INF\/picketlink.xml<\/em> File<\/h3><\/span>\n<pre lang=\"xml\">\r\n<PicketLink xmlns=\"urn:picketlink:identity-federation:config:2.1\">\r\n    <PicketLinkSP xmlns=\"urn:picketlink:identity-federation:config:2.1\"\r\n            CanonicalizationMethod=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\r\n            BindingType=\"POST\"\r\n            IDPUsesPostBindings=\"true\"\r\n            SupportsSignatures=\"true\">\r\n        <IdentityURL>${picketlink.idp.public.url}<\/IdentityURL>\r\n        <ServiceURL>https:\/\/${picketlink.sp.public.fqdn}:${picketlink.sp.public.port}\/hw\/saml-hw<\/ServiceURL>\r\n        <Trust>\r\n            <Domains>${picketlink.idp.domain}<\/Domains>\r\n        <\/Trust>\r\n        <KeyProvider ClassName=\"org.picketlink.identity.federation.core.impl.KeyStoreKeyManager\">\r\n            <Auth Key=\"KeyStoreURL\" Value=\"${picketlink.truststore.url}\"\/>\r\n            <Auth Key=\"KeyStorePass\" Value=\"${picketlink.truststore.password}\"\/>\r\n            <Auth Key=\"SigningKeyAlias\" Value=\"NOTUSED\"\/>\r\n            <Auth Key=\"SigningKeyPass\" Value=\"NOTUSED\"\/>\r\n            <ValidatingAlias Key=\"${picketlink.idp.public.fqdn}\" Value=\"${picketlink.truststore.idp.alias}\"\/>\r\n        <\/KeyProvider>\r\n    <\/PicketLinkSP>\r\n\r\n    <Handlers xmlns=\"urn:picketlink:identity-federation:handler:config:2.1\">\r\n        <Handler class=\"org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler\" \/>\r\n        <Handler class=\"org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler\" \/>\r\n        <Handler class=\"org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler\" \/>\r\n        <Handler class=\"org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler\">\r\n            <Option Key=\"ROLE_KEY\" Value=\"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role\"\/>\r\n        <\/Handler>\r\n        <Handler class=\"org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler\"\/>\r\n    <\/Handlers>\r\n<\/PicketLink>\r\n<\/pre>\n<p>* Jar all files and deploy to JBoss as described previously.<\/p>\n<span id=\"Create_ADFS_relying_party_named_jboss01-PicketLink\"><h2>Create ADFS relying party named <strong>jboss01-PicketLink<\/strong><\/h2><\/span>\n<p>* Login ADFS server, e.g. <em>adfs01<\/em>, as domain administrator.<br \/>\n* Open AD FS 2.0 console<br \/>\n* Go to <em>AD FS 2.0 > Trust Relationships > Replying Party Trusts<\/em><br \/>\n* Right click and select <em>Add Relying Party Trust…<\/em><\/p>\n<h3Add Relying Party><\/h3>\n<p>* Click Start on Welcome page:<\/p>\n<span id=\"_30\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_welcome.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_welcome-300x114.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_welcome\" width=\"300\" height=\"114\" class=\"aligncenter size-medium wp-image-9023\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_welcome-300x114.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_welcome.jpg 994w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Select <em>Enter data about the relying party manually<\/em><\/p>\n<span id=\"_31\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_manually.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_manually-300x168.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_manually\" width=\"300\" height=\"168\" class=\"aligncenter size-medium wp-image-9024\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_manually-300x168.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_manually.jpg 713w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Enter<br \/>\n– Display name: <strong>jboss01.mytest.local:8443\/hw<\/strong><\/p>\n<span id=\"_32\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_displayName_8443.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_displayName_8443-300x139.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_displayName_8443\" width=\"300\" height=\"139\" class=\"aligncenter size-medium wp-image-9025\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_displayName_8443-300x139.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_displayName_8443.jpg 711w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Select AD FS 2.0 profile<\/p>\n<span id=\"_33\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_adfs2Profile.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_adfs2Profile-300x145.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_adfs2Profile\" width=\"300\" height=\"145\" class=\"aligncenter size-medium wp-image-9026\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_adfs2Profile-300x145.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_adfs2Profile.jpg 661w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* (Skip for now)Configure Certificate by browsing to <em>jboss01_token_enc.cer<\/em><\/p>\n<span id=\"_34\"><h6><\/h6><\/span>\n<p>* Select <em>Enable support for the SAML 2.0 WebSSO protocol<\/em> and enter:<br \/>\n– Replying party SAML 2.0 SSO service URL: <strong>https:\/\/jboss01.mytest.local:8443\/hw\/saml-hw<\/strong><br \/>\nand click Add button:<\/p>\n<span id=\"_35\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_URL.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_URL-300x164.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_URL\" width=\"300\" height=\"164\" class=\"aligncenter size-medium wp-image-9027\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_URL-300x164.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_URL.jpg 714w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* On <em>Configure Identifiers<\/em> screen, enter<br \/>\n– Relying party trust identifier: <strong>https:\/\/jboss01.mytest.local:8443\/hw\/saml-hw<\/strong><\/p>\n<span id=\"_36\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_identifier_8443.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_identifier_8443-300x140.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_identifier_8443\" width=\"300\" height=\"140\" class=\"aligncenter size-medium wp-image-9029\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_identifier_8443-300x140.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_identifier_8443.jpg 715w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* On Choose Issuance Authorization Rules, select:<br \/>\n– Permit all users to access this relying party<\/p>\n<span id=\"_37\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_issuance.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_issuance-300x140.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_issuance\" width=\"300\" height=\"140\" class=\"aligncenter size-medium wp-image-9031\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_issuance-300x140.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_issuance.jpg 714w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* On <em>Ready to Add Trust<\/em> screen, click <strong>Next><\/strong><br \/>\n* On Finish screen, select Open the Edit Claim Rules and click Close<\/p>\n<span id=\"_38\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_finish.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_finish-300x240.jpg\" alt=\"\" title=\"jboss01_adfs2_addRP_finish\" width=\"300\" height=\"240\" class=\"aligncenter size-medium wp-image-9030\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_finish-300x240.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addRP_finish.jpg 716w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Edit <em>Claim Rules for jboss01.mytest.local\/hw<\/em> opens<\/p>\n<span id=\"_39\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_start.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_start-300x274.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_start\" width=\"300\" height=\"274\" class=\"aligncenter size-medium wp-image-9035\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_start-300x274.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_start.jpg 489w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"Add_Claim_Rule_for_SAM-Account-Name\"><h3>Add Claim Rule for SAM-Account-Name<\/h3><\/span>\n<p>* Select <em>Issuance Transform Rules<\/em> tab<br \/>\n* Click <em>Add Rule…<\/em><br \/>\n* Select <em>Send LDAP Attributes as Claims<\/em><\/p>\n<span id=\"_40\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam-300x74.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_sam\" width=\"300\" height=\"74\" class=\"aligncenter size-medium wp-image-9033\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam-300x74.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam.jpg 654w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Enter:<br \/>\n– Claim rule name: <strong>Issue SAM-Account-Name<\/strong><br \/>\n– Attribute store: <strong>Active Directory<\/strong><br \/>\n– Mapping of LDAP attributes to outgoing claim types:<br \/>\nLDAP Attribute: <strong>SAM-Account-Name<\/strong><br \/>\nOutgoing Claim Type: <strong>http:\/\/mytest.local\/SAM-Account-Name<\/strong><\/p>\n<span id=\"_41\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam_detail.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam_detail-300x176.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_sam_detail\" width=\"300\" height=\"176\" class=\"aligncenter size-medium wp-image-9034\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam_detail-300x176.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sam_detail.jpg 713w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"Add_Claim_Rule_for_Name_ID\"><h3>Add Claim Rule for Name ID<\/h3><\/span>\n<p>* Select <em>Issuance Transform Rules<\/em> tab<br \/>\n* Click <em>Add Rule<\/em><br \/>\n* Select <em>Transform an Incoming Claim<\/em> and click <em>Next<\/em>:<\/p>\n<span id=\"_42\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim-300x67.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_transformIncomingClaim\" width=\"300\" height=\"67\" class=\"aligncenter size-medium wp-image-9036\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim-300x67.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim.jpg 713w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Configure claim rule:<br \/>\n– Claim rule name: <strong>Issue Name ID<\/strong><br \/>\n– Incoming claim type: <strong>http:\/\/mytest.local\/SAM-Account-Name<\/strong><br \/>\n– Outgoing claim type: <strong>Name ID<\/strong><br \/>\n– Outgoing name ID format: <strong>Transient Identifier<\/strong><br \/>\n– Select: <strong>Pass through all claim values<\/strong><\/p>\n<span id=\"_43\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim_detail.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim_detail-300x248.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_transformIncomingClaim_detail\" width=\"300\" height=\"248\" class=\"aligncenter size-medium wp-image-9037\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim_detail-300x248.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_transformIncomingClaim_detail.jpg 551w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Click <em>Finish<\/em><\/p>\n<span id=\"Add_Claim_Rule_for_Role\"><h3>Add Claim Rule for Role<\/h3><\/span>\n<p>* Still on Issuance Transform Rules tab<br \/>\n* Click Add Rule…<br \/>\n* Select <em>Send Group Membership as a Claim<\/em>:<\/p>\n<span id=\"_44\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp-300x124.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_sendGrp\" width=\"300\" height=\"124\" class=\"aligncenter size-medium wp-image-9038\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp-300x124.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp.jpg 718w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Configure claim rule:<br \/>\n– Claim rule name: <strong>Issue SAMLUser<\/strong><br \/>\n– User’s group: <strong>MYTEST\\SAML Group<\/strong> (note this is an <em>existing<\/em> group in MYTEST domain)<br \/>\n– Outgoing claim type: <strong>Role<\/strong><br \/>\n– Outgoing claim value: <strong>SAMLUser<\/strong> (note that this need to match the role as defined in web application’s <em>web.xml<\/em> file)<\/p>\n<span id=\"_45\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp_detail.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp_detail-300x164.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_sendGrp_detail\" width=\"300\" height=\"164\" class=\"aligncenter size-medium wp-image-9039\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp_detail-300x164.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_sendGrp_detail.jpg 713w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Click <em>Finish<\/em><br \/>\n* Click <em>OK<\/em> to add the newly configured Relying Party. Three rules are shown:<\/p>\n<span id=\"_46\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_overviewl.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_overviewl-300x86.jpg\" alt=\"\" title=\"jboss01_adfs2_addClaimRule_overviewl\" width=\"300\" height=\"86\" class=\"aligncenter size-medium wp-image-9040\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_overviewl-300x86.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_addClaimRule_overviewl.jpg 481w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"Add_SAML_Logout_Endpoint\"><h3>Add SAML Logout Endpoint<\/h3><\/span>\n<p>* From AD FS 2.0 console, go to <em>AD FS 2.0 > Trust Relationships > Relying Party Trusts<\/em><br \/>\n* Right click <em>jboss01.mytest.local:8443\/hw<\/em> relying party and select <em>Properties<\/em><br \/>\n* Select <em>Endpoints<\/em> tab and click <em>Add<\/em><br \/>\n* On Add an Endpoint screen, enter:<br \/>\n– Endpoint type: <em>SAML Logout<\/em><br \/>\n– Binding = <em>POST<\/em><br \/>\n– URL: <em>https:\/\/jboss01.mytest.local:8443\/hw\/signout.jsp<\/em> # This is the application logout page and should not be protected.<br \/>\n– Response URL: <Can be left empty><\/p>\n<span id=\"_47\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_add_LogoutEndPoint2.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_add_LogoutEndPoint2-300x296.jpg\" alt=\"\" title=\"jboss01_adfs2_add_LogoutEndPoint2\" width=\"300\" height=\"296\" class=\"aligncenter size-medium wp-image-9059\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_add_LogoutEndPoint2-300x296.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_add_LogoutEndPoint2.jpg 621w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Click <em>OK<\/em> twice.<br \/>\n* Add logout URL on web site logout link: <em>https:\/\/adfs01.mytest.local\/adfs\/ls\/?wa=wsignout1.0<\/em><\/p>\n<span id=\"Test\"><h2>Test<\/h2><\/span>\n<p>* Import <em>MytestRootCA.cer<\/em> as <em>Trusted Root Certificate Authorities<\/em><br \/>\n* Point browser to <a href=\"https:\/\/jboss01.mytest.local:8443\/hw\">https:\/\/jboss01.mytest.local:8443\/hw\/default.jsp<\/a><br \/>\n* Enter username and password when prompted.<br \/>\n– Note that you will not be prompted for username and password if you logged into a domain computer.<\/p>\n<span id=\"_48\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_signin.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_signin-300x165.jpg\" alt=\"\" title=\"jboss01_adfs2_test_signin\" width=\"300\" height=\"165\" class=\"aligncenter size-medium wp-image-9052\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_signin-300x165.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_signin.jpg 424w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* The page is displayed:<\/p>\n<span id=\"_49\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_loggedin.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_loggedin.jpg\" alt=\"\" title=\"jboss01_adfs2_test_loggedin\" width=\"175\" height=\"110\" class=\"aligncenter size-full wp-image-9053\" \/><\/a><\/h6><\/span>\n<p>* Click the Logout link, ADFS logout page is displayed:<\/p>\n<span id=\"_50\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_loggedout.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_loggedout-300x127.jpg\" alt=\"\" title=\"jboss01_adfs2_test_loggedout\" width=\"300\" height=\"127\" class=\"aligncenter size-medium wp-image-9054\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_loggedout-300x127.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/10\/jboss01_adfs2_test_loggedout.jpg 613w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"IDP_Initiated_Sign_on_URL\"><h3>IDP Initiated Sign on URL<\/h3><\/span>\n<p>* <a href=\"https:\/\/adfs01.mytest.local\/adfs\/ls\/IdpInitiatedSignOn.aspx\">https:\/\/adfs01.mytest.local\/adfs\/ls\/IdpInitiatedSignOn.aspx<\/a><\/p>\n<span id=\"SAML_Tracer\"><h3>SAML Tracer<\/h3><\/span>\n<p>* Install SAML Tracer Addon for Firefox<br \/>\n* Open SAML Tracer console from <em>Tools > SAML tracer<\/em><br \/>\n* Example:<\/p>\n<pre lang=\"xml\">\r\n<samlp:Response ID=\"_4d71a2dd-b0b9-4e19-a0c1-a1718adb6f1f\"\r\n                Version=\"2.0\"\r\n                IssueInstant=\"2013-10-01T23:41:10.278Z\"\r\n                Destination=\"https:\/\/jboss01.mytest.local:8443\/hw\/saml-hw\"\r\n                Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\"\r\n                InResponseTo=\"ID_8af19346-3479-4eac-9076-2b37f6d2c31f\"\r\n                xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\r\n                >\r\n    <Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http:\/\/adfs01.mytest.local\/adfs\/services\/trust<\/Issuer>\r\n    <samlp:Status>\r\n        <samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\" \/>\r\n    <\/samlp:Status>\r\n    <Assertion ID=\"_610520ab-d49d-49cc-95fb-c82bcf555af8\"\r\n               IssueInstant=\"2013-10-01T23:41:10.277Z\"\r\n               Version=\"2.0\"\r\n               xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"\r\n               >\r\n        <Issuer>http:\/\/adfs01.mytest.local\/adfs\/services\/trust<\/Issuer>\r\n        <ds:Signature xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">\r\n            <ds:SignedInfo>\r\n                <ds:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\" \/>\r\n                <ds:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256\" \/>\r\n                <ds:Reference URI=\"#_610520ab-d49d-49cc-95fb-c82bcf555af8\">\r\n                    <ds:Transforms>\r\n                        <ds:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\" \/>\r\n                        <ds:Transform Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\" \/>\r\n                    <\/ds:Transforms>\r\n                    <ds:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256\" \/>\r\n                    <ds:DigestValue>M2oIWu3zrkQxt8t\/ARsSkape8m3nUNb8u0F9OiSVqy0=<\/ds:DigestValue>\r\n                <\/ds:Reference>\r\n            <\/ds:SignedInfo>\r\n            <ds:SignatureValue>aLInCoeyPfAA5Yt+ppCCr0vR4c2\/g2gFf8WtosdzNQgeewwhTNGQKF+DIK3OpkhiIlHZ8v58S+QO5DH5KeJ8NjuhIgujVNIbDev6+6eneIuXVx2HUZZwH8zhdj\/MT8Pir0BQq8\/BtC8wHzDWmyxmRH0fJ8rZ479ODJzqABWxdkPhkDoiIRiCrjCyZekGnwVlfi9tCVCs1Xs50txkOTpbQLODQf4PyLWzhZPghcNkrR1M8r9e+J3\/mtGAQHKeHI\/Ih\/WRic+nDHpPKi4PBAUZFcwQCkqku2SrQXecQJ3eLfZA6ujYJHSWHzoMuTFFRLY0Hnuwc3sMmZLbxLx7asrJVQ==<\/ds:SignatureValue>\r\n            <KeyInfo xmlns=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">\r\n                <ds:X509Data>\r\n                    <ds:X509Certificate>MIIC4jCCAcqgAwIBAgIQaJY2+PWHmZxBo3mRmD1JCzANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJBREZTIFNpZ25pbmcgLSBhZGZzMDEubXl0ZXN0LmxvY2FsMB4XDTEzMDkyODIzNDQxMloXDTE0MDkyODIzNDQxMlowLTErMCkGA1UEAxMiQURGUyBTaWduaW5nIC0gYWRmczAxLm15dGVzdC5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKuuRT6vQ+XuzEq69yGlIsyttykycdOOf85VEZ7OKnFMN4H6zpp+OrjhFI4GBhjBIrX+BcgGauan18DPOs9mVl7AYS1iLtZay6cJ\/Nz8O5m66TPiB+k07pu6SdE23WOzxVotf6jwY8b+9DtDcy6ck3yCUBIHIpJ8dgn7we4\/yPFWY5ARHBJ0s5rsP2sDO3SQNz2ZZ9bKZxePnoScFDoM5mK0BOBqQuxGKi\/YtF+JdfYG5V1OuHlx3Oe0Ybyx9xSKdP1NAjbvWMrN3SptbBLixOguXTEkfAzYB6UZKi183yElV\/VogMGixRVu38a4R3w4yyXlYcshH7hwP07L4+hodTUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAolGuUbbv+d0E3OvjCDunOJVznYSAnca3HBToWItwHbM0MvXaft\/Kq+CV+vrPuaVM+n\/RJndqzMY5PUDAInOmVM72BGyKhgl8C899PfClsLcKBLQJciTRHRekLLv66wp2lFlF3VVaRc+U+6tQFW62l2ITAdyPp34NEk5TQVBh9A5L03WdMkiWJzXRGob8lTuFmBc15FUFE+noqT5Q+EP8LU5t54\/KaEr+9vLNqR6pCJePemHOZLXcxozSmMUEuCfi551g875TBT88feSVWBuW6FqfrTFPD9i4Lub5TjDPZ0S9zHuePzFjJ6KvLadtDva+r4aNV+NUR5UT5loJcVnqVQ==<\/ds:X509Certificate>\r\n                <\/ds:X509Data>\r\n            <\/KeyInfo>\r\n        <\/ds:Signature>\r\n        <Subject>\r\n            <NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\">Jimmy.Li<\/NameID>\r\n            <SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\r\n                <SubjectConfirmationData InResponseTo=\"ID_8af19346-3479-4eac-9076-2b37f6d2c31f\"\r\n                                         NotOnOrAfter=\"2013-10-01T23:46:10.278Z\"\r\n                                         Recipient=\"https:\/\/jboss01.mytest.local:8443\/hw\/saml-hw\"\r\n                                         \/>\r\n            <\/SubjectConfirmation>\r\n        <\/Subject>\r\n        <Conditions NotBefore=\"2013-10-01T23:41:09.507Z\"\r\n                    NotOnOrAfter=\"2013-10-02T00:41:09.507Z\"\r\n                    >\r\n            <AudienceRestriction>\r\n                <Audience>https:\/\/jboss01.mytest.local:8443\/hw\/saml-hw<\/Audience>\r\n            <\/AudienceRestriction>\r\n        <\/Conditions>\r\n        <AttributeStatement>\r\n            <Attribute Name=\"http:\/\/mytest.local\/SAM-Account-Name\">\r\n                <AttributeValue>Jimmy.Li<\/AttributeValue>\r\n            <\/Attribute>\r\n            <Attribute Name=\"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role\">\r\n                <AttributeValue>SAMLUser<\/AttributeValue>\r\n            <\/Attribute>\r\n        <\/AttributeStatement>\r\n        <AuthnStatement AuthnInstant=\"2013-10-01T23:41:09.455Z\"\r\n                        SessionIndex=\"_610520ab-d49d-49cc-95fb-c82bcf555af8\"\r\n                        >\r\n            <AuthnContext>\r\n                <AuthnContextClassRef>urn:federation:authentication:windows<\/AuthnContextClassRef>\r\n            <\/AuthnContext>\r\n        <\/AuthnStatement>\r\n    <\/Assertion>\r\n<\/samlp:Response>\r\n<\/pre>\n<span id=\"PicketLink_Logging_Level\"><h3>PicketLink Logging Level<\/h3><\/span>\n<p>* Replace log4j jar file in the <em>server\/default\/lib<\/em> directory with <em>log4j-1.2.17.jar<\/em><br \/>\n* For JBoss 4.2.2, logging file is <em>server\/default\/conf\/jboss-log4j.xml<\/em><br \/>\n* Duplicate <em>CONSOLE<\/em> appender and name it <strong>CONSOLE2<\/strong>.<br \/>\n– Also set <em>Threshold<\/em> value to <strong>TRACE<\/strong>:<\/p>\n<pre lang=\"xml\">\r\n   <appender name=\"CONSOLE2\" class=\"org.apache.log4j.ConsoleAppender\">\r\n      <errorHandler class=\"org.jboss.logging.util.OnlyOnceErrorHandler\"\/>\r\n      <param name=\"Target\" value=\"System.out\"\/>\r\n      <param name=\"Threshold\" value=\"TRACE\"\/>\r\n\r\n      <layout class=\"org.apache.log4j.PatternLayout\">\r\n         <!-- The default pattern: Date Priority [Category] Message\\n -->\r\n         <param name=\"ConversionPattern\" value=\"%d{ABSOLUTE} %-5p [%c{1}] %m%n\"\/>\r\n      <\/layout>\r\n   <\/appender>\r\n<\/pre>\n<p>* Set logging level to <strong>TRACE<\/strong> for <em>org.picketlink<\/em> category and <em>appender<\/em> to <strong>CONSOLE2<\/strong>:<\/p>\n<pre lang=\"xml\">\r\n   <category name=\"org.picketlink\">\r\n      <priority value=\"TRACE\" \/>\r\n      <appender-ref ref=\"CONSOLE2\"\/>\r\n   <\/category>\r\n<\/pre>\n<span id=\"Issues\"><h2>Issues<\/h2><\/span>\n<span id=\"keytool_Import_Error\"><h3>keytool Import Error<\/h3><\/span>\n<p>* I copied ADFS signing certificate from ADFS metadata URL (https:\/\/hostname\/federationmetadata\/2007-06\/federationmetadata.xml) and tried to do an import with<\/p>\n<pre lang=\"bash\">\r\nkeytool -import -v -keystore samTrust.jks -alias adfs -sotrepass changeit -file adfs_sign.cer\r\n<\/pre>\n<p>* Error message:<\/p>\n<pre lang=\"bash\">\r\nkeytool error: java.lang.Exception: Input not an x.509 certificate\r\n<\/pre>\n<p>* Solution: enclose the copied token signing certificate with<\/p>\n<pre lang=\"bash\">\r\n-----BEGIN CERTIFICATE-----\r\ntoken signing cert string goes here\r\n-----END CERTIFICATE-----\r\n<\/pre>\n<span id=\"MSIS7004\"><h3>MSIS7004<\/h3><\/span>\n<p>* Error message in <em>Event Viewer > Application and Services > AD FS 2.0 > Admin<\/em>:<\/p>\n<pre>\r\nIdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service\r\n<\/pre>\n<p>* Solutions:<br \/>\n– I got this error because all my ADFS 2.0 certificates (IIS cert, signing cert, encryption cert) expired. You need to renew all certificates. See <a href=\"?p=7261#Renew_Certificates\">this post<\/a> on how to renew ADFS 2.0 certificates.<br \/>\n– Also you need to enable net.tcp protocol for IIS sites. See this <a href=\"https:\/\/social.msdn.microsoft.com\/Forums\/vstudio\/en-US\/b6ab634b-71b8-46eb-9a49-d33113678aba\/adfs-20-and-the-msis7004-exception?forum=Geneva\">discussion<\/a> and quoted here:<\/p>\n<pre>\r\nYou need to add net.tcp to the enabled protocols of your site. Go to IIS Manager, right-click on your website, go to 'Manage Web Site' or 'Manage Application', then to 'Advanced Settings...'. There you see 'Enabled Protocols'. It probably says http. Change it to http,net.tcp\r\n<\/pre>\n<p>.<\/p>\n<span id=\"References\"><h2>References<\/h2><\/span>\n<p>* <a href=\"http:\/\/www.jboss.org\/picketlink\/downloads\">PicketLink Download<\/a><br \/>\n* <a href=\"http:\/\/docs.jboss.org\/picketlink\/2\/2.1.7.Final\/reference\/html_single\/\">PicketLink 2.1.7 Doc<\/a><br \/>\n* <a href=\"http:\/\/docs.jboss.org\/jbossidentity\/docs\/guides\/identity-fed\/UserGuide\/pdf\/UserGuide.pdf\">UserGuide.pdf<\/a><br \/>\n* <a href=\"https:\/\/community.jboss.org\/wiki\/SecurityFAQ\">JBoss SecurityFAQ<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Environment * JBoss 5.1.0.GA or JBoss 4.2.2.GA * Centos version: [root@jboss01 ~]# cat \/etc\/redhat-release CentOS release 5.7 (Final) [root@jboss01 ~]# uname -m x86_64 * Java version: java version “1.6.0_24” OpenJDK Runtime Environment (IcedTea6 1.11.11.90) (rhel-1.41.1.11.11.90.el5_9-x86_64) OpenJDK 64-Bit Server VM (build … <a href=\"https:\/\/jianmingli.com\/wp\/?p=8956\">Continue reading <span class=\"meta-nav\">→<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[346,30],"tags":[275,448,450,449],"class_list":["post-8956","post","type-post","status-publish","format-standard","hentry","category-adfs","category-jboss","tag-ad","tag-adfs2","tag-jboss5-1","tag-saml2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-2ks","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/8956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8956"}],"version-history":[{"count":58,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/8956\/revisions"}],"predecessor-version":[{"id":11217,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/8956\/revisions\/11217"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}