
Inserting SAML attributes using WSS APIs

We can insert custom attributes into self-issued SAML tokens using JAX-WS and Web Services Security APIs (WSS APIs).

This task assumes that you are familiar with JAX-WS, the WSS API interfaces, SAML concepts, and the use of policy sets to configure and administer web services settings. Complete the following actions before you begin this task:

This task shows example code that inserts custom attributes into self-issued SAML security tokens. This particular example uses the bearer subject confirmation method. We can add attributes to any SAML security tokens, and the same code can be used with other subject confirmation methods.

Insert custom attributes when creating SAML security tokens; for example:

import java.util.ArrayList;
import java.util.HashMap;

import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.callbackhandler.SAMLGenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.wsspi.wssecurity.core.token.config.WSSConstants;
import com.ibm.wsspi.wssecurity.saml.config.SamlConstants;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;

// Runs inside a method that declares "throws WSSException"
// (com.ibm.websphere.wssecurity.wssapi.WSSException), because newSecurityToken can throw it.
WSSFactory factory = WSSFactory.getInstance();

// Configuration for the self-issued token: bearer confirmation, SAML 2.0, signed assertion.
HashMap<Object, Object> map = new HashMap<Object, Object>();
map.put(SamlConstants.CONFIRMATION_METHOD, "Bearer");
map.put(SamlConstants.Token_REQUEST, "issue");
map.put(SamlConstants.TOKEN_TYPE, WSSConstants.SAML.SAML20_VALUE_TYPE);
map.put(SamlConstants.SAML_NAME_IDENTIFIER, "Alice");
map.put(SamlConstants.SIGNATURE_REQUIRED, "true");

// Custom attributes: each SAMLAttribute becomes one <saml2:Attribute> with one
// <saml2:AttributeValue> per entry in the String[] values.
ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
String[] groups = {"IBMer", "Texan"};
SAMLAttribute sattribute = new SAMLAttribute("Membership", groups, null, null, null, null);
al.add(sattribute);
String[] gender = {"Female"};
sattribute = new SAMLAttribute("Gender", gender, null, null, null, null);
al.add(sattribute);
map.put(SamlConstants.SAML_ATTRIBUTES, al);

// The callback handler carries the map into the token generator.
SAMLGenerateCallbackHandler callbackHandler = new SAMLGenerateCallbackHandler(map);
SecurityToken samlToken = factory.newSecurityToken(SAMLToken.class, callbackHandler,
                                                  "system.wss.generate.saml");


Results

You have inserted custom attributes into a SAML security token.


Example

The following example shows the custom attributes in the SAML assertion:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 Version="2.0"
                 ID="_E62A1CA3C2F21D9A9B1287772824570"
                 IssueInstant="2010-10-22T18:40:24.531Z">
    <saml2:Issuer>example.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
    </ds:Signature>
    <saml2:Subject>
        <saml2:NameID>Alice</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2010-10-22T18:40:24.531Z"
                      NotOnOrAfter="2010-10-22T19:40:24.531Z">
    </saml2:Conditions>
    <saml2:AttributeStatement>
        <saml2:Attribute Name="Membership">
            <saml2:AttributeValue>IBMer</saml2:AttributeValue>
            <saml2:AttributeValue>Texan</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="Gender">
            <saml2:AttributeValue>Female</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

Merge this code with the example code in the “Propagating self-issued SAML bearer tokens using WSS APIs” topic to generate SAML security tokens; the custom attributes then appear in the generated SAML assertions as shown above.
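Added example, not from the WebSphere documentation and not using the WSS API: a plain-Java consumer-side check that parses an assertion shaped like the one above, confirms the bearer confirmation method and the Conditions window, and only then returns the Membership and Gender attributes. The embedded assertion is constructed (placeholder ID, signature omitted); XML signature verification, which the receiving WS-Security runtime performs, is not shown.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.*;
public class SamlAttributeCheck {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    // Constructed sample: the unsigned parts of the assertion shown above (ID is a placeholder).
    static final String ASSERTION = "<saml2:Assertion xmlns:saml2='" + NS + "' Version='2.0'"
        + " ID='_PLACEHOLDER' IssueInstant='2010-10-22T18:40:24.531Z'>"
        + "<saml2:Issuer>example.com</saml2:Issuer><saml2:Subject><saml2:NameID>Alice</saml2:NameID>"
        + "<saml2:SubjectConfirmation Method='" + BEARER + "'/></saml2:Subject>"
        + "<saml2:Conditions NotBefore='2010-10-22T18:40:24.531Z' NotOnOrAfter='2010-10-22T19:40:24.531Z'/>"
        + "<saml2:AttributeStatement><saml2:Attribute Name='Membership'>"
        + "<saml2:AttributeValue>IBMer</saml2:AttributeValue><saml2:AttributeValue>Texan</saml2:AttributeValue>"
        + "</saml2:Attribute><saml2:Attribute Name='Gender'><saml2:AttributeValue>Female</saml2:AttributeValue>"
        + "</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>";
    /** Attribute name -> values, released only after the bearer method and validity window check out. */
    static Map<String, List<String>> attributes(String xml, Instant now) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs (XXE)
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element conf = (Element) doc.getElementsByTagNameNS(NS, "SubjectConfirmation").item(0);
        if (conf == null || !BEARER.equals(conf.getAttribute("Method")))
            throw new SecurityException("expected bearer subject confirmation");
        Element cond = (Element) doc.getElementsByTagNameNS(NS, "Conditions").item(0);
        if (cond == null || now.isBefore(Instant.parse(cond.getAttribute("NotBefore")))
                || !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter"))))
            throw new SecurityException("assertion outside its validity window");
        Map<String, List<String>> out = new LinkedHashMap<>();
        NodeList attrs = doc.getElementsByTagNameNS(NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            List<String> vals = new ArrayList<>();
            NodeList vs = a.getElementsByTagNameNS(NS, "AttributeValue");
            for (int j = 0; j < vs.getLength(); j++) vals.add(vs.item(j).getTextContent());
            out.put(a.getAttribute("Name"), vals);
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        // A time inside the window yields the two attributes; one after 19:40Z is rejected.
        System.out.println(attributes(ASSERTION, Instant.parse("2010-10-22T19:00:00Z")));
    }
}
```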


Related


Sending self-issued SAML bearer tokens using WSS APIs
Sending self-issued SAML sender-vouches tokens using WSS APIs with message level protection
Sending self-issued SAML sender-vouches tokens using WSS APIs with SSL transport protection
Sending self-issued SAML holder-of-key tokens with symmetric key using WSS APIs
Sending self-issued SAML holder-of-key tokens with asymmetric key using WSS APIs
