One of the very first complements to the OAuth 2.0 specification is the SAML2 Bearer Assertion Profile for OAuth 2.0. This page covers the following two use scenarios for SAML 2.0 assertions:
- Using SAML2.0 assertions as authorization grants
- Using SAML2.0 assertions for client authentication
Of these two use scenarios, the former is the one more commonly needed in enterprises. The WSO2 Identity Server supports this process.
...
Create a SAML2 assertion. You can use the command line client program from here. Extract the ZIP file, change directory into the extracted folder and execute the following command on the command line.
```shell
java -jar SAML2AssertionCreator.jar SAML2AssertionCreator admin https://localhost:9443/oauth2endpointsoauth2/token https://localhost:9443/oauth2endpointsoauth2/token <your_JKS_file> <your_JKS_password> <your_certificate_alias> <your_private_key_password>
```
The first argument to the program is the saml:Issuer value. The second argument is the saml:Subject -> saml:NameID value. The third argument is the Recipient attribute of saml:Subject -> saml:SubjectConfirmation -> saml:SubjectConfirmationData. The fourth argument can take multiple comma-separated values; each value is added as a saml:Audience element within the saml:AudienceRestriction element of the token. The fifth argument points to the Java KeyStore (JKS) file to be used for credentials. The sixth argument is the JKS password. The seventh argument is the alias of the public certificate to be used. The eighth argument is the password of the private key used for signing.

Download the WSO2 Identity Server from here. Open the identity.xml file found at:

<WSO2_IS_HOME>/repository/conf/identity.xml

Make sure the “urn:ietf:params:oauth:grant-type:saml2-bearer” grant is listed under the <SupportedGrantTypes> configuration. Enter “SAML2AssertionCreator” under SAML2Grant -> Issuers; if you used another value for saml:Issuer when creating the SAML2 assertion, enter that value instead. Now start the server.
- Start and log in to the WSO2 Identity Server and access the management console.
- Register a new Trusted Identity Provider.
- To do this, go to Configure > Trusted Identity Providers.
- Click on ‘Add New Trusted Identity Provider’.
- Enter a unique identifier for this Trusted Identity Provider across the tenant.
- Enter the Issuer value used to generate the SAML2 assertion into the Trusted Identity Provider Issuer field.
Info: The default Issuer value of the WSO2 Identity Server when acting as an SSO provider is ‘https://localhost:9443/samlsso’. The default Identity Provider URL is also the same as the Issuer value.
- Upload the public certificate corresponding to the private key used to sign the SAML2 assertion.
- Create a new OAuth2.0 application under Main -> Manage -> OAuth.
Execute the following HTTP request using an HTTP client such as cURL or Advanced Rest Client in Google Chrome. The cURL command is as follows:
```shell
curl -X POST -u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PHNhbWxwOl...[omitted for brevity]...ZT4" https://localhost:9443/oauth2endpointsoauth2/token
```
- The -u flag should specify the “<Client Id>:<Client Secret>” value. The assertion parameter should specify the base64url-encoded SAML2.0 assertion. Copy and paste the output value of the command line client. Make sure you have copied the exact value produced by the client, no more, no less, since that value can be quite large.
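As an added example (not code from the WSO2 server or the SAML2AssertionCreator tool), the following Python performs the checks the server must apply to a bearer assertion before issuing a token: the saml:Issuer must be a registered Trusted Identity Provider, the Recipient and saml:Audience must name the token endpoint, and the NotOnOrAfter times must not have passed; it also base64url-encodes the assertion for the `assertion` parameter. The sample assertion, the function names and the constants are constructed for illustration; verifying the XML signature against the uploaded certificate is a separate step not shown here.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2endpointsoauth2/token"  # value used on this page
# Constructed, unsigned sample using the values passed to SAML2AssertionCreator above (not a real token).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>SAML2AssertionCreator</saml:Issuer>
  <saml:Subject>
    <saml:NameID>admin</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{TOKEN_ENDPOINT}" NotOnOrAfter="2099-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(ts):
    # SAML timestamps are UTC ISO 8601 such as 2014-01-01T00:00:00Z; fractional seconds are dropped.
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_bearer_assertion(xml_text, trusted_issuers, token_endpoint, now=None):
    """Return the failed checks (empty list = acceptable). Signature verification is a separate step, not shown."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    failures = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:  # must match a registered Trusted Identity Provider
        failures.append(f"issuer {issuer!r} is not a registered Trusted Identity Provider")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = None if conf is None else conf.find("saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Method") != BEARER:
        failures.append("SubjectConfirmation Method is not bearer")
    if data is None or data.get("Recipient") != token_endpoint:  # assertion was minted for this endpoint
        failures.append("Recipient does not match the token endpoint")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if token_endpoint not in audiences:
        failures.append("token endpoint is not listed as an Audience")
    for label, el in (("SubjectConfirmationData", data), ("Conditions", root.find("saml:Conditions", NS))):
        if el is not None and el.get("NotOnOrAfter") and parse_saml_time(el.get("NotOnOrAfter")) <= now:
            failures.append(f"{label} NotOnOrAfter has passed")
    return failures

def encode_assertion(xml_text):
    # base64url without padding, the encoding RFC 7522 specifies for the 'assertion' form parameter
    return base64.urlsafe_b64encode(xml_text.encode()).decode().rstrip("=")
```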
...