13.3. About PicketLink STS Login Modules
A PicketLink Login Module is typically configured as part of the security setup of a JEE container to use a Security Token Service (STS) for authenticating users. The STS may be co-located on the same container as the Login Module or be accessed remotely through Web Service calls or another technology. PicketLink Login Modules support non-PicketLink STS implementations through standard WS-Trust calls.
Types of STS Login Modules
The following are the different types of STS Login Modules.
STSIssuingLoginModule
- Calls the configured STS and requests a security token. Upon successfully receiving the RequestedSecurityToken, it marks the authentication as successful.
- A call to the STS typically requires authentication. This Login Module uses credentials from one of the following sources:
  - Its properties file, if the useOptionsCredentials module option is set to true.
  - The credentials of a previous login module, if the password-stacking module option is set to useFirstPass.
  - The configured CallbackHandler, by supplying a Name and Password Callback.
- Upon successful authentication, the SamlCredential is inserted in the Subject's public credentials if one with the same Assertion is not already present there.
STSValidatingLoginModule
- Calls the configured STS and validates an available security token.
- A call to the STS typically requires authentication. This Login Module uses credentials from one of the following sources:
  - Its properties file, if the useOptionsCredentials module option is set to true.
  - The credentials of a previous login module, if the password-stacking module option is set to useFirstPass.
  - The configured CallbackHandler, by supplying a Name and Password Callback.
- Upon successful authentication, the SamlCredential is inserted in the Subject's public credentials if one with the same Assertion is not already present there.
SAML2STSLoginModule
- This Login Module supplies an ObjectCallback to the configured CallbackHandler and expects a SamlCredential object back. The Assertion is validated against the configured STS.
- If a user ID and SAML token are shared, this Login Module bypasses validation when stacked on top of another Login Module that has successfully authenticated.
- Upon successful authentication, the SamlCredential is inspected for a NameID and a multi-valued role attribute, which are set as the ID and the roles of the user respectively.
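The three callback types described above (Name and Password Callbacks for STSIssuingLoginModule and STSValidatingLoginModule, ObjectCallback returning a SamlCredential for SAML2STSLoginModule) can be served by a single CallbackHandler. The class below is an added example, not code from PicketLink or this documentation; the class name StsCallbackHandler is hypothetical, and the package locations of ObjectCallback (PicketBox) and SamlCredential (PicketLink) and the SamlCredential(String) constructor are assumptions.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jboss.security.auth.callback.ObjectCallback;            // assumed package
import org.picketlink.identity.federation.core.wstrust.SamlCredential; // assumed package

/**
 * Hypothetical CallbackHandler that answers every callback the STS login
 * modules described above may issue. Anything else is rejected explicitly,
 * so a misconfigured stack fails closed instead of authenticating silently.
 */
public class StsCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;
    private final String samlAssertionXml; // null when no assertion is available

    public StsCallbackHandler(String username, char[] password, String samlAssertionXml) {
        this.username = username;
        this.password = password.clone();
        this.samlAssertionXml = samlAssertionXml;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                // Used by STSIssuing/STSValidatingLoginModule to authenticate to the STS
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                // Hand out a copy; the login module clears its own copy after use
                ((PasswordCallback) cb).setPassword(password.clone());
            } else if (cb instanceof ObjectCallback) {
                // SAML2STSLoginModule expects a SamlCredential here; it then validates
                // the assertion against the configured STS
                if (samlAssertionXml == null) {
                    throw new UnsupportedCallbackException(cb, "no SAML assertion available");
                }
                ((ObjectCallback) cb).setCredential(new SamlCredential(samlAssertionXml)); // assumed ctor
            } else {
                throw new UnsupportedCallbackException(cb, "unsupported callback: " + cb.getClass());
            }
        }
    }
}
```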
SAML2LoginModule
- This login module is used in conjunction with other components for SAML authentication and performs no authentication itself.
- The SPRedirectFormAuthenticator uses this login module in PicketLink's implementation of the SAML v2 HTTP Redirect Profile.
- The Tomcat authenticator valve performs authentication by redirecting to the identity provider and obtaining a SAML assertion.
- This login module is used to pass the user ID and roles to the JBoss security framework so that they are populated in the JAAS subject.