Create SAML attributes in SAML tokens
Using the SAML runtime API, you can create SAML tokens that contain SAML attributes, and you can extract the SAML attributes from an existing SAML token.
In WebSphere Application Server, you create SAML attributes with the SAML token library APIs. The attributes are added to a CredentialConfig object, which is then used to generate a SAML token. The API also provides a method that extracts the SAML attributes from an existing SAML token so that the application can process them.
To create a SAML token containing SAML attributes, perform the following steps:
- Initialize a com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute object. The following example creates a SAML attribute that carries an address. The last constructor argument is the attribute's friendly name; the XML attribute values are left empty because this attribute has string values only:
SAMLAttribute sattribute = new SAMLAttribute(
    "urn:oid:2.5.4.20",                                     // Name
    new String[] {" any address"},                          // Attribute values
    null,                                                   // XML attribute values (none in this example)
    "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500",  // NameSpace
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",      // Format
    "Address");                                             // Friendly name
- Use the SAMLTokenFactory to create a CredentialConfig object that contains the SAML attribute. The newCredentialConfig method requires the Java security permission wssapi.SAMLTokenFactory.newCredentialConfig.
The steps are as follows, with the complete example after them:
- Create a com.ibm.wsspi.wssecurity.saml.config.CredentialConfig object and set a valid principal name.
- Create a SAML attribute.
- Create a list of SAML attributes and add the SAML attribute to the list.
- Add the SAML attribute list to the CredentialConfig object.
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); // samlTokenType
CredentialConfig credentialConfig = samlFactory.newCredentialConfig();
credentialConfig.setRequesterNameID("any name");
SAMLAttribute sattribute = new SAMLAttribute(
    "urn:oid:2.5.4.20",                                     // Name
    new String[] {" any address"},                          // Attribute values
    null,                                                   // XML attribute values (none in this example)
    "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500",  // NameSpace
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",      // Format
    "Address");                                             // Friendly name
ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
al.add(sattribute);
credentialConfig.setSAMLAttributes(al);
- Passing the CredentialConfig as a parameter, use the newSAMLToken method of com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory to create a SAML token that contains the attributes. This step assumes that a RequesterConfig reqData object and a ProviderConfig samlIssuerCfg object have already been created. For more information on these objects, read about RequesterConfig and ProviderConfig.
- Obtain an instance of the SAMLTokenFactory. The token type passed to getInstance determines whether a SAML 1.1 or a SAML 2.0 assertion is produced; the example below uses the SAML 1.1 token type, whereas the CredentialConfig example above used the SAML 2.0 token type. Use the same token type in both places so that the assertion version matches the attribute namespace and name format you configured.
- Create a SAML token using the newSAMLToken method from the SAMLTokenFactory, for example:
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
SAMLToken aSamlToken = samlFactory.newSAMLToken(credentialConfig, reqData, samlIssuerCfg);
- Optional: Extract SAML attributes from an existing SAML token. Use this step when a SAML assertion is received and the attributes it contains must be processed by the application.
The steps are as follows, with the complete example after them:
- Invoke the getSAMLAttributes() method with the token as a parameter to obtain a list of the SAML attributes in the token. This method requires the Java security permission wssapi.SAMLToken.getSAMLAttributes.
- Apply an iterator to the list.
- Iterate through the list and perform any additional processing required for the application.
List<SAMLAttribute> aList = aSAMLToken.getSAMLAttributes();
java.util.Iterator<SAMLAttribute> i = aList.iterator();
while (i.hasNext()) {
    SAMLAttribute anAttribute = i.next();
    // do something with the namespace
    String namespace = anAttribute.getAttributeNamespace();
    // do something with the name
    String name = anAttribute.getName();
    // do something with the friendly name
    String friendlyName = anAttribute.getFriendlyName();
    // process string attribute values
    String[] stringAttributeValues = anAttribute.getStringAttributeValue();
    // process XML attribute values
    XMLStructure[] xmlAttributeValues = (XMLStructure[]) anAttribute.getXMLAttributeValue();
}
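The three steps above wired together, issuer side and consumer side, as an added example that is not part of this page or of the WebSphere product code. It assumes that the RequesterConfig reqData and ProviderConfig samlIssuerCfg objects have been created elsewhere as the page describes, that the wssapi.SAMLTokenFactory.newCredentialConfig and wssapi.SAMLToken.getSAMLAttributes Java security permissions are granted, and that the WS-Security runtime has already validated the received assertion (signature, issuer, conditions) before the SAMLToken reaches application code. The helper method names (x500Attribute, buildCredentialConfig, issueToken, stringAttributesByName, requireSingleValue) and the sample attribute values are hypothetical. Beyond the page's own steps it shows a multi-valued attribute, merging of values when the same attribute name appears more than once in a received assertion, and a fail-closed lookup of an attribute the application requires.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;

/**
 * Hypothetical round trip: put attributes into a SAML 2.0 token, then read them
 * back defensively on the consuming side. Assumes the wssapi.SAMLTokenFactory and
 * wssapi.SAMLToken Java security permissions are granted to this code.
 */
public class SamlAttributeRoundTrip {

    // Same token type on both sides so the assertion version matches the
    // SAML 2.0 attribute namespace and name format used below.
    static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    static final String X500_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500";
    static final String URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

    /** One X.500-profile attribute with string values only (no XML values). */
    static SAMLAttribute x500Attribute(String oidName, String friendlyName, String... values)
            throws Exception {
        return new SAMLAttribute(oidName, values, null, X500_NS, URI_FORMAT, friendlyName);
    }

    /** CredentialConfig for the requester, carrying every attribute in the list. */
    static CredentialConfig buildCredentialConfig(SAMLTokenFactory factory, String requesterName,
                                                  List<SAMLAttribute> attributes) throws Exception {
        CredentialConfig cfg = factory.newCredentialConfig();
        cfg.setRequesterNameID(requesterName);
        cfg.setSAMLAttributes(new ArrayList<SAMLAttribute>(attributes));
        return cfg;
    }

    /**
     * Issuer side. reqData and issuerCfg are assumed to have been created as
     * described for RequesterConfig and ProviderConfig; they are not built here.
     */
    static SAMLToken issueToken(RequesterConfig reqData, ProviderConfig issuerCfg) throws Exception {
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAML20_TOKEN_TYPE);
        List<SAMLAttribute> attrs = new ArrayList<SAMLAttribute>();
        attrs.add(x500Attribute("urn:oid:2.5.4.20", "Address", "any address"));
        // Multi-valued attribute (organizationalUnitName): one Attribute element,
        // several AttributeValue children. Sample values are constructed.
        attrs.add(x500Attribute("urn:oid:2.5.4.11", "ou", "engineering", "security"));
        CredentialConfig cfg = buildCredentialConfig(factory, "any name", attrs);
        return factory.newSAMLToken(cfg, reqData, issuerCfg);
    }

    /**
     * Consumer side: index string-valued attributes by name. Attributes are
     * authorization input, so this assumes the WS-Security runtime has already
     * validated the assertion before the SAMLToken reached application code.
     */
    static Map<String, List<String>> stringAttributesByName(SAMLToken token) throws Exception {
        Map<String, List<String>> byName = new HashMap<String, List<String>>();
        for (SAMLAttribute a : token.getSAMLAttributes()) {
            String[] values = a.getStringAttributeValue();
            if (values == null) {
                continue; // XML-valued attribute (see getXMLAttributeValue); not handled here
            }
            List<String> merged = byName.get(a.getName());
            if (merged == null) {
                merged = new ArrayList<String>();
                byName.put(a.getName(), merged); // same name may occur in more than one Attribute
            }
            merged.addAll(Arrays.asList(values));
        }
        return byName;
    }

    /** Fail closed: exactly one non-blank value, otherwise refuse to make a decision. */
    static String requireSingleValue(Map<String, List<String>> attrs, String name) {
        List<String> v = attrs.get(name);
        if (v == null || v.size() != 1 || v.get(0) == null || v.get(0).trim().isEmpty()) {
            throw new IllegalStateException("SAML attribute " + name + " missing or not single-valued");
        }
        return v.get(0).trim();
    }

    static void demonstrate(RequesterConfig reqData, ProviderConfig issuerCfg) throws Exception {
        SAMLToken token = issueToken(reqData, issuerCfg);
        Map<String, List<String>> attrs = stringAttributesByName(token);
        String address = requireSingleValue(attrs, "urn:oid:2.5.4.20");
        List<String> ous = attrs.get("urn:oid:2.5.4.11");
        System.out.println("address=" + address + " ou=" + ous);
    }
}
```

The lookup by attribute Name (the OID URI) rather than by friendly name is deliberate: the friendly name is informational and an issuer may omit or change it, whereas the Name plus its format is what the X500 attribute profile defines.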
Subtopics
- SAML user attributes
A SAML assertion can contain user attributes relating to the principal of the SAML token. A SAML assertion can contain multiple user attributes.