
Propagation of SAML tokens using the API

The SAML propagation function is useful for applications that interact across multiple servers. The propagation feature communicates token information from the originating server downstream to other servers.

We can propagate SAML tokens using administrative commands, or programmatically using the SAML API. Propagation through administrative commands is discussed in the topics Propagating SAML tokens and SAML token propagation methods.

Programmatic propagation of SAML tokens is achieved through a combination of explicit programming and use of the Web Services Security runtime environment. For example, we can extract the SAMLToken from the org.apache.axis2.jaxws.BindingProvider object and then use that token for outbound calls. In this example, because WebSphere security is not required, programmatically propagating the SAML token allows you to apply SAML security at the application level. The SAML token can be communicated downstream using any protocol.

Use the following sample code to extract the SAMLToken on the client side after the first request is completed.

Create a Dispatch object and invoke the request:

javax.xml.ws.Dispatch dispatch = ...;
// Dispatch.invoke(T) takes the request message; requestPayload is the
// application's own request (for example, a javax.xml.transform.Source)
dispatch.invoke(requestPayload);

Obtain a response context and extract the SAMLToken (the SAMLToken type is com.ibm.websphere.wssecurity.wssapi.token.SAMLToken):

Map<String, Object> responseContext = dispatch.getResponseContext();
SAMLToken samlToken = (SAMLToken) responseContext.get(
    com.ibm.wsspi.wssecurity.saml.config.SamlConstants.SAMLTOKEN_OUT_MESSAGECONTEXT);

The following sample code shows how to reuse a SAMLToken for subsequent web services requests.

The web services client program creates a dispatch instance to invoke a service, then uses the following code to pass the SAMLToken obtained above to the Web Services Security handler before invoking the next request:

Map<String, Object> requestContext = dispatch.getRequestContext();
requestContext.put(
    com.ibm.wsspi.wssecurity.saml.config.SamlConstants.SAMLTOKEN_IN_MESSAGECONTEXT, samlToken);
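The two client-side steps above (extract the token from the first response, then hand it to the handler for the downstream call) combined into one added example; this is not code from the page or from WebSphere. It assumes the application has already created its javax.xml.ws.Dispatch instances, and the getSamlExpires() call is an assumption about the SAMLToken interface, used here to refuse forwarding an assertion that is no longer valid.

```java
import java.util.Date;
import java.util.Map;
import javax.xml.transform.Source;
import javax.xml.ws.Dispatch;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.wsspi.wssecurity.saml.config.SamlConstants;

public class SamlPropagationClient {

    /** Calls the first service and returns the SAMLToken the WS-Security runtime left in the response context. */
    public static SAMLToken callAndExtractToken(Dispatch<Source> dispatch, Source request) {
        dispatch.invoke(request);
        Map<String, Object> responseContext = dispatch.getResponseContext();
        Object value = responseContext.get(SamlConstants.SAMLTOKEN_OUT_MESSAGECONTEXT);
        if (!(value instanceof SAMLToken)) {
            // Nothing to propagate: the inbound message carried no SAML token for this key.
            throw new IllegalStateException("no SAMLToken in response context");
        }
        return (SAMLToken) value;
    }

    /** Hands a previously obtained token to the WS-Security handler of a downstream Dispatch. */
    public static void attachToken(Dispatch<Source> downstream, SAMLToken token) {
        // Assumption: getSamlExpires() returns the assertion's expiry time. Do not forward a stale token.
        Date expires = token.getSamlExpires();
        if (expires != null && !expires.after(new Date())) {
            throw new IllegalStateException("SAML token expired at " + expires);
        }
        Map<String, Object> requestContext = downstream.getRequestContext();
        requestContext.put(SamlConstants.SAMLTOKEN_IN_MESSAGECONTEXT, token);
    }

    /** Complete flow: first call, then reuse of the same token on the downstream call. */
    public static Source propagate(Dispatch<Source> first, Source firstRequest,
                                   Dispatch<Source> downstream, Source downstreamRequest) {
        SAMLToken token = callAndExtractToken(first, firstRequest);
        attachToken(downstream, token);
        return downstream.invoke(downstreamRequest);
    }
}
```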

The web services provider (receiver) can use the following code to extract a SAMLToken from an incoming web services request.

Extract a SAMLToken from the message context (context below is the provider's inbound message context, for example the one returned by javax.xml.ws.WebServiceContext.getMessageContext()):

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import javax.security.auth.Subject;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;

final Subject subject = (Subject) context.get(
    com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_WSSSUBJECT);
SAMLToken samlToken = null;
try {
    // Reading the private credentials of the Subject is done in a privileged
    // block so that it works when Java 2 security is enabled
    samlToken = AccessController.doPrivileged(
        new PrivilegedExceptionAction<SAMLToken>() {
            public SAMLToken run() throws Exception {
                Iterator<SAMLToken> authIterator =
                    subject.getPrivateCredentials(SAMLToken.class).iterator();
                if (authIterator.hasNext()) {
                    return authIterator.next();
                }
                return null; // no SAML token was carried in the request
            }
        });
} catch (PrivilegedActionException ex) {
    // Error handling; the exception thrown by run() is available via ex.getException()
}

Extract the SAML attributes (SAMLAttribute is com.ibm.websphere.wssecurity.wssapi.token.SAMLAttribute):

import java.util.List;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLAttribute;

List<SAMLAttribute> allAttributes = null;
if (samlToken != null) {
    allAttributes = samlToken.getSAMLAttributes();
}

The web services client runtime environment can cache the SAML token. On subsequent client requests within the application, the security runtime environment retrieves the SAML token from the cache for use with the target.


Related


Propagating SAML tokens
