Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

Table of Contents
maxLevel3
minLevel3

...

The following is the source code of a custom attribute finder. It simply parses the distinguished name of the certificate and extracts the value of CN, which is used as the identifier to query the user store for claims.

Code Block
languagejava
package org.wso2.carbon.identity.resource.sts.attributeservice.x509;
 
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasData;
import org.apache.rahas.impl.util.SAMLAttributeCallback;
import org.opensaml.SAMLException;
import org.wso2.carbon.identity.provider.AttributeCallbackHandler;
import org.wso2.carbon.identity.provider.IdentityAttributeService;
 
public class X509AttributeService extends AttributeCallbackHandler implements IdentityAttributeService {
 
    private static Log log = LogFactory.getLog(X509AttributeService.class);
 
    public void handle(SAMLAttributeCallback attrCallback) throws SAMLException {
        RahasData data = null;
        String userIdentifier = null;
        String[] splitArr;
     
        try {
                data = attrCallback.getData();
                splitArr = data.getPrincipal().getName().split(",")[0].split("=");
     
                if (splitArr.length == 2) {
                    userIdentifier = splitArr[1];
                    loadClaims(userIdentifier);
                    processClaimData(data, data.getClaimElem());
                    populateClaimValues(userIdentifier, attrCallback);
                }   
        }   
        catch (Exception e) {
            log.error("Error occuerd while populating claim data", e); 
        }   
    }   
}

You can download the compiled version of this - org.wso2.carbon.identity.resource.sts.attributeservice.x509-1.0.0.jar - from here.

Copy this into {IS_HOME}/repository/components/dropins folder.

Configuring Key Stores

The following steps generate a key pair for the particular user you are interested in client's key store, and add his/her certificate to IS' key store.

If you are using You can use the key store of the sts-sample downloaded (which is located at sts-sample/src/main/resources/keystore/wso2carbon.jks), and if you want to can test this with the "admin" user, skip step 1.

  1. Generate a new key pair in client's key store with the CN "admin" (or any other, if you want to test a different user in the IS user store).

    Code Block
    keytool -genkey -keyalg RSA -alias admin -keypass admin123 -keystore path/to/client/wso2carbon.jks -storepass wso2carbon -dname "CN=admin"
  2. Generate a certificate from the key pair.

    Code Block
    keytool -export -alias admin -file path/to/admin.cert -keystore path/to/client/wso2carbon.jks -storepass wso2carbon
  3. Import the new certificate to {IS_HOME}/repository/resources/security/wso2carbon.jks.

    Code Block
    keytool -import -alias admin -file path/to/admin.cert -keystore path/to/server/wso2carbon.jks -storepass wso2carbon
  4. When it asks "Trust this certificate? [no]:" at the end of above command, enter yes.

...