Background reading: http://nallaa.wordpress.com/2013/04/04/saml2-bearer-assertion-profile-for-oauth-2-0-with-wso2-identity-server/
This post shows how to use the SAML OAuth grant type with OpenID Connect.
1. Create SAML2 assertion
Download the Java client here, but use this jar instead, which is modified to send claim attributes:
https://svn.wso2.org/repos/wso2/people/chamaraa/SAML2AssertionCreator.jar
The command to run the client is shown below. The arguments after the jar name are the issuer, the subject, the recipient and the audience that appear in the generated assertion, then the keystore path, followed by the keystore password, key alias and key password (all wso2carbon for the default IS keystore):
java -jar SAML2AssertionCreator.jar SAML2AssertionCreator admin https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token /home/chamara/isrelease/14082013/wso2is-4.5.0-SNAPSHOT-AD/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
The output will be:
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Assertion String:
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="opgehlkjdppnfmpjpgolbekkghdjkpbjhpjggbbl" IssueInstant="2013-08-16T11:26:19.710Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SAML2AssertionCreator</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#opgehlkjdppnfmpjpgolbekkghdjkpbjhpjggbbl">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>Yu1RAlCuatR035v/zsy1jbJaa2g=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Bom3LNNumJhwdB/grQqsDIRB17mMLFouoYc7JLce9yQNiagres4bmkyAWBq74uFxitMJJbgdnTUK
PQ5NoDMp3Zw0tjo+cjXZNhHXbEJY8uGvSDC/dI6QOhzCWSPvvb4rwG1JKYSFtNCfuCricFH6Y0JQ
xRr3KtwD7ehMpWxU/pY=
    </ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>[X509 certificate value omitted]</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2013-08-16T11:31:19.710Z" Recipient="https://localhost:9443/oauth2/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-08-16T11:26:19.710Z" NotOnOrAfter="2013-08-16T11:31:19.710Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:9443/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-08-16T11:26:19.869Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute>
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">/</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
base64-url Encoded Assertion String: [long encoded assertion omitted]
You have to extract the base64-url Encoded Assertion String from that output and use it in an HTTP POST request to the token endpoint.
The JMeter script is attached here.
For this POST request to work you have to register the assertion's issuer as a Trusted Identity Provider in IS.
For that, first export the trusted certificate from wso2carbon.jks:
wso2is-4.5.0/repository/resources/security$ keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file mycert.pem
Add this certificate in IS under Configure -> Trusted Idps -> Add New Trusted Identity Provider, with the following values (the issuer and audience must match the saml:Issuer and saml:Audience of the generated assertion):
Identity Provider Name: test
Identity Provider Issuer: SAML2AssertionCreator
Identity Provider Public Certificate: attach the certificate
Identity Provider Audience: https://localhost:9443/oauth2/token
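The POST request itself, as an added example rather than the page's JMeter script: it assumes the standard SAML2 bearer grant type URN, HTTP Basic client authentication with placeholder client credentials, and scope=openid so that an id_token is returned.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Hypothetical credentials of the OAuth client registered in IS (placeholders).
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

def build_token_request(encoded_assertion: str, scope: str = "openid"):
    """Return (url, headers, body) for a SAML2 bearer grant request.

    encoded_assertion is the "base64-url Encoded Assertion String" printed by
    SAML2AssertionCreator. That output is already percent-encoded (its %0A,
    %2B and %3D are URL-encoded newlines, '+' and '='), so it goes into the
    form body verbatim; running it through quote() again would double-encode it.
    """
    body = "&".join([
        "grant_type=" + urllib.parse.quote(SAML2_BEARER, safe=""),
        "assertion=" + encoded_assertion,
        "scope=" + urllib.parse.quote(scope, safe=""),  # openid -> id_token in the response
    ])
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,  # client authentication, never in the body
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return TOKEN_ENDPOINT, headers, body.encode()

def request_tokens(encoded_assertion: str, verify_tls: bool = True) -> dict:
    """POST the grant and return the parsed JSON (access_token, refresh_token, id_token)."""
    url, headers, body = build_token_request(encoded_assertion)
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for the self-signed localhost certificate of a dev setup
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())
```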
The JMeter response will contain your access token, refresh token and id_token:
{"token_type":"bearer","expires_in":2947,"refresh_token":"74a77731f314f641f98c2470af1b879","id_token":"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=\r\n.eyJleHAiOi01MzEzNjg4MDQsImF6cCI6IkNqZ2dmaW1yNWNneFFSOFpQNkRseEZmTlVpY2EiLCJz\r\ndWIiOiJhZG1pbiIsImVtYWlsIjoiY2hhbWFyYUB3c28yLmNvbSIsImF1ZCI6IkNqZ2dmaW1yNWNn\r\neFFSOFpQNkRseEZmTlVpY2EiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRo\r\nMmVuZHBvaW50c1wvdG9rZW4iLCJ0ZWxlcGhvbmUiOiIrOTQ3NTUwMTIwNjAiLCJpYXQiOi01MzQ5\r\nNjg4MDQsImNvdW50cnkiOiJTcmkgTGFua2EifQ==\r\n.","access_token":"edec914a3decfbfcf32d2573dc540c0"}
From that response you can extract the id_token, which is
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=\r\n.eyJleHAiOi01MzEzNjg4MDQsImF6cCI6IkNqZ2dmaW1yNWNneFFSOFpQNkRseEZmTlVpY2EiLCJz\r\ndWIiOiJhZG1pbiIsImVtYWlsIjoiY2hhbWFyYUB3c28yLmNvbSIsImF1ZCI6IkNqZ2dmaW1yNWNn\r\neFFSOFpQNkRseEZmTlVpY2EiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRo\r\nMmVuZHBvaW50c1wvdG9rZW4iLCJ0ZWxlcGhvbmUiOiIrOTQ3NTUwMTIwNjAiLCJpYXQiOi01MzQ5\r\nNjg4MDQsImNvdW50cnkiOiJTcmkgTGFua2EifQ==\r\n.
If you base64-decode the two dot-separated parts of it, you get the header and the claims:
{"alg":"none","typ":"JWT"}
{"exp":-531368804,"azp":"Cjggfimr5cgxQR8ZP6DlxFfNUica","sub":"admin","email":"chamara@wso2.com","aud":"Cjggfimr5cgxQR8ZP6DlxFfNUica","iss":"https:\/\/localhost:9443\/oauth2endpoints\/token","telephone":"+94755012060","iat":-534968804,"country":"Sri Lanka"}
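An added example, not from the original post, that decodes the id_token above the way an OIDC client should and checks its claims; the issuer and client_id it checks against are taken from the token's own iss and aud values.

```python
import base64
import json

# The id_token exactly as in the token response above, with its CR LF breaks and "=" padding.
ID_TOKEN = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=\r\n"
    ".eyJleHAiOi01MzEzNjg4MDQsImF6cCI6IkNqZ2dmaW1yNWNneFFSOFpQNkRseEZmTlVpY2EiLCJz\r\n"
    "dWIiOiJhZG1pbiIsImVtYWlsIjoiY2hhbWFyYUB3c28yLmNvbSIsImF1ZCI6IkNqZ2dmaW1yNWNn\r\n"
    "eFFSOFpQNkRseEZmTlVpY2EiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRo\r\n"
    "MmVuZHBvaW50c1wvdG9rZW4iLCJ0ZWxlcGhvbmUiOiIrOTQ3NTUwMTIwNjAiLCJpYXQiOi01MzQ5\r\n"
    "Njg4MDQsImNvdW50cnkiOiJTcmkgTGFua2EifQ==\r\n."
)
CLIENT_ID = "Cjggfimr5cgxQR8ZP6DlxFfNUica"  # the aud/azp value in this token
ISSUER = "https://localhost:9443/oauth2endpoints/token"  # the iss value in this token

def b64url_decode(segment: str) -> bytes:
    # A JWT segment should be unpadded base64url on one line; this server emitted
    # MIME-style base64 (76-char lines, "=" padding), so normalise before decoding.
    cleaned = "".join(segment.split()).replace("-", "+").replace("_", "/").rstrip("=")
    return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4), validate=True)

def parse_id_token(token: str):
    """Split the compact serialisation into (header, claims, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated segments")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])),
            parts[2].strip())

def validate_id_token(token: str, issuer: str, client_id: str, now: int,
                      allow_unsigned: bool = False) -> list:
    """Return the problems found; an empty list means the token is acceptable."""
    header, claims, signature = parse_id_token(token)
    problems = []
    if (header.get("alg") == "none" or not signature) and not allow_unsigned:
        # OIDC Core permits alg=none only for a client that registered it and
        # receives the id_token straight from the token endpoint over TLS.
        problems.append("unsigned id_token (alg=none)")
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain this client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("azp must name this client when aud has several entries")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append(f"expired or invalid exp: {claims.get('exp')!r}")
    return problems
```

Run against this token it reports two problems: alg is none with an empty signature, and exp is -531368804 (a time before 1970), so a conforming client rejects it. The allow_unsigned flag covers only the case OIDC Core allows, a client that registered alg=none and receives the token directly from the token endpoint over TLS.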