
Authentication Using SAML Token Profile

Security Assertion Markup Language (SAML) 1.1

The Security Assertion Markup Language (SAML) standard defines an XML-based mechanism for exchanging messages that carry security information in the form of assertions. A SAML assertion contains one or more statements about a user. The SAML specification defines three types of statements:

  • Authentication statements define how and when the user was authenticated
  • Attribute statements provide details about the user
  • Authorization decision statements identify what the user is permitted to do

SAML messages follow a request and response protocol for requesting and receiving assertions, in which SAML Request and Response elements are carried in the body of SOAP messages exchanged between SAML requesters and SAML responders. The SAML Token Profile provides a mechanism you can use to implement single sign-on (SSO) with P6 Web Services. Support for the SAML method of authentication is available in release 8 of P6 Web Services.

For additional information about SAML, refer to the Security Assertion Markup Language (SAML) v1.1 specification set, which covers SAML assertions, protocol, bindings, profiles, and conformance. At the time of this writing, this group of specifications was available at:

http://www.oasis-open.org/specs/

When using SAML, the P6 Authentication mode must be set to WebSSO or LDAP.

To configure the server to authenticate user credentials using SAML 1.1:

  1. Launch the Administration Application.
  2. On the Configurations tab, set the Web Services/Security/Authentication/Mode setting to SAML Token Profile.
  3. On the Configurations tab, set the Web Services/Security/Authentication/SAML Token Profile/SAML 1.1 Tokens/Issuer setting to the issuer value that the identity provider places in its assertions. Separate multiple trusted issuers with a space; assertions whose Issuer does not match one of these values are rejected.
  4. On the Configurations tab, set the Web Services/Security/Authentication/SAML Token Profile/SAML 1.1 Tokens/IssueInstant Timeout setting to the number of seconds after an assertion's IssueInstant during which the server still accepts it. Keep this window short (it bounds how long a captured assertion remains replayable) but allow for clock skew between the identity provider and the P6 server.
  5. On the Authentication tab, set the Authentication/Login Mode to WebSSO or LDAP.

Step one: Create the SAML Token

The following code snippet is extracted from the DemoOutInterceptor.java file that is included with the P6 Web Services demo application. The client acts as its own identity provider here: it builds an assertion with a single authentication statement, gives it a five-minute validity window, attaches it to the WS-Security header, and optionally signs it with the private key from a keystore. The SAML_ISSUER constant must match one of the issuers configured in step 3 above, and in a real deployment the server must be able to verify the signature against that issuer's certificate; an unsigned assertion proves nothing about who created it.

    private Element addSAMLAssertion(WSSecurity sec, WSSOAPEnvelope wsEnvelope)
        throws Exception
    {
        // Initialise the OSDT SAML library for SAML major version 1, minor version 1
        SAMLInitializer.initialize(1, 1);
        Document aDoc = wsEnvelope.getOwnerDocument();

        // Create all the information that we need for our own SAML assertion.
        // And since we're acting as the identity provider, we also specify how the user authenticated.
        AuthenticationStatement statement = new AuthenticationStatement(aDoc);
        statement.setAuthenticationMethod(SAMLURI.authentication_method_password);
        statement.setAuthenticationInstant(new Date());
        statement.setSubject(createSAMLSubject(aDoc, m_demoInfo.username));

        // Unique assertion ID and a five-minute validity window (Conditions NotBefore/NotOnOrAfter)
        String assertionId = XMLUtils.randomName();
        Date notBefore = new Date();
        Date notOnOrAfter = Utils.minutesFrom(notBefore, 5);

        // Create the assertion element we need based on all the information above.
        // SAML_ISSUER must be one of the issuers configured in the server's Issuer setting.
        Assertion assertion = createAssertion(aDoc, assertionId, SAML_ISSUER, notBefore, notOnOrAfter, SAML_ISSUER, statement);
        SAMLAssertionToken samlToken = new SAMLAssertionToken(assertion);
        sec.addSAMLAssertionToken(samlToken);

        // Finally, to prove that the assertion that we're sending out is actually from the identity provider (us),
        // we can sign the message with our private key.
        if (m_demoInfo.samlSigned)
        {
            // We just need to load the digital certificate and private key from the keystore specified
            KeyStore keyStore = KeyStore.getInstance(m_demoInfo.samlKeystoreType);
            keyStore.load(new FileInputStream(m_demoInfo.samlKeystore), m_demoInfo.samlKeystorepass.toCharArray());
            String privateKeyPassword = m_demoInfo.samlKeypass;
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(m_demoInfo.samlAlias, privateKeyPassword.toCharArray());

            // And we can use the private key to sign our assertion,
            // verifying that the message comes from us
            assertion.sign(privateKey, null);
        }

        return assertion.getElement();
    }
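The following Python example is added here to show both halves of the exchange above: the assertion the client builds in Step one, and the relying-party checks that the Issuer and IssueInstant Timeout settings in the configuration procedure stand for. It is not P6 or OSDT code. The issuer URL, the username and the fixed clock are constructed for illustration; the function names are this example's own. Cryptographic verification of the XML Signature is out of scope for the standard library, so the signature check only tests that a ds:Signature element is present; a real server must verify the signature against the trusted issuer's certificate before it trusts the Subject.

```python
"""Added example: build a SAML 1.1 Authentication assertion with the same shape as the
P6 demo's addSAMLAssertion(), then apply relying-party checks (trusted issuer list,
IssueInstant age limit, Conditions window, signature presence). Not P6/OSDT code;
issuer, username and clock values are constructed for illustration."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 keeps the 1.0 assertion namespace
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"  # SAMLURI.authentication_method_password
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def at(offset_s):
    """Constructed clock: SAMPLE_NOW shifted by offset_s seconds."""
    return SAMPLE_NOW + timedelta(seconds=offset_s)


def _q(name):
    return "{%s}%s" % (SAML_NS, name)  # Clark notation for ElementTree


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    # SAML 1.1 timestamps are UTC ('Z'); fractional seconds are optional
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("bad timestamp %r" % text)


def build_assertion(issuer, username, now, validity_minutes=5):
    """Mirror of the demo: random AssertionID, one AuthenticationStatement (password
    method), Conditions window of validity_minutes. Unsigned (no private key here)."""
    ET.register_namespace("saml", SAML_NS)
    a = ET.Element(_q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + secrets.token_hex(16),  # stands in for XMLUtils.randomName()
        "Issuer": issuer,
        "IssueInstant": _ts(now),
    })
    ET.SubElement(a, _q("Conditions"), {
        "NotBefore": _ts(now),
        "NotOnOrAfter": _ts(now + timedelta(minutes=validity_minutes)),
    })
    st = ET.SubElement(a, _q("AuthenticationStatement"), {
        "AuthenticationMethod": AM_PASSWORD,
        "AuthenticationInstant": _ts(now),
    })
    ET.SubElement(ET.SubElement(st, _q("Subject")), _q("NameIdentifier")).text = username
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text, issuer_setting, issue_instant_timeout_s, now, require_signature=True):
    """Relying-party checks. issuer_setting is the space-separated Issuer value from the
    P6 configuration; issue_instant_timeout_s is the IssueInstant Timeout in seconds.
    Returns (accepted, detail): detail is the username on success, else the reason."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return False, "malformed XML: %s" % e
    if root.tag != _q("Assertion"):
        return False, "not a SAML assertion"
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return False, "unsupported SAML version"
    # Issuer setting: exact match against the configured, space-separated list
    if root.get("Issuer") not in set(issuer_setting.split()):
        return False, "untrusted issuer %r" % root.get("Issuer")
    try:
        # IssueInstant Timeout: reject assertions older than the limit, or dated in the future
        age = (now - _parse_ts(root.get("IssueInstant", ""))).total_seconds()
        if age < 0 or age > issue_instant_timeout_s:
            return False, "IssueInstant outside allowed window (%.0fs old)" % age
        # Conditions: NotBefore <= now < NotOnOrAfter
        cond = root.find(_q("Conditions"))
        if cond is not None:
            if cond.get("NotBefore") and now < _parse_ts(cond.get("NotBefore")):
                return False, "assertion not yet valid"
            if cond.get("NotOnOrAfter") and now >= _parse_ts(cond.get("NotOnOrAfter")):
                return False, "assertion expired"
    except ValueError as e:
        return False, str(e)
    # Signature: presence only; production code must verify the XML-DSig against the
    # trusted issuer's certificate before anything in the assertion is believed
    if require_signature and root.find("{%s}Signature" % DSIG_NS) is None:
        return False, "assertion is not signed"
    st = root.find(_q("AuthenticationStatement"))
    if st is None:
        return False, "no AuthenticationStatement"
    name = st.findtext(_q("Subject") + "/" + _q("NameIdentifier"))
    if not name:
        return False, "no Subject NameIdentifier"
    return True, name


if __name__ == "__main__":
    token = build_assertion("https://idp.example.com", "admin", SAMPLE_NOW)  # constructed issuer/user
    for label, when, timeout in (("fresh", at(10), 300), ("stale", at(301), 300), ("expired", at(300), 3600)):
        print(label, validate_assertion(token, "https://idp.example.com", timeout, when, require_signature=False))
```

Note how the two time checks interact: the IssueInstant Timeout is a server-side cap chosen by the administrator, while NotBefore/NotOnOrAfter are asserted by the issuer; an assertion must pass both, so the effective lifetime is the shorter of the two windows.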

Step two: Configure the CXF outgoing properties for including SAML Information

The following code snippet is extracted from the WSDemo.java file that is included with the P6 Web Services demo application. It registers the SAAJ interceptors that give the custom interceptor access to the SOAP envelope, adds the outbound interceptor that inserts the UsernameToken or SAML token (and encrypts, if enabled), and adds an inbound interceptor only when the server is expected to return encrypted messages:

    if (m_demoInfo.authMode == USERNAME_TOKEN_MODE || m_demoInfo.authMode == SAML_MODE)
    {
        client.getEndpoint().getOutInterceptors().add(new SAAJOutInterceptor());
        client.getEndpoint().getInInterceptors().add(new SAAJInInterceptor());

        // To do UsernameToken or SAML, we use our own Interceptor.
        // This will also handle encryption, if enabled.
        client.getEndpoint().getOutInterceptors().add(new DemoOutInterceptor(m_demoInfo));

        // However, we only need a custom inbound Interceptor if we know that the server
        // is sending back encrypted messages.
        if (m_demoInfo.encEnabled && m_demoInfo.encInbound)
        {
            client.getEndpoint().getInInterceptors().add(new DemoInInterceptor());
        }
    }

Refer to the demo source to view the code snippets above within their context.

At the time of this writing, related OSDT samples could be found at:

http://www.oracle.com/technology/sample_code/products/id_mgmt/security-developer-tools/index.html

Additional information can be found at:

http://www.oracle.com/technetwork/testcontent/index-093386.html

