
Customize the NameID for self-issued SAML tokens using the API

The SAML library API can be used to create a SAML token that has a custom NameID.

When self-issued SAML tokens are created using the SAML token generator, the NameID cannot be customized through callback handler properties. However, the SAML library API lets you write a custom SAML NameID callback handler, registered in the SAMLIssuerConfig.properties file, that sets the NameID of a self-issued SAML token. The same kind of callback handler can also be used by applications that create tokens with the newSAMLToken method.

Note that the SAML NameID callback handler runs for every SAML token created by the application server that uses the modified SAMLIssuerConfig.properties file, so the value it produces becomes the asserted subject of all of those tokens.

  1. Develop a custom SAML NameID callback handler. For example:

    package test.saml;

    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback;
    import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;

    public class NameIDProvider implements javax.security.auth.callback.CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            if (callbacks == null || callbacks.length == 0) {
                throw new UnsupportedCallbackException(null, "There is no callback.");
            }
            for (int i = 0; i < callbacks.length; i++) {
                // Only the NameIDCallback is handled; other callbacks are ignored.
                if (callbacks[i] instanceof NameIDCallback) {
                    NameIDCallback callback = (NameIDCallback)callbacks[i];
                    // The first argument becomes the value of the <saml:NameID> element.
                    SAMLNameID nameid = new SAMLNameID("newNameID", null, null, null, null);
                    callback.setSAMLNameID(nameid);
                }
            }
        }
    }

  2. Add the NameIDProvider custom property to the (cellRoot)/sts/SAMLIssuerConfig.properties file. For example:

    NameIDProvider=test.saml.NameIDProvider


Results

When this task is completed using the sample code provided, the following element will be added to all SAML tokens:

    <saml:Subject>
        <saml:NameID>newNameID</saml:NameID>
    </saml:Subject>
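Because the handler runs for every self-issued token, a fixed NameID such as "newNameID" makes every token assert the same subject. The following is an added example (not part of the product documentation or its sample code) of a handler that derives the NameID from the authenticated caller instead and refuses to issue a token when no caller is authenticated; it assumes WSSubject.getCallerPrincipal() is available on the issuing thread and that "UNAUTHENTICATED" is the principal name reported for unauthenticated callers.

```java
package test.saml;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.wssecurity.callbackhandler.NameIDCallback;
import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;

// Added example: sets the NameID to the authenticated caller's principal name.
public class CallerNameIDProvider implements CallbackHandler {

    // Assumed principal name that WebSphere reports for unauthenticated callers.
    private static final String UNAUTHENTICATED = "UNAUTHENTICATED";

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        if (callbacks == null || callbacks.length == 0) {
            throw new UnsupportedCallbackException(null, "There is no callback.");
        }
        boolean handled = false;
        for (Callback cb : callbacks) {
            if (cb instanceof NameIDCallback) {
                // Same constructor as the documentation's sample; only the value differs.
                SAMLNameID nameid = new SAMLNameID(resolveNameID(), null, null, null, null);
                ((NameIDCallback) cb).setSAMLNameID(nameid);
                handled = true;
            }
        }
        if (!handled) {
            // Fail closed rather than silently leaving the NameID unset.
            throw new UnsupportedCallbackException(callbacks[0], "No NameIDCallback was supplied.");
        }
    }

    // Returns the caller principal, or throws so that no token is issued for an
    // unauthenticated thread (which would otherwise get a meaningless subject).
    static String resolveNameID() throws IOException {
        String caller = WSSubject.getCallerPrincipal();
        if (caller == null || caller.trim().isEmpty() || UNAUTHENTICATED.equalsIgnoreCase(caller)) {
            throw new IOException("Refusing to issue a SAML token without an authenticated caller.");
        }
        return caller;
    }
}
```

Register it the same way as the sample, with NameIDProvider=test.saml.CallerNameIDProvider in SAMLIssuerConfig.properties.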

