SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IDP) and a SAML consumer is a service provider (SP).
Enterprise applications that have SAML2-based SSO infrastructures sometimes need to consume OAuth-protected resources through APIs. These applications prefer to reuse their existing trust relationship with the IDP, even when the OAuth authorization server is an entirely different system from the IDP. The API Cloud leverages this trust relationship by exchanging the SAML 2.0 token for an OAuth token with the authorization server; the API Cloud itself acts as the OAuth authorization server.
...
Let's configure the token exchange.
Configuring the token exchange
Note: Before you begin, make sure you have the following:
We use WSO2 Identity Server 5.0.0 as the IDP to get a SAML token and the API Cloud as the OAuth server.
To configure the token exchange, contact WSO2 API Cloud Support via a support request or chat, and follow the steps below.
Download the SAML2AssertionCreator.zip file from here.
- Provide the following values to configure the IDP:
  Under Basic Information:
  - Identity Provider Public Certificate: The certificate used to sign the SAML assertion. Export the public certificate of WSO2 IS and import it here.
  - Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias. E.g., https://keymanager.api.cloud.wso2.com/oauth2/token.
  Under Federated Authenticators -> SAML2 Web SSO Configuration:
  - Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion token, which contains the unique identifier of the IDP. You give this name when configuring the SP.
  - Service Provider Entity Id: Issuer name given when configuring the SP.
  - SSO URL: Enter the IDP's SAML2 Web SSO URL value. E.g., https://localhost:9444/samlsso/ if you have offset the default port, which is 9443.
Next, let's see how to get a signed SAML2 token (the encoded assertion value) by authenticating against a SAML2 IDP. In the authentication request you pass attributes such as the SAML2 issuer name, the token endpoint and the restricted audience. In this guide, we use a command-line client program to create the SAML2 assertion.
- Get the SAML token using SAML2AssertionCreator.jar as shown in the following command:
  java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <user_name> <recipient> <requested_audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias> <private_key_password>
  Here's an example where TestSP is the name of the issuer:
  java -jar SAML2AssertionCreator.jar TestSP user1 https://keymanager.api.cloud.wso2.com/oauth2/token https://keymanager.api.cloud.wso2.com/oauth2/token /home/ubuntu/wso2is-5.0.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
- Get the OAuth access token. An example command is given below. The assertion value must be URL-encoded when placed in the form body, and the Authorization and Content-Type headers are passed as two separate -H options:
  curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<ASSERTION_PROVIDED_BY_CLIENT>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type: application/x-www-form-urlencoded" "https://gateway.api.cloud.wso2.com:8243/token?tenantDomain=<your_tenant_domain>"
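As an added example that is not part of this WSO2 documentation, the following Python code shows both sides of the exchange described above: the checks an authorization server applies to a bearer assertion (issuer equals the configured Identity Provider Entity Id, Audience and Recipient equal the token endpoint, validity window) before it issues an OAuth token, and the headers and form body that the curl command sends. The sample assertion, consumer key and secret are constructed placeholders, and XML signature verification against the IDP certificate is assumed to be done separately.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_EP = "https://keymanager.api.cloud.wso2.com/oauth2/token"
# Constructed, unsigned sample shaped like the SAML2AssertionCreator example above
# (issuer TestSP, subject user1, recipient and audience both the token endpoint).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Issuer>TestSP</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{TOKEN_EP}" NotOnOrAfter="2024-01-01T10:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_EP}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
def _ts(value):
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_bearer_assertion(xml_text, expected_issuer, token_endpoint, now):
    """Checks the authorization server applies before exchanging a bearer assertion; returns
    the failed checks (empty list = accept). Signature verification is assumed done first."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer does not match Identity Provider Entity Id")
    if token_endpoint not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        problems.append("token endpoint not in AudienceRestriction")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != token_endpoint:
        problems.append("Recipient does not match token endpoint")
    cond = a.find("saml:Conditions", NS)
    expiries = [el.get("NotOnOrAfter") for el in (cond, scd) if el is not None]
    if any(exp and now >= _ts(exp) for exp in expiries):
        problems.append("assertion expired")
    if cond is not None and cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    return problems

def build_token_request(xml_text, consumer_key, consumer_secret, scope="PRODUCTION"):
    """Headers and form body of the saml2-bearer grant the curl example above sends."""
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    body = urllib.parse.urlencode({  # urlencode escapes the +, / and = of Base64
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": base64.b64encode(xml_text.encode()).decode(), "scope": scope})
    return {"Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded"}, body
```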
Invoking the Token API to generate tokens
...