
SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IdP) and a SAML consumer is a service provider (SP).

Enterprise applications that have SAML2-based SSO infrastructures sometimes need to consume OAuth-protected resources through APIs. These applications prefer to reuse the existing trust relationship with the IdP, even if the OAuth authorization server is entirely different from the IdP. The API Manager leverages this trust relationship by exchanging the SAML2.0 token for an OAuth token using the SAML 2.0 bearer assertion grant (grant type urn:ietf:params:oauth:grant-type:saml2-bearer, RFC 7522). The API Manager itself acts as the OAuth authorization server.

The diagram below depicts the above with WSO2 Identity Server (version 4.5.0 onwards) as the IdP.

The steps of the above diagram are explained below:

...

  • As the application is a SAML SP, it redirects the user to the SAML2.0 IdP to log in.
  • The user provides credentials at the IdP and is redirected back to the SP with a SAML2.0 token (assertion) signed by the IdP.
  • The SP verifies the token (signature, issuer, audience and validity period) and logs the user in to the application.
  • The SP stores the SAML 2.0 token in the user's session so that it can later be exchanged for an OAuth access token.

...

Note

Before you begin, make sure you have the following:

  • A valid user account in the API Store.
  • A valid consumer key and consumer secret. Initially, these keys must be generated in the API Store by clicking the Generate Keys button on the Production Keys tab of the application.
  • A running API Gateway instance. 
  • If the Key Manager is on a different server than the API Gateway, change the server URL (host and ports) of the Key Manager accordingly in the <APIKeyManager><ServerURL> element of the <APIM_HOME>/repository/conf/api-manager.xml file.
  • A valid SAML2 assertion. You can obtain one using the Identity Server, which can act as a SAML2 SSO IdP. See Configuring SAML2 Single-Sign-On Across Different WSO2 Products in the Identity Server documentation for more information.

We use WSO2 Identity Server 5.2.0 as the IdP to get a SAML token and the API Manager as the OAuth server.

  1. Sign in to the API Manager's management console ( https://localhost:9443/carbon ) using the default admin/admin credentials and select Add under the Identity Providers menu in the Main menu.

  2. Provide the following values to configure the IdP:
    • Under Basic Information
      • Identity Provider Name: Enter a unique name for the IdP.
      • Identity Provider Public Certificate: The certificate used to verify the signature on the SAML assertion. Export the public certificate of WSO2 IS and import it here. The assertion must be signed with the private key that matches this certificate; with the default keystores this is the wso2carbon key pair.

        Alternatively, you can create a self-signed key pair and export its certificate as a .cer file using the following commands. The keystore and alias you create here must then be the ones you sign the assertion with:

        Code Block
        keytool -genkey -alias wookie -keyalg RSA -keysize 4096 -keystore wookieKeystore.jks
        keytool -v -export -alias wookie -keystore wookieKeystore.jks -file wookie.cer
      • Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias, e.g., https://localhost:9443/oauth2/token
    • Under Federated Authenticators -> SAML2 Web SSO Configuration
      • Enable SAML2 Web SSO: true (select the check box)

      • Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion, i.e. the unique identifier of the IdP that appears in the assertion's <saml:Issuer> element. You give the same name as the issuer when configuring the SP.

      • Service Provider Entity Id: The issuer name given when configuring the SP.
      • SSO URL: Enter the IdP's SAML2 Web SSO URL, e.g., https://localhost:9444/samlsso/ if you have offset the default port (9443) by one.
     Next, let's register a service provider.
  3. Log in to the management console of the Identity Server and select Add under the Service Providers menu in the Main menu.
  4. Choose to edit the service provider that you just registered and select SAML2 Web SSO Configuration.
  5. Provide the following values to configure the SP:

    Let's see how to get a signed SAML2 token (the encoded assertion value) by authenticating against a SAML2 IdP. In the authentication request, you pass attributes such as the SAML2 issuer name, the token endpoint (the recipient) and the restricted audience. In this guide, we use a command-line client program developed by WSO2 to create the Base64-encoded, URL-encoded SAML assertion.
  6. Download the client program from here and unzip the SAML2AssertionCreator.zip file.
  7. Execute the following command inside the extracted SAML2AssertionCreator directory. It generates a signed, encoded SAML assertion.

    Code Block
    java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <user_name> <recipient> <requested_audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias>  <private_key_password>

    Here's an example command with the issuer name TestSP, the API Manager's token endpoint as both the recipient and the requested audience, and the default wso2carbon key pair for signing. The issuer must equal the Identity Provider Entity Id configured in step 2, and the certificate imported there must match the signing key named here:

    Code Block
    java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token /home/user/wso2am-2.0.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon

    You now have a SAML2 assertion.

  8. Execute the following command to get the OAuth access token. The consumer key and consumer secret are the pair generated by clicking the Generate Keys button on the Production Keys tab of the application in the API Store; send them as Base64-encoded HTTP Basic credentials. The assertion value must be URL-encoded in the form body: the client program above already emits it that way, but if you obtain the assertion by other means, pass it with curl's --data-urlencode option instead of -d.

    Code Block
    curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type:application/x-www-form-urlencoded" https://<IP-of-the-APIM-server>:9443/oauth2/token
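To make the exchange concrete, here is an added example in Python. It is not WSO2 code and not part of the original page: it builds an assertion carrying the fields the saml2-bearer grant requires (Issuer, Subject with a bearer SubjectConfirmation naming the token endpoint as Recipient, an AudienceRestriction for the same endpoint, and a validity window), encodes it for the token request the curl command above sends, and then runs the checks an authorization server must make on the assertion before issuing a token (trusted issuer, audience, recipient, validity window, single use). XML signature creation and verification are left to an XML-DSig library and are assumed to have been done against the certificate imported in step 2; the function and parameter names (`build_assertion`, `validate_assertion`, `seen_ids`) are this example's own, and the recipient and audience are assumed to both be the token endpoint, as on this page.

```python
"""SAML 2.0 bearer assertion grant (RFC 7522): build, encode and validate.

Added example, not WSO2 code. Signing and signature verification need an
XML-DSig library (e.g. python-xmlsec or signxml) and are not shown; every
check in validate_assertion() assumes the signature over the Assertion
element has already been verified against the IdP certificate.
"""
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET  # fine for constructed input; use defusedxml for assertions from the network
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
S = "{%s}" % SAML_NS
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def _utcnow():
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _within(not_before, not_on_or_after, now):
    """not_before <= now < not_on_or_after; a missing bound fails closed."""
    if not_before is None or not_on_or_after is None:
        return False
    return _parse_ts(not_before) <= now < _parse_ts(not_on_or_after)


def build_assertion(issuer, subject, recipient, audience, now=None, lifetime_s=300):
    """Unsigned SAML 2.0 assertion with the content RFC 7522 section 3 requires."""
    now = now or _utcnow()
    expiry = _ts(now + dt.timedelta(seconds=lifetime_s))
    ET.register_namespace("saml", SAML_NS)
    # xs:ID values must not start with a digit, hence the underscore prefix
    a = ET.Element(S + "Assertion", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, S + "Issuer").text = issuer
    subj = ET.SubElement(a, S + "Subject")
    ET.SubElement(subj, S + "NameID").text = subject
    sc = ET.SubElement(subj, S + "SubjectConfirmation", {"Method": BEARER})
    ET.SubElement(sc, S + "SubjectConfirmationData", {"Recipient": recipient, "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, S + "Conditions", {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = audience
    authn = ET.SubElement(a, S + "AuthnStatement", {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(authn, S + "AuthnContext")
    ET.SubElement(ctx, S + "AuthnContextClassRef").text = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    return ET.tostring(a, encoding="unicode")


def encode_assertion(xml_text):
    """Base64 the XML; token_request() form-encodes the result (+ / = become %2B %2F %3D)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def token_request(assertion_b64, consumer_key, consumer_secret, scope="PRODUCTION"):
    """Headers and body of the POST to /oauth2/token, as in the curl command above."""
    body = urlencode({"grant_type": GRANT, "assertion": assertion_b64, "scope": scope})
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds, "Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def validate_assertion(assertion_b64, trusted_issuer, token_endpoint, seen_ids, now=None):
    """Authorization-server checks from RFC 7522 section 3, run AFTER signature
    verification. Returns a list of problems (empty means accept). seen_ids is
    the server's replay cache of accepted assertion IDs; a hypothetical name."""
    now = now or _utcnow()
    root = ET.fromstring(base64.b64decode(assertion_b64))
    if root.tag != S + "Assertion":
        return ["not a SAML 2.0 Assertion element"]
    errors = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        errors.append(f"issuer {issuer!r} not trusted")
    if not root.findtext("saml:Subject/saml:NameID", namespaces=NS):
        errors.append("missing subject NameID")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not _within(cond.get("NotBefore"), cond.get("NotOnOrAfter"), now):
        errors.append("assertion outside its validity window")
    audiences = [x.text for x in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if token_endpoint not in audiences:
        errors.append("audience restriction does not name this token endpoint")
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") == BEARER and data is not None and data.get("Recipient") == token_endpoint
                and data.get("NotOnOrAfter") and now < _parse_ts(data.get("NotOnOrAfter"))):
            confirmed = True
    if not confirmed:
        errors.append("no unexpired bearer SubjectConfirmation addressed to this token endpoint")
    if root.get("ID") in seen_ids:
        errors.append("assertion ID already used (replay)")
    if not errors:
        seen_ids.add(root.get("ID"))
    return errors
```

When wiring the signature step in, verify that the signed element is the very Assertion element these checks then read (compare the signature reference's ID to the assertion's ID); otherwise an attacker can wrap a valid signed assertion around an unsigned one and have the parser pick the wrong element. The replay cache only needs to remember IDs until their NotOnOrAfter has passed.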

...