Tuesday, February 17, 2015

SAML2 bearer tokens with OAuth2 tokens in WSO2 API Manager


   Most enterprise applications use SAML2 to engage a third-party identity provider (IdP), so that users who are authenticated only against the enterprise application can be granted access to other systems. These applications may also need to consume OAuth-protected resources through APIs, which means presenting a token that an OAuth 2.0 authorization server has validated. An enterprise application that already has a working SAML 2.0 based Single Sign-On setup with its IdP would rather reuse that existing trust relationship, even when the OAuth authorization server is an entirely different system from the IdP. The SAML2 Bearer Assertion Profile for OAuth 2.0 leverages exactly that relationship: the application presents its SAML 2.0 assertion to the authorization server, exchanges it for an OAuth 2.0 access token, and then uses that access token to get access to the APIs.



Ground work: understanding how this process can be implemented


  • Set up the IdP in WSO2 Identity Server (this post uses IS 5.0.0)

  • Register a subscriber (user) in API-M


  • Next, request a SAML token for that user. I created the following script for this; make sure the SAML assertion is signed with the key from the keystore, whose certificate the authorization server trusts.

#!/bin/bash

# SAML assertion issuer
ISSUER="SAML_ASSERTION_TEST_ISSUER"
#ISSUER="localhost"
# SAML2 assertion subject (the API-M subscriber registered above)
SUBJECT="saman123"
# SAML2 assertion recipient (the token endpoint)
RECIPIENT="https://localhost:9444/oauth2/token/"
# SAML2 assertion audience restriction
AUDIENCE="https://localhost:9444/oauth2/token/"
# path to the JKS keystore holding the signing key
JKS_PATH="/Users/dushan/workspace/poc/apikeym/apim17/wso2is-5.0.0/repository/resources/security/wso2carbon.jks"

# The three trailing values are the keystore password, key alias and key password
# (assumed order; all of them are "wso2carbon" in the default WSO2 keystore).
java -jar SAML2AssertionCreator/SAML2AssertionCreator.jar "$ISSUER" "$SUBJECT" "$RECIPIENT" "$AUDIENCE" "$JKS_PATH" wso2carbon wso2carbon wso2carbon



  • You can download the SAML2AssertionCreator project from here
  • Exchange the SAML token for an access token (the Authorization and Content-Type headers are separate -H arguments):
curl -k https://localhost:8243/token \
  -H "Authorization: Basic <base64(consumer_key:consumer_secret) of the application subscribed to the desired API>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<SAML_ASSERTION obtained from the step above>&scope=PRODUCTION"
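As an added example (not code from this post, from WSO2, or from the SAML2AssertionCreator project), the following Python builds an assertion from the same fields the script above takes, encodes it into the saml2-bearer token request using the base64url encoding the profile specifies (RFC 7522), and lists the checks the authorization server must apply before exchanging it for an access token. The function and element names are mine; signing with the JKS key is omitted, so the assertion is unsigned and a real token endpoint would reject it after the signature check.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://localhost:9444/oauth2/token/"  # recipient/audience value used in the post
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_assertion(issuer, subject, recipient, audience, lifetime_s=300, now=None):
    """Unsigned SAML 2.0 bearer assertion carrying the fields the post's script takes (constructed sample)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    exp = (now + dt.timedelta(seconds=lifetime_s)).strftime(FMT)
    ET.register_namespace("saml2", NS)
    a = ET.Element(f"{{{NS}}}Assertion", Version="2.0", ID="_constructed", IssueInstant=now.strftime(FMT))
    ET.SubElement(a, f"{{{NS}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{NS}}}Subject")
    ET.SubElement(subj, f"{{{NS}}}NameID").text = subject
    sc = ET.SubElement(subj, f"{{{NS}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, f"{{{NS}}}SubjectConfirmationData", Recipient=recipient, NotOnOrAfter=exp)
    cond = ET.SubElement(a, f"{{{NS}}}Conditions", NotBefore=now.strftime(FMT), NotOnOrAfter=exp)
    ET.SubElement(ET.SubElement(cond, f"{{{NS}}}AudienceRestriction"), f"{{{NS}}}Audience").text = audience
    return ET.tostring(a, encoding="unicode")

def token_request_body(assertion_xml, scope="PRODUCTION"):
    """Form body for the token endpoint; the profile requires base64url encoding of the assertion."""
    enc = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": enc, "scope": scope})

def check_assertion(assertion_xml, token_endpoint, trusted_issuers, now=None):
    """Validation failures an authorization server must reject on (signature verification not shown)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    a = ET.fromstring(assertion_xml)
    ts = lambda s: dt.datetime.strptime(s, FMT).replace(tzinfo=dt.timezone.utc)
    cond = a.find(f"{{{NS}}}Conditions")
    scd = a.find(f"{{{NS}}}Subject/{{{NS}}}SubjectConfirmation/{{{NS}}}SubjectConfirmationData")
    failures = []
    if a.findtext(f"{{{NS}}}Issuer") not in trusted_issuers:
        failures.append("untrusted issuer")  # issuer must be a registered IdP
    if token_endpoint not in [e.text for e in cond.findall(f"{{{NS}}}AudienceRestriction/{{{NS}}}Audience")]:
        failures.append("audience does not name this token endpoint")
    if scd is None or scd.get("Recipient") != token_endpoint:
        failures.append("recipient mismatch")  # assertion was issued for a different endpoint
    if not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        failures.append("assertion expired or not yet valid")
    return failures
```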




