SAML 2.0 is an XML SAML 2.0 is an XML-based protocol. It uses security tokens containing containing assertions to to pass information about an end-user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IDPis an identity provider (IdP) and a SAML consumer consumer is a service provider provider (SP).
Enterprise applications that have SAML2 based SAML2-based SSO infrastructures sometimes need to consume OAuth-protected resources through APIs. However, these apps prefer to use the existing trust relationship with the IDPIdP, even if the OAuth authorization server is entirely different from the IDPIdP. The The API Manager leverages this trust relationship by exchanging by exchanging the SAML2.0 token to an OAuth token with the authorization server. It acts as the OAuth authorization server.
The diagram below depicts the above with WSO2 Identity Server Server (version 4.5.0 onwards) as the IDPIdP.
The steps of the above diagram are explained below:
Step [1]: User initiates a login call to an enterprise application
Step [2]:
- As the application is a SAML SP, it redirects the user to the SAML2.0 IDP IdP to log in.
- The user provides credentials at the IDP and is redirected back to the SP with a SAML2.0 token signed by the IDPIdP.
- The SP verifies the token and logs the user to the application.
- The SAML 2.0 token is stored in the user's session by the SP.
Step [3]:
- The enterprise application (SP) wants to access an OAuth2 protected API resource through WSO2 API Manager.
- The application makes a request to the API Manager to exchange the SAML2 bearer token for an OAuth2.0 access token.
- The API Manager validates the assertion and returns the access token.
Step [4]: User does API invocations through the API Manager by setting it as an Authorization header with header with the returned OAuth2 access token.
...
Table of Contents |
---|
A sequence diagram explaining the above flow would be as follows:
Configuring the token exchange
Note |
---|
Before you begin, make sure you have the following:
|
We use WSO2 Identity Server 5.2.0 as the IDP IdP to get a SAML token and the API Manager as the OAuth server.
Log Sign in to the API Manager's management console ( https://localhost:9443/carbon ) using admin/admin credentials and select Add under Identity Providers menu in the Main menu.
Note If you are using a tenant to create the Identity Provider, use the credentials of tenant admin to log into the API Manager's Management Console.
- Provide the following values to configure the IDPIdP:
- Under Basic Information
- Identity Provider Name: Enter a unique name for IDPIdP
Identity Provider Public Certificate: The certificate used to sign the SAML assertion. Export the public certificate of WSO2 IS and import it here.
Alternatively, you can create a selfa self-signed certificate and then export it as a
.cer
file using the following commands:Code Block keytool -genkey -alias wookie -keyalg RSA -keystore wookieKeystore.jks -keysize 4096 keytool -v -export -file keystore1.cer -keystore keystore1.jks -alias keystore1
- Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias. Ee.g., https://localhost:9443/oauth2/token
- Under Federated Authenticators -> SAML2 Web SSO Configuration
Enable SAML2 Web SSO: true
Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion token, which contains the unique identifier of the IDP. You give this name when configuring the SP.
- Service Provider Entity Id: Issuer Issuer name given when configuring the SP
SSO URL: Enter the IDP's SAML2 Web SSO URL value. E.g., https://localhost:9444/samlsso/ if you have offset the default port, which is 9443.
Note If you are in tenant mode, append the tenant domain to the SSO URL as a query parameter as below.
https://localhost:9443/samlsso?tenantDomain=<tenantDomain>
- Under Basic Information
- Log in to the management console of the Identity Server and select Add under Service Providers menu in the Main menu.
- Choose to edit the service provider that you just registered and select SAML2 Web SSO Configuration.
- Provide the following values to configure the SP :and click Update.
- Issuer: Give any name
- Assertion Consumer URL: The URL to which the IDP IdP sends the SAML response . E(e.g., https://localhost:9443/store/jagg/jaggery_acs.jag).
- Enable Response Signing: true
- Enable Assertion Signing: true
- Enable Audience Restriction: true
- Audience: URL of the token API (e. E.g., https://localhost:9443/oauth2/token).
Let's see how toget a signed SAML2 token (encoded assertion value) when authenticating against a SAML2
IDPIdP. With the authentication request, you pass attributes such as the SAML2 issuer name, token endpoint and the restricted audience. In this guide, we use a command-line client program developed by WSO2
to create the 64to create the 64-bit, URL-encoded SAML assertion.
- Download the client program from here and unzip the
SAML2AssertionCreator.zip
file. Execute the following command inside that
SAML2AssertionCreator
directory. It generates a SAML token.Code Block java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <user_name> <recipient> <requested_audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias> <private_key_password>
Here's an example command with the issuer name as TestSP:
Code Block java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token/home/dinusha/nothing/WSO2/API-Manager/saml-oauth/wso2is-5.2.0/rhbepository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
You now have a SAML2 assertion.
Execute the following command to get the OAuth Access token. You can generate a consumer key and consumer secret pair by clicking the the Generate Keys button on the Production Keys tab of the application in the API Store .
Code Block curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type:application/x-www-form-urlencoded" https://<IP of the APIM server>:9443/oauth2/token
Invoking the Token API to generate tokens
...
- Combine the consumer key and consumer secret keys as
consumer-key:consumer-secret
. Encode the combined string using base64 (http://base64encode.org). Here Here's an example consumer key and secret combination:wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.
Let's create a SAML2 assertion using the same command-line client that you used in the previous section. - Download the command-line too from here and extract the ZIP file.
Go to the extracted folder using the command line and execute the following command. We assume We assume that both the client and the API Gateway run on the same server. Therefore, the Token API URL is https://localhost:8243/token.
Localtabgroup Localtab active true id format title Format Code Block title Format java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <saml-subject> <saml-recipient> <saml-audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias> <Identity_Provider_private_key_password>
Localtab id example title Example Code Block title Example java -jar SAML2AssertionCreator.jar localhost admin https://localhost:9443/oauth2/tokenhttpstoken https://localhost:9443/oauth2/token /home/user/wso2am-2.1.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
The arguments are as follows:
<Identity_Provider_Entity_Id>
- This is the value of thesaml:Issuer
, which is a unique identifier of the identity provider.<saml-subject>
- This is the value of the name ID, which is found in thesaml:Subject
->saml:NameId
<saml-recipient>
- This is the value of the subject confirmation data recipient, which is found in thesaml:Subject
->saml:SubjectConfirmation
>saml:SubjectConfirmationData.Recipient
<saml-audience>
- This is the value that is added to thesaml:AudienceRestriction
element of the token. This argument can take multiple values separated by commas. Each value is added as asaml:Audience
element withinsaml:AudienceRestriction
.<Identity_Provider_JKS_file>
- Pointer to the Java Key Store (JKS) file to be used for credentials.<Identity_Provider_JKS_password> -
The JKS password.<Identity_Provider_certificate_alias>
- The alias of the public certificate.- The
<Identity_Provider_private_key_password> -
The password of the private key that is used for signing.
This commend returns a SAML2 assertion XML string and a base64-URL encoded assertion XML string.
Access the Token API using a REST client such as curl. For example, the following Curl command generates an access token and a refresh token. You can use the refresh token at the time a a token is renewed.
Code Block curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<base64-URL_encoded_assertion>&scope=PRODUCTION" -H "Authorization: Basic <base64_encoded_consumer-key:consumer-secret>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
Note Note that the Registered Users for Application statistics takes the number of users shared each of the Application. And for the users to be counted in the statistics, they should have to generate access tokens using Password Grant type.