Bug 1121155

Summary: PicketLink SP application configuration is ignored when it is also added to PicketLink subsystem
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: PicketLink
Version: 6.3.0
Status: CLOSED EOL
Severity: high
Priority: unspecified
Type: Bug
Doc Type: Bug Fix
Target Milestone: DR11
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Reporter: Ondrej Lukas <olukas>
Assignee: Peter Skopek <pskopek>
QA Contact: Pavel Slavicek <pslavice>
CC: bdawidow, kkhan, pslavice
Bug Depends On: 1164220
Last Closed: 2019-08-19 12:49:10 UTC

Description Ondrej Lukas 2014-07-18 13:53:03 UTC
If a PicketLink SP application contains picketlink.xml, this xml file is ignored when the application is also added to the PicketLink subsystem. Instead, the configuration from the domain model is used. This contradicts the note in the table in section 12.6 (Federation), which states for WEB-INF/picketlink.xml: "If present it will be considered instead of the configurations defined in the domain model." [1]

There is no documentation of the PL subsystem for EAP, hence I go by the project documentation [1].

Configuration from jboss-web.xml is also ignored when the configuration is present in PicketLink subsystem.

How to reproduce:
1) Create PicketLink SP application (e.g. use employee.war from quickstarts)
2) Configure the PicketLink subsystem for federation, set the IDP and use something like:
<service-provider name="employee.war" security-domain="sp" url="http://127.0.0.1:8080/employee.war/" post-binding="false" support-signatures="false"/>
3) Set a different IDP URL in picketlink.xml of employee.war than the IDP URL in the PicketLink subsystem IDP
4) Run the application; it will take the IDP URL from the PicketLink subsystem.

[1] http://docs.jboss.org/picketlink/2/latest/reference/html-single
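The two configurations involved in the reproduction steps above, shown side by side as an added example (this is not a configuration from the report or from the EAP quickstarts). The subsystem `service-provider` line is the one quoted in the report; the picketlink.xml element names, the `picketlink-federation` subsystem namespace and the two distinct IDP URLs are assumptions chosen so that the behaviour in step 4 is observable:

```xml
<!-- (a) WEB-INF/picketlink.xml packaged inside employee.war.
     Added example: element names follow the PicketLink 2.x SP layout and are an
     assumption; the IDP URL is deliberately different from the subsystem one. -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                ServerEnvironment="jboss" BindingType="REDIRECT" SupportsSignatures="false">
    <!-- deployment-level IDP URL; per the reference guide this should take precedence -->
    <IdentityURL>http://127.0.0.1:8080/idp-from-deployment/</IdentityURL>
    <ServiceURL>http://127.0.0.1:8080/employee.war/</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
  </Handlers>
</PicketLink>

<!-- (b) PicketLink federation subsystem in standalone.xml (namespace assumed).
     The same employee.war is registered here with a different IDP URL. -->
<subsystem xmlns="urn:jboss:domain:picketlink-federation:1.0">
  <federation name="example-federation">
    <identity-provider name="idp.war" security-domain="idp"
                       url="http://127.0.0.1:8080/idp-from-subsystem/">
      <trust>
        <trust-domain name="127.0.0.1"/>
      </trust>
    </identity-provider>
    <service-providers>
      <service-provider name="employee.war" security-domain="sp"
                        url="http://127.0.0.1:8080/employee.war/"
                        post-binding="false" support-signatures="false"/>
    </service-providers>
  </federation>
</subsystem>
```

With both in place, an unauthenticated request to the SP should redirect to `idp-from-deployment` if the documented precedence holds; a redirect to `idp-from-subsystem` reproduces the reported behaviour. The same comparison applies to the URL the IDP is sent back to after authentication, which is where the deployment's `ServiceURL` should win over the subsystem's `service-provider url`.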

Comment 2 Pedro Igor 2014-10-23 21:04:03 UTC
This issue requires backporting changes from upstream. The changes can be backported to the product branch.

Comment 3 Kabir Khan 2014-10-24 12:10:41 UTC
Setting back to ASSIGNED, subsystem changes are done, but will need a PL upgrade

Comment 6 Pedro Igor 2014-10-30 19:41:20 UTC
Backported from upstream.

Commit:

https://code.engineering.redhat.com/gerrit/#/c/35778/

Comment 8 Ondrej Lukas 2014-11-27 14:53:18 UTC
The current version correctly uses the IDP URL from the deployment configuration when redirecting from the SP to the IDP before authentication.

However, after authentication, when the IDP tries to redirect back to the SP, it uses the SP URL defined in the PicketLink Federation Subsystem instead of the URL defined in the deployment configuration.

For that reason I have to fail QA in EAP 6.4.0.DR11.