Map a SAML2 token to a base64 encoded JSON string example

We can map a SAML 2 token to a base64 encoded JSON string using a JavaScript mapping rule.

The steps show an end-to-end SAML to JSON mapping. The topic STSRequest and STSResponse access using a JavaScript mapping rule describes this support.

Steps

  1. Create a JavaScript mapping rule using the local management interface.

    1. Select Federation > Global Settings > Mapping Rules.

    2. Click Add.

    3. In the Content field, copy and paste the following code:

            importClass(com.tivoli.am.fim.base64.BASE64Utility);
            importClass(com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

            var jwt = {};

            // Principal attributes (for example the subject NameID) and the remaining STSUU attributes.
            var it = stsuu.getPrincipalAttributes();
            var jt = stsuu.getAttributes();

            // The principal attribute "name" becomes the "sub" claim; every other principal
            // attribute is copied under its own name. Only the first value is used.
            while (it.hasNext()) {
              var attribute = it.next();
              var name      = new String(attribute.getName());
              var value     = new String(attribute.getValues()[0]);

              if ("name".equals(name)) {
                jwt["sub"] = value;
              } else {
                jwt[name] = value;
              }
            }

            // Copy the remaining attributes; an attribute with the same name as an
            // existing claim replaces that claim.
            while (jt.hasNext()) {
              var attribute = jt.next();
              var name      = new String(attribute.getName());
              var value     = new String(attribute.getValues()[0]);

              jwt[name] = value;
            }

            // Serialize the claims to JSON, base64 encode the UTF-8 bytes, and return the
            // result as the <JWT> element of the RequestedSecurityToken.
            var document   = IDMappingExtUtils.newXMLDocument();
            var jwtString  = JSON.stringify(jwt);
            var jwtText    = document.createTextNode(BASE64Utility.encode((new java.lang.String(jwtString)).getBytes("UTF-8")));
            var jwtElement = document.createElement("JWT");

            jwtElement.appendChild(jwtText);

            stsresponse.getRequestSecurityTokenResponse().setRequestedSecurityToken(jwtElement);

    4. In the Name field, enter saml_jwt.

    5. In the Category field, select SAML2_0.

    6. Click Save and deploy the changes.

  2. Assemble the Security Token Service (STS) template.

    1. Select Federation > Manage > Security Token Service.

    2. Click Templates.

    3. Click Add and name the template SAML2 to JSON. Click OK.

    4. Select the SAML2 to JSON template and add the Default SAML 2.0 Token in Validate mode and a Default Map Module in Map mode.

    5. Save and deploy the changes.

  3. Create an STS chain that references the mapping rule and template we created in the previous steps.

    1. Within the Security Token Service panel, select Module Chains.

    2. Click Add to create a module chain, with the following values:

      Tab         Field                                                                  Value
      Overview    Name                                                                   SAML2 to JSON
      Overview    Description                                                            SAML2 to base64 encoded JSON string conversion STS chain
      Overview    Template                                                               SAML2 to JSON
      Lookup      Request Type                                                           Validate
      Lookup      Applies to Address                                                     SAML2_AppliesTo
      Lookup      Issuer Address                                                         SAML2_Issuer
      Properties  Default Map Module (JavaScript file containing the identity mapping rule)  saml_jwt

      Use the defaults for all of the fields not in the table.

    3. Save and deploy the changes.

  4. Use curl to test the chain.

    1. Send the following WS-Trust 1.2 message:

        <?xml version="1.0" encoding="UTF-8"?>
        <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SOAP-ENV:Header/>
          <SOAP-ENV:Body>
            <ns1:RequestSecurityToken xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <wst:RequestType xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
              <wst:Issuer xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wsa:Address xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">SAML2_Issuer</wsa:Address>
              </wst:Issuer>
              <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                  <wsa:Address>SAML2_AppliesTo</wsa:Address>
                </wsa:EndpointReference>
              </wsp:AppliesTo>
              <wst:Base xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
                xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                ID="Assertion-uuidbcb46a39-0153-1337-8efa-fec506fb7461" IssueInstant="2016-03-28T10:10:53Z" Version="2.0">
                  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">isam</saml:Issuer>
                  <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">0123456789</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                      <saml:SubjectConfirmationData NotOnOrAfter="2016-03-28T10:11:53Z"/>
                    </saml:SubjectConfirmation>
                  </saml:Subject>
                  <saml:Conditions NotBefore="2016-03-28T10:09:53Z" NotOnOrAfter="2016-03-29T10:11:53Z">
                    <saml:AudienceRestriction>
                      <saml:Audience>jwt_saml</saml:Audience>
                    </saml:AudienceRestriction>
                  </saml:Conditions>
                  <saml:AuthnStatement AuthnInstant="2016-03-28T10:10:53Z">
                    <saml:AuthnContext>
                      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                    </saml:AuthnContext>
                  </saml:AuthnStatement>
                  <saml:AttributeStatement>
                    <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">john</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">john.doe@example.com</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="iss" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">isam</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                      <saml:AttributeValue xsi:type="xs:string">doe</saml:AttributeValue>
                    </saml:Attribute>
                  </saml:AttributeStatement>
                </saml:Assertion>
              </wst:Base>
            </ns1:RequestSecurityToken>
          </SOAP-ENV:Body>
        </SOAP-ENV:Envelope>
        

      The subject NameID and the attributes of the AttributeStatement in the SAML2 assertion are mapped to the JSON attributes in the result.

    2. Save this file as saml2.xml.
    3. Run the following curl command, where saml2.xml is the WS-Trust 1.2 message:

        curl -k -v -u "easuser:passw0rd" -H "Content-Type: text/xml" \
          --data-binary @saml2.xml https://ip-rte/TrustServer/SecurityTokenService

      The following results are returned:

        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
            <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"></SOAP-ENV:Header>
            <soap:Body>
                <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                    <wst:RequestSecurityTokenResponse 
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                    wsu:Id="uuidc1676e30-0153-16a8-86b5-c34fd1aca7a8">
                        <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing" 
                        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                            <wsa:EndpointReference>
                                <wsa:Address>SAML2_AppliesTo</wsa:Address>
                            </wsa:EndpointReference>
                        </wsp:AppliesTo>
                        <wst:RequestedSecurityToken> 
                        <JWT>eyJzdWIiOiIwMTIzNDU2Nzg5IiwiZ2l2ZW5fbmFtZSI6ImpvaG4iLCJOb3RPbk9yQWZ0ZXIiOiIyMDE2LTAz
                        LTI5VDEwOjExOjUzWiIsIkF1dGhlbnRpY2F0aW9uTWV0aG9kIjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4w
                        OmFtOnBhc3N3b3JkIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIkF1ZGllbmNlUmVzdHJpY3Rpb25
                        Db25kaXRpb24uQXVkaWVuY2UiOiJqd3Rfc2FtbCIsImlzcyI6ImlzYW0iLCJJc3N1ZUluc3RhbnQiOiIyMDE2LT
                        AzLTI4VDEwOjEwOjUzWiIsImZhbWlseV9uYW1lIjoiZG9lIiwiTm90QmVmb3JlIjoiMjAxNi0wMy0yOFQxMDowO
                        To1M1oiLCJBdXRoZW50aWNhdGlvbkluc3RhbnQiOiIyMDE2LTAzLTI4VDEwOjEwOjUzWiIsImlzc3VlciI6Iml
                        zYW0ifQ==</JWT>
                        </wst:RequestedSecurityToken>
                        <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
                        <wst:Status>
                            <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
                        </wst:Status>
                    </wst:RequestSecurityTokenResponse>
                </wst:RequestSecurityTokenResponseCollection>
            </soap:Body>
        </soap:Envelope>
        
      The embedded <JWT> element holds the result, the Base64 encoded JSON string, which decodes to:

        {
          "sub": "0123456789",
          "given_name": "john",
          "NotOnOrAfter": "2016-03-29T10:11:53Z",
          "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
          "email": "john.doe@example.com",
          "AudienceRestrictionCondition.Audience": "jwt_saml",
          "iss": "isam",
          "IssueInstant": "2016-03-28T10:10:53Z",
          "family_name": "doe",
          "NotBefore": "2016-03-28T10:09:53Z",
          "AuthenticationInstant": "2016-03-28T10:10:53Z",
          "issuer": "isam"
        }
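The following Node.js script is an added example, not code from the ISAM documentation. It models the saml_jwt mapping rule from step 1 (the "name" to "sub" rename, first value only, later attributes replacing earlier claims) and the decoding of the <JWT> element returned in step 4. The STSUU, the Rhino importClass calls and the Java BASE64Utility are replaced by plain arrays and Node's Buffer; the attribute lists are constructed from the page's sample assertion, and the split between principal attributes and the remaining attributes is an assumption, as is the order in which they are iterated. Unlike the rule, the model also reports which claims were overwritten by a later attribute of the same name, which is what a deployment would want to log before trusting the mapped output.

```javascript
// Added example (not ISAM code): a Node.js model of the saml_jwt mapping rule and of the
// <JWT> element it produces. STSUU, importClass and BASE64Utility are replaced by arrays
// and Buffer. The attribute lists are constructed from the page's sample assertion; which
// attributes the Default SAML 2.0 Token module puts in the principal list is assumed.

// Model of one STSUU attribute: a name and a list of values.
function attr(name, ...values) {
  return { name, values };
}

// Constructed input, listed in the order the page's result shows the claims.
const PRINCIPAL_ATTRIBUTES = [attr("name", "0123456789")];
const ATTRIBUTES = [
  attr("given_name", "john"),
  attr("NotOnOrAfter", "2016-03-29T10:11:53Z"),
  attr("AuthenticationMethod", "urn:oasis:names:tc:SAML:1.0:am:password"),
  attr("email", "john.doe@example.com"),
  attr("AudienceRestrictionCondition.Audience", "jwt_saml"),
  attr("iss", "isam"),
  attr("IssueInstant", "2016-03-28T10:10:53Z"),
  attr("family_name", "doe"),
  attr("NotBefore", "2016-03-28T10:09:53Z"),
  attr("AuthenticationInstant", "2016-03-28T10:10:53Z"),
  attr("issuer", "isam"),
];

// Same logic as the mapping rule: the principal attribute "name" becomes "sub", every other
// attribute is copied under its own name, first value only. As in the rule a later attribute
// with the same name replaces the earlier claim; the replaced names are returned so that a
// deployment can log or reject such collisions instead of silently accepting them.
function mapToJwtObject(principalAttributes, attributes) {
  const jwt = {};
  const overwritten = [];
  const put = (name, value) => {
    if (Object.prototype.hasOwnProperty.call(jwt, name)) overwritten.push(name);
    jwt[name] = value;
  };
  for (const a of principalAttributes) {
    put(a.name === "name" ? "sub" : a.name, String(a.values[0]));
  }
  for (const a of attributes) {
    put(a.name, String(a.values[0]));
  }
  return { jwt, overwritten };
}

// Equivalent of BASE64Utility.encode(jwtString.getBytes("UTF-8")) in the rule.
function encodeJwtElement(jwt) {
  return Buffer.from(JSON.stringify(jwt), "utf8").toString("base64");
}

// Pull the text of the <JWT> element out of the WS-Trust response. The curl output wraps
// the base64 across several lines, so all whitespace is removed first.
function extractJwtBase64(soapResponse) {
  const m = /<JWT>([\s\S]*?)<\/JWT>/.exec(soapResponse);
  if (!m) throw new Error("no <JWT> element in response");
  return m[1].replace(/\s+/g, "");
}

// Decode the element. The payload is a single base64 segment with no JOSE header and no
// signature, so the consumer receives plain JSON whose integrity rests on the STS channel.
function decodeJwtElement(soapResponse) {
  const json = Buffer.from(extractJwtBase64(soapResponse), "base64").toString("utf8");
  return JSON.parse(json);
}

// Fragment of the page's curl result (constructed: only the RequestedSecurityToken is kept).
const SAMPLE_RESPONSE = `<wst:RequestedSecurityToken>
<JWT>eyJzdWIiOiIwMTIzNDU2Nzg5IiwiZ2l2ZW5fbmFtZSI6ImpvaG4iLCJOb3RPbk9yQWZ0ZXIiOiIyMDE2LTAz
LTI5VDEwOjExOjUzWiIsIkF1dGhlbnRpY2F0aW9uTWV0aG9kIjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4w
OmFtOnBhc3N3b3JkIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIkF1ZGllbmNlUmVzdHJpY3Rpb25
Db25kaXRpb24uQXVkaWVuY2UiOiJqd3Rfc2FtbCIsImlzcyI6ImlzYW0iLCJJc3N1ZUluc3RhbnQiOiIyMDE2LT
AzLTI4VDEwOjEwOjUzWiIsImZhbWlseV9uYW1lIjoiZG9lIiwiTm90QmVmb3JlIjoiMjAxNi0wMy0yOFQxMDowO
To1M1oiLCJBdXRoZW50aWNhdGlvbkluc3RhbnQiOiIyMDE2LTAzLTI4VDEwOjEwOjUzWiIsImlzc3VlciI6Iml
zYW0ifQ==</JWT>
</wst:RequestedSecurityToken>`;

// Round trip: the modelled rule must reproduce the page's base64 exactly, and decoding the
// page's response must give back the same claims object.
function roundTrip() {
  const { jwt, overwritten } = mapToJwtObject(PRINCIPAL_ATTRIBUTES, ATTRIBUTES);
  const decoded = decodeJwtElement(SAMPLE_RESPONSE);
  return {
    overwritten,
    matchesPage: encodeJwtElement(jwt) === extractJwtBase64(SAMPLE_RESPONSE),
    sameClaims: JSON.stringify(decoded) === JSON.stringify(jwt),
    claimCount: Object.keys(decoded).length,
  };
}

console.log(JSON.stringify(roundTrip()));
```

Running the script prints `{"overwritten":[],"matchesPage":true,"sameClaims":true,"claimCount":12}`: the constructed input reproduces the page's <JWT> text byte for byte, and the element decodes to the twelve claims listed above. The `overwritten` list is the one addition to the rule's behaviour; a name such as "sub" or "iss" arriving in the second attribute list would replace the claim derived from the subject and be reported there.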

Parent topic: STSRequest and STSResponse access using a JavaScript mapping rule