Using SAML token profile
From GEANT2-JRA1 Wiki
The SAML token profile of the Web Services Security: SOAP Message Security specification is used to send a valid SAML assertion within the eduGAIN trust model; the Authentication Service requires this assertion in order to authenticate the client/user.
The SAML construct used in this case must be able to convey information about the user accessing the resource and must satisfy two essential constraints:
- It must be bound to the client by the Home Bridge Element (H-BE), so that it is possible to check that the information about the user that it contains has been legitimately obtained.
- It must be bound to the resource by the client, so that a potentially malicious resource cannot reuse this information to impersonate either the client or the user.
To comply with these two requirements, the client builds a SAML AuthenticationAssertion with:
- A valid audience restricted to the resource it is addressed to, expressed as a SAML AudienceRestrictionCondition element containing a URI that uniquely identifies the resource.
- A statement that this specific relayed-trust method must be used to evaluate the assertion, expressed as a specific value of the SAML ConfirmationMethod element.
- The SAML AuthenticationAssertion received from the web container, included as evidence for this confirmation process inside the SAML SubjectConfirmationData element.
With this kind of SAML assertion, the SAML Token profile of WS-SEC can be used in its simplest form: there is no need to separately establish the relationship between the subject and claims of the SAML statements (of the referenced SAML assertions) and the entity providing the evidence that satisfies the confirmation method defined for the statements (i.e., the attesting entity), because that evidence is carried inside the assertion itself.
A sample SAML assertion built according to the procedure above, for a client with the eduGAIN CId:
- urn:geant:edugain:component:ee:rediris:3def0388-4f17-11dc-8314-0800200c9a66
connecting to a resource identified by:
- urn:geant:edugain:component:psr:http://selena.acad.bg:8070/axis/services/LookupService (this is a temporary URN)
should have the content displayed below:
<Assertion AssertionID="_1f549dd5e113aa03ce0dfa7ad4389d40" IssueInstant="2007-10-17T14:49:27.742Z" Issuer="urn:geant:edugain:component:ee:rediris:3def0388-4f17-11dc-8314-0800200c9a66" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"> <Conditions> <AudienceRestrictionCondition> <Audience>urn:geant:edugain:component:psr:http://selena.acad.bg:8070/axis/services/LookupService</Audience> </AudienceRestrictionCondition> </Conditions> <AuthenticationStatement AuthenticationInstant="2007-10-17T14:49:27.741Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"> <Subject> <NameIdentifier NameQualifier="urn:geant:edugain:component:be:rediris:rediris.es">kan</NameIdentifier> <SubjectConfirmation> <ConfirmationMethod>relayed-trust</ConfirmationMethod> <SubjectConfirmationData> <Assertion AssertionID="_9caf0dbc0b024eef894ad2e620fde077" IssueInstant="2007-10-17T13:00:05.312Z" Issuer="urn:geant:edugain:component:be:rediris:rediris.es" MajorVersion="1" MinorVersion="1"> <AuthenticationStatement AuthenticationInstant="2007-10-17T13:00:05.244Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"> <Subject> <NameIdentifier NameQualifier="urn:geant:edugain:component:be:rediris:rediris.es">kan</NameIdentifier> </Subject> </AuthenticationStatement> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_9caf0dbc0b024eef894ad2e620fde077"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="code ds kind rw saml samlp typens #default xsd xsi" 
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>bUBU8Mh7cO0X9RhDTInAKAc0+dE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> 6tu/5bLiKfNWJHz2DJ/2PmoK9Za6NRxCLaoRjVU1b17gZXeCiOcq2211hZmPfa0EcgxICHjNDvp8 Fqu/r6eATEEhmySl2sK8gLiZ60M1Letl9BvReE7wbPVefjU8YYsEA+9w04xccXME1Z0AQ0NMTmj/ MA1JxKXSN2Mn1arF7Ss= </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIEJDCCAwygAwIBAgIBADANBgkqhkiG9w0BAQUFADBBMRMwEQYKCZImiZPyLGQBGRMDbmV0MRUw EwYKCZImiZPyLGQBGRMFZ2VhbnQxEzARBgNVBAMTCmVkdUdBSU5TQ0EwHhcNMDYwNTAyMTEzNzEw WhcNMDcwNTAyMTEzNzEwWjBbMRMwEQYKCZImiZPyLGQBGRMDbmV0MRUwEwYKCZImiZPyLGQBGRMF Z2VhbnQxEDAOBgNVBAoTB0ZlZElSSVMxGzAZBgNVBAMTEnNlcnZlcjEucmVkaXJpcy5lczCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9TzVI4RCDAVfMfqSOXpF1kAf38f9IB7FJ3qMgpjA/tfe +e6Chk1fU7iM2aziQbcceNIIYYWwMA8x8B3jex+No5qWsawCZlFl+00NUeDH+nnlbsptSLo6Vonf 6VVlcctNZfXVz5tKcv1NlWvycGkL50OmV/zgFUFvESLbnlh5tJECAwEAAaOCAY8wggGLMAkGA1Ud EwQCMAAwHQYDVR0OBBYEFE5QyOn6UDlfYo9xSWSXbvvCNFYTMGgGA1UdIwRhMF+AFP3zpnBJLs8Z buBG4PudLUfm+7C9oUSkQjBAMRMwEQYKCZImiZPyLGQBGRYDbmV0MRUwEwYKCZImiZPyLGQBGRYF Z2VhbnQxEjAQBgNVBAMTCWVkdUdBSU5DQYIBATALBgNVHQ8EBAMCBPAwOwYDVR0lBDQwMgYIKwYB BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBAYIKwYBBQUHAwMGCCsGAQUFBwMIMFQGA1UdEQRNMEuG SWh0dHA6Ly91cm4uZ2VhbnQubmV0L2VkdWdhaW4/Y2lkPXVybjpnZWFudDplZHVnYWluOmNvbXBv bmVudDpobHM6Z2FsYXhpYW4wOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL3d3dy5pcmlzZ3JpZC5l cy9wa2kvY3JsL2NhY3JsLnBlbTAaBgNVHSAEEzARMA8GDSsGAQQBunsCAgQBAQEwDQYJKoZIhvcN AQEFBQADggEBAAKy7Vz6+ZBxu9od0zhLjY3RgEq0b4/b5SPL3G4GXvORFo1CPtI4U6JDwWSIXLad h7MtYvOlvsJz50ZQztaGjaEG0Hr62HoAQJIb9QkgREyTxV9oJ6v57tvQkKiZfz6eXi+/Jm8pqJIK kR8WLxoXFBtZxDGl1R4NwXseBP4W/3G1K0ndVEWA38VmFbAcSGhj/RFT7Mc5a/s7LfwmbEBNaBng b3iGU7H/9DHxz1T64KYy60UVI7s48tVDewo7ApLqOvEtGR21H8mAPsFx7sUzcu/WNYPt77nWJGGM 3xio9fje5Rk96q5EtwCjJBQD5YE4zmxe7oJ5KSgKIsmCgkzP4VA= </ds:X509Certificate> <ds:X509Certificate> 
MIIDxzCCAq+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMRMwEQYKCZImiZPyLGQBGRYDbmV0MRUw EwYKCZImiZPyLGQBGRYFZ2VhbnQxEjAQBgNVBAMTCWVkdUdBSU5DQTAeFw0wNjAzMjkxMTU3MTFa Fw0wNzAzMjkxMTU3MTFaMEExEzARBgoJkiaJk/IsZAEZEwNuZXQxFTATBgoJkiaJk/IsZAEZEwVn ZWFudDETMBEGA1UEAxMKZWR1R0FJTlNDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AMul25knoEhZ7kYGBRGBNotqfPmYHLGOlBgLDFMz4egfRIiK+5mQRw32FBXI3Ie9H52vZmSHfvV/ 9REElo9+cxcysSuJ7PHP2Ow+H8q7oooxNIXI8w+aUF7rqz49HXCUS53B2cnL+aesiO3KV+yJ8y4O E4NJQBxuVo0czyIadtoX40lBQYYd57+ap+F/8Vwz7nd4YOcTdnM18sIWjuZCXV9qg3J/NyV53Zw1 +cFXJSat+TQxqkiGO5lvc+TY79XU/d5CgQihsFUjboD7gTN2vD4chIAemqxQ/X5QR4JkP/WE2bEZ FPIZpj+sFRzS3n23UmIgQwGOEwDqrhZNcVpfiNcCAwEAAaOByjCBxzAMBgNVHRMEBTADAQH/MB0G A1UdDgQWBBT986ZwSS7PGW7gRuD7nS1H5vuwvTAfBgNVHSMEGDAWgBQGTtghG6aiIdEEuth/T18f 5bJH2DALBgNVHQ8EBAMCAcYwEwYDVR0lBAwwCgYIKwYBBQUHAwgwOQYDVR0fBDIwMDAuoCygKoYo aHR0cDovL3d3dy5pcmlzZ3JpZC5lcy9wa2kvY3JsL2NhY3JsLnBlbTAaBgNVHSAEEzARMA8GDSsG AQQBunsCAgQBAQEwDQYJKoZIhvcNAQEFBQADggEBAFNEoS8vMb4JCJb0uWe2a7hTELIM4EkmWnR1 6HEpf/Q79nnJzzm9KvooTYSfVVdRnIErH3vGE+ASSlwNT8Zg8eDs8t7B2cdfkGzhJrfV/x+oaQ08 wUirfQYjjaUhIzr0YIzH2Lw9/DEWQ/1DjPCZNt9K0BxcGJ7VJwgkkT/sJWoao25cwmtRF8k7CsaC 1ldUG9REvVrk/vvNonmSdVQgCkj+bpNg2IJvT3rZAFcPpDj2MruA8nqcqn97QMwrWLWvAE6ZrPTR i3I7gR7Ch0rSRVT3vHzvGIMv5Ay+YF8B+NzzGjJ6JaztPcY6OGwTVGHD3I/RcktRxfCBsywDoefY laU= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </Assertion> </SubjectConfirmationData> </SubjectConfirmation> </Subject> </AuthenticationStatement> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_1f549dd5e113aa03ce0dfa7ad4389d40"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces PrefixList="code ds kind rw saml 
samlp typens #default xsd xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>VU90Q2YM6BkZSMc1aqcLisnM2cE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> Q21FEpBXHQ5eq2+BFcX+jXu74Jjhps70YfLV2VchWgc22CFoE4mLpGtw+iv3ql3oBk51FWlnzErN vaVjB4bD8qZ81201J6W081qKuEC+Uoxx4P3ZjCcuJX1TfW3KX7DJTM1K3YSrfbmN8L9X3LciTg2E XEZR1jEVbCm9iFACFVMuCvYPMcrMrMZ/fzaqlm7HLNgGKZmGDHuFfJK/pOZFq5zSRWhFHLGy9pW+ mpe08kFc98PuaWUQguUFCfV1ra3a8vFJeh8yI0+PaZkG2HOvnCT0pV06HqbhlfAhzVKJ7K9oty8r uE0IpZ7wnERCbTFVJ7dEgxk12IbJT9Abza7OWQ== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIElDCCA3ygAwIBAgIBQzANBgkqhkiG9w0BAQUFADBBMRMwEQYKCZImiZPyLGQBGRMDbmV0MRUw EwYKCZImiZPyLGQBGRMFZ2VhbnQxEzARBgNVBAMTCmVkdUdBSU5TQ0EwHhcNMDcwNTI4MDgxNjE2 WhcNMDgwNTI3MDgxNjE2WjBbMRMwEQYKCZImiZPyLGQBGRYDbmV0MRUwEwYKCZImiZPyLGQBGRYF Z2VhbnQxEDAOBgNVBAoTB0ZlZElSSVMxGzAZBgNVBAMTEnRlc3QtYXMucmVkaXJpcy5lczCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANQxCW2uup3EDvVgWlpOluEAZ9g/gfp6iwaypIrg p/uk3J3LNT4iAfBg4KscZT4KnY97wHzCRoU2Uqgr3Lgm14RXZgbIl1pDf0XZa9uHVx0A+Q+hnFhN evCbM7Bcw5gBwBEXKRm2aYTlUxrEXYitcyChSqxSqZ/0BWwSe92lYiQxfdYh8k5NWnXrmqiSW3nQ HLWGxMNt2qP/f6ih8I2e+D3R97XuHLk/XnhethUwNIYRGtoiuinOr1hFRft1SfO1fAJsAdGiO1ER DXRNHHnTGUXRL5jIHXHl3hEfHd7XTDfpSFB1q3hx0vwL5nLb6n6YpxS5G/QkLtIZunaeS58rAOMC AwEAAaOCAXswggF3MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDHi/4JITDc5MCORoMV6+HWVmYjt MB8GA1UdIwQYMBaAFIsPjyeA0pPXRl2RhLsumGKuBPHSMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgZwGA1UdEQSBlDCBkYY3aHR0cDovL3d3dy5yZWRpcmlz LmVzL3BraS9lZHVnYWluL2VlUmVzb2x2ZXI/ZWU9YTNiMThjMYZWaHR0cDovL2VkdWdhaW4uZ2Vh bnQubmV0L3Jlc29sdmVyP3Vybj11cm4lM0FnZWFudCUzQWVkdWdhaW4lM0Fjb21wb25lbnQlM0Fz cCUzQXRlc3QtYXMwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL3d3dy5yZWRpcmlzLmVzL3BraS9l ZHVnYWluL2NybC9jYWNybC5kZXIwFwYDVR0gBBAwDjAMBgorBgEEAbp7AgACMA0GCSqGSIb3DQEB 
BQUAA4IBAQAMj0taSdXv60fFVI/djyqB47LqfhUMz1Ja0zKAjrZsS5H8SU+D3ksOw0b6HR4BO21H FiYIHEB1UffEAgPqHhtcLT/TJ5kiewKOqaHv5QcfgxFMolAiDUsB6i9bCrWdwJIqPePaDG7KHwcp mHB0vLwJihCpRBgdCqiwz8i5VXdAmloMiEtnm1SU+1BfoTioi79/ZUhUBGPJb7GL20W3yyT9c4/5 JK5IKrRfXINlutqZgfUGXvyaxNh7Zgl3MpDaw8U5khl5ZSjcyfsBro2qQVMAJCcph1rwKNjgX8Mk Tb4GYbUpcnVP7p089kz9OTOLteEzVTIi3VKKiykPWcUYlgwY </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </Assertion>
So, applying the SAML token profile of WS-SEC, a SOAP message carrying the previous SAML assertion looks like this:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security soapenv:actor="we" soapenv:mustUnderstand="1"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <Assertion AssertionID="_1f549dd5e113aa03ce0dfa7ad4389d40" IssueInstant="2007-10-17T14:49:27.742Z"
                 Issuer="urn:geant:edugain:component:ee:rediris:3def0388-4f17-11dc-8314-0800200c9a66"
                 MajorVersion="1" MinorVersion="1"
                 xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
        . . .
      </Assertion>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <nmwg:message>
      . . .
    </nmwg:message>
  </soapenv:Body>
</soapenv:Envelope>
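The receiving resource has to enforce the two bindings described above before trusting the token. The following is an added example, not code from the wiki page or the eduGAIN project, showing those checks over a constructed, trimmed copy of the sample assertion using only the Python standard library; it assumes the resource knows its own URN and the set of trusted Bridge Elements, and that cryptographic verification of both XML signatures is done separately by an XML-DSig library.

```python
# Added example, not code from the wiki page or the eduGAIN project: the checks a resource
# should apply to a relayed-trust assertion like the sample above. Both XML signatures must
# still be verified cryptographically; here only each signature's Reference binding is checked.
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RESOURCE = "urn:geant:edugain:component:psr:http://selena.acad.bg:8070/axis/services/LookupService"
HOME_BE = "urn:geant:edugain:component:be:rediris:rediris.es"
# Constructed, trimmed copy of the page's sample assertion (signature values omitted).
SAMPLE = """<Assertion AssertionID="_outer" Issuer="urn:geant:edugain:component:ee:rediris:3def0388-4f17-11dc-8314-0800200c9a66"
 xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <Conditions><AudienceRestrictionCondition><Audience>%s</Audience></AudienceRestrictionCondition></Conditions>
 <AuthenticationStatement><Subject><NameIdentifier NameQualifier="%s">kan</NameIdentifier>
  <SubjectConfirmation><ConfirmationMethod>relayed-trust</ConfirmationMethod><SubjectConfirmationData>
   <Assertion AssertionID="_inner" Issuer="%s">
    <AuthenticationStatement><Subject><NameIdentifier NameQualifier="%s">kan</NameIdentifier></Subject></AuthenticationStatement>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_inner"/></ds:SignedInfo></ds:Signature>
   </Assertion>
  </SubjectConfirmationData></SubjectConfirmation>
 </Subject></AuthenticationStatement>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_outer"/></ds:SignedInfo></ds:Signature>
</Assertion>""" % (RESOURCE, HOME_BE, HOME_BE, HOME_BE)

def check_relayed_trust(xml_text, expected_audience, trusted_bes):
    """Return the problems found; an empty list means the assertion passed all checks."""
    outer = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in outer.findall(
        "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:  # bound to this resource by the client
        problems.append("audience does not name this resource")
    subject = outer.find("saml:AuthenticationStatement/saml:Subject", NS)
    confirmation = subject.find("saml:SubjectConfirmation", NS)
    if confirmation.findtext("saml:ConfirmationMethod", namespaces=NS) != "relayed-trust":
        problems.append("confirmation method is not relayed-trust")
    inner = confirmation.find("saml:SubjectConfirmationData/saml:Assertion", NS)
    if inner is None:
        return problems + ["no H-BE assertion supplied as evidence"]
    # bound to the client by the H-BE: evidence issued by a trusted BE that also qualifies the name
    outer_id = subject.find("saml:NameIdentifier", NS)
    inner_id = inner.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if inner.get("Issuer") not in trusted_bes or inner.get("Issuer") != outer_id.get("NameQualifier"):
        problems.append("evidence not issued by the subject's trusted home BE")
    if inner_id is None or (inner_id.text, inner_id.get("NameQualifier")) != (outer_id.text, outer_id.get("NameQualifier")):
        problems.append("outer subject does not match the H-BE evidence subject")
    for assertion in (outer, inner):  # each enveloped signature must cover its own assertion
        ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + assertion.get("AssertionID"):
            problems.append("signature on %s does not reference it" % assertion.get("AssertionID"))
    return problems
```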
Java Example
This is the Java code that builds the SAML assertion described above:
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;

import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAudienceRestrictionCondition;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLSubject;
import org.opensaml.XML;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// sigalg and digalg are not defined in the original snippet; they are assumed here to be
// fields of the enclosing class holding the algorithm URIs used in the sample assertion.
private static final String sigalg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
private static final String digalg = "http://www.w3.org/2000/09/xmldsig#sha1";

private SAMLAssertion getAssertionAsSecurityToken(SAMLAssertion authAssertion, PrivateKey key,
        X509Certificate cert, String cidPerfsonarResource, String cidPerfsonarClient)
        throws SAMLException {
    SAMLAssertion authStatementAssertion = new SAMLAssertion();

    // Bind the assertion to the resource: only this audience may accept it
    SAMLAudienceRestrictionCondition cond = new SAMLAudienceRestrictionCondition();
    cond.addAudience(cidPerfsonarResource);
    authStatementAssertion.addCondition(cond);
    // The client, identified by its eduGAIN CId, is the issuer
    authStatementAssertion.setIssuer(cidPerfsonarClient);

    // Subject confirmed through relayed trust, with the H-BE assertion embedded as evidence.
    // The sample assertion above also carries the user's NameIdentifier in this Subject;
    // setting it is not shown in this snippet.
    SAMLSubject subject = new SAMLSubject();
    subject.addConfirmationMethod("relayed-trust");
    try {
        Document request = authAssertion.toDOM().getOwnerDocument();
        Element c = request.createElementNS(XML.SAML_NS, "SubjectConfirmationData");
        c.appendChild(authAssertion.toDOM());
        subject.setConfirmationData(c);
    } catch (Exception pce) {
        // Never return an assertion that lacks its confirmation evidence
        throw new SAMLException("Cannot embed the H-BE assertion as confirmation data", pce);
    }

    SAMLAuthenticationStatement authStatement = new SAMLAuthenticationStatement();
    authStatement.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Unspecified);
    authStatement.setAuthInstant(new Date());
    authStatement.setSubject(subject);
    authStatementAssertion.addStatement(authStatement);

    // Sign with the client's private key and attach its certificate (enveloped signature)
    authStatementAssertion.sign(sigalg, digalg, key, Arrays.asList(cert));
    return authStatementAssertion;
}
