5.4. Configure STSIssuingLoginModule

The STSIssuingLoginModule uses a user name and password to authenticate the user against an STS by retrieving a token.

Example 5.4. Configure STSIssuingLoginModule

<application-policy name="saml-issue-token">
    <authentication>
        <login-module
            code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">          <module-option name="configFile">./picketlink-sts-client.properties</module-option>
          <module-option name="endpointURI">http://security_saml/endpoint</module-option>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module
            code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider"
            type="principal" />
        <mapping-module
            code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider"
            type="role" />
    </mapping>
</application-policy>

Most configurations can switch to the configuration sited in the above example by:
  • changing their declared security-domain
  • specifying a Principal mapping provider
  • specifying a RoleGroup mapping provider
The specified Principal mapping provider and the RoleGroup mapping provider results in an authenticated Subject being populated that enables coarse-grained and role-based authorization. After authentication, the Security Token is available and may be used to invoke other services by Single Sign-On.