
Friday, August 16, 2013

SAML OAuth Grant Type with OpenID Connect

This is an extension of the blog post by Johann at
http://nallaa.wordpress.com/2013/04/04/saml2-bearer-assertion-profile-for-oauth-2-0-with-wso2-identity-server/
and shows how to use the SAML OAuth grant type together with OpenID Connect.

1. Create SAML2 assertion

Download the Java client, but use this jar, which is modified to send claim attributes:
https://svn.wso2.org/repos/wso2/people/chamaraa/SAML2AssertionCreator.jar

The command to run the client is:

 java -jar SAML2AssertionCreator.jar SAML2AssertionCreator admin https://localhost:9443/oauth2/token https://localhost:9443/oauth2/token /home/chamara/isrelease/14082013/wso2is-4.5.0-SNAPSHOT-AD/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon  

The output will be:

 SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".  
 SLF4J: Defaulting to no-operation (NOP) logger implementation  
 SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.  
 Assertion String: <?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="opgehlkjdppnfmpjpgolbekkghdjkpbjhpjggbbl" IssueInstant="2013-08-16T11:26:19.710Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SAML2AssertionCreator</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">  
 <ds:SignedInfo>  
 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>  
 <ds:Reference URI="#opgehlkjdppnfmpjpgolbekkghdjkpbjhpjggbbl">  
 <ds:Transforms>  
 <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/></ds:Transform>  
 </ds:Transforms>  
 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>  
 <ds:DigestValue>Yu1RAlCuatR035v/zsy1jbJaa2g=</ds:DigestValue>  
 </ds:Reference>  
 </ds:SignedInfo>  
 <ds:SignatureValue>  
 Bom3LNNumJhwdB/grQqsDIRB17mMLFouoYc7JLce9yQNiagres4bmkyAWBq74uFxitMJJbgdnTUK  
 PQ5NoDMp3Zw0tjo+cjXZNhHXbEJY8uGvSDC/dI6QOhzCWSPvvb4rwG1JKYSFtNCfuCricFH6Y0JQ  
 xRr3KtwD7ehMpWxU/pY=  
 </ds:SignatureValue>  
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE  
 CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv  
 Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw  
 CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE  
 AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou  
 sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5  
 HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID  
 AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i  
 QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR  
 O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2013-08-16T11:31:19.710Z" Recipient="https://localhost:9443/oauth2/token"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-08-16T11:26:19.710Z" NotOnOrAfter="2013-08-16T11:31:19.710Z"><saml:AudienceRestriction><saml:Audience>https://localhost:9443/oauth2/token</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-08-16T11:26:19.869Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">/</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>  
 base64-url Encoded Assertion String: (the base64-url encoding of the assertion above, omitted here)


You have to extract the base64-url encoded assertion string and use it in an HTTP POST request to the token endpoint.

The JMeter script is attached here.

For this POST request to work you have to add a Trusted Identity Provider to IS.
To do that, first export the certificate from wso2carbon.jks:

 wso2is-4.5.0/repository/resources/security$ keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file mycert.pem  

Add this certificate in IS under Configure -> Trusted IdPs -> Add New Trusted Identity Provider, with the following values:

Identity Provider Name: test
Identity Provider Issuer: SAML2AssertionCreator
Identity Provider Public Certificate: attach the exported certificate
Identity Provider Audience: https://localhost:9443/oauth2/token
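As an added example (not WSO2 IS code), the following Python shows what acceptance of the posted assertion comes down to once its signature has been verified against the trusted certificate: the issuer and audience must match the Trusted IdP entry above, the subject confirmation must be of the bearer method with the token endpoint as Recipient, and the validity window must cover the request time. The assertion used is a constructed, unsigned copy of the one generated above; signature verification itself is not shown.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Values from the Trusted IdP entry above and the endpoint the assertion is posted to.
TRUSTED_ISSUER = "SAML2AssertionCreator"
TRUSTED_AUDIENCE = "https://localhost:9443/oauth2/token"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"

# Constructed, unsigned copy of the assertion shape SAML2AssertionCreator emits.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2013-08-16T11:26:19.710Z" Version="2.0">
  <saml:Issuer>SAML2AssertionCreator</saml:Issuer>
  <saml:Subject><saml:NameID>admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-08-16T11:31:19.710Z"
          Recipient="https://localhost:9443/oauth2/token"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2013-08-16T11:26:19.710Z" NotOnOrAfter="2013-08-16T11:31:19.710Z">
    <saml:AudienceRestriction><saml:Audience>https://localhost:9443/oauth2/token</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def ts(s):
    """Parse the UTC timestamp format used in the assertion."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)

def check_assertion(xml_text, now_iso):
    """Return the failed checks for a posted bearer assertion (empty list = accept).
    Signature verification against the trusted certificate is not done here."""
    now, root, errors = ts(now_iso), ET.fromstring(xml_text), []
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        errors.append("issuer not trusted")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if TRUSTED_AUDIENCE not in audiences:
        errors.append("audience mismatch")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER:
        errors.append("no bearer subject confirmation")
    if data is None or data.get("Recipient") != TOKEN_ENDPOINT:
        errors.append("recipient is not the token endpoint")
    elif now >= ts(data.get("NotOnOrAfter")):
        errors.append("subject confirmation expired")
    cond = root.find("saml:Conditions", NS)
    if cond is None or now < ts(cond.get("NotBefore")) or now >= ts(cond.get("NotOnOrAfter")):
        errors.append("outside validity window")
    return errors
```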

The JMeter response will contain your access token, refresh token and id_token:

 {"token_type":"bearer","expires_in":2947,"refresh_token":"74a77731f314f641f98c2470af1b879","id_token":"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=\r\n.eyJleHAiOi01MzEzNjg4MDQsImF6cCI6IkNqZ2dmaW1yNWNneFFSOFpQNkRseEZmTlVpY2EiLCJz\r\ndWIiOiJhZG1pbiIsImVtYWlsIjoiY2hhbWFyYUB3c28yLmNvbSIsImF1ZCI6IkNqZ2dmaW1yNWNn\r\neFFSOFpQNkRseEZmTlVpY2EiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRo\r\nMmVuZHBvaW50c1wvdG9rZW4iLCJ0ZWxlcGhvbmUiOiIrOTQ3NTUwMTIwNjAiLCJpYXQiOi01MzQ5\r\nNjg4MDQsImNvdW50cnkiOiJTcmkgTGFua2EifQ==\r\n.","access_token":"edec914a3decfbfcf32d2573dc540c0"}  

From that response you can extract the id_token, which is:

 eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=\r\n.eyJleHAiOi01MzEzNjg4MDQsImF6cCI6IkNqZ2dmaW1yNWNneFFSOFpQNkRseEZmTlVpY2EiLCJz\r\ndWIiOiJhZG1pbiIsImVtYWlsIjoiY2hhbWFyYUB3c28yLmNvbSIsImF1ZCI6IkNqZ2dmaW1yNWNn\r\neFFSOFpQNkRseEZmTlVpY2EiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRo\r\nMmVuZHBvaW50c1wvdG9rZW4iLCJ0ZWxlcGhvbmUiOiIrOTQ3NTUwMTIwNjAiLCJpYXQiOi01MzQ5\r\nNjg4MDQsImNvdW50cnkiOiJTcmkgTGFua2EifQ==\r\n.  

If you base64-decode its two segments, you will get the header and the claims:

 {"alg":"none","typ":"JWT"}  
 {"exp":-531368804,"azp":"Cjggfimr5cgxQR8ZP6DlxFfNUica","sub":"admin","email":"chamara@wso2.com","aud":"Cjggfimr5cgxQR8ZP6DlxFfNUica","iss":"https:\/\/localhost:9443\/oauth2endpoints\/token","telephone":"+94755012060","iat":-534968804,"country":"Sri Lanka"}  
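As an added example (not part of the original post or of WSO2 IS), the following Python decodes the id_token exactly as returned above and applies the checks a relying party makes before trusting it: signing algorithm, iss, aud and exp. The token is pasted verbatim, including its CRLF line breaks and standard base64 padding, so the decoder normalises the segments first; run against this token, it reports the unsigned "alg":"none" header and the negative exp, which is why base64-decoding alone is not enough before acting on the claims.

```python
import base64
import json

# id_token copied from the JMeter response above (the \r\n sequences are literal there).
ID_TOKEN = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=\r\n"
    ".eyJleHAiOi01MzEzNjg4MDQsImF6cCI6IkNqZ2dmaW1yNWNneFFSOFpQNkRseEZmTlVpY2EiLCJz\r\n"
    "dWIiOiJhZG1pbiIsImVtYWlsIjoiY2hhbWFyYUB3c28yLmNvbSIsImF1ZCI6IkNqZ2dmaW1yNWNn\r\n"
    "eFFSOFpQNkRseEZmTlVpY2EiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRo\r\n"
    "MmVuZHBvaW50c1wvdG9rZW4iLCJ0ZWxlcGhvbmUiOiIrOTQ3NTUwMTIwNjAiLCJpYXQiOi01MzQ5\r\n"
    "Njg4MDQsImNvdW50cnkiOiJTcmkgTGFua2EifQ==\r\n."
)

def decode_segment(seg):
    """Decode one JWT segment; tolerates base64url, plain base64, CRLF and missing padding."""
    seg = seg.replace("\r", "").replace("\n", "").replace("-", "+").replace("_", "/")
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.b64decode(seg))

def parse_id_token(token):
    """Split header.payload.signature and decode the two JSON parts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return decode_segment(parts[0]), decode_segment(parts[1]), parts[2].strip()

def validate_id_token(token, expected_iss, client_id, now):
    """Return the failed relying-party checks (empty list = accept).
    now is a Unix timestamp; exp must lie strictly in the future."""
    header, claims, sig = parse_id_token(token)
    errors = []
    # An unsigned token carries no proof of origin; reject it unless the client
    # explicitly registered to accept alg=none (this example never does).
    if header.get("alg") in (None, "none") or not sig:
        errors.append("unsigned token: alg=none must be rejected")
    if claims.get("iss") != expected_iss:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("aud does not contain this client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        errors.append("token expired (exp=%s)" % claims.get("exp"))
    return errors
```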

