15.4. Configure STSIssuingLoginModule
The
STSIssuingLoginModule uses a user name and password to authenticate the user against an STS by retrieving a token.
Example 15.4. Configure STSIssuingLoginModule
<security-domain name="saml-issue-token">
<authentication>
<login-module
code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required"> <module-option name="configFile">./picketlink-sts-client.properties</module-option>
<module-option name="endpointURI">http://security_saml/endpoint</module-option>
</login-module>
</authentication>
<mapping>
<mapping-module
code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider"
type="principal" />
<mapping-module
code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider"
type="role" />
</mapping>
</security-domain>
Most configurations can switch to the configuration sited in the above example by:
- changing their declared security-domain
- specifying a Principal mapping provider
- specifying a RoleGroup mapping provider
The specified Principal mapping provider and the RoleGroup mapping provider results in an authenticated Subject being populated that enables coarse-grained and role-based authorization. After authentication, the Security Token is available and may be used to invoke other services by Single Sign-On.
