...
Once the consumer possesses the necessary security tokens, these tokens are presented in order to authenticate to a Web Service deployed in WSO2 Application Server.
Prerequisites:
...
- Start the WSO2 Identity Server.
- Log in as an admin to access the management console.
- Do the following steps if you are using a Holder of Key confirmation method. See here for more information.
- Navigate to the Service Providers section by clicking Add in the Main menu under Service Providers.
- Add a Service Provider Name and Description and click Register.
- In the resulting page, expand the Inbound Authentication Configuration and the WS-Trust Security Token Service Configuration sections. Click Configure.
- Enter the trusted relying parties and upload the public certificate of the trusted relying party (against its end-point).
Info: These relying parties will accept security tokens from the Identity Server. The tokens issued are encrypted using the public key of the trusted relying party. Accordingly, even the client that obtains the token to send to the RP has no visibility into the enclosed token.
- Click Apply.
Now, apply security to the STS. To do this, do the following.
Info: This is to be done for both the Holder of Key confirmation method and the Bearer confirmation method. You must provide UsernameToken-based security, which means that the client must have a valid user account with the Identity Server to obtain a token from the STS.
- In the management console, click List under Identity Providers in the Main menu.
- Click Resident Identity Provider.
- In the resulting page, expand the Inbound Authentication Configuration section and the WS-Trust / WS-Federation (Passive) Configuration section.
- Click Apply Security Policy and go through the wizard using the following steps:
  - Select Yes from the Enable Security? dropdown.
  - Select UsernameToken from the Basic Scenarios list.
  - Click Next.
  - Select admin as the user group and click Finish.
- Configure the STS to add Axis2Service as a trusted service. Enter the HTTP endpoint URL of the Axis2Service as the Endpoint Address:
  Endpoint Address = http://localhost:9765/services/Axis2Service/
- Usually, the security token is signed by the STS, so a certificate alias must be selected to sign the token. Select the default wso2carbon certificate alias.
- Now, check the user profile of the admin user who is going to authenticate to the STS. Click My Profiles in the left menu. The Update Profile form is displayed, where you can enter various user attributes such as First Name, Last Name, etc.
- Make sure to add some values to the First Name and Email address fields since we are going to use those as the required claims.
- Click Configure in the left menu and select Claim Management. You will find a set of claim dialects associated with the internal user store in IS. Click the default claim dialect: http://wso2.org/claims.
- Click the First Name claim mapping.
- As you can see in the following screen, First Name is mapped to the givenName attribute.
Now you should be able to understand why we have specified http://wso2.org/claims/givenName as the Claim Uri for the First Name attribute in the service policy.
...
You can include the wst:RequestSecurityToken element in a SOAP message body and send it to the STS. You can use the soapUI SOAP request editor as shown below:
Since we are using UsernameToken authentication when submitting the token request to the STS, specify the username and password under the "Auth" tab in soapUI. Also set WSS-Password Type to PasswordText (plain text) and WSS Time To Live to some integer value. Make sure to enable WS-Addressing for the token request.
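The token request that the soapUI settings above compose, as an added Python example that is not part of the original page or of the WSO2 client it references: it builds the WS-Trust 1.3 RequestSecurityToken envelope with the WS-Addressing headers, a Timestamp (the time-to-live) and a plaintext UsernameToken, scoped to the Axis2Service endpoint via AppliesTo and asking for the givenName claim. The STS URL, the emailaddress claim URI and the bearer SAML 1.1 token type are assumptions, not values from the page.

```python
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
for _p, _uri in NS.items():
    ET.register_namespace(_p, _uri)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)  # Clark-notation tag for ElementTree

def build_rst_envelope(username, password, sts_url, applies_to, claim_uris, ttl_seconds=300):
    """SOAP 1.2 envelope carrying a WS-Trust RST (Issue, bearer key). sts_url is the caller's STS address (assumed)."""
    env = ET.Element(q("soap", "Envelope"))
    hdr = ET.SubElement(env, q("soap", "Header"))
    # WS-Addressing headers (the "enable WS-Addressing" step in soapUI)
    ET.SubElement(hdr, q("wsa", "Action")).text = NS["wst"] + "/RST/Issue"
    ET.SubElement(hdr, q("wsa", "To")).text = sts_url
    ET.SubElement(hdr, q("wsa", "MessageID")).text = "urn:uuid:" + str(uuid.uuid4())
    # WS-Security header: Timestamp (WSS Time To Live) and plaintext UsernameToken; the password travels in clear, so reach the STS over TLS
    sec = ET.SubElement(hdr, q("wsse", "Security"), {q("soap", "mustUnderstand"): "true"})
    now, fmt = datetime.now(timezone.utc), "%Y-%m-%dT%H:%M:%SZ"
    ts = ET.SubElement(sec, q("wsu", "Timestamp"))
    ET.SubElement(ts, q("wsu", "Created")).text = now.strftime(fmt)
    ET.SubElement(ts, q("wsu", "Expires")).text = (now + timedelta(seconds=ttl_seconds)).strftime(fmt)
    ut = ET.SubElement(sec, q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    ET.SubElement(ut, q("wsse", "Password"), {"Type": PASSWORD_TEXT}).text = password
    # Body: the wst:RequestSecurityToken, scoped to the relying party through AppliesTo
    rst = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML11
    ET.SubElement(rst, q("wst", "KeyType")).text = NS["wst"] + "/Bearer"
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    claims = ET.SubElement(rst, q("wst", "Claims"), {"Dialect": "http://wso2.org/claims"})
    for uri in claim_uris:  # claim URIs come from the claim dialect shown above
        ET.SubElement(claims, q("ic", "ClaimType"), {"Uri": uri})
    return ET.tostring(env, encoding="unicode")
```

The returned string is what the soapUI request editor sends; posting it to the STS and parsing the RequestSecurityTokenResponse is left to the client described below.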
...
Info: soapUI still supports the sender vouches confirmation method only.
Because of this limitation, we need to follow a programmatic approach to insert the token into the Web Service request and forward it to the Axis2Service. You can find the complete working client in this sourceforge account.
...