We're implementing a SAML2-based SSO solution and use PicketLink on the SP side.
On the IDP side we have a different implementation which is configured to output the multivalued memberOf
attribute (these are actually LDAP/AD group memberships). So we basically get something like this in the assertion:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ... >
  ...
  <saml:Assertion ...>
    ...
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="Role" Name="Role">
        <saml:AttributeValue>authenticated</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="memberOf" Name="memberOf">
        <saml:AttributeValue>CN=ga-A-102213-...</saml:AttributeValue>
        <saml:AttributeValue>CN=g-z-MeetingPlace,...</saml:AttributeValue>
        <saml:AttributeValue>CN=g-z-Serviceportal,...</saml:AttributeValue>
        <saml:AttributeValue>CN=g-z-BCM...</saml:AttributeValue>
        ...
      </saml:Attribute>
    </saml:AttributeStatement>
    ...
  </saml:Assertion>
</samlp:Response>
My question is, how could I configure PicketLink/JBoss to map these memberOf values onto specific roles in the application/SP?
For instance that CN=g-z-MeetingPlace,... should be mapped to ROLE_MEETING or CN=g-z-BCM... should be mapped onto ROLE_BCM. We could probably write a login module to do that, but for me it seems to be a very standard task. However I did not manage to find a configurative solution yet.
Seems like we've figured it out.
What we needed was org.jboss.security.auth.spi.RoleMappingLoginModule:
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule"
              flag="optional">
  <module-option name="rolesProperties">roles.properties</module-option>
</login-module>
Mapping between AD group names and internal application roles is configured in the roles.properties file:
CN\=ga-A-102213-...=SomeInternalRole
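Why the `\=` escaping in roles.properties matters, shown as an added example that is not part of the original answer or of JBoss/PicketLink code: it loads two constructed mappings with `java.util.Properties` and looks up memberOf values against them. The DNs, the class name `RoleMappingDemo` and the `mapRoles` helper are hypothetical, and the lookup semantics (exact match, comma-separated role list, no role for an unmapped group) are assumptions of this sketch.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;

public class RoleMappingDemo {
    // Constructed roles.properties content; the DNs are made up for this example.
    // In the file itself each '=' and space inside a key is written as '\=' and '\ '.
    static final String ESCAPED =
        "CN\\=g-z-MeetingPlace,OU\\=App\\ Groups,DC\\=example,DC\\=com=ROLE_MEETING\n"
      + "CN\\=g-z-BCM,OU\\=App\\ Groups,DC\\=example,DC\\=com=ROLE_BCM,ROLE_USER\n";
    // Same first entry without escaping: the key ends at the first '='.
    static final String UNESCAPED =
        "CN=g-z-MeetingPlace,OU=App Groups,DC=example,DC=com=ROLE_MEETING\n";

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    // Assumed semantics for this sketch: exact-match lookup, comma-separated
    // role list, and a group with no entry contributes no role.
    static Set<String> mapRoles(Properties mapping, List<String> memberOf) {
        Set<String> roles = new LinkedHashSet<>();
        for (String dn : memberOf) {
            String mapped = mapping.getProperty(dn);
            if (mapped == null) continue;
            for (String role : mapped.split(",")) {
                if (!role.trim().isEmpty()) roles.add(role.trim());
            }
        }
        return roles;
    }

    public static void main(String[] args) throws IOException {
        List<String> memberOf = Arrays.asList(
            "CN=g-z-MeetingPlace,OU=App Groups,DC=example,DC=com",
            "cn=g-z-bcm,ou=app groups,dc=example,dc=com",       // case differs: no match
            "CN=g-z-Unmapped,OU=App Groups,DC=example,DC=com"); // no entry: no role
        System.out.println(mapRoles(load(ESCAPED), memberOf));
        System.out.println(load(UNESCAPED).stringPropertyNames());
        System.out.println(mapRoles(load(UNESCAPED), memberOf));
    }
}
```

With the unescaped file the only key loaded is `CN`, so no group DN matches and the user ends up with no mapped roles; the same happens when the IdP sends a DN whose case or spacing differs from the key.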