PicketLink Identity Management Fundamentals

PicketLink Identity Management is a fundamental module of PicketLink, with all other modules building on top of the IDM component to implement their extended features.

  • It provides APIs for managing the identities of your application and services, such as users, groups and roles.
  • It supports flexible partitioning of identities.
  • It provides core Identity Model API classes on which an application's own identity classes are built, giving the application a robust security structure.

CORE Modules:

Partition Manager: It is used to manage identity partitions, which are the containers for a set of identity objects.

Identity Manager: It is used to manage the identity objects within the scope of a partition.

Relationship Manager: It is used to manage relationships; a relationship is a typed association between two or more identities.

Identity Store: It provides the backend storage for identity persistence. The available implementations are:

  • JPAIdentityStore
  • LDAPIdentityStore
  • FileBasedIdentityStore

Below is a pictorial presentation of how authentication happens, followed by the IDM components' workflow while authenticating a user.

[Figure: PicketLink Authentication Process Flow]

Below is a pictorial presentation of how all core modules are connected and work together during the authentication process.

[Figure: PicketLink Core Modules Flow]


How credential validation happens:


PicketLink IDM provides an authentication subsystem that allows user credentials to be validated thereby confirming that an authenticating user is who they claim to be. The IdentityManager interface provides a single method for performing credential validation, as follows:

void validateCredentials(Credentials credentials);

The Credentials interface defines a Status enum and a getStatus() method, which can be used to get the status of the credentials entered by the user after validation:

    public interface Credentials {

        // Possible outcomes of validateCredentials(), see the list below
        public enum Status {
            UNVALIDATED, IN_PROGRESS, INVALID, VALID, EXPIRED
        }

        // The account that was validated; only meaningful when getStatus() is VALID
        Account getValidatedAccount();

        Status getStatus();

        void invalidate();
    }


getStatus() returns one of the following values:

  • UNVALIDATED – The credential is yet to be validated.
  • IN_PROGRESS – The credential is in the process of being validated.
  • INVALID – The credential has been validated unsuccessfully.
  • VALID – The credential has been validated successfully.
  • EXPIRED – The credential has expired.


How to manage users, groups and roles?

PicketLink IDM provides a number of basic implementations of the identity model interfaces for convenience, in the org.picketlink.idm.model.basic package.

Below is an example of creating a user with the following details:

  • Login Name: jdoe
  • Full Name: John Doe
  • First Name: John
  • Last Name: Doe
  • Email: jdoe[at]techpaste.com

User user = new User("jdoe");
identityManager.add(user);

Once the User is created, it’s possible to look it up using its login name:

User user = BasicModel.getUser(identityManager, "jdoe");

User properties can also be modified after the User has already been created.

The following example demonstrates how to change the e-mail address of the user we created above:

User user = BasicModel.getUser(identityManager, "jdoe");
user.setEmail("jdoe@techpaste.com");
identityManager.update(user);

The following example demonstrates how to create a new group called employees:

Group employees = new Group("employees");
identityManager.add(employees);

It is also possible to assign a parent group when creating a group. The following example demonstrates how to create a new group called managers, using the employees group created in the previous example as the parent group:

Group managers = new Group("managers", employees);
identityManager.add(managers);

To look up an existing Group, the getGroup() method may be used. If the group name is unique, it can be passed as a single parameter:

Group employees = BasicModel.getGroup(identityManager, "employees");

Managing relationships in IDM

Relationships are used to model typed associations between two or more identities. All concrete relationship types must implement the Relationship marker interface.

The RelationshipManager interface provides three standard methods for managing relationships:

    void add(Relationship relationship);
    void update(Relationship relationship);
    void remove(Relationship relationship);

Here add() creates a new relationship, while update() and remove() modify or delete an existing one.
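The pieces described above (credential validation with Credentials.Status, creating a user and a group, and group membership through the RelationshipManager) put together in one runnable class. This is an added example, not code from the post; it assumes the PicketLink 2.5+ API bootstrapped with DefaultPartitionManager and a file-based identity store, and the e-mail address and password are constructed sample values.

```java
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.User;

public class IdmWalkthrough {
    public static void main(String[] args) {
        // File-based store: no database or LDAP needed for a local try-out.
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder.named("default").stores().file().supportAllFeatures();
        PartitionManager partitionManager = new DefaultPartitionManager(builder.buildAll());
        partitionManager.add(new Realm(Realm.DEFAULT_REALM));
        IdentityManager identityManager = partitionManager.createIdentityManager();
        RelationshipManager relationshipManager = partitionManager.createRelationshipManager();

        // Create and persist the user from the post (sample e-mail address is constructed).
        User user = new User("jdoe");
        user.setFirstName("John");
        user.setLastName("Doe");
        user.setEmail("jdoe@example.com");
        identityManager.add(user);
        // The Password credential handler stores a salted hash, not the clear text.
        identityManager.updateCredential(user, new Password("sample-password"));

        // Group plus a GroupMembership relationship, created through the BasicModel helpers.
        Group employees = new Group("employees");
        identityManager.add(employees);
        BasicModel.addToGroup(relationshipManager, user, employees);

        System.out.println("right password: " + check(identityManager, "jdoe", "sample-password"));
        System.out.println("wrong password: " + check(identityManager, "jdoe", "not-the-password"));
        System.out.println("member of employees: " + BasicModel.isMember(relationshipManager, user, employees));
    }

    // Runs validateCredentials() and returns the resulting Credentials.Status.
    static Credentials.Status check(IdentityManager im, String login, String password) {
        UsernamePasswordCredentials creds = new UsernamePasswordCredentials(login, new Password(password));
        im.validateCredentials(creds);
        // Treat the login as successful only when the status is VALID; only then is getValidatedAccount() populated.
        return creds.getStatus();
    }
}
```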


You can read more about the integration side at the link below from JBoss:




If you want to test a sample app with IDM to get a feel for how it works, you can go to the link below and follow the steps to deploy and test it on WildFly.



Note: Maven needs to be configured to deploy the sample application. It can be downloaded from here.

