Bug 1084601
| Summary: | [GSS] (6.3.0) Backport PLINK-405 | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Derek Horton <dehort> |
| Component: | PicketLink | Assignee: | Anil Saldhana <anil.saldhana> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Josef Cacek <jcacek> |
| Severity: | unspecified | Docs Contact: | Nichola Moore <nmoore> |
| Priority: | unspecified | | |
| Version: | 6.2.1 | CC: | kkhan, pskopek, smumford |
| Target Milestone: | ER2 | | |
| Target Release: | EAP 6.3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | A new feature has been incorporated into the PicketLink component of this version of JBoss EAP 6. In this release the principal that gets sent to the AttributeManager has been made configurable.<br>When using PicketLink with JBoss Negotiation, the principal that is sent to the AttributeManager is a hashed string and not the username. This can result in failed lookups if the mapping provider uses the principal to look up any attributes.<br>The ability to configure the principal ameliorates this issue. | | |
| Story Points: | --- | | |
| Clone Of: | 1084596 | | |
| Clones: | 1085534 | Environment: | |
| Last Closed: | 2014-06-28 15:44:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1084593, 1084597, 1091177, 1095230 | | |
Description
Derek Horton
2014-04-04 19:26:06 UTC
Functionality can be enabled as shown here:

```xml
<valve>
  <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
  <param>
    <param-name>passUserPrincipalToAttributeManager</param-name>
    <param-value>true</param-value>
  </param>
</valve>
```

Reproducer notes for hashed user principal PL issue:

idp.war/WEB-INF/picketlink.xml (set the AttributeManager):

```xml
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                 AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"
                 StrictPostBinding="true">
    <!-- remaining IDP configuration omitted from this excerpt -->
  </PicketLinkIDP>
</PicketLink>
```

idp.war/WEB-INF/jboss-web.xml:

```xml
<valve>
  <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
  <param>
    <param-name>passUserPrincipalToAttributeManager</param-name>
    <param-value>true</param-value>
  </param>
</valve>
```

standalone.xml:

```xml
<mapping>
  <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
    <module-option name="java.naming.provider.url" value="ldaps://imatestldapserver.redhat.com"/>
    <module-option name="bindDN" value="uid=imauser,dc=test,dc=redhat,dc=com"/>
    <module-option name="bindCredential" value="imapassword"/>
    <module-option name="baseCtxDN" value="ou=users,dc=test,dc=redhat,dc=com"/>
    <module-option name="baseFilter" value="(uid={0})"/>
    <module-option name="attributeList" value="mail,cn,sn,UserType"/>
    <module-option name="searchTimeLimit" value="10000"/>
  </mapping-module>
</mapping>
```

Verified in 6.3.0.ER2
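As an added example (not code from the bug report, PicketLink or EAP), a Python check that reads an IDP jboss-web.xml and reports whether the valve parameter described in this bug is set; the jboss-web.xml descriptors it parses are constructed samples.

```python
"""Added example (not from the bug report or PicketLink): check an EAP 6 IDP
jboss-web.xml for passUserPrincipalToAttributeManager=true on the PicketLink
valve, the setting that sends the real username instead of the Negotiation
hash to the AttributeManager so an LDAP mapping like (uid={0}) can match."""
import xml.etree.ElementTree as ET
from typing import Optional

VALVE_CLASS = ("org.picketlink.identity.federation.bindings.tomcat.idp."
               "IDPWebBrowserSSOValve")
PARAM_NAME = "passUserPrincipalToAttributeManager"


def _local(tag: str) -> str:
    """Strip a namespace prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent: ET.Element, name: str) -> str:
    """Text of the first direct child named `name`, or '' if absent."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def valve_passes_user_principal(jboss_web_xml: str) -> Optional[bool]:
    """True if the IDP valve sets the parameter to true, False if the valve
    is present without it (pre-fix behaviour), None if no IDP valve exists."""
    root = ET.fromstring(jboss_web_xml)
    for valve in root.iter():
        if _local(valve.tag) != "valve" or _child_text(valve, "class-name") != VALVE_CLASS:
            continue
        for param in valve:
            if _local(param.tag) == "param" and _child_text(param, "param-name") == PARAM_NAME:
                return _child_text(param, "param-value").lower() == "true"
        return False  # valve configured, parameter missing: hashed principal still sent
    return None


# Constructed sample descriptors, not taken from a real deployment.
FIXED = f"""<jboss-web><valve><class-name>{VALVE_CLASS}</class-name>
  <param><param-name>{PARAM_NAME}</param-name><param-value>true</param-value></param>
</valve></jboss-web>"""
UNSET = f"""<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee">
  <valve><class-name>{VALVE_CLASS}</class-name></valve></jboss-web>"""
NO_VALVE = "<jboss-web><context-root>/idp</context-root></jboss-web>"

if __name__ == "__main__":
    for label, xml in (("fixed", FIXED), ("unset", UNSET), ("no valve", NO_VALVE)):
        print(f"{label}: {valve_passes_user_principal(xml)}")
```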