15.7.6. Configure Dynamic Account Chooser at a Service Provider

Prerequisites:

If a Service Provider (SP) is configured with multiple Identity Providers (IDPs), PicketLink can be configured to prompt the user to choose which IDP to use to authenticate their credentials.

Procedure 15.4. Configure Dynamic Account Chooser at a Service Provider

  1. Configure the account chooser valve in jboss-web.xml in the WEB-INF directory of your SP web application.

    Example 15.16. jboss-web.xml File Configuration for SP Account Chooser

    <jboss-web>
  <security-domain>sp</security-domain>
  <context-root>accountchooser</context-root>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.AccountChooserValve</class-name>
  </valve>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
  </valve>
</jboss-web>
    AccountChooserValve has the following configurable options:
    DomainName
    The domain name to be used for the cookie that is sent to the user's browser.
    CookieExpiry
    The cookie expiry in seconds. Default is -1, which means the cookie expires when the browser is closed.
    AccountIDPMapProvider
    The fully-qualified name of the implementation for IDP Mapping. Default is a properties file idpmap.properties in the WEB-INF directory of your SP web application. This implementation must implement org.picketlink.identity.federation.bindings.tomcat.sp.AbstractAccountChooserValve.AccountIDPMapProvider.
    AccountChooserPage
    The name of the HTML/JSP page for listing the different IDP accounts. Default is /accountChooser.html.
  2. Define the mapping for the IDPs. By default, this is a properties file idpmap.properties in the WEB-INF directory of your SP web application.

    Example 15.17. idpmap.properties Configuration

    DomainA=http://localhost:8080/idp1/
DomainB=http://localhost:8080/idp2/
  3. Create a HTML page in your SP web application for the user to choose the IDP. By default, this file is accountChooser.html. The URL to each of IDP must have the parameter idp that specifies the name of the IDP listed in idpmap.properties.

    Example 15.18. accountChooser.html Configuration

    <html>
  ...
  <a href="?idp=DomainA">DomainA</a>
  <hr/>
  <a href="?idp=DomainB">DomainB</a>
  ...
</html>
Report a bug