Tuesday, February 17, 2015

SAML2 bearer tokens with OAuth2 tokens in WSO2 API Manager


   Most enterprise applications use SAML2 to engage a third-party identity provider (IdP) to grant access to systems that would otherwise be authenticated only against the enterprise application. These applications may also need to consume OAuth-protected resources through APIs, after being validated by an OAuth 2.0 authorization server. An enterprise application that already has a working SAML 2.0 single sign-on relationship with its IdP would rather reuse that existing trust relationship, even when the OAuth authorization server is entirely separate from the IdP. The SAML2 Bearer Assertion Profile for OAuth 2.0 leverages this trust by presenting the SAML 2.0 assertion to the authorization server, exchanging it for an OAuth 2.0 access token, and then using that access token to call the APIs.



Ground work: understanding how this process can be implemented


  • Set up the IdP in WSO2 Identity Server (this walkthrough uses IS 5.0.0)

  • Register a subscriber (user) in API-M

  • Next, request a SAML token for that user. The following script does this; make sure the SAML assertion is signed using the certificate in the JKS keystore passed to the tool.

#!/bin/bash

# SAML assertion issuer
ISSUER="SAML_ASSERTION_TEST_ISSUER"
#ISSUER="localhost"
# SAML2 assertion subject (the API-M subscriber registered above)
SUBJECT="saman123"
# SAML2 assertion recipient
RECIPIENT="https://localhost:9444/oauth2/token/"
# SAML2 assertion audience restriction
AUDIENCE="https://localhost:9444/oauth2/token/"
# Path to the JKS keystore holding the signing certificate
JKS_PATH="/Users/dushan/workspace/poc/apikeym/apim17/wso2is-5.0.0/repository/resources/security/wso2carbon.jks"

# The three trailing wso2carbon values are the default keystore credentials shipped with the IS pack
java -jar SAML2AssertionCreator/SAML2AssertionCreator.jar "$ISSUER" "$SUBJECT" "$RECIPIENT" "$AUDIENCE" "$JKS_PATH" wso2carbon wso2carbon wso2carbon



  • You can download the SAML2AssertionCreator project from here
  • Exchange the SAML token for an access token:

curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<SAML_ASSERTION obtained from above step>&scope=PRODUCTION" \
     -H "Authorization: Basic <base64 of consumer_key:consumer_secret of the desired API>" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     https://localhost:8243/token
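The exchange step above, written out as an added example (not code from the original post): it builds the Basic credentials, percent-encodes the base64 assertion so that the '+', '/' and '=' characters survive the form body intact (a raw assertion with '+' arrives as a space and fails signature validation), sends the saml2-bearer grant, and pulls access_token out of the JSON reply. The consumer key, consumer secret and base64 assertion are assumed to come from the earlier steps.

```bash
#!/bin/bash
# Added example: SAML2 bearer grant exchange against the API Manager token endpoint.
# Assumes CONSUMER_KEY / CONSUMER_SECRET from the API-M store and the base64
# assertion produced by the SAML2AssertionCreator step.
set -eu

TOKEN_ENDPOINT="${TOKEN_ENDPOINT:-https://localhost:8243/token}"

# Basic auth value: base64(consumer_key:consumer_secret), no line wrapping.
basic_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Percent-encode the base64 characters that are unsafe in a form body.
urlencode_b64() {
  printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's,/,%2F,g' -e 's/=/%3D/g'
}

# Form body for the saml2-bearer grant (scope defaults to PRODUCTION as in the post).
token_request_body() {
  local assertion="$1" scope="${2:-PRODUCTION}"
  printf 'grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=%s&scope=%s' \
    "$(urlencode_b64 "$assertion")" "$scope"
}

# Extract access_token from the JSON response on stdin without needing jq.
extract_access_token() {
  sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Perform the exchange; -k only because the post uses the default self-signed certificate.
exchange_saml_for_token() {
  local key="$1" secret="$2" assertion="$3"
  curl -sk -X POST "$TOKEN_ENDPOINT" \
    -H "Authorization: Basic $(basic_auth "$key" "$secret")" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data "$(token_request_body "$assertion")" | extract_access_token
}

# Usage: exchange_saml_for_token "$CONSUMER_KEY" "$CONSUMER_SECRET" "$ASSERTION"
```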

