Network Deployment (Distributed operating systems), v8.0 > Develop and deploying applications > Develop web services - Security (WS-Security) > Deploy applications that use SAML


Create SAML attributes in SAML tokens

Using the SAML runtime API, you can create SAML tokens that contain SAML attributes, and you can extract the SAML attributes from an existing SAML token. When WAS Version 7.0.0.7 or later is installed, you can create SAML attributes using the SAML token library APIs. The SAML attributes are added to a CredentialConfig object, which is then used to generate a SAML token. The API also provides a method that extracts the SAML attributes from an existing SAML token so that the application can process them.

To create a SAML token containing SAML attributes, perform the following steps:


Procedure

  1. Initialize a com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute object. This creates a SAML attribute based on an address, for example:
    SAMLAttribute sattribute =
        new SAMLAttribute("urn:oid:2.5.4.20",                                  // name
                          new String[] {" any address"},                         // attribute values
                          null,                                                  // XML attribute values, empty in this example
                          "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500", // namespace
                          "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",     // name format
                          "Address");                                            // friendly name


  2. Use the SAMLTokenFactory to create a CredentialConfig object containing a SAML attribute. This method requires the Java security permission wssapi.SAMLTokenFactory.newCredentialConfig.

    1. Create a com.ibm.wsspi.wssecurity.saml.config.CredentialConfig object and set a valid principal name.

    2. Create a SAML attribute.

    3. Create a list of SAML attributes and add the SAML attribute to the list.

    4. Add the SAML attribute list to the CredentialConfig object.

    See the following example:

    SAMLTokenFactory samlFactory =
        SAMLTokenFactory.getInstance("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); // samlTokenType

    CredentialConfig credentialConfig = samlFactory.newCredentialConfig();
    credentialConfig.setRequesterNameID("any name");

    SAMLAttribute sattribute =
        new SAMLAttribute("urn:oid:2.5.4.20",                                  // name
                          new String[] {" any address"},                         // attribute values
                          null,                                                  // XML attribute values, empty in this example
                          "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500", // namespace
                          "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",     // name format
                          "Address");                                            // friendly name

    ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
    al.add(sattribute);
    credentialConfig.setSAMLAttributes(al);


  3. Passing the CredentialConfig as a parameter, use the newSAMLToken method of com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory to create a SAML token containing the attributes. This step assumes that a RequesterConfig object (reqData) and a ProviderConfig object (samlIssuerCfg) have already been created. For more information on these objects, read about RequesterConfig and ProviderConfig.

    1. Obtain an instance of the SAMLTokenFactory.

    2. Create a SAML token using the newSAMLToken method from the SAMLTokenFactory, for example:
      SAMLTokenFactory samlFactory =
        SAMLTokenFactory.getInstance("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
      
      SAMLToken aSamlToken = samlFactory.newSAMLToken(credentialConfig, reqData, samlIssuerCfg);
      
  4. Optional: Extract SAML attributes from an existing SAML token. Use this step when a SAML assertion is received and the attributes contained in the assertion need to be processed by the application.

    1. Invoke the getSAMLAttributes() method with the token as a parameter to obtain a list of the SAML attributes in the token. This method requires the Java security permission wssapi.SAMLToken.getSAMLAttributes.
    2. Apply an iterator to the list.
    3. Iterate through the list and perform any additional processing required for the application.

    See the following example:

    List<SAMLAttribute> aList = aSamlToken.getSAMLAttributes();
    java.util.Iterator<SAMLAttribute> i = aList.iterator();

    while (i.hasNext()) {
        SAMLAttribute anAttribute = i.next();

        // do something with the namespace
        String namespace = anAttribute.getAttributeNamespace();

        // do something with the name
        String name = anAttribute.getName();

        // do something with the friendly name
        String friendlyName = anAttribute.getFriendlyName();

        // process string attribute values
        String[] stringAttributeValues = anAttribute.getStringAttributeValue();

        // process XML attribute values
        XMLStructure[] xmlAttributeValues = (XMLStructure[]) anAttribute.getXMLAttributeValue();
    }

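As an added example (not code from this page or from IBM), the following helper combines step 2 and step 4: one method builds a CredentialConfig carrying several X500 attributes, the other reads the attributes of a received token into a map keyed by namespace and name, discarding anything outside the namespace the application expects. Assumed, because the page does not state them: the package of SAMLToken, that the friendly-name argument may be null, and that the factory and token methods used here do not throw checked exceptions.

```java
import java.util.*;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;        // assumed package for SAMLToken
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;

public class SamlAttributeHelper {
    static final String X500_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500";
    static final String URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

    // Issuing side (steps 1 and 2): one X500 attribute per (OID, values) entry, all
    // added to a CredentialConfig that newSAMLToken can turn into a token.
    static CredentialConfig credentialWithAttributes(SAMLTokenFactory factory,
            String principal, Map<String, String[]> oidValues) {
        CredentialConfig cfg = factory.newCredentialConfig(); // needs wssapi.SAMLTokenFactory.newCredentialConfig
        cfg.setRequesterNameID(principal);
        List<SAMLAttribute> attrs = new ArrayList<SAMLAttribute>();
        for (Map.Entry<String, String[]> e : oidValues.entrySet()) {
            // friendly name passed as null: assumed optional, it is only a display hint
            attrs.add(new SAMLAttribute(e.getKey(), e.getValue(), null, X500_NS, URI_FORMAT, null));
        }
        cfg.setSAMLAttributes(attrs);
        return cfg;
    }

    // Receiving side (step 4): index string values by "namespace|name". The friendly
    // name is deliberately not used as a key, because it is free text chosen by the
    // issuer; attributes outside the expected namespace are ignored rather than mapped.
    static Map<String, List<String>> readAttributes(SAMLToken token, String expectedNs) {
        Map<String, List<String>> out = new HashMap<String, List<String>>();
        for (SAMLAttribute a : token.getSAMLAttributes()) {   // needs wssapi.SAMLToken.getSAMLAttributes
            String ns = a.getAttributeNamespace();
            if (ns == null || !ns.equals(expectedNs) || a.getName() == null) {
                continue;
            }
            String[] values = a.getStringAttributeValue();
            if (values == null) {
                continue;   // XML-valued attributes need their own parsing; not handled here
            }
            String key = ns + "|" + a.getName();
            if (!out.containsKey(key)) {
                out.put(key, new ArrayList<String>());
            }
            for (String v : values) {
                out.get(key).add(v);
            }
        }
        return out;
    }
}
```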


Related


SAML user attributes
