I'm trying to set up container-managed authentication with Wildfly 24 and would like to use an existing (federated) Shibboleth IDP.
I haven't found docs detailing that use case, so I opted for the proxy auth scenario, e.g. Apache + Shibboleth SP connecting via AJP to Wildfly.
The Elytron docs mention "external" HTTP authentication, meaning passing on REMOTE_USER as a principal. What they don't include is how to get roles from the SP (or any other authenticating proxy, for that matter).
What I want to know is:
- How can I get roles mapped from another AJP attribute / HTTP header without resorting to another data store like LDAP? Can I get additional attributes into the principal as well, such as a mail address?
- Is there an alternative way to set up SAML2 with Wildfly? Keycloak support is rather limited, as it assumes a single (Keycloak) IDP. PicketLink is limited as well and deprecated.
- Alternatively, would OIDC work this way? How would I set this up?