Inserting SAML attributes using WSS APIs
We can insert custom attributes into self-issued SAML tokens using the JAX-WS programming model and Web Services Security APIs (WSS APIs).
This task assumes that you are familiar with the JAX-WS programming model, the WSS API interfaces, SAML concepts, and the use of policy sets to configure and administer web services settings. Complete the following actions before you begin this task:
- Read about propagating self-issued SAML bearer tokens by using WSS APIs.
- Read about propagating self-issued SAML sender-vouches tokens by using WSS APIs with message level protection.
- Read about propagating self-issued SAML sender-vouches tokens by using WSS APIs with SSL transport protection.
- Read about propagating self-issued SAML holder-of-key tokens with symmetric key by using WSS APIs.
- Read about propagating self-issued SAML holder-of-key tokens with asymmetric key by using WSS APIs.
This task shows example code that inserts custom attributes into self-issued SAML security tokens. This particular example uses the bearer subject confirmation method, but the attribute-building code is independent of the confirmation method: the same SAMLAttribute list can be passed to the SAMLGenerateCallbackHandler for sender-vouches and holder-of-key tokens as well.
Insert custom attributes when creating SAML security tokens; for example:
import java.util.ArrayList;
import java.util.HashMap;

import com.ibm.websphere.wssecurity.callbackhandler.SAMLGenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.wsspi.wssecurity.core.token.config.WSSConstants;
import com.ibm.wsspi.wssecurity.saml.config.SamlConstants;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;

WSSFactory factory = WSSFactory.getInstance();

// Generation options for a signed, self-issued SAML 2.0 bearer token for subject "Alice".
HashMap<Object, Object> map = new HashMap<Object, Object>();
map.put(SamlConstants.CONFIRMATION_METHOD, "Bearer");
map.put(SamlConstants.Token_REQUEST, "issue");
map.put(SamlConstants.TOKEN_TYPE, WSSConstants.SAML.SAML20_VALUE_TYPE);
map.put(SamlConstants.SAML_NAME_IDENTIFIER, "Alice");
map.put(SamlConstants.SIGNATURE_REQUIRED, "true");

// Custom attributes: each SAMLAttribute takes the attribute name, its string values,
// and optional XML values, namespace, format and friendly name (null when not used).
ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
String groups[] = {"IBMer", "Texan"};
SAMLAttribute sattribute = new SAMLAttribute("Membership", groups, null, null, null, null);
al.add(sattribute);
String gender[] = {"Female"};
sattribute = new SAMLAttribute("Gender", gender, null, null, null, null);
al.add(sattribute);

// The attribute list is handed to the generator through the SAML_ATTRIBUTES key.
map.put(SamlConstants.SAML_ATTRIBUTES, al);

SAMLGenerateCallbackHandler callbackHandler = new SAMLGenerateCallbackHandler(map);
SecurityToken samlToken = factory.newSecurityToken(SAMLToken.class, callbackHandler, "system.wss.generate.saml");
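The snippet above hard-codes the bearer case. The following is an added example (not code from the product documentation) that factors the attribute handling into a reusable helper, so the same attribute list can be issued under any subject confirmation method, and that rejects empty attribute names or values before they reach the generator. The class and method names, the NAME_FORMAT_URI constant, and the mapping of the constant onto the "format" parameter of the SAMLAttribute constructor are assumptions made for this example; the map keys and the WSS API calls are the ones the page itself uses.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.ibm.websphere.wssecurity.callbackhandler.SAMLGenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.wsspi.wssecurity.core.token.config.WSSConstants;
import com.ibm.wsspi.wssecurity.saml.config.SamlConstants;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;

/**
 * Added example: builds self-issued SAML 2.0 tokens with caller-supplied attributes.
 * Class and method names are assumptions for this example.
 */
public final class SamlAttributeTokenBuilder {

    // SAML 2.0 attribute NameFormat URI. Assumption: it is carried in the
    // "format" argument of the SAMLAttribute constructor.
    static final String NAME_FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

    private SamlAttributeTokenBuilder() {}

    /** Turns a name -> values map into SAMLAttribute objects, failing fast on empty input. */
    static List<SAMLAttribute> toSamlAttributes(Map<String, String[]> attrs, String nameFormat) {
        List<SAMLAttribute> out = new ArrayList<SAMLAttribute>();
        for (Map.Entry<String, String[]> e : attrs.entrySet()) {
            String name = e.getKey();
            String[] values = e.getValue();
            if (name == null || name.trim().isEmpty()) {
                throw new IllegalArgumentException("SAML attribute name must not be empty");
            }
            if (values == null || values.length == 0) {
                throw new IllegalArgumentException("SAML attribute '" + name + "' has no values");
            }
            for (String v : values) {
                if (v == null || v.isEmpty()) {
                    throw new IllegalArgumentException("SAML attribute '" + name + "' has an empty value");
                }
            }
            // name, string values, no XML values, no namespace, optional NameFormat, no friendly name
            out.add(new SAMLAttribute(name, values, null, null, nameFormat, null));
        }
        return out;
    }

    /**
     * Issues a signed, self-issued SAML 2.0 token for nameId under the given
     * confirmation method ("Bearer" as on this page; the sender-vouches and
     * holder-of-key topics use the same keys plus their own extra settings,
     * which the caller passes in extraConfig).
     */
    static SecurityToken issueToken(String confirmationMethod, String nameId,
                                    Map<String, String[]> attrs,
                                    Map<Object, Object> extraConfig) throws WSSException {
        HashMap<Object, Object> map = new HashMap<Object, Object>();
        map.put(SamlConstants.CONFIRMATION_METHOD, confirmationMethod);
        map.put(SamlConstants.Token_REQUEST, "issue");
        map.put(SamlConstants.TOKEN_TYPE, WSSConstants.SAML.SAML20_VALUE_TYPE);
        map.put(SamlConstants.SAML_NAME_IDENTIFIER, nameId);
        // The token is self-issued, so the attributes are only as trustworthy as this
        // code; keep the signature so a consumer can at least tie them to the issuer.
        map.put(SamlConstants.SIGNATURE_REQUIRED, "true");
        map.put(SamlConstants.SAML_ATTRIBUTES, new ArrayList<SAMLAttribute>(toSamlAttributes(attrs, NAME_FORMAT_URI)));
        if (extraConfig != null) {
            map.putAll(extraConfig);
        }
        SAMLGenerateCallbackHandler handler = new SAMLGenerateCallbackHandler(map);
        return WSSFactory.getInstance().newSecurityToken(SAMLToken.class, handler, "system.wss.generate.saml");
    }

    public static void main(String[] args) throws WSSException {
        // Constructed sample input; LinkedHashMap keeps attribute order stable in the assertion.
        Map<String, String[]> attrs = new LinkedHashMap<String, String[]>();
        attrs.put("Membership", new String[] {"IBMer", "Texan"});
        attrs.put("Gender", new String[] {"Female"});

        // Same attributes, bearer confirmation, no extra settings: equivalent to the page's snippet.
        SecurityToken bearer = issueToken("Bearer", "Alice", attrs, null);
        System.out.println("issued bearer token: " + bearer);

        // Rejected before any token is generated.
        try {
            attrs.put("Role", new String[0]);
            issueToken("Bearer", "Alice", attrs, null);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Run it inside a WebSphere JAX-WS client where the WSS API classes are on the classpath; outside the server the WSSFactory call has nothing to bind to. The validation is the practical point: an attribute with an empty name or no values is a configuration bug in the caller, and failing before generation is cheaper than debugging a malformed AttributeStatement at the consumer.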
Results
You have inserted custom attributes to a SAML security token.
Example
The following example shows the custom attributes in the SAML Assertion:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_E62A1CA3C2F21D9A9B1287772824570" IssueInstant="2010-10-22T18:40:24.531Z">
  <saml2:Issuer>example.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID>Alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2010-10-22T18:40:24.531Z" NotOnOrAfter="2010-10-22T19:40:24.531Z">
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Membership">
      <saml2:AttributeValue>IBMer</saml2:AttributeValue>
      <saml2:AttributeValue>Texan</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Gender">
      <saml2:AttributeValue>Female</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
What to do next
Merge the code with the example code listed in the "Propagating self-issued SAML bearer tokens by using WSS APIs" topic to generate SAML security tokens. The custom attributes then appear in the AttributeStatement of the generated SAML assertion.
Related tasks
- Sending self-issued SAML bearer tokens using WSS APIs
- Sending self-issued SAML sender-vouches tokens using WSS APIs with message level protection
- Sending self-issued SAML sender-vouches tokens using WSS APIs with SSL transport protection
- Sending self-issued SAML holder-of-key tokens with symmetric key using WSS APIs
- Sending self-issued SAML holder-of-key tokens with asymmetric key using WSS APIs