Requesting SAML holder-of-key tokens with symmetric key from external security token service using WSS APIs
We can request an external security token service (STS) to issue SAML tokens with the holder-of-key subject confirmation method with symmetric key that is encrypted for a target service. Use the JAX-WS programming model and Web Services Security APIs (WSS APIs) to complete this task.
This task assumes that you are familiar with the JAX-WS programming model, the WSS API interfaces, SAML concepts, and the use of policy sets to configure and administer web services settings. Complete the following actions before you begin this task:
- Read about propagating self-issued SAML holder-of-key tokens with symmetric key by using WSS APIs.
- Become familiar with using embedded key materials in SAML tokens for message protection by using WSS APIs. Your usage scenario requires requesting SAML tokens from an external STS instead of using self-issued SAML tokens.
- Read about requesting SAML sender-vouches tokens from an external STS to propagate by using WSS APIs with message level protection.
- Read about requesting SAML sender-vouches tokens from an external STS to propagate by using WSS APIs with transport level protection.
- Read about requesting SAML bearer tokens from an external STS to propagate by using WSS APIs with transport level protection.
- Be familiar with accessing an external STS by using WSS APIs.
This task shows example code to request SAML tokens from an external STS, with holder-of-key subject confirmation method and embedded symmetric key that is encrypted for the target service by using WSS APIs. This task focuses on sending a WS-Trust request message to an external STS to request SAML holder-of-key tokens with symmetric keys.
- Specify an STS from which to request a SAML security token containing holder-of-key subject confirmation method; for example:
com.ibm.websphere.wssecurity.wssapi.WSSFactory factory = com.ibm.websphere.wssecurity.wssapi.WSSFactory.getInstance(); WSSGenerationContext gencont1 = factory.newWSSGenerationContext(); WSSConsumingContext concont1 = factory.newWSSConsumingContext(); HashMap<Object, Object> cbackMap1 = new HashMap<Object, Object>(); cbackMap1.put(SamlConstants.STS_ADDRESS, "https://www.example.com/sts"); //STS URL cbackMap1.put(SamlConstants.SAML_APPLIES_TO, "http://myhost:9080/myService"); //Target Service cbackMap1.put(IssuedTokenConfigConstants.TRUST_CLIENT_SOAP_VERSION, "1.1"); cbackMap1.put(IssuedTokenConfigConstants.TRUST_CLIENT_WSTRUST_NAMESPACE, "http://docs.oasis-open.org/ws-sx/ws-trust/200512"); cbackMap1.put(IssuedTokenConfigConstants.TRUST_CLIENT_COLLECTION_REQUEST, "true"); //RST or RSTC cbackMap1.put(SamlConstants.TOKEN_TYPE, "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); cbackMap1.put(SamlConstants.CONFIRMATION_METHOD, "holder-of-key");To request a holder-of-key SAML security token from the STS, specify whether to embed a symmetric key or a public key by way of a KeyType element in a trust request. This example requires a symmetric key type as shown in the next step.
- Specify the symmetric key to be embedded in SAML security tokens; for example:
cbackMap1.put(SamlConstants.KEY_TYPE, "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey"); SAMLGenerateCallbackHandler cbHandler1 = new SAMLGenerateCallbackHandler(cbackMap1); cbHandler1.setWSSConsumingContextForTrustClient(concont1); cbHandler1.setWSSGenerationContextForTrustClient(gencont1); SecurityToken samlToken = factory.newSecurityToken(SAMLToken.class, cbHandler1, "system.wss.generate.saml");The requested SAML token contains a symmetric key that is encrypted for the target service. The STS also returns the unencrypted symmetric key through the WS-Trust RequestedProofToken element. See the following example.
<wst:RequestedProofToken> <wst:BinarySecret xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_27325D34CE4BCC83141288966548620">n68rFQba+XTZLNBfEc4prg==</wst:BinarySecret> </wst:RequestedProofToken>The RequestedProofToken element is shown here for the information. The detailed processing is not exposed to WSS APIs users. The RequestedProofToken element and the symmetric key are handled by the Web Services Security runtime environment, or more precisely by the SAMLGenerateLoginModule specified in the system.wss.geenrate.saml JAAS login configuration.
Results
You have learned key building blocks for requesting SAML tokens with holder-of-key subject confirmation method and symmetric key from an external STS by using WSS APIs. To use the SAML token to sign request messages, review the example code in the "Propagating self-issued SAML holder-of-key tokens with symmetric key by using WSS APIs" topic.
Related concepts
SAML concepts SAML assertions defined in the SAML Token Profile standard
Related tasks
Sending self-issued SAML holder-of-key tokens with symmetric key using WSS APIs Requesting SAML sender-vouches tokens from an external STS using WSS APIs and message level protection Requesting SAML bearer tokens from an external STS using WSS APIs and transport level protection Requesting SAML sender-vouches tokens from an external STS using WSS APIs and transport level protection Configure client and provider bindings for the SAML holder-of-key symmetric key token Tune Web Services Security for v8.5 applications
Web Services Security APIs SAML Issuer Config Properties