Authentication Using SAML Token Profile

Security Assertion Markup Language (SAML) 1.1

The Security Assertion Markup Language (SAML) standard defines an XML-based mechanism for exchanging messages that contain security information in the form of assertions. A SAML assertion contains one or more statements about a user. There are three different types of statements that are defined by the SAML specification:
SAML messages follow a request and response protocol for requesting and receiving assertions, in which SAML Request and Response elements are included within the body of SOAP messages that are exchanged between SAML requesters and SAML responders. SAML messages provide a mechanism that you can use to implement SSO with P6 Web Services. Support for the SAML method of authentication is available in release 8 of P6 Web Services.

For additional information about SAML, please refer to the Security Assertion Markup Language (SAML) v1.1 specification set. This specification set contains information about SAML assertions, protocol, bindings, profiles, and conformance. At the time of this writing, this group of specifications was available at: http://www.oasis-open.org/specs/

When using SAML, the P6 Authentication mode must be set to WebSSO or LDAP.

To configure the server to authenticate user credentials using SAML 1.1:
Step one: Create the SAML Token

For example, the following code snippet was extracted from the DemoOutInterceptor.java file that is included with the P6 Web Services demo application:

    private Element addSAMLAssertion(WSSecurity sec, WSSOAPEnvelope wsEnvelope) throws Exception {
        SAMLInitializer.initialize(1, 1);
        Document aDoc = wsEnvelope.getOwnerDocument();

        // Create all the information that we need for our own SAML assertion.
        // And since we're acting as the identity provider, we also specify how the user authenticated
        AuthenticationStatement statement = new AuthenticationStatement(aDoc);
        statement.setAuthenticationMethod(SAMLURI.authentication_method_password);
        statement.setAuthenticationInstant(new Date());
        statement.setSubject(createSAMLSubject(aDoc, m_demoInfo.username));

        // Unique assertion id and a five-minute validity window (NotBefore / NotOnOrAfter)
        String assertionId = XMLUtils.randomName();
        Date notBefore = new Date();
        Date notOnOrAfter = Utils.minutesFrom(notBefore, 5);

        // Create the assertion element we need based on all the information above
        Assertion assertion = createAssertion(aDoc, assertionId, SAML_ISSUER, notBefore, notOnOrAfter,
                SAML_ISSUER, statement);
        SAMLAssertionToken samlToken = new SAMLAssertionToken(assertion);
        sec.addSAMLAssertionToken(samlToken);

        // Finally, to prove that the assertion that we're sending out is actually from the identity provider (us),
        // we can sign the message with our private key.
        if (m_demoInfo.samlSigned) {
            // We just need to load the digital certificate and private key from the keystore specified
            KeyStore keyStore = KeyStore.getInstance(m_demoInfo.samlKeystoreType);
            keyStore.load(new FileInputStream(m_demoInfo.samlKeystore), m_demoInfo.samlKeystorepass.toCharArray());
            String privateKeyPassword = m_demoInfo.samlKeypass;
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(m_demoInfo.samlAlias, privateKeyPassword.toCharArray());

            // And we can use the private key to sign our assertion,
            // verifying that the message comes from us
            assertion.sign(privateKey, null);
        }
        return assertion.getElement();
    }

Step two: Configure the CXF outgoing properties for including SAML information

For example, the following code snippet was extracted from the WSDemo.java file that is included with the P6 Web Services demo application:

    if (m_demoInfo.authMode == USERNAME_TOKEN_MODE || m_demoInfo.authMode == SAML_MODE) {
        client.getEndpoint().getOutInterceptors().add(new SAAJOutInterceptor());
        client.getEndpoint().getInInterceptors().add(new SAAJInInterceptor());

        // To do UsernameToken or SAML, we use our own Interceptor.
        // This will also handle encryption, if enabled
        client.getEndpoint().getOutInterceptors().add(new DemoOutInterceptor(m_demoInfo));

        // However, we only need a custom inbound Interceptor if we know that the server
        // is sending back encrypted messages.
        if (m_demoInfo.encEnabled && m_demoInfo.encInbound) {
            client.getEndpoint().getInInterceptors().add(new DemoInInterceptor());
        }
    }

Refer to the demo source to view the code snippets above within their context.

At the time of this writing, related OSDT samples could be found at: http://www.oracle.com/technology/sample_code/products/id_mgmt/security-developer-tools/index.html

Additional information can be found at: http://www.oracle.com/technetwork/testcontent/index-093386.html
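The assertion built in step one carries an Issuer, a five-minute Conditions window and a random AssertionID; the consuming side has to check all three, and signature verification alone covers none of them. The following is an added example (not P6 or OSDT code) of those receiver-side checks on a constructed SAML 1.1 assertion of the same shape; it assumes the XML signature has already been verified by an XML-DSig library, and the issuer name, subject and timestamps are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample with the shape the demo produces: a password AuthenticationStatement
# and a five-minute Conditions window. Values are made up for this example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-id-1" Issuer="demo-issuer" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-01-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>admin</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_instant(value):
    """Parse the UTC xsd:dateTime form (trailing Z) used in the demo's assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuers, now, seen_ids, skew=timedelta(seconds=30)):
    """Return the authenticated subject name or raise ValueError.
    Assumes the enveloped XML signature was already verified by an XML-DSig library
    against the issuer's certificate; these checks are what signature verification
    alone does not give you."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x assertion")
    if root.get("Issuer") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    # Validity window with a small clock-skew allowance; NotOnOrAfter is exclusive.
    if now + skew < parse_instant(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    # A five-minute window still allows replay; remember AssertionIDs for that long.
    assertion_id = root.get("AssertionID")
    if not assertion_id or assertion_id in seen_ids:
        raise ValueError("missing or replayed AssertionID")
    seen_ids.add(assertion_id)
    name = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        raise ValueError("no authenticated subject")
    return name.text
```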