I'm trying to set up container-managed authentication with Wildfly 24 and would like to use an existing (federated) Shibboleth IDP.

I haven't found docs detailing that use case, so I opted for the proxy auth scenario, e.g. Apache + Shibboleth SP connecting via AJP to Wildfly.

The Elytron docs mention "external" http authentication, meaning passing on REMOTE_USER as a principal. What it doesn't include is how to get roles from the SP (or any other authenticating proxy for that matter).

What I want to know is:

  • How can I get roles mapped from another AJP attribute / HTTP header without resorting to another data store like LDAP? Can I get additional attributes into the principal as well, like e.g. a mail address?
  • Is there an alternative way to set up SAML2 with Wildfly? Keycloak support is rather limited, as it assumes a single (Keycloak) IDP. Picketlink is limited as well and deprecated.
  • Alternatively, would OIDC work this way? How would I set this up?
fuero

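The first bullet asks how to turn a proxy-supplied header into roles without a second data store. As an added illustration (not code from the question, from Wildfly, or from Shibboleth), here is a servlet filter that accepts a user and a role list from two headers and exposes them through the standard Servlet API. The header names `X-Remote-User` and `X-Remote-Roles`, the `;`/`,` value separators, and the assumption that only the Apache/Shibboleth SP can reach the AJP listener (so the proxy, not the client, is the origin of those headers) are all assumptions of this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Maps headers set by an authenticating reverse proxy to a Principal and a role set.
 * Assumption: the AJP listener is reachable only by the proxy, and the proxy strips
 * any client-supplied X-Remote-User / X-Remote-Roles headers before forwarding, so
 * a present header is always the proxy's statement, never the browser's.
 */
@WebFilter("/*")
public class ProxyRoleFilter implements Filter {

    // Header names are an assumption of this example; configure them to match the SP.
    static final String USER_HEADER = "X-Remote-User";
    static final String ROLES_HEADER = "X-Remote-Roles";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getHeader(USER_HEADER);
        if (user == null || user.isBlank()) {
            // No proxy identity: pass through unauthenticated and let the container decide.
            chain.doFilter(req, res);
            return;
        }
        Set<String> roles = parseRoles(http.getHeader(ROLES_HEADER));
        chain.doFilter(new ProxyAuthenticatedRequest(http, user.trim(), roles), res);
    }

    /** Splits a multi-valued attribute header ("a;b" or "a,b") into a trimmed, de-duplicated set. */
    static Set<String> parseRoles(String header) {
        if (header == null) {
            return Collections.emptySet();
        }
        return Arrays.stream(header.split("[;,]"))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /** Request wrapper that answers getUserPrincipal()/isUserInRole() from the proxy headers. */
    static final class ProxyAuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        ProxyAuthenticatedRequest(HttpServletRequest request, String user, Set<String> roles) {
            super(request);
            this.principal = () -> user;
            this.roles = Collections.unmodifiableSet(roles);
        }

        @Override
        public Principal getUserPrincipal() {
            return principal;
        }

        @Override
        public String getRemoteUser() {
            return principal.getName();
        }

        @Override
        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }

        @Override
        public String getAuthType() {
            return "PROXY"; // label chosen for this example; not a Servlet-defined constant
        }
    }
}
```

Because this runs inside the application, it only satisfies programmatic checks (`request.isUserInRole(...)`, `@RolesAllowed` in frameworks that consult the request); declarative `<security-constraint>` entries in web.xml are evaluated by the container before any filter runs, which is exactly why a container-level (Elytron) mapping, as asked for in the question, is the preferable place to do this.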