
STS Issued Token - Get the Saml Explicitly

7 replies
dharam1982
Offline
Joined: 2008-09-15

Hello,

Is there any way I can get the SAML inside the RSTR explicitly?

-Dharam

jdg6688
Offline
Joined: 2005-11-02

Can you explain your use case?

Do you want to get the SAML assertion issued from the STS and then use it
in securing the messages in your own context?

Do you need a proof key with the SAML assertion? etc ...

You may try this to call the STS and get back the SAML assertion:

String stsEndpoint = "http://localhost:8080/jaxws-fs-sts/sts";
String stsMexEndpoint = "http://localhost:8080/jaxws-fs-sts/sts/mex";
STSIssuedTokenConfiguration stsConfig = new DefaultSTSIssuedTokenConfiguration(
stsEndpoint, stsMexEndpoint);

IssuedTokenManager manager = IssuedTokenManager.getInstance();

String appliesTo = "https://localhost:8080/jaxws-fs/FinancialService";
IssuedTokenContext ctx = manager.createIssuedTokenContext(stsConfig, appliesTo);

manager.getIssuedToken(ctx);

Token issuedToken = ctx.getSecurityToken();

Element samlAsser = (Element)issuedToken.getTokenValue();

dharam1982
Offline
Joined: 2008-09-15

I am trying to hit the STS directly by creating an RST and getting an RSTR in return (I am not using the WSIT runtime to do it for me). Now I want to see the SAML sent by the STS inside the RSTR.

I tried what you asked me to do, but the Element is coming back null.

-Dharam

BufferedReader consoleInput = new BufferedReader(new InputStreamReader(System.in));
String stsEndpoint = "http://identity.biztalk.net/sts/JavaInteropTest1/username_for_certificate";
String stsMexAddress = "http://identity.biztalk.net/sts/JavaInteropTest1/mex";
String stsWsdlAddress = "http://identity.biztalk.net/sts/JavaInteropTest1/sts.wsdl";
String stsNamespace = "http://schemas.microsoft.com/ws/2008/02/servicebus/securitytokenservice";
String stsServiceName = "SecurityTokenService";
String stsPortName = "UserNameForCertificate";
Element root = null;
Element samlAssertion = null;

System.out.print("BizTalk Services Username:");
BizTalkServicesRelayCredentials.setUsername("JavaInteropTest1"); //consoleInput.readLine());
System.out.print("BizTalk Services Password:");
BizTalkServicesRelayCredentials.setPassword("zurich"); //consoleInput.readLine());

// Dump the RST/RSTR SOAP messages to stdout
com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump = true;

DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration(
        stsEndpoint, stsWsdlAddress, stsServiceName, stsPortName, stsNamespace);
config.setKeySize(256);
config.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
config.setKeyType("http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey");

// Build the ClaimType element that goes inside wst:Claims of the RST
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
try {
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document document = builder.newDocument();

    root = document.createElementNS("http://schemas.xmlsoap.org/ws/2006/12/authorization", "ClaimType");
    document.appendChild(root);

    root.setAttribute("Optional", "false");
    root.setAttribute("Uri", "http://schemas.xmlsoap.org/ws/2006/12/authorization/claims/action");
    root.setAttribute("xmlns:ns1", "http://schemas.xmlsoap.org/ws/2006/12/authorization");
    root.setAttribute("xmlns:wsp", "http://www.w3.org/ns/ws-policy");
    root.setAttribute("xmlns:wst", "http://schemas.xmlsoap.org/ws/2005/02/trust");
    Element value = document.createElementNS("http://schemas.xmlsoap.org/ws/2006/12/authorization", "Value");
    root.appendChild(value);
} catch (ParserConfigurationException pce) {
    // Parser with specified options can't be built
    pce.printStackTrace();
}

// Attach the ClaimType element built above; the getAny() list of ClaimsImpl carries the claim elements
ClaimsImpl claims = new ClaimsImpl();
claims.getAny().add(root);
config.setClaims(claims);

try {
    IssuedTokenManager manager = IssuedTokenManager.getInstance();

    String appliesTo = "http://localhost:8080/StandaloneService/EchoService";
    IssuedTokenContext ctx = manager.createIssuedTokenContext(config, appliesTo);
    manager.getIssuedToken(ctx);
    Token issuedToken = ctx.getSecurityToken();
    Element samlAsser = (Element) issuedToken.getTokenValue();
} catch (Exception ex) {
    throw new RuntimeException(ex);
}

jdg6688
Offline
Joined: 2005-11-02

Did you get any exceptions on the client side?

Can you print out the RST and RSTR by setting -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true?

Have you configured the security for the messages on the client side with
wsit-client.xml?

You need to set up the alias of the BizTalk STS certificate in the client trust store
and also the way to get the username/password for the STS.

jdg6688
Offline
Joined: 2005-11-02

Of course you need to get the BizTalk STS certificate to import it in the client trust store.
If you can provide me the cert of the STS, I can try with it.

dharam1982
Offline
Joined: 2008-09-15

It works. Thanks for the prompt reply. It was a minor problem with the certificate.

-Dharam

sagarshah1983
Offline
Joined: 2013-04-30

Hello,
I know this is a very old post, but I thought I would share my issue here as it very closely matches the solution indicated above on this thread.
I am trying to create a direct client that will hit the STS and get the token in return.
I have used the latest Metro jar files for this.
Here's the code snippet.

// stsEndpoint, stsWSDLLocation, userName and password are set elsewhere in the client
STSIssuedTokenConfiguration stsConfig = null;
String stsServiceName = "SecurityTokenService";
String stsPortName = "UserNameWSTrustBinding_IWSTrust13Sync";
String stsNamespace = "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice";
stsConfig = new DefaultSTSIssuedTokenConfiguration(stsEndpoint, stsWSDLLocation, stsServiceName, stsPortName, stsNamespace);
((DefaultSTSIssuedTokenConfiguration) stsConfig).setTokenType("urn:oasis:names:tc:SAML:1.0:assertion");
((DefaultSTSIssuedTokenConfiguration) stsConfig).setProtocol(STSIssuedTokenConfiguration.PROTOCOL_13);

IssuedTokenManager manager = IssuedTokenManager.getInstance();

// Dump the RST/RSTR SOAP messages to stdout
com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump = true;

// UsernameToken credentials for the STS call
stsConfig.getOtherOptions().put(BindingProvider.USERNAME_PROPERTY, userName);
stsConfig.getOtherOptions().put(BindingProvider.PASSWORD_PROPERTY, password);

String appliesTo = "http://testing/test/";

IssuedTokenContext ctx = manager.createIssuedTokenContext(stsConfig, appliesTo);
manager.getIssuedToken(ctx);

Token issuedToken = ctx.getSecurityToken();
Element samlAsser = (Element) issuedToken.getTokenValue();

System.out.println(samlAsser);

It shows me the response with saml:Assertion in raw XML format. But when I print the value of samlAsser on the last line, it prints only this.
[saml:Assertion: null]

Here's soap response that I get in return.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
</a:Action>
<a:RelatesTo>uuid:ecb72221-0d57-4269-a3cb-f423617122bb</a:RelatesTo>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2013-05-01T06:40:23.150Z</u:Created>
<u:Expires>2013-05-01T06:45:23.150Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<trust:RequestSecurityTokenResponseCollection
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse>
<trust:KeySize>256</trust:KeySize>
<trust:Lifetime>
<wsu:Created
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-05-01T06:40:23.150Z</wsu:Created>
<wsu:Expires
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-05-01T08:40:23.150Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://testing/test/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1"
AssertionID="_9a70953e-e2fd-4e67-9fd5-31e262acc255"
Issuer="https://[Server IP Address here]/CoreSTS/Issue.svc"
IssueInstant="2013-05-01T06:40:23.150Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2013-05-01T06:40:23.150Z"
NotOnOrAfter="2013-05-01T08:40:23.150Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>http://testing/test/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<trust:BinarySecret>peYYks3BRnEYZv0DHhM8KZifwtp0y75cax0vbpvxRT8=
</trust:BinarySecret>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="name"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>[User name here]</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="userfullname"
AttributeNamespace="http://schemas.3m.com/his/2013/03/identity/claims/user">
<saml:AttributeValue>System Administrator</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="userrole"
AttributeNamespace="http://schemas.3m.com/his/2013/03/identity/claims/user">
<saml:AttributeValue />
</saml:Attribute>
<saml:Attribute AttributeName="userkey"
AttributeNamespace="http://schemas.3m.com/his/2013/03/identity/claims/user">
<saml:AttributeValue>1e836120-7c9b-45f2-9ed3-9bbb1ff495df
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="domainkey"
AttributeNamespace="http://schemas.3m.com/his/2013/03/identity/claims/domain">
<saml:AttributeValue>7fd4f562-6b80-434b-b223-c6763a498024
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="domainshortname"
AttributeNamespace="http://schemas.3m.com/his/2013/03/identity/claims/domain">
<saml:AttributeValue>System</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_9a70953e-e2fd-4e67-9fd5-31e262acc255">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>z/V0ebeBYmVRc2lAHAR2DuQpzeCuA5RST3aN0P9FhXU=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>WnAC7PiWFCCp52NyCLSfEd0tdCh2YBBNwjX9AE29fuuZvHwZFT+ld5VQblFMfCs+Yg6j83pwOraF1bHHrRba38kMi7dnEs9EdhW85Sf02qhaK5WWzQhGliGhK0p032oSi2klPraB6lmeXicpOmVWskP7Got2VobQ7YT+p6Lc1EeeCS0Ng87br+gyj6Aeg0dBCD1RMRiYPjXQF8JHBQl82DGVkNLDygd9flrVVnpQAB7fBBBHYGr4qPjVZXllktVrHip6hUojOhV+YkK4RAx1cDSyrReuUzqMq2paVncgrMUitMn4eV3GYJEchJPk4dQb7hiFCvU8yxc1gmz9USTy+g==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDBzCCAe+gAwIBAgIQ0U58Uc3zo5lDnp6y/qaFEzANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhTdXBlciBDQTAeFw0xMzAyMjYxODM3MjZaFw0zOTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMTCVN1cGVyQ2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJgHHvjzTDyu6MTeiqGvBlKcxVwi50BqXAXpZXCks8u/zomMMDonY/Iu+Qe4TQHMM8TfKWah2vEQKTVVwQR4bBrzSb587Jyo8crw2JxtE5G7uLzn4Y5OLgowoMYwhO2pUgCfril4c97UhbcM0Dw/idgqfBAn0n1wRDcI13dxJv9w3rv7pLlpNbhVEWvTB/8xAoYoj3xa62lA2AZTY6UwcQ0vrTcwypF7C3cf7T5Ux2ovj209kicbVPcGIOHDgfkkHbois8eNLy4BZcNXgoqRuFS3Znav7wZA4KV5h9d8RgDiTXViQEzCEn67MBMCuOeLcBZk7zD1Wc9j4V0woDi345sCAwEAAaNWMFQwDAYDVR0TAQH/BAIwADBEBgNVHQEEPTA7gBCUyYSKFDuNUJFUbKDI2igwoRUwEzERMA8GA1UEAxMIU3VwZXIgQ0GCEIZzARODVEqORvB5vxIMPNMwDQYJKoZIhvcNAQELBQADggEBAFUWdVxeIri6iALme2FKMBEfFI41rRVNWkxvczS2SkIDv+47NDbn0Z3oOG1vZY6TUUM4ukZc677fSanu+KzAj9cST35Z4hx5txKG8WToij340iHAT8ltwvnOW7CDJD6NMKyoztCRqtWuDSGM0p3xHeSeMqXI++mP8TkgCMmrDLuYic2Mthsp8L+eEvErAqrqD1AygeMe81zejsnv0cGTgJNDMhDYk1QVBF49eu81I0Iq0R2iAucBjpKNG0F5CbjnQs9A6CqYHca8Ri0XdQk4bEsbQblwr9/eY4zTSOHYCT1PPYRCYCWMFl6dQ2fptHscEi9pRgBys7btp0mPCMq3Wlc=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedProofToken>
<trust:BinarySecret>peYYks3BRnEYZv0DHhM8KZifwtp0y75cax0vbpvxRT8=
</trust:BinarySecret>
</trust:RequestedProofToken>
<trust:RequestedAttachedReference>
<o:SecurityTokenReference
k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9a70953e-e2fd-4e67-9fd5-31e262acc255</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<o:SecurityTokenReference
k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9a70953e-e2fd-4e67-9fd5-31e262acc255</o:KeyIdentifier>
</o:SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion
</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
</trust:KeyType>
</trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>

I am not sure how I should get this SOAP response into a Java object.
Any help is very much appreciated.
Thanks.
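
Added example, not code from this thread or from Metro: the `[saml:Assertion: null]` output above is just `Element.toString()` printing the node name and node value (an element's node value is always null), so the Element itself is not null. This standalone snippet shows how to pull the saml:Assertion out of an RSTR shaped like the one posted, serialize it to XML, and check its Audience and validity window against the client's AppliesTo before trusting it; the class name and the trimmed sample RSTR are constructed for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class RstrAssertionExtractor {
    static final String SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    // Constructed sample: the RSTR posted above, cut down to the elements this code reads.
    static final String SAMPLE_RSTR =
        "<trust:RequestSecurityTokenResponseCollection xmlns:trust='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>"
      + "<trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>"
      + "<saml:Assertion MajorVersion='1' MinorVersion='1' AssertionID='_sample-id' xmlns:saml='" + SAML11_NS + "'>"
      + "<saml:Conditions NotBefore='2013-05-01T06:40:23.150Z' NotOnOrAfter='2013-05-01T08:40:23.150Z'>"
      + "<saml:AudienceRestrictionCondition><saml:Audience>http://testing/test/</saml:Audience>"
      + "</saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion></trust:RequestedSecurityToken>"
      + "</trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection>";
    // Namespace-aware parse with DTDs disabled (the RSTR is untrusted input), then pick the one saml:Assertion.
    static Element extractAssertion(String rstrXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(rstrXml)));
        NodeList found = doc.getElementsByTagNameNS(SAML11_NS, "Assertion");
        if (found.getLength() != 1) throw new IllegalStateException("expected exactly one saml:Assertion");
        return (Element) found.item(0);
    }
    // Element.toString() prints "[saml:Assertion: null]" (node name and node value); serialize it instead.
    static String toXml(Element e) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(e), new StreamResult(out));
        return out.toString();
    }

    // Relying-party checks: Audience must equal our AppliesTo and 'now' must fall inside Conditions.
    // Verifying the enveloped ds:Signature against the trusted STS certificate is still required and not shown here.
    static boolean conditionsHold(Element assertion, String appliesTo, Instant now) {
        Element cond = (Element) assertion.getElementsByTagNameNS(SAML11_NS, "Conditions").item(0);
        Instant notBefore = Instant.parse(cond.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.getAttribute("NotOnOrAfter"));
        NodeList aud = cond.getElementsByTagNameNS(SAML11_NS, "Audience");
        boolean audienceOk = aud.getLength() == 1 && appliesTo.equals(aud.item(0).getTextContent().trim());
        return audienceOk && !now.isBefore(notBefore) && now.isBefore(notOnOrAfter);
    }
}
```

Calling `toXml(extractAssertion(SAMPLE_RSTR))` returns the assertion as an XML string, and `conditionsHold(assertion, "http://testing/test/", Instant.parse("2013-05-01T07:00:00Z"))` returns true for the sample; the same `toXml` call on the `samlAsser` Element from the Metro code above prints the real assertion instead of `[saml:Assertion: null]`.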

sergey.fedechkin
Offline
Joined: 2014-05-13

Hi! Did you resolve your issue? I've faced exactly the same thing. Thanks in advance for your help.
Thanks.