Map a base64 encoded JSON string to a SAML2 token example
A JavaScript mapping rule can convert a base64-encoded JSON string into a SAML 2.0 token. The steps below show the mapping end to end: a mapping rule that decodes and parses the input, a Security Token Service (STS) template and module chain that run it, and a curl test of the chain. The stsrequest and stsuu objects that the rule uses are described in the topic STSRequest and STSResponse access using a JavaScript mapping rule.
Steps
- Create a JavaScript mapping rule using the local management interface.
- Select Federation > Global Settings > Mapping Rules.
- Click Add.
- In the Content field, copy and paste the following code:
importClass(com.tivoli.am.fim.base64.BASE64Utility);
importClass(com.tivoli.am.fim.trustserver.sts.uuser.Attribute);

// The <JWT> element sent inside wst:Base is the base element of the incoming request.
var jwtElement = stsrequest.getRequestSecurityToken().getBase();
var jwtText = jwtElement.getTextContent();

// Base64-decode the element text and parse it as a UTF-8 JSON document.
// Nothing here verifies the input: it is plain base64 of JSON, not a signed JWT.
var jwtString = new java.lang.String(BASE64Utility.decode(jwtText), "UTF-8");
var jwt = JSON.parse(jwtString);

// "sub" becomes the principal name (the assertion NameID); every other top-level
// key is copied into the STSUU as a basic-format SAML attribute.
for (var name in jwt) {
    if (jwt.hasOwnProperty(name)) {
        if ("sub".equals(name)) {
            stsuu.addPrincipalAttribute(new Attribute("name",
                "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", jwt[name]));
        } else {
            stsuu.addAttribute(new Attribute(name,
                "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", jwt[name]));
        }
    }
}
- In the Name field, enter jwt_saml.
- In the Category field, select SAML2_0.
- Click Save and deploy the changes.
- Assemble the Security Token Service (STS) template.
- Select Federation > Manage > Security Token Service.
- Click Templates.
- Click Add and name the template JSON to SAML2. Click OK.
- Select the JSON to SAML2 template and add the Default Map Module in Map mode and a Default SAML 2.0 token in Issue mode.
- Save and deploy the changes.
- Create an STS chain that references the mapping rule and template we created in the previous steps.
- Within the Security Token Service panel, select Module Chains.
- Click Add to create the module chain, with the following values:
Overview tab:
  Name: JSON to SAML2
  Description: base64 encoded JSON string to SAML2 conversion STS chain
  Template: JSON to SAML2
Lookup tab:
  Request Type: Validate
  Applies to Address: jwtappliesto
  Issuer Address: jwtissuer
Properties tab:
  Default Map Module, JavaScript file containing the identity mapping rule: jwt_saml
  Default SAML 2.0 Token, Name of the organization issuing the assertions: isam
  Default SAML 2.0 Token, Amount of time (seconds) before the issue date that an assertion is considered valid: 60
  Default SAML 2.0 Token, Amount of time (seconds) the assertion is valid after being issued: 60
  Default SAML 2.0 Token, List of attribute types to include: *
Use the defaults for all of the fields that are not specified in the table.
- Save and deploy the changes.
- Use curl to test the chain.
- Send the following WS-Trust 1.2 message:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <ns1:RequestSecurityToken xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestType xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
      <wst:Issuer xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
        <wsa:Address xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">jwtissuer</wsa:Address>
      </wst:Issuer>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
          <wsa:Address>jwtappliesto</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Base xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
        <JWT>ewogICJlbWFpbCI6ICJqb2huLmRvZUBleGFtcGxlLmNvbSIsIAogICJmYW1pbHlfbmFtZSI6ICJkb2UiLCAKICAiZ2l2ZW5fbmFtZSI6ICJqb2huIiwgCiAgImlzcyI6ICJpc2FtIiwgCiAgInN1YiI6ICIwMTIzNDU2Nzg5Igp9</JWT>
      </wst:Base>
    </ns1:RequestSecurityToken>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
The embedded <JWT> element inside wst:Base is the input to the chain. Despite the element name it is not a signed JWT but a plain base64 encoding of the following JSON document:
{
  "email": "john.doe@example.com",
  "family_name": "doe",
  "given_name": "john",
  "iss": "isam",
  "sub": "0123456789"
}
Nothing in the chain verifies this input, so any client that can authenticate to the STS endpoint can obtain an assertion for whatever sub and attribute values it chooses to post. Treat the chain as a trusted-caller integration, not as a validation of the JSON itself.
- Save this file as jwt.xml.
- Run the following curl command, where jwt.xml is the WS-Trust 1.2 message, easuser:passw0rd is the runtime user that is allowed to call the STS, and ip-rte is the host name or IP address of the appliance runtime. The -k flag skips TLS certificate verification and is only acceptable for this test; drop it (or pass --cacert) when the appliance certificate is trusted.
curl -k -v -u "easuser:passw0rd" -H "Content-Type: text/xml" --data-binary @jwt.xml https://ip-rte/TrustServer/SecurityTokenService
The following results are returned:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"></SOAP-ENV:Header>
  <soap:Body>
    <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestSecurityTokenResponse xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="uuidc1288a62-0153-1f8b-bf2a-b4c46f51cd03">
        <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
          <wsa:EndpointReference>
            <wsa:Address>jwtappliesto</wsa:Address>
          </wsa:EndpointReference>
        </wsp:AppliesTo>
        <wst:Lifetime xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <wsu:Created>2016-03-29T06:56:13Z</wsu:Created>
          <wsu:Expires>2016-03-29T06:57:13Z</wsu:Expires>
        </wst:Lifetime>
        <wst:RequestedSecurityToken>
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="Assertion-uuidc1288ae8-0153-10bd-b7ef-b4c46f51cd03" IssueInstant="2016-03-29T06:56:13Z" Version="2.0">
            <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">isam</saml:Issuer>
            <saml:Subject>
              <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">0123456789</saml:NameID>
              <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2016-03-29T06:57:13Z"></saml:SubjectConfirmationData>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2016-03-29T06:55:13Z" NotOnOrAfter="2016-03-29T06:57:13Z">
              <saml:AudienceRestriction>
                <saml:Audience>jwtappliesto</saml:Audience>
              </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement AuthnInstant="2016-03-29T06:56:13Z">
              <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
              </saml:AuthnContext>
            </saml:AuthnStatement>
            <saml:AttributeStatement>
              <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">john</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">john.doe@example.com</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="iss" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">isam</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">doe</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
          </saml:Assertion>
        </wst:RequestedSecurityToken>
        <wst:RequestedAttachedReference xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wss:SecurityTokenReference xmlns:wss11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wss11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
            <wss:KeyIdentifier xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">Assertion-uuidc1288ae8-0153-10bd-b7ef-b4c46f51cd03</wss:KeyIdentifier>
          </wss:SecurityTokenReference>
        </wst:RequestedAttachedReference>
        <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
        <wst:Status>
          <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
        </wst:Status>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </soap:Body>
</soap:Envelope>
The decoded JSON is mapped into the SAML assertion. The sub value 0123456789 became the NameID (still labelled with the emailAddress format the rule hard-codes, even though the value is not an email address), and every other key, including the client-supplied iss, became a basic-format attribute in the AttributeStatement. The NotBefore and NotOnOrAfter values are one minute either side of the IssueInstant, matching the two 60-second lifetime settings on the chain. The returned assertion carries no Signature element; before a relying party is asked to accept it, configure signing on the SAML 2.0 token module or deliver it only over a channel the relying party already trusts.
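The following Node.js script is an added example and not code from the ISAM appliance. It models what the jwt_saml rule above does to the base64 payload (decode, parse, route sub to the principal, everything else to attributes) and puts beside it a hardened variant with the checks a mapping rule on an untrusted input should make: reject non-base64 or non-object input, require a sub, copy only an allowlist of claims so the client's own iss is not echoed as if it were authoritative, refuse non-string values, and use a NameID format that fits the value. The STSUU is modelled as a plain object with principal and attributes lists, and the ALLOWED_CLAIMS set, the unspecified NameID format for the hardened subject, and the function names are this example's own choices, not appliance APIs. The Rhino specifics of the appliance (importClass, the stsuu object, java.lang.String) are deliberately not reproduced.

```javascript
'use strict';

// Added example, not ISAM code: a Node.js model of the jwt_saml mapping rule.
// Nothing here contacts an appliance; the STSUU is modelled as a plain object.

const NAMEID_EMAIL = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
const NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified';
const ATTR_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';

// Constructed input: the <JWT> text from the request above, copied verbatim
// including the whitespace that line wrapping introduced into the middle of it.
const PAGE_B64 =
  'ewogICJlbWFpbCI6ICJqb2huLmRvZUBleGFtcGxlLmNvbSIsIAogICJmYW1pbHlfbmFtZSI6ICJkb2UiLCAK' +
  ' ICAiZ2l2ZW5fbmFtZSI6ICJqb2huIiwgCiAgImlzcyI6ICJpc2FtIiwgCiAgInN1YiI6ICIwMTIzNDU2Nzg5Igp9';

// What BASE64Utility.decode + new String(..., "UTF-8") + JSON.parse produce, plus the
// checks the page's rule skips: strip whitespace, reject input that is not base64,
// and insist on a JSON object (an array or a bare string also survives JSON.parse).
function decodePayload(b64Text) {
  const cleaned = b64Text.replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(cleaned)) {
    throw new Error('input is not base64');
  }
  const claims = JSON.parse(Buffer.from(cleaned, 'base64').toString('utf8'));
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new Error('payload must be a JSON object');
  }
  return claims;
}

// The rule as written on the page: every top-level key becomes a basic attribute
// and "sub" becomes the principal's name with the emailAddress NameID format.
function mapClaimsAsOnPage(claims) {
  const stsuu = { principal: [], attributes: [] };
  for (const name of Object.keys(claims)) {
    if (name === 'sub') {
      stsuu.principal.push({ name: 'name', type: NAMEID_EMAIL, value: claims[name] });
    } else {
      stsuu.attributes.push({ name, type: ATTR_BASIC, value: claims[name] });
    }
  }
  return stsuu;
}

// Hardened variant (this example's suggestion, not ISAM's): the STS issues an
// assertion for whatever JSON is posted, so require a subject, copy only known
// claims (the client's "iss" is not authoritative), refuse non-string values that
// would otherwise be stringified into the assertion, and do not label an opaque
// identifier as an email address.
const ALLOWED_CLAIMS = new Set(['email', 'family_name', 'given_name']);

function mapClaimsHardened(claims, allowed = ALLOWED_CLAIMS) {
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
    throw new Error('payload has no usable "sub" claim');
  }
  const stsuu = {
    principal: [{ name: 'name', type: NAMEID_UNSPECIFIED, value: claims.sub }],
    attributes: [],
  };
  for (const name of Object.keys(claims)) {
    if (!allowed.has(name)) continue;
    const value = claims[name];
    if (typeof value !== 'string') {
      throw new Error(`claim "${name}" is not a string`);
    }
    stsuu.attributes.push({ name, type: ATTR_BASIC, value });
  }
  return stsuu;
}

// Lookup helper: value of a named attribute in a modelled STSUU, or undefined.
function attributeValue(stsuu, name) {
  const attr = stsuu.attributes.find((a) => a.name === name);
  return attr === undefined ? undefined : attr.value;
}

if (typeof require !== 'undefined' && require.main === module) {
  const claims = decodePayload(PAGE_B64);
  console.log('decoded claims:', claims);
  console.log('as on page:', JSON.stringify(mapClaimsAsOnPage(claims), null, 2));
  console.log('hardened:', JSON.stringify(mapClaimsHardened(claims), null, 2));
}
```

Run it with node to see the two STSUU shapes side by side; the first reproduces the attribute set in the response above (four attributes, iss included), the second drops iss and keeps only the allowlisted claims. Port the checks in mapClaimsHardened back into the Rhino rule rather than the Node scaffolding around them.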