Posted to java-dev@axis.apache.org by Pierre-yves motreff <py...@gmail.com> on 2011/11/09 11:16:22 UTC
How to validate SAML2.0 assertion with axis2
Hi,
I have developed the server side of a web service with Axis2. Now I have to
secure this side with SAML 2.0.
The client side is developed by another company, and the request already contains the
signed SAML assertion (X.509 certificate); see an example:
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"
    ID="_86bb16eb-3f39-0410-9d53-919a2d5a47b9" Version="2.0"
    IssueInstant="2007-09-03T19:09:56Z">
  <saml:Issuer>issuer</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>59QJ/N...zTtwPZIw0=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>QKWB9mK...tQnWRFmL78=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIB2DCCAUG...61mFkJn7/Ng=</X509Certificate>
        <X509Certificate>MIIB4jCCAUu...GFe7QdEO</X509Certificate>
        <X509Certificate>MIIB3TCCAUa...BqxwnpnpA==</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">sourceID</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches">
      <saml:SubjectConfirmationData NotOnOrAfter="2007-09-03T20:10:06Z" Recipient="recip_id" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-09-03T19:09:46Z" NotOnOrAfter="2007-09-03T20:10:06Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://adresse</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-09-03T17:44:57Z" SessionIndex="_86bb16eb-3f39-0410-9d53-919a2d5a47b9">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  ....
I spent a long time on Google looking for examples of assertion validation,
but I didn't find anything... I found some examples of an STS module, but if I
understand correctly, this module delivers an assertion, whereas my client's request
already contains the assertion ....
So I have developed my own Axis2 module to validate the assertion with the
OpenSAML library.
But I want to know if it's possible to do the validation with Rampart; for
me it would be more secure to use a standard implementation than my own
module.
Thanks in advance for your help.
Regards
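The checks a server-side validator should apply to an assertion like the one above, as an added example written against the OpenSAML 2.x API (it is not code from the original post, from Rampart or from Axis2). It assumes DefaultBootstrap.bootstrap() has already run and the assertion has been unmarshalled into an org.opensaml.saml2.core.Assertion; the class name, the pinned partner certificate, the expected issuer and audience strings and the skew parameter are assumptions chosen to match the sample.

```java
import java.security.cert.X509Certificate;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
/** Hypothetical server-side checks for an inbound, pre-signed SAML 2.0 assertion (OpenSAML 2.x API). */
public class Saml2AssertionChecks {
    private final X509Certificate trustedCert; // partner certificate pinned in server config (assumption)
    private final String expectedIssuer;       // "issuer" in the sample assertion
    private final String expectedAudience;     // "http://adresse" in the sample assertion
    private final int skewSeconds;             // tolerated clock drift between the two parties
    public Saml2AssertionChecks(X509Certificate cert, String issuer, String audience, int skew) {
        trustedCert = cert; expectedIssuer = issuer; expectedAudience = audience; skewSeconds = skew;
    }
    public void validate(Assertion a, DateTime now) throws ValidationException {
        Signature sig = a.getSignature();
        if (sig == null) throw new ValidationException("assertion is not signed");
        // Signature profile first (one Reference to the assertion's own ID, enveloped transform): defeats signature wrapping.
        new SAMLSignatureProfileValidator().validate(sig);
        // Verify with the certificate we trust, never with the one the message carries in <KeyInfo>.
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(trustedCert);
        new SignatureValidator(cred).validate(sig);
        if (a.getIssuer() == null || !expectedIssuer.equals(a.getIssuer().getValue()))
            throw new ValidationException("unexpected Issuer");
        Conditions c = a.getConditions();
        if (c == null) throw new ValidationException("Conditions element missing");
        if (c.getNotBefore() != null && now.plusSeconds(skewSeconds).isBefore(c.getNotBefore()))
            throw new ValidationException("assertion not yet valid");
        if (c.getNotOnOrAfter() != null && !now.minusSeconds(skewSeconds).isBefore(c.getNotOnOrAfter()))
            throw new ValidationException("assertion expired");
        boolean audienceOk = false;
        for (AudienceRestriction ar : c.getAudienceRestrictions())
            for (Audience au : ar.getAudiences())
                audienceOk |= expectedAudience.equals(au.getAudienceURI());
        if (!audienceOk) throw new ValidationException("AudienceRestriction does not name this service");
        // sender-vouches (as in the sample) is only as trustworthy as the SOAP message carrying it: Rampart must require that message be signed too.
        if (a.getSubject() == null) throw new ValidationException("Subject element missing");
        for (SubjectConfirmation sc : a.getSubject().getSubjectConfirmations())
            if (!SubjectConfirmation.METHOD_SENDER_VOUCHES.equals(sc.getMethod()))
                throw new ValidationException("unsupported confirmation method " + sc.getMethod());
    }
}
```

The clock is passed in rather than read inside so the NotBefore/NotOnOrAfter window of the 2007 sample can be exercised in a unit test; in production pass new DateTime().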
Re: How to validate SAML2.0 assertion with axis2
Posted by Hasini Gunasinghe <ha...@gmail.com>.
Hi,
There is an implementation supporting the validation binding of WS-Trust in the
Rampart-Trust module.
AFAIU, it supports SAML V1.1. Please refer to SAMLTokenValidator
at [1] and module.xml of the rahas module at [2].
But with the TokenValidator interface [3], an extension point is provided to
plug in any other token validation implementations as well.
[1] http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAMLTokenValidator.java
[2] http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust-mar/module.xml
[3] http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-trust/src/main/java/org/apache/rahas/TokenValidator.java
HTH.
Thanks,
Hasini.
On Wed, Nov 9, 2011 at 3:46 PM, Pierre-yves motreff <py...@gmail.com> wrote: