Why does the PicketLink SAMLTokenCertValidatingLoginModule login module not work on JBoss EAP 7

Solution In Progress - Updated -


We have been using SAMLTokenCertValidatingLoginModule for some time in EAP6. I am attempting to configure it in EAP7 but am having difficulties.

The document here:
How To Set Up SSO with SAML v2

Points out a lot of changes since EAP6, but I cannot get it working with the attached configuration. Initially I was hung up by the change from SECURITY_DOMAIN to FORM in the web.xml, but now with the web.xml using FORM and a series of other configs made to match the suggestions, I'm not sure what handlers should be configured in the picketlink.xml file when using SAMLTokenCertValidatingLoginModule.

Every attempt to hit the secured area of the server ends up redirecting me to IDP like so:

<HTML><HEAD><TITLE>HTTP Post Binding (Request)</TITLE></HEAD><BODY Onload="document.forms[0].submit()"><FORM METHOD="POST" ACTION="https://test.host/IDP"><INPUT TYPE="HIDDEN" NAME="SAMLRequest" VALUE="P...=="/><NOSCRIPT><P>JavaScript is disabled. We strongly recommend to enable it. Click the button below to continue.</P><INPUT TYPE="SUBMIT" VALUE="CONTINUE" /></NOSCRIPT></FORM></BODY></HTML>

The documentation is all over the place for this and I've sunk a day into just trying to make it work. I have verified with the undertow request dumper that I am sending in a valid SAML assertion

For example, I've found this handler documentation that doesn't tell me much:

I also noticed no reference to the SAMLTokenCertValidatingLoginModule here, but found the class in several wildfly sources


  • Red Hat JBoss Enterprise Application Platform
    • 7.0.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In