Map a JSON Web Token to a SAML2 token example (Federation)

We can map a base64 encoded JSON string to a SAML 2 token using a JavaScript mapping rule.

  1. Create a JavaScript mapping rule using the local management interface.

    1. Select...

        Federation > Global Settings > Mapping Rules > Add

    2. In the Content field, copy and paste the following code:

        // Decode the Base64 <JWT> element carried in the WS-Trust Base and map
        // its JSON members onto the STS universal user (stsuu).
        importClass(com.tivoli.am.fim.base64.BASE64Utility);
        importClass(com.tivoli.am.fim.trustserver.sts.uuser.Attribute);

        // The <JWT> element is the child of <wst:Base> in the incoming request.
        var jwtElement = stsrequest.getRequestSecurityToken().getBase();
        var jwtText    = jwtElement.getTextContent();
        var jwtString  = new java.lang.String(BASE64Utility.decode(jwtText), "UTF-8");
        var jwt        = JSON.parse(jwtString);

        for (var name in jwt)
        {
          if (jwt.hasOwnProperty(name))
          {
            // "sub" becomes the principal (the SAML NameID); every other
            // member becomes a basic-format attribute of the assertion.
            if ("sub".equals(name))
            {
              stsuu.addPrincipalAttribute(new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", jwt[name]));
            }
            else
            {
              stsuu.addAttribute(new Attribute(name, "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", jwt[name]));
            }
          }
        }

    3. In the Name field, enter jwt_saml.

    4. In the Category field, select SAML2_0.

    5. Click Save and deploy the changes.

  2. Assemble the Security Token Service (STS) template.

    1. Select Federation > Manage > Security Token Service.

    2. Click Templates.

    3. Click Add and name the template JSON to SAML2. Click OK.

    4. Select the JSON to SAML2 template and add the Default Map Module in Map mode and a Default SAML 2.0 token in Issue mode.

    5. Save and deploy the changes.

  3. Create an STS chain that references the mapping rule and template we created in the previous steps.

    1. Within the Security Token Service panel, select Module Chains.

    2. Click Add to create the module chain, with the following values:

        Tab        | Field                                                                                        | Value
        Overview   | Name                                                                                         | JSON to SAML2
        Overview   | Description                                                                                  | base64 encoded JSON string to SAML2 conversion STS chain
        Overview   | Template                                                                                     | JSON to SAML2
        Lookup     | Request Type                                                                                 | Validate
        Lookup     | Applies to Address                                                                           | jwtappliesto
        Lookup     | Issuer Address                                                                               | jwtissuer
        Properties | Default Map Module (JavaScript file containing the identity mapping rule)                    | jwt_saml
        Properties | Default SAML 2.0 Token (Name of the organization issuing the assertions)                     | isam
        Properties | Default SAML 2.0 Token (Amount of time before the issue date that an assertion is considered valid) | 60
        Properties | Default SAML 2.0 Token (Amount of time the assertion is valid after being issued)            | 60
        Properties | Default SAML 2.0 Token (List of attribute types to include)                                  | *

      Use the defaults for all of the fields that are not specified in the table.

    3. Save and deploy the changes.

  4. Use curl to test the chain.

    1. Send the following WS-Trust 1.2 message:

        <?xml version="1.0" encoding="UTF-8"?>
        <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
        xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SOAP-ENV:Header/>
          <SOAP-ENV:Body>
            <ns1:RequestSecurityToken xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <wst:RequestType xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
              <wst:Issuer xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsa:Address xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">jwtissuer</wsa:Address>
              </wst:Issuer>
              <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                  <wsa:Address>jwtappliesto</wsa:Address>
                </wsa:EndpointReference>
              </wsp:AppliesTo>
              <wst:Base xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">       
        <JWT>ewogICJlbWFpbCI6ICJqb2huLmRvZUBleGFtcGxlLmNvbSIsIAogICJmYW1pbHlfbmFtZSI6ICJkb2UiLCAK
        ICAiZ2l2ZW5fbmFtZSI6ICJqb2huIiwgCiAgImlzcyI6ICJpc2FtIiwgCiAgInN1YiI6ICIwMTIzNDU2Nzg5Igp9</JWT>
              </wst:Base>
            </ns1:RequestSecurityToken>
          </SOAP-ENV:Body>
        </SOAP-ENV:Envelope>
        

      The embedded <JWT> element is the input to the chain. It is a Base64 encoded JSON string containing the following data:

        {
          "email": "john.doe@example.com",
          "family_name": "doe",
          "given_name": "john",
          "iss": "isam",
          "sub": "0123456789"
        }

    2. Save this file as jwt.xml.

    3. Run the following curl command, where jwt.xml is the WS-Trust 1.2 message:

        curl -k -v -u "easuser:passw0rd" -H "Content-Type: text/xml" --data-binary @jwt.xml https://ip-rte/TrustServer/SecurityTokenService

      The following results are returned:

        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
            <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"></SOAP-ENV:Header>
            <soap:Body>
                <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                    <wst:RequestSecurityTokenResponse xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                    wsu:Id="uuidc1288a62-0153-1f8b-bf2a-b4c46f51cd03">
                        <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                            <wsa:EndpointReference>
                                <wsa:Address>jwtappliesto</wsa:Address>
                            </wsa:EndpointReference>
                        </wsp:AppliesTo>
                        <wst:Lifetime xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                            <wsu:Created>2016-03-29T06:56:13Z</wsu:Created>
                            <wsu:Expires>2016-03-29T06:57:13Z</wsu:Expires>
                        </wst:Lifetime>
                       <wst:RequestedSecurityToken>
                            <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="Assertion-uuidc1288ae8-0153-10bd-b7ef-b4c46f51cd03" 
                            IssueInstant="2016-03-29T06:56:13Z" Version="2.0">
                                <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">isam</saml:Issuer>
                                <saml:Subject>
                                    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                                    0123456789</saml:NameID>
                                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                        <saml:SubjectConfirmationData NotOnOrAfter="2016-03-29T06:57:13Z"></saml:SubjectConfirmationData>
                                    </saml:SubjectConfirmation>
                                </saml:Subject>
                                <saml:Conditions NotBefore="2016-03-29T06:55:13Z" NotOnOrAfter="2016-03-29T06:57:13Z">
                                    <saml:AudienceRestriction>
                                        <saml:Audience>jwtappliesto</saml:Audience>
                                    </saml:AudienceRestriction>
                                </saml:Conditions>
                                <saml:AuthnStatement AuthnInstant="2016-03-29T06:56:13Z">
                                    <saml:AuthnContext>
                                        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                        </saml:AuthnContextClassRef>
                                    </saml:AuthnContext>
                                </saml:AuthnStatement>
                                <saml:AttributeStatement>
                                    <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">john</saml:AttributeValue>
                                    </saml:Attribute>
                                    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">john.doe@example.com</saml:AttributeValue>
                                    </saml:Attribute>
                                    <saml:Attribute Name="iss" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">isam</saml:AttributeValue>
                                    </saml:Attribute>
                                    <saml:Attribute Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                                        <saml:AttributeValue xsi:type="xs:string">doe</saml:AttributeValue>
                                    </saml:Attribute>
                                </saml:AttributeStatement>
                            </saml:Assertion>
                        </wst:RequestedSecurityToken>
        <wst:RequestedAttachedReference xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                            <wss:SecurityTokenReference xmlns:wss11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
                            wss11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                                <wss:KeyIdentifier xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
                                xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                                ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">
                                Assertion-uuidc1288ae8-0153-10bd-b7ef-b4c46f51cd03</wss:KeyIdentifier>
                            </wss:SecurityTokenReference>
                        </wst:RequestedAttachedReference>
                        <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
                        <wst:Status>
                            <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
                        </wst:Status>
                    </wst:RequestSecurityTokenResponse>
                </wst:RequestSecurityTokenResponseCollection>
            </soap:Body>
        </soap:Envelope>
        

      The JSON string is mapped into the SAML assertion: the sub member becomes the NameID of the Subject, and each remaining JSON member (email, family_name, given_name, iss) becomes a basic-format attribute in the AttributeStatement.
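      The jwt_saml rule from step 1, modelled as stand-alone Node.js so the decode and the sub/attribute split can be checked offline against the sample request. This is an added example, not the product's mapping rule: the Base64 text is the <JWT> value from the request above, and the optional claim allow-list, the string-type check and the required-sub check are assumptions added here, since the rule as written copies whatever members the unsigned JSON carries.

```javascript
// Added example, not the product's mapping rule: a Node.js model of jwt_saml.
const NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
const ATTR_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

// Base64 text of the <JWT> element from the sample request (the line break
// that the XML layout inserted is stripped by the decoder below).
const SAMPLE_JWT =
  "ewogICJlbWFpbCI6ICJqb2huLmRvZUBleGFtcGxlLmNvbSIsIAogICJmYW1pbHlfbmFtZSI6ICJkb2UiLCAK\n" +
  "ICAiZ2l2ZW5fbmFtZSI6ICJqb2huIiwgCiAgImlzcyI6ICJpc2FtIiwgCiAgInN1YiI6ICIwMTIzNDU2Nzg5Igp9";

// Mirrors the rule: decode, JSON.parse, "sub" -> principal attribute (NameID),
// everything else -> basic-format attribute. `allowed` (an assumption, not in
// the rule) restricts which members are copied; non-string values and a
// missing "sub" are rejected, because the rule would otherwise pass them
// through and issue an assertion without a usable NameID.
function mapJwtToStsuu(jwtText, allowed = null) {
  const json = Buffer.from(jwtText.replace(/\s+/g, ""), "base64").toString("utf8");
  const jwt = JSON.parse(json);
  if (jwt === null || typeof jwt !== "object" || Array.isArray(jwt)) {
    throw new Error("decoded payload is not a JSON object");
  }
  const stsuu = { principal: null, attributes: [] };
  for (const name of Object.keys(jwt)) {          // own properties only, as in the rule
    if (allowed && !allowed.includes(name)) continue;
    const value = jwt[name];
    if (typeof value !== "string") {              // the rule passes jwt[name] through unchecked
      throw new Error(`claim ${name} is not a string`);
    }
    if (name === "sub") {
      stsuu.principal = { name: "name", type: NAMEID_EMAIL, value };
    } else {
      stsuu.attributes.push({ name, type: ATTR_BASIC, value });
    }
  }
  if (stsuu.principal === null) throw new Error("no sub claim; refusing to map");
  return stsuu;
}

console.log(JSON.stringify(mapJwtToStsuu(SAMPLE_JWT), null, 2));
```

      Because the <JWT> here is plain Base64 JSON with no signature, the credentials on the STS endpoint (the basic-auth user in the curl command) are the only control between a caller and a freshly issued assertion, which is why the chain's callers and the allowed claims deserve to be restricted.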

Parent topic: STSRequest and STSResponse access using a JavaScript mapping rule