JBoss/PicketLink WS-Trust Client and Third-Party Security Token Services

Another use case that I touched on during my JBoss World 2012 presentation was using the PicketLink WS-Trust Client implementation to communicate with third-party Security Token Services. In particular, we discussed how the PicketLink SAML2STSIssuingLoginModule can communicate with the IBM Tivoli Federated Identity Manager (TFIM) Security Token Service (STS).

To my knowledge, PicketLink had not been previously integrated with a third-party Security Token Service.

This JAAS login module makes WS-Trust ISSUE requests to an STS to validate an input credential (an identity token of some type). One way of looking at this is that the STS takes a credential in one form, validates it, and issues a token in another form that the actors involved can consume. The SAML2STSIssuingLoginModule can use a custom helper class to pull an identity token from a cookie or an HTTP header. With a little work it could be extended to pull credentials from other sources. In our example, an LTPA2 token was pulled from a cookie and an ivcred token was pulled from an HTTP header.

The end result is that the STS validates the input token (assuming it is good) and returns a SAML2 token that JBoss can understand, as described in more detail here and here.
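As an added illustration of the exchange described above (written for this page, not PicketLink's or TFIM's own code): the WS-Trust 1.3 RequestSecurityToken that hands the opaque cookie/header token to the STS for ISSUE, and a parser that pulls the SAML2 assertion out of a constructed STS response while rejecting any other token type. The ValueType URI for the LTPA2 token and the sample response are placeholders, since the post does not give them.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSS_BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
LTPA2_VALUE_TYPE = "urn:placeholder:ltpa2"  # placeholder: the post does not give the real ValueType URI
for prefix, uri in (("wst", WST), ("wsse", WSSE), ("saml2", SAML2)):
    ET.register_namespace(prefix, uri)


def build_issue_request(input_token_b64, value_type):
    """RST body asking the STS to ISSUE a SAML2 token on behalf of the opaque input credential."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN_TYPE  # what we want back
    obo = ET.SubElement(rst, f"{{{WST}}}OnBehalfOf")
    bst = ET.SubElement(obo, f"{{{WSSE}}}BinarySecurityToken",
                        {"ValueType": value_type, "EncodingType": WSS_BASE64})
    bst.text = input_token_b64  # the cookie/header value exactly as the helper class pulled it
    return ET.tostring(rst, encoding="unicode")


def extract_saml_assertion(rstr_xml):
    """Return (assertion ID, subject NameID) from the STS response; reject anything but SAML2."""
    root = ET.fromstring(rstr_xml)
    if root.findtext(f".//{{{WST}}}TokenType") != SAML2_TOKEN_TYPE:
        raise ValueError("STS did not return a SAML 2.0 token")
    assertion = root.find(f".//{{{WST}}}RequestedSecurityToken/{{{SAML2}}}Assertion")
    if assertion is None:
        raise ValueError("response carries no saml2:Assertion")
    name_id = assertion.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if not name_id:
        raise ValueError("assertion has no subject NameID")
    # A real login module must also verify the STS's XML signature and the assertion's
    # Conditions (validity window, audience) before trusting this identity.
    return assertion.get("ID"), name_id


# Constructed sample response; not captured from TFIM or any real STS.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
  <wst:RequestSecurityTokenResponse>
    <wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>
    <wst:RequestedSecurityToken>
      <saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed-1" Version="2.0">
        <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
      </saml2:Assertion>
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>"""
```

In the real flow the RST body is wrapped in a SOAP envelope and sent to the STS endpoint by the PicketLink WS-Trust client; the response parser here stands in for the step where the login module turns the issued assertion into a JAAS principal.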