Map a base64 encoded JSON string to a SAML2 token example

We can map a base64 encoded JSON string to a SAML 2 token using a JavaScript mapping rule.

The following steps show an end-to-end JSON to SAML2 mapping. See STSRequest and STSResponse access using a JavaScript mapping rule for a description of the stsrequest and stsuu objects that the rule uses.

Steps

  1. Create a JavaScript mapping rule using the local management interface.

    1. Select Federation > Global Settings > Mapping Rules.

    2. Click Add.

    3. In the Content field, copy and paste the following code:

            importClass(com.tivoli.am.fim.base64.BASE64Utility);
            importClass(com.tivoli.am.fim.trustserver.sts.uuser.Attribute);

            // The <Base> element of the incoming RequestSecurityToken carries the
            // base64 encoded JSON string: decode it and parse it as JSON.
            var jwtElement = stsrequest.getRequestSecurityToken().getBase();
            var jwtText    = jwtElement.getTextContent();
            var jwtString  = new java.lang.String(BASE64Utility.decode(jwtText), "UTF-8");
            var jwt        = JSON.parse(jwtString);

            // "sub" becomes the principal name (the SAML NameID); every other
            // member of the JSON object becomes a basic-format attribute.
            for (var name in jwt) {
              if (jwt.hasOwnProperty(name)) {
                if ("sub".equals(name)) {
                  stsuu.addPrincipalAttribute(new Attribute("name",
                    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", jwt[name]));
                } else {
                  stsuu.addAttribute(new Attribute(name,
                    "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", jwt[name]));
                }
              }
            }

    4. In the Name field, enter jwt_saml.

    5. In the Category field, select SAML2_0.

    6. Click Save and deploy the changes.

  2. Assemble the Security Token Service (STS) template.

    1. Select Federation > Manage > Security Token Service.

    2. Click Templates.

    3. Click Add and name the template JSON to SAML2. Click OK.

    4. Select the JSON to SAML2 template and add the Default Map Module in Map mode and a Default SAML 2.0 token in Issue mode.

    5. Save and deploy the changes.

  3. Create an STS chain that references the mapping rule and template we created in the previous steps.

    1. Within the Security Token Service panel, select Module Chains.

    2. Click Add to create the module chain, with the following values:

      Overview tab
        Name: JSON to SAML2
        Description: base64 encoded JSON string to SAML2 conversion STS chain
        Template: JSON to SAML2

      Lookup tab
        Request Type: Validate
        Applies to Address: jwtappliesto
        Issuer Address: jwtissuer

      Properties tab
        Default Map Module (JavaScript file containing the identity mapping rule): jwt_saml
        Default SAML 2.0 Token (Name of the organization issuing the assertions): isam
        Default SAML 2.0 Token (Amount of time before the issue date that an assertion is considered valid): 60
        Default SAML 2.0 Token (Amount of time the assertion is valid after being issued): 60
        Default SAML 2.0 Token (List of attribute types to include): *

      Use the defaults for all of the fields that are not specified in the table.

    3. Save and deploy the changes.

  4. Use curl to test the chain.

    1. Send the following WS-Trust 1.2 message:

        <?xml version="1.0" encoding="UTF-8"?>
        <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
        xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SOAP-ENV:Header/>
          <SOAP-ENV:Body>
            <ns1:RequestSecurityToken xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <wst:RequestType xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
              <wst:Issuer xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsa:Address xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">jwtissuer</wsa:Address>
              </wst:Issuer>
              <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                  <wsa:Address>jwtappliesto</wsa:Address>
                </wsa:EndpointReference>
              </wsp:AppliesTo>
              <wst:Base xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <JWT>ewogICJlbWFpbCI6ICJqb2huLmRvZUBleGFtcGxlLmNvbSIsIAogICJmYW1pbHlfbmFtZSI6ICJkb2UiLCAK
        ICAiZ2l2ZW5fbmFtZSI6ICJqb2huIiwgCiAgImlzcyI6ICJpc2FtIiwgCiAgInN1YiI6ICIwMTIzNDU2Nzg5Igp9</JWT>
              </wst:Base>
            </ns1:RequestSecurityToken>
          </SOAP-ENV:Body>
        </SOAP-ENV:Envelope>
        

      The embedded <JWT> element is the input to the chain. Its content is a base64 encoded JSON string that decodes to the following data:

        {
          "email": "john.doe@example.com",
          "family_name": "doe",
          "given_name": "john",
          "iss": "isam",
          "sub": "0123456789"
        }

    2. Save this file as jwt.xml.
    3. Run the following curl command, where jwt.xml is the WS-Trust 1.2 message:

        curl -k -v -u "easuser:passw0rd" -H "Content-Type: text/xml" \
             --data-binary @jwt.xml https://ip-rte/TrustServer/SecurityTokenService

      The following results are returned:

        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
            <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"></SOAP-ENV:Header>
            <soap:Body>
                <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                    <wst:RequestSecurityTokenResponse xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                    wsu:Id="uuidc1288a62-0153-1f8b-bf2a-b4c46f51cd03">
                        <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                            <wsa:EndpointReference>
                                <wsa:Address>jwtappliesto</wsa:Address>
                            </wsa:EndpointReference>
                        </wsp:AppliesTo>
                        <wst:Lifetime xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                            <wsu:Created>2016-03-29T06:56:13Z</wsu:Created>
                            <wsu:Expires>2016-03-29T06:57:13Z</wsu:Expires>
                        </wst:Lifetime>
                       <wst:RequestedSecurityToken>
                            <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="Assertion-uuidc1288ae8-0153-10bd-b7ef-b4c46f51cd03" 
                            IssueInstant="2016-03-29T06:56:13Z" Version="2.0">
                                <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">isam</saml:Issuer>
                                <saml:Subject>
                                    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                                    0123456789</saml:NameID>
                                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                        <saml:SubjectConfirmationData NotOnOrAfter="2016-03-29T06:57:13Z"></saml:SubjectConfirmationData>
                                    </saml:SubjectConfirmation>
                                </saml:Subject>
                                <saml:Conditions NotBefore="2016-03-29T06:55:13Z" NotOnOrAfter="2016-03-29T06:57:13Z">
                                    <saml:AudienceRestriction>
                                        <saml:Audience>jwtappliesto</saml:Audience>
                                    </saml:AudienceRestriction>
                                </saml:Conditions>
                                <saml:AuthnStatement AuthnInstant="2016-03-29T06:56:13Z">
                                    <saml:AuthnContext>
                                        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                        </saml:AuthnContextClassRef>
                                    </saml:AuthnContext>
                                </saml:AuthnStatement>
                                <saml:AttributeStatement>
                                    <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">john</saml:AttributeValue>
                                    </saml:Attribute>
                                    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">john.doe@example.com</saml:AttributeValue>
                                    </saml:Attribute>
                                    <saml:Attribute Name="iss" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">isam</saml:AttributeValue>
                                    </saml:Attribute>
                                    <saml:Attribute Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">doe</saml:AttributeValue>
                                    </saml:Attribute>
                                </saml:AttributeStatement>
                            </saml:Assertion>
                        </wst:RequestedSecurityToken>
                        <wst:RequestedAttachedReference xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                            <wss:SecurityTokenReference xmlns:wss11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                            wss11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                                <wss:KeyIdentifier xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                                xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                                Assertion-uuidc1288ae8-0153-10bd-b7ef-b4c46f51cd03</wss:KeyIdentifier>
                            </wss:SecurityTokenReference>
                        </wst:RequestedAttachedReference>
                        <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
                        <wst:Status>
                            <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
                        </wst:Status>
                    </wst:RequestSecurityTokenResponse>
                </wst:RequestSecurityTokenResponseCollection>
            </soap:Body>
        </soap:Envelope>

      The JSON string is mapped into the SAML assertion (the saml:Assertion element in the response above): the sub value becomes the NameID of the Subject, and the remaining JSON members appear as attributes in the AttributeStatement.
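As an added example (not ISAM code or the page's own mapping rule), the following stand-alone Node.js script models the jwt_saml mapping logic together with the input checks a hardened rule should make: strict base64 validation, a required string sub, and an allowlist of claims, since with the chain's "List of attribute types to include" set to * every JSON member the caller supplies is otherwise issued as a SAML attribute. The returned object stands in for the STSUU; its shape and the ALLOWED_CLAIMS set are assumptions.

```javascript
// Added example, not ISAM code: a Node.js model of the jwt_saml mapping rule
// with the checks a hardened rule should add. The object returned stands in
// for the STSUU; its shape and ALLOWED_CLAIMS are assumptions for illustration.
const NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
const ATTR_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

// Claims permitted to become SAML attributes. The chain includes attribute
// types "*", so anything not filtered here is issued in the assertion.
const ALLOWED_CLAIMS = new Set(["email", "family_name", "given_name", "iss"]);

function decodeJwtElement(text) {
  // The <JWT> text may contain line breaks (the sample request does). Strip
  // whitespace, then require the base64 alphabet: Buffer.from() is lenient
  // with malformed input rather than rejecting it.
  const b64 = text.replace(/\s+/g, "");
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) {
    throw new Error("JWT element is not valid base64");
  }
  const json = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (json === null || typeof json !== "object" || Array.isArray(json)) {
    throw new Error("decoded payload is not a JSON object");
  }
  return json;
}

function mapToStsuu(text) {
  const jwt = decodeJwtElement(text);
  // The rule above only sets the principal from "sub"; a payload without it
  // has no subject to assert, so reject it instead of issuing an assertion.
  if (typeof jwt.sub !== "string" || jwt.sub === "") {
    throw new Error("missing or non-string sub claim");
  }
  const stsuu = { principal: [], attributes: [] };
  for (const name of Object.keys(jwt)) {
    if (name === "sub") {
      stsuu.principal.push({ name: "name", type: NAMEID_EMAIL, value: jwt.sub });
    } else if (ALLOWED_CLAIMS.has(name) && typeof jwt[name] === "string") {
      stsuu.attributes.push({ name: name, type: ATTR_BASIC, value: jwt[name] });
    }
    // Unlisted or non-string claims are dropped rather than coerced.
  }
  return stsuu;
}

// Constructed sample: the same base64 payload as in jwt.xml above, including
// the line break inside the element.
const SAMPLE = "ewogICJlbWFpbCI6ICJqb2huLmRvZUBleGFtcGxlLmNvbSIsIAogICJmYW1pbHlfbmFtZSI6ICJkb2UiLCAK\n" +
  "ICAiZ2l2ZW5fbmFtZSI6ICJqb2huIiwgCiAgImlzcyI6ICJpc2FtIiwgCiAgInN1YiI6ICIwMTIzNDU2Nzg5Igp9";
console.log(JSON.stringify(mapToStsuu(SAMPLE), null, 2));
```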
      
