Bug 1121157

Summary: Identity-provider should be required for every federation in PicketLink subsystem
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Ondrej Lukas <olukas>
Component: PicketLink
Assignee: Pedro Igor <psilva>
Status: CLOSED NOTABUG
QA Contact: Josef Cacek <jcacek>
Severity: high
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.3.0
CC: bdawidow, hmlnarik, myarboro
Target Milestone: ---
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-10-23 21:13:53 UTC
Type: Bug

Description Ondrej Lukas 2014-07-18 13:57:30 UTC
The PicketLink subsystem allows the following empty federation to be used:
<federation name="my-federation"/>

Also, a federation with service-providers is possible:
    <federation name="my-federation">
        <service-providers>
            <service-provider name="sp.war" security-domain="sp" url="http://127.0.0.1:8080/sp/" post-binding="false" support-signatures="true"/>
        </service-providers>
    </federation>
</subsystem>

However, a federation without an Identity Provider makes no sense. An Identity Provider should be required by the XML schema. Otherwise, the CLI command /subsystem=picketlink-federation/federation=my-federation:add() should work, but it causes:

ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) JBAS014607: Failed to persist configuration change: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014675: Failed to marshal configuration
	at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.<init>(AbstractFilePersistenceResource.java:50) [jboss-as-controller-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
Caused by: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014680: Failed to write configuration
	at org.jboss.as.controller.persistence.AbstractConfigurationPersister.marshallAsXml(AbstractConfigurationPersister.java:123) [jboss-as-controller-7.4.0.Final-
Caused by: java.lang.IllegalArgumentException
	at org.jboss.dmr.ModelValue.asList(ModelValue.java:132) [jboss-dmr-1.2.0.Final-redhat-1.jar:1.2.0.Final-redhat-1]

It works fine if it is used in a batch with an identity-provider:
batch
/subsystem=picketlink-federation/federation=my-federation:add()
/subsystem=picketlink-federation/federation=federation-simple-redirect-binding/identity-provider=idp.war:add(url=http://127.0.0.1:8080/idp/,security-domain=idp,support-signatures=false,strict-post-binding=false)
run-batch

Comment 2 Pedro Igor 2014-10-23 21:13:53 UTC
I've executed the following command in CLI:

[standalone@localhost:9990 /] /subsystem=picketlink-federation/federation=my-federation:add()
{"outcome" => "success"}
[standalone@localhost:9990 /] reload

It worked fine. Am I missing something?

I understand your point when you say that a fed without an IdP in it does not make sense. But we need this behavior in order to properly support the functionality provided by the console.