Integrating JBoss GateIn Portal with PicketLink-STS (SAML)
I'm trying to figure out (if it's possible) how to integrate the JBoss GateIn Portal app with PicketLink-STS to generate a security token (i.e. SAML Assertion) that can be used to implement "Single Sign On" (thus talk to backside EJB services that require authentication).

There is decent documentation on how to configure JBoss 5.1 with EJB services and have them protected by PicketLink-STS for authentication with a security token (implemented via security domains and login config modules).

However, it's not clear how to get the JBoss 5.1/GateIn portal application to integrate with PicketLink-STS, so that the portlets can obtain a security token (for the logged-in user) that can then be passed to the backside EJB services, where it is validated against the PicketLink-STS for authentication.

Wonder if this is possible or a dead-end road.

Doodle answered 9/9, 2011 at 16:35 Comment(1)
I'm interested in this as well! - Eckhardt
I'm no expert on GateIn, but I'll show my results after some research.

First, I based this on GateIn version 3.4, which is the last version for JBoss 5.

To configure SAML token-based authentication in GateIn, SSO authentication must be enabled; the integration of GateIn with SAML2 uses the JBoss project PicketLink Federation.

SAML SSO authentication is based on a circle of trust between the SP and the IdP. This can be set up by following the steps described in this link: Chapter 6. Authentication and Identity - SAML

The resources required can be downloaded from the following url:

The STS configuration is part of the Identity Provider and can be edited as described in the following documentation: SecurityToken Service Configuration (PicketLinkSTS Element)

After you have completed all the steps to enable SAML token-based authentication (and it is working correctly), you must add the following filter to GateIn's web.xml (alongside the existing SAML2LogoutFilter):

<filter>
   <filter-name>PicketlinkSTSIntegrationFilter</filter-name>
   <filter-class>org.gatein.sso.agent.filter.PicketlinkSTSIntegrationFilter</filter-class>
</filter>

<filter-mapping>
   <filter-name>PicketlinkSTSIntegrationFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>

This filter sets an org.picketlink.identity.federation.core.wstrust.SamlCredential into the org.jboss.security.client.SecurityClient, which makes it possible to propagate the authentication from the SAML2 ticket into the underlying EJB or WS calls.

See also:

I hope this helps.

Pearlene answered 6/11, 2014 at 15:31 Comment(0)
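The mechanism the answer describes, a servlet filter that hands the user's SAML assertion to the JBoss SecurityClient so that EJB calls made during the request carry it, is illustrated below. This is an added example and not the source of GateIn's PicketlinkSTSIntegrationFilter; it assumes the SAML2 assertion captured at SSO login is available in the HTTP session as a DOM Element under a placeholder attribute name (ASSERTION_ATTR), which is an assumption for this example. It uses only the public JBoss AS 5 SecurityClient API (SecurityClientFactory.getSecurityClient, setSimple, login, logout) and PicketLink's SamlCredential(Element) constructor.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.w3c.dom.Element;

/**
 * Illustrative filter (added example, not GateIn's PicketlinkSTSIntegrationFilter).
 * Assumption: the SAML2 assertion issued at SSO login is stored in the HTTP session
 * as a DOM Element under ASSERTION_ATTR. The attribute name is a placeholder.
 */
public class SamlPropagationFilter implements Filter {

    // Hypothetical session key; the real key depends on the SP agent configuration.
    static final String ASSERTION_ATTR = "org.example.saml.assertion";

    public void init(FilterConfig cfg) { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        Element assertion = (session == null) ? null
                : (Element) session.getAttribute(ASSERTION_ATTR);

        if (assertion == null || http.getRemoteUser() == null) {
            // Not an SSO-authenticated request: push nothing into the client security context.
            chain.doFilter(req, resp);
            return;
        }

        SecurityClient client = null;
        try {
            client = SecurityClientFactory.getSecurityClient();
            // Principal = portal user name, credential = the SAML assertion itself.
            client.setSimple(http.getRemoteUser(), new SamlCredential(assertion));
            client.login();            // binds principal + SAML credential to the calling thread
            chain.doFilter(req, resp); // EJB/WS calls on this thread now carry the assertion
        } catch (Exception e) {
            throw new ServletException("Could not propagate SAML credential", e);
        } finally {
            if (client != null) {
                // Clear the thread-bound context: servlet threads are pooled, and a stale
                // SecurityClient login would let the next request run as this user.
                client.logout();
            }
        }
    }

    public void destroy() { }
}
```

The logout in the finally block is the part most often forgotten: SecurityClient associates the principal and credential with the current thread, so without it a pooled request thread keeps the previous user's SAML credential and the next request on that thread would reach the EJB tier with the wrong identity. The EJB side still has to be configured with the PicketLink STS login module (as the question notes) so that the received assertion is validated against the STS rather than trusted on receipt.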
