Thursday, January 2, 2014

SAML2.0 Assertion with WSO2 Identity Server


In this blog post I will discuss the steps forCreating SAML2.0 Bearer Assertion profile for OAuth 2.0 with WSO2 Identity Server”.

  1. Download latest IS release from http://wso2.com/products/identity-server/.
    (Here I use WSO2 IS 4.6.0 since it is the latest release at the time of writing this blog post.)
  2. Create a SAML2 Assertion. You can use the command line client program (SAML2AssertionCreator) from here. Extract the ZIP file and navigate to the lib folder and execute the following command in the command linejava -jar SAML2AssertionCreator.jar <issuer> <username> <recipient> <requestedAudiences> <keyStoreFile> <keyStorePassword> <alias> <privateKeyPassword> <comma seperated user calimvalue pairs(claim:value)>
    ex:
    java -jar SAML2AssertionCreator.jar SAML2AssertionCreator shashika https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token /home/shashika/Downloads/saml-oauth/wso2is-4.6.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon FirstName|shashika,LastName|Ubhayaratne,Country|SriLanka


Note the “base64-url Encoded Assertion String” from the reply above and copy the part “PD.......3D”. This needs to be used in step 5.
  1. Register new Trusted Identity Provider.
  • Go to Configure -> Trusted Identity Providers.
  • Click on ‘Add New Trusted Identity Provider’.
  • Enter a unique identifier for this Trusted Identity Provider across the tenant.
    ex :
  • Identity Provider Name: sampleidp
  • Identity Provider Issuer: SAML2AssertionCreator
  • Identity Provider Public Certificate: << attach the certificate “wso2pem.pem” >> (You can generate this public certificate using kytool: (keytool -export -alias wso2cert -file wso2pem.pem -keystore wso2carbon.jks)
  • Identity Provider Audience: https://localhost:9443/oauth2/token


  1. Create a new OAuth2.0 application under Main -> Manage -> OAuth
    SAML should be selected as “Allowed Grant Types”.
  2. Execute the following HTTP request to the https://localhost:9443/oauth2/token endpointcurl -X POST -k -u "<Client Id>:<Client Secret>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&scope=openid&assertion=<base64-url Encoded Assertion from step 2>" https://localhost:9443/oauth2/token/
    curl -X POST -k -u "noEnn5tvU5tgEJfHImicSApBMAwa:RMauKZY7H1GAWFJ77vffMI8Pv9ka" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&scope=openid&assertion=PD94bWwg<<.....>>9uPg%3D%3D" https://localhost:9443/oauth2/token/
    Note: assertion=PD94bWwg<<.....>>9uPg%3D%3D. This should be taken from Step2.
  3. In the response from above step you will get the base64 encoded id token
    ex: {"token_type":"bearer","expires_in":481,"refresh_token":"71df5c5a5ca2b6dc84c2cf2d64183342","id_token":"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=\r\n.eyJleHAiOi0zNzcyNjI5NywiYXpwIjoiZklFa1p0aW5yYnBMQlh4WDgzbXdEekNQOEFBYSIsInN1\r\nYiI6ImlzaGFyYSIsImF1ZCI6ImZJRWtadGlucmJwTEJYeFg4M213RHpDUDhBQWEiLCJpc3MiOiJo\r\ndHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMmVuZHBvaW50c1wvdG9rZW4iLCJGaXJzdE5h\r\nbWUiOiJJc2hhcmEiLCJMYXN0TmFtZSI6IkthcnVuYXJhdGhuYSIsIkNvdW50cnkiOiJTcmlMYW5r\r\nYSIsImlhdCI6LTQxMzI2Mjk3fQ==\r\n.","access_token":"466d19d052acd21aec3ce045cb46329b"}
  4. Decoding the id_token value you can get the user claims. (Id token contains two values separated by '.')
    Refer bold part from the response, Remove “/r/n” parts and paste it on decoder.
    Go to “http://www.base64decode.org/
    Paste the copied text here.
    Text should be prepared as follows: eyJleHAiOi0zNzcyNjI5NywiYXpwIjoiZklFa1p0aW5yYnBMQlh4WDgzbXdEekNQOEFBYSIsInN1YiI6ImlzaGFyYSIsImF1ZCI6ImZJRWtadGlucmJwTEJYeFg4M213RHpDUDhBQWEiLCJpc3MiOiJo\r\ndHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMmVuZHBvaW50c1wvdG9rZW4iLCJGaXJzdE5hbWUiOiJJc2hhcmEiLCJMYXN0TmFtZSI6IkthcnVuYXJhdGhuYSIsIkNvdW50cnkiOiJTcmlMYW5rYSIsImlhdCI6LTQxMzI2Mjk3fQ==
    Decoded String:
    {"exp":170653649,"azp":"noEnn5tvU5tgEJfHImicSApBMAwa","sub":"shashika","aud":"noEnn5tvU5tgEJfHImicSApBMAwa","iss":"https:\/\/localhost:9443\/oauth2endpoints\/token","FirstName":"shashika","LastName":"ubhayaratne","Country":"SriLanka","iat":167053649}
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)