Posted to java-dev@axis.apache.org by Pierre-yves motreff <py...@gmail.com> on 2011/11/09 11:16:22 UTC

How to validate SAML2.0 assertion with axis2

Hi,

I have developed the server side of a WebService with Axis2. Now I have to
secure this side with SAML 2.0.
The client side is developed by another company, and already contains the
signed SAML assertion (X.509 certificate); see an example:

<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"
    ID="_86bb16eb-3f39-0410-9d53-919a2d5a47b9" Version="2.0"
    IssueInstant="2007-09-03T19:09:56Z">
  <saml:Issuer>issuer</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>59QJ/N...zTtwPZIw0=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>QKWB9mK...tQnWRFmL78=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIB2DCCAUG...61mFkJn7/Ng=</X509Certificate>
        <X509Certificate>MIIB4jCCAUu...GFe7QdEO</X509Certificate>
        <X509Certificate>MIIB3TCCAUa...BqxwnpnpA==</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sourceID</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
      <saml:SubjectConfirmationData NotOnOrAfter="2007-09-03T20:10:06Z" Recipient="recip_id" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-09-03T19:09:46Z" NotOnOrAfter="2007-09-03T20:10:06Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://adresse</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-09-03T17:44:57Z" SessionIndex="_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
....

I spent a long time on Google looking for examples of assertion validation,
but I didn't find anything... I found some examples of an STS module, but if I
understand correctly, this module delivers an assertion, whereas my client's
request already contains the assertion....
So I have developed my own Axis2 module to validate the assertion with the
OpenSAML library.
But I want to know if it's possible to do the validation with Rampart; for
me it would be more secure to use a standard implementation than my own
module.

thanks in advance for your help.

Regards

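An added example (not the poster's module and not Rampart code) of the checks such an Axis2 module should perform on an inbound, already-signed assertion like the one above, written against the OpenSAML 2.x API. The class name, the constructor parameters, the two-minute clock-skew allowance and the assumption that the caller has already extracted the saml:Assertion DOM element from the WS-Security header are all mine.

```java
import java.security.cert.X509Certificate;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Element;

// Hypothetical validator for an inbound, pre-signed SAML 2.0 assertion (OpenSAML 2.x API).
public class AssertionValidator {
    private final X509Certificate trustedIssuerCert; // pinned in the server keystore
    private final String expectedIssuer;             // e.g. "issuer" in the assertion above
    private final String expectedAudience;           // e.g. "http://adresse"
    public AssertionValidator(X509Certificate cert, String issuer, String audience) throws Exception {
        DefaultBootstrap.bootstrap();                // registers the SAML 2 unmarshallers (once per JVM)
        trustedIssuerCert = cert; expectedIssuer = issuer; expectedAudience = audience;
    }
    // root: the saml:Assertion DOM element already pulled out of the WS-Security header
    public Assertion validate(Element root) throws Exception {
        Assertion a = (Assertion) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        Signature sig = a.getSignature();
        if (sig == null) throw new SecurityException("assertion is not signed");
        // Profile check: one Reference whose URI is "#" + the assertion ID, with the enveloped
        // transform, so the signature cannot cover some other element than this assertion.
        new SAMLSignatureProfileValidator().validate(sig);
        // Verify with the certificate the server trusts, never the one carried in <KeyInfo>.
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(trustedIssuerCert);
        new SignatureValidator(cred).validate(sig); // throws ValidationException on mismatch
        if (a.getIssuer() == null || !expectedIssuer.equals(a.getIssuer().getValue()))
            throw new SecurityException("unexpected or missing issuer");
        Conditions c = a.getConditions();
        DateTime now = new DateTime();
        if (c == null || c.getNotBefore() == null || c.getNotOnOrAfter() == null
                || now.isBefore(c.getNotBefore().minusMinutes(2))      // 2 min skew allowance (assumed)
                || !now.isBefore(c.getNotOnOrAfter().plusMinutes(2)))
            throw new SecurityException("assertion outside its validity window");
        boolean audienceOk = false;                  // AudienceRestriction must name this service
        for (AudienceRestriction ar : c.getAudienceRestrictions())
            for (Audience au : ar.getAudiences())
                if (expectedAudience.equals(au.getAudienceURI())) audienceOk = true;
        if (!audienceOk) throw new SecurityException("assertion not intended for this service");
        return a;
    }
}
```

The assertion above uses the sender-vouches confirmation method, so the issuer's signature only proves who issued it; the attesting client must also sign the SOAP message itself (the WS-Security processing Rampart does), and that check is outside this class.
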
Re: How to validate SAML2.0 assertion with axis2

Posted by Hasini Gunasinghe <ha...@gmail.com>.
Hi,

There is an implementation supporting the validation binding of WS-Trust in
the Rampart-Trust module.
AFAIU, it supports SAML v1.1. Please refer to SAMLTokenValidator
at [1] and module.xml of the rahas module at [2].
But with the TokenValidator interface [3], an extension point is provided to
plug in any other token validation implementations as well.

[1]
http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenValidator.java
[2]
http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust-mar/module.xml
[3]
http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/main/java/org/apache/rahas/TokenValidator.java

HTH.
Thanks,
Hasini.

On Wed, Nov 9, 2011 at 3:46 PM, Pierre-yves motreff <py...@gmail.com> wrote: