If a PicketLink SP application contains picketlink.xml, this XML file is ignored when the application is also added to the PicketLink subsystem. Instead, the configuration from the domain model is used. This contradicts the note in the table in section 12.6. Federation, which states for WEB-INF/picketlink.xml: "If present it will be considered instead of the configurations defined in the domain model." [1] There is no documentation of the PL subsystem for EAP, hence I rely on the project documentation [1]. Configuration from jboss-web.xml is also ignored when the configuration is present in the PicketLink subsystem.

How to reproduce:

1) Create a PicketLink SP application (e.g. use employee.war from the quickstarts).
2) Configure the PicketLink subsystem for federation, set the IDP and use something like:
   <service-provider name="employee.war" security-domain="sp" url="http://127.0.0.1:8080/employee.war/" post-binding="false" support-signatures="false"/>
3) Set a different IDP URL in picketlink.xml of employee.war than the IDP URL in the PicketLink subsystem IDP.
4) Run the application; it will take the IDP URL from the PicketLink subsystem.

[1] http://docs.jboss.org/picketlink/2/latest/reference/html-single
This issue requires backporting changes from upstream. The changes can be backported to the product branch.
Setting back to ASSIGNED; the subsystem changes are done, but this will need a PL upgrade.
Backported from upstream. Commit: https://code.engineering.redhat.com/gerrit/#/c/35778/
The current version correctly uses the IDP URL from the deployment configuration when redirecting from the SP to the IDP before authentication. However, after authentication, when the IDP tries to redirect back to the SP, it uses the SP URL defined in the PicketLink Federation Subsystem instead of the URL defined in the deployment configuration. For that reason I have to fail QA in EAP 6.4.0.DR11.