Create SAML attributes in SAML tokens

Use the SAML runtime API, we can create SAML tokens containing SAML attributes. We can also extract the SAML attributes from an existing SAML token.

Use WebSphere Application Server, we can create SAML attributes using the SAML token library APIs. The SAML attributes are added to a CredentialConfig object, which is used to generate a SAML token. The API also provides a function that extracts SAML attributes from an existing SAML token and processes the attributes.

To create a SAML token containing SAML attributes, perform the following steps:

1. Initialize a com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute object. This creates a SAML attribute based on an address, for example:

   SAMLAttribute sattribute =                    new SAMLAttribute("urn:oid:2.5.4.20", //Name
          new String[] {" any address"}, //Attribute Values
          null, /*XML Attributes empty on this example*/          "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500", //NameSpace
          "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", //format
          "Address");

2. Use the SAMLTokenFactory to create a CredentialConfig object containing a SAML attribute. This method requires the Java security permisson wssapi.SAMLTokenFactory.newCredentialConfig.

   1. Create a com.ibm.wsspi.wssecurity.saml.config.CredentialConfig object and set a valid principal name.

   2. Create a SAML attribute.

   3. Create a list of SAML attributes and add the SAML attribute to the list.

   4. Add the SAML attribute list to the CredentialConfig object.
   See the following example:

   SAMLTokenFactory samlFactory =
     SAMLTokenFactory.getInstance("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");//samlTokenType
                CredentialConfig credentialConfig = samlFactory.newCredentialConfig();
   credentialConfig.setRequesterNameID("any name");
              SAMLAttribute sattribute =                    new SAMLAttribute("urn:oid:2.5.4.20", //Name
          new String[] {" any address"}, //Attribute Values
          null, /*XML Attributes empty on this example*/          "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500", //NameSpace
          "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", //format
          "Address");
                ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
   al.add(sattribute);
   credentialConfig.setSAMLAttributes(al);

3. Specify the CredentialConfig as a parameter, use the com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory newSAMLToken method to create a SAML token containing the attributes. This step assumes that a RequesterConfig reqData object and a ProviderConfig samlIssuerCfg object have already been created. For more information on these objects, read about RequesterConfig and ProviderConfig.

   1. Obtain an instance of the SAMLTokenFactory.

   2. Create a SAML token using the newSAMLToken method from the SAMLTokenFactory, for example:

      SAMLTokenFactory samlFactory =
        SAMLTokenFactory.getInstance("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
       SAMLToken aSamlToken = samlFactory.newSAMLToken(credentialConfig, reqData, samlIssuerCfg);

4. Optional: Extract SAML attributes from an existing SAML token. This step is useful to extract the SAML attributes from a received SAML token. We can use this step when a SAML assertion is received and the attributes contained in the assertion need to be processed.

   1. Invoke the getSAMLAttributes() method with the token as a parameter to obtain a list of the SAML attributes in the token. This method requires the Java security permission wssapi.SAMLToken.getSAMLAttributes.

   2. Apply an iterator to the list.

   3. Iterate through the list and perform any additional processing required for the application.
   See the following example:

   List<SAMLAttribute> aList = aSAMLToken.getSAMLAttributes();
   java.util.Iterator<SAMLAttribute> i = aList.iterator();
    while(i.hasNext()){
       SAMLAttribute anAttribute = i.next();
       //do something with namespace    String namespace = anAttribute.getAttributeNamespace();
       //do something with name    String name = anAttribute.getName();
       //do something with friendly name    String friendlyName = anAttribute.getFriendlyName();
       //process sring attribute values
      String[] stringAttributeValues = anAttribute.getStringAttributeValue();
       //process XML attribute values
      XMLStructure[] xmlAttributeValues = (XMLStructure[]) anAttribute.getXMLAttributeValue();
       }

Subtopics

• SAML user attributes
  A SAML assertion can contain user attributes relating to the principal of the SAML token. A SAML assertion can contain multiple user attributes.

• SAML user attributes
  A SAML assertion can contain user attributes relating to the principal of the SAML token. A SAML assertion can contain multiple user attributes.