Description of problem: It is not possible to configure the SAML2STSLoginModule by using module options instead of configFile:

<security-domain name="sts" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required" module="org.picketlink">
<module-option name="serviceName" value="PicketLinkSTS"/>
<module-option name="portName" value="PicketLinkSTSPort"/>
<module-option name="endpointAddress" value="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
<module-option name="username" value="admin"/>
<module-option name="password" value="admin"/>

The issue appears to be caused by the following check:

diff --git picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java index bdadc40..deeef62 100644 --- picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java +++ picketlink-jbas-common/src/main/java/org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSCommonLoginModule.java @@ -346,10 +346,6 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest } else { logger.trace("Local Validation is disabled. Verifying with STS"); - // sts config file has to be present to call STS (using sts client) - if (this.stsConfigurationFile == null) - throw logger.authSTSConfigFileNotFound(); - // send the assertion to the STS for validation. STSClient client = this.getSTSClient(); try { 
@@ -555,4 +551,4 @@ public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequest protected abstract TimeCacheExpiry getCacheExpiry() throws Exception; -} \ No newline at end of file +}

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure JBoss EAP 6.4.12 as described here: https://docs.jboss.org/author/display/PLINK/Protecting+EJB+Endpoints
2. Configure the SAML2STSLoginModule using the module-option approach shown above (not the 'configFile' approach)
3. Deploy an EJB that is protected by the "ejb-remoting-sts" security-domain
4. Hit the EJB

Actual results: Authentication fails

Expected results: Authentication is successful

Additional info:
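Review bot: with the null check on this.stsConfigurationFile removed in the first hunk (around line 346), this.getSTSClient() is now reached when no configuration file was supplied, so the fix is only complete if getSTSClient() builds the client from the module options shown in the description (serviceName, portName, endpointAddress, username, password) instead of dereferencing the null file. Please confirm that path, and that when neither a config file nor the required module options are present the module still fails closed with a clear error, since the removed `throw logger.authSTSConfigFileNotFound();` was the only guard at this point; a test covering both configuration styles (configFile and module options) would make that explicit.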
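Review bot: the second hunk (around line 555) only adds the missing newline at end of file; it is harmless but unrelated to the configuration-file check, so it would be cleaner as a separate whitespace-only commit to keep the bug-fix diff minimal.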
Thank you for the fix, verified with EAP 6.4.19.CP.CR2