Map a SAML2 token to a base64 encoded JSON string example
We can map a SAML 2 token to a base64 encoded JSON string using a JavaScript mapping rule.
The steps show an end-to-end SAML to JSON mapping. The topic STSRequest and STSResponse access using a JavaScript mapping rule describes the STSRequest and STSResponse objects that the mapping rule uses.
Steps
- Create a JavaScript mapping rule using the local management interface.
  - Select Federation > Global Settings > Mapping Rules.
  - Click Add.
  - In the Content field, copy and paste the following code:

    importClass(com.tivoli.am.fim.base64.BASE64Utility);
    importClass(com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

    // The JSON object that becomes the token payload.
    var jwt = {};
    var it = stsuu.getPrincipalAttributes();
    var jt = stsuu.getAttributes();

    // Principal attributes: "name" becomes the "sub" claim, all others keep their
    // names. Only the first value of each attribute is used.
    while (it.hasNext()) {
      var attribute = it.next();
      var name = new String(attribute.getName());
      var value = new String(attribute.getValues()[0]);
      if ("name".equals(name)) {
        jwt["sub"] = value;
      } else {
        jwt[name] = value;
      }
    }

    // Remaining STSUU attributes (such as the SAML conditions and authentication
    // statement values) are copied under their own names.
    while (jt.hasNext()) {
      var attribute = jt.next();
      var name = new String(attribute.getName());
      var value = new String(attribute.getValues()[0]);
      jwt[name] = value;
    }

    // Serialize the object, base64 encode the UTF-8 bytes, and return the result
    // as the requested security token wrapped in a <JWT> element.
    var document = IDMappingExtUtils.newXMLDocument();
    var jwtString = JSON.stringify(jwt);
    var jwtText = document.createTextNode(BASE64Utility.encode((new java.lang.String(jwtString)).getBytes("UTF-8")));
    var jwtElement = document.createElement("JWT");
    jwtElement.appendChild(jwtText);
    stsresponse.getRequestSecurityTokenResponse().setRequestedSecurityToken(jwtElement);

  - In the Name field, enter saml_jwt.
  - In the Category field, select SAML2_0.
  - Click Save and deploy the changes.
- Assemble the Security Token Service (STS) template.
  - Select Federation > Manage > Security Token Service.
  - Click Templates.
  - Click Add and name the template SAML2 to JSON. Click OK.
  - Select the SAML2 to JSON template and add the Default SAML 2.0 Token in Validate mode and a Default Map Module in Map mode.
  - Save and deploy the changes.
- Create an STS chain that references the mapping rule and template created in the previous steps.
  - Within the Security Token Service panel, select Module Chains.
  - Click Add to create a module chain, with the following values:

    Tab         Field                                                                      Value
    Overview    Name                                                                       SAML2 to JSON
    Overview    Description                                                                SAML2 to base64 encoded JSON string conversion STS chain
    Overview    Template                                                                   SAML2 to JSON
    Lookup      Request Type                                                               Validate
    Lookup      Applies to Address                                                         SAML2_AppliesTo
    Lookup      Issuer Address                                                             SAML2_Issuer
    Properties  Default Map Module (JavaScript file containing the identity mapping rule)  saml_jwt

    Use the defaults for all of the fields not in the table.
  - Save and deploy the changes.
- Use curl to test the chain.
  - Send the following WS-Trust 1.2 message:

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SOAP-ENV:Header/>
      <SOAP-ENV:Body>
        <ns1:RequestSecurityToken xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <wst:RequestType xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
          <wst:Issuer xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <wsa:Address xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">SAML2_Issuer</wsa:Address>
          </wst:Issuer>
          <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
              <wsa:Address>SAML2_AppliesTo</wsa:Address>
            </wsa:EndpointReference>
          </wsp:AppliesTo>
          <wst:Base xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="Assertion-uuidbcb46a39-0153-1337-8efa-fec506fb7461" IssueInstant="2016-03-28T10:10:53Z" Version="2.0">
              <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">isam</saml:Issuer>
              <saml:Subject>
                <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">0123456789</saml:NameID>
                <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                  <saml:SubjectConfirmationData NotOnOrAfter="2016-03-28T10:11:53Z"/>
                </saml:SubjectConfirmation>
              </saml:Subject>
              <saml:Conditions NotBefore="2016-03-28T10:09:53Z" NotOnOrAfter="2016-03-29T10:11:53Z">
                <saml:AudienceRestriction>
                  <saml:Audience>jwt_saml</saml:Audience>
                </saml:AudienceRestriction>
              </saml:Conditions>
              <saml:AuthnStatement AuthnInstant="2016-03-28T10:10:53Z">
                <saml:AuthnContext>
                  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
                </saml:AuthnContext>
              </saml:AuthnStatement>
              <saml:AttributeStatement>
                <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                  <saml:AttributeValue xsi:type="xs:string">john</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                  <saml:AttributeValue xsi:type="xs:string">john.doe@example.com</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute Name="iss" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                  <saml:AttributeValue xsi:type="xs:string">isam</saml:AttributeValue>
                </saml:Attribute>
                <saml:Attribute Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                  <saml:AttributeValue xsi:type="xs:string">doe</saml:AttributeValue>
                </saml:Attribute>
              </saml:AttributeStatement>
            </saml:Assertion>
          </wst:Base>
        </ns1:RequestSecurityToken>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    The attributes in the SAML2 assertion are mapped to the JSON attributes in the result.
  - Save this file as saml2.xml.
  - Run the following curl command, where saml2.xml is the WS-Trust 1.2 message:

    curl -k -v -u "easuser:passw0rd" -H "Content-Type: text/xml" --data-binary @saml2.xml https://ip-rte/TrustServer/SecurityTokenService

    The following results are returned:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"></SOAP-ENV:Header>
      <soap:Body>
        <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <wst:RequestSecurityTokenResponse xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="uuidc1676e30-0153-16a8-86b5-c34fd1aca7a8">
            <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
              <wsa:EndpointReference>
                <wsa:Address>SAML2_AppliesTo</wsa:Address>
              </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:RequestedSecurityToken>
              <JWT>eyJzdWIiOiIwMTIzNDU2Nzg5IiwiZ2l2ZW5fbmFtZSI6ImpvaG4iLCJOb3RPbk9yQWZ0ZXIiOiIyMDE2LTAzLTI5VDEwOjExOjUzWiIsIkF1dGhlbnRpY2F0aW9uTWV0aG9kIjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFtOnBhc3N3b3JkIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIkF1ZGllbmNlUmVzdHJpY3Rpb25Db25kaXRpb24uQXVkaWVuY2UiOiJqd3Rfc2FtbCIsImlzcyI6ImlzYW0iLCJJc3N1ZUluc3RhbnQiOiIyMDE2LTAzLTI4VDEwOjEwOjUzWiIsImZhbWlseV9uYW1lIjoiZG9lIiwiTm90QmVmb3JlIjoiMjAxNi0wMy0yOFQxMDowOTo1M1oiLCJBdXRoZW50aWNhdGlvbkluc3RhbnQiOiIyMDE2LTAzLTI4VDEwOjEwOjUzWiIsImlzc3VlciI6ImlzYW0ifQ==</JWT>
            </wst:RequestedSecurityToken>
            <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</wst:RequestType>
            <wst:Status>
              <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
            </wst:Status>
          </wst:RequestSecurityTokenResponse>
        </wst:RequestSecurityTokenResponseCollection>
      </soap:Body>
    </soap:Envelope>

    The embedded <JWT> element is the result: a Base64 encoded JSON string, which decodes to the following JSON object:

    {
      "sub": "0123456789",
      "given_name": "john",
      "NotOnOrAfter": "2016-03-29T10:11:53Z",
      "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
      "email": "john.doe@example.com",
      "AudienceRestrictionCondition.Audience": "jwt_saml",
      "iss": "isam",
      "IssueInstant": "2016-03-28T10:10:53Z",
      "family_name": "doe",
      "NotBefore": "2016-03-28T10:09:53Z",
      "AuthenticationInstant": "2016-03-28T10:10:53Z",
      "issuer": "isam"
    }
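The following Node.js script is an added example and is not code from the IBM documentation or from the ISAM product. It models the saml_jwt mapping rule above in plain JavaScript (the STSUU and the BASE64Utility/IDMappingExtUtils helpers are replaced by plain objects and Buffer, since the real rule runs inside the STS's Rhino engine), and it adds the consumer-side step the page leaves implicit: pulling the <JWT> element out of the RequestSecurityTokenResponse and decoding and shape-checking the payload. SAMPLE_STSUU is a constructed sample shaped like the assertion in saml2.xml; PAGE_RESPONSE_JWT is the <JWT> value from the curl output above.

```javascript
// Added example, not from the IBM documentation page: a plain Node.js model of the
// saml_jwt mapping rule and a decoder for the <JWT> element in the STS response.
// The STSUU (stsuu) and the ISAM helper classes are simulated with plain objects;
// the real rule runs in the STS's Rhino engine, not in Node.

// Constructed sample shaped like the STSUU that the Default SAML 2.0 Token module
// builds from saml2.xml: the subject NameID becomes the principal attribute "name".
const SAMPLE_STSUU = {
  principalAttributes: [{ name: "name", values: ["0123456789"] }],
  attributes: [
    { name: "given_name", values: ["john"] },
    { name: "email", values: ["john.doe@example.com"] },
    { name: "iss", values: ["isam"] },
    { name: "family_name", values: ["doe"] },
    { name: "NotOnOrAfter", values: ["2016-03-29T10:11:53Z"] },
  ],
};

// Same logic as the mapping rule: the principal attribute "name" is renamed to "sub",
// every other attribute is copied under its own name, and only the FIRST value of a
// multi-valued attribute survives (a second "email" value would be silently dropped).
function mapStsuuToJson(stsuu) {
  const jwt = {};
  for (const attr of stsuu.principalAttributes) {
    const value = String(attr.values[0]);
    if (attr.name === "name") {
      jwt.sub = value;
    } else {
      jwt[attr.name] = value;
    }
  }
  for (const attr of stsuu.attributes) {
    jwt[attr.name] = String(attr.values[0]);
  }
  return jwt;
}

// Equivalent of BASE64Utility.encode(jwtString.getBytes("UTF-8")) in the rule.
function encodeToken(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64");
}

// Pull the <JWT> text out of a RequestSecurityTokenResponse. Whitespace from
// line wrapping, as seen in the curl output, is removed.
function extractJwtElement(soapXml) {
  const m = /<JWT>([\s\S]*?)<\/JWT>/.exec(soapXml);
  if (!m) {
    throw new Error("no <JWT> element in response");
  }
  return m[1].replace(/\s+/g, "");
}

// Decode the element and check its shape before a consumer uses it: canonical
// base64, a JSON object (not an array or scalar), and a non-empty "sub" claim.
// Nothing here proves origin: the payload carries no signature, so it is only
// trustworthy as received directly from the STS over the authenticated connection.
function decodeToken(b64) {
  const clean = b64.replace(/\s+/g, "");
  if (clean.length % 4 !== 0 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(clean)) {
    throw new Error("not canonical base64");
  }
  const obj = JSON.parse(Buffer.from(clean, "base64").toString("utf8"));
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error("payload is not a JSON object");
  }
  if (typeof obj.sub !== "string" || obj.sub.length === 0) {
    throw new Error('payload has no "sub" claim');
  }
  return obj;
}

// The <JWT> value returned by the STS in the curl test on the page, split into
// the chunks the page shows and rejoined.
const PAGE_RESPONSE_JWT = [
  "eyJzdWIiOiIwMTIzNDU2Nzg5IiwiZ2l2ZW5fbmFtZSI6ImpvaG4iLCJOb3RPbk9yQWZ0ZXIiOiIyMDE2LTAz",
  "LTI5VDEwOjExOjUzWiIsIkF1dGhlbnRpY2F0aW9uTWV0aG9kIjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4w",
  "OmFtOnBhc3N3b3JkIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIkF1ZGllbmNlUmVzdHJpY3Rpb25",
  "Db25kaXRpb24uQXVkaWVuY2UiOiJqd3Rfc2FtbCIsImlzcyI6ImlzYW0iLCJJc3N1ZUluc3RhbnQiOiIyMDE2LT",
  "AzLTI4VDEwOjEwOjUzWiIsImZhbWlseV9uYW1lIjoiZG9lIiwiTm90QmVmb3JlIjoiMjAxNi0wMy0yOFQxMDowO",
  "To1M1oiLCJBdXRoZW50aWNhdGlvbkluc3RhbnQiOiIyMDE2LTAzLTI4VDEwOjEwOjUzWiIsImlzc3VlciI6Iml",
  "zYW0ifQ==",
].join("");

console.log("mapped:", encodeToken(mapStsuuToJson(SAMPLE_STSUU)));
console.log("decoded:", decodeToken(PAGE_RESPONSE_JWT));
```

Running the script with `node` prints the base64 string produced from the sample STSUU and the twelve-claim object decoded from the page's response. The first-value-only behaviour and the absence of any signature are the two properties a relying party should keep in mind when consuming this token format.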