Sun Java System Identity Server 2004Q2
Sample

SAML Query Samples

This sample illustrates how to form a SAML Query, how to write an AttributeMapper (SampleAttributeMapper), and how to send and process a SOAP message using the SAML SDK.

The following is the program flow:

  1. The application first obtains the SSOToken.
  2. It forms an AuthenticationQuery using the information in the SSOToken.
  3. It forms a SOAP message and sends it to the SAMLSOAPReceiver (the SAMLSOAPReceiver processes the SOAP request and replies with a SAML Response).
  4. It receives the SOAP reply and obtains the Authentication Assertion from it. In a real application, this Assertion could instead be obtained through Single Sign-On using the artifact or POST profile, or through SAMLClient.
  5. It forms an AttributeQuery using the Authentication Assertion obtained in the previous step as the SubjectConfirmationData.
  6. It forms a SOAP message and sends it to the SAMLSOAPReceiver (the SAMLSOAPReceiver processes the SOAP request, finds the matching Attributes using the SampleAttributeMapper, and replies with a SAML Response).
  7. It receives the SOAP reply and obtains the SAML Response from it.

For simplicity, this sample is designed to run in the same JVM as Identity Server 2004Q2. It can be run in a different JVM by modifying SAMLQueryServlet.java. The requirements are: send the AuthenticationQuery to the server that issued the SSOToken; send the AttributeQuery to the server that produces the Attributes; and make sure the server that issued the Authentication Assertion is listed in the Trusted Partner Sites of the server that receives the AttributeQuery.

Instructions on Building, Configuring and Running the Sample:

Unless stated otherwise, the instructions below apply to both Solaris and Windows 2000 machines. The Solaris file path separator "/" is used in the instructions; change it to "\" for Windows 2000. <install dir> is the directory where Sun Java System Identity Server 2004Q2 is installed.

  1. Go to <install dir>/samples/saml/query
  2. Edit the Makefile (make.bat for Windows 2000) if needed. Modify the following environment variables if you do not want to use the defaults:
    • BASE - the directory where Sun Java System Identity Server is installed
    • CLASSPATH - references all the jars needed to compile this sample
    • JAVA_HOME - your JDK installation; it must be newer than JDK 1.3.1
    • BASE_CLASS_DIR - the directory where all the compiled classes are kept
  3. Run gmake (make.bat for Windows 2000)
  4. Deploy SAMLQuerySample.jar in the web container:
    1. Go to BASE_CLASS_DIR
    2. Copy SAMLQuerySample.jar to <install-dir>/SUNWam/lib
    3. Add <install-dir>/SUNWam/lib/SAMLQuerySample.jar to the web container's classpath. For example, for an Express install, add it to the classpathsuffix in the file <install-dir>/servers/<instance>/config/server.xml
    4. Add a <servlet> and a <servlet-mapping> entry to the file <install-dir>/web-apps/services/WEB-INF/web.xml, for example:
      <servlet>
          <servlet-name>querysample</servlet-name>
          <description>querysample</description>
          <servlet-class>SAMLQueryServlet</servlet-class>
      </servlet>
      <servlet-mapping>
          <servlet-name>querysample</servlet-name>
          <url-pattern>/querysample</url-pattern>
      </servlet-mapping>
  5. Restart the Sun Java System Identity Server 2004Q2:
    On Solaris: <install-dir>/bin/amserver start
    On Windows 2000: <install-dir>\bin\amserver.bat restart
  6. Log in to the Administration Console as amadmin:
    http://<server.domain>:port/amconsole
  7. Configure the SAML Service:
    1. Click the "Service Management" tab
    2. Click "SAML" under "Service Name"
    3. Go to the "SiteID and Site Issuer Name" attribute and copy the value of siteid
    4. Go to the "Trusted Partner Sites" attribute and add the following entry:
      sourceid=<the siteid obtained in step 7.3>|
      hostlist=<the IP address of the machine that Identity Server is running on>|
      attributeMapper=SampleAttributeMapper
    5. Click "Save" to save the changes
  8. Invoke the servlet at http://<server.domain>:port/<service_deploy_URI>/querysample
  9. You may also log out, log in as another user, and invoke the servlet again.
  10. You should see servlet response output similar to the following:

    The SAML Request to be sent is:

    <samlp:Request
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    RequestID="ZadxB2mWot+mfSo7lQMU4MykzKw=" MajorVersion="1" MinorVersion="0"
    IssueInstant="2002-08-31T00:01:53Z">
    <samlp:AuthenticationQuery>
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:NameIdentifier
    NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
    <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </samlp:AuthenticationQuery>
    </samlp:Request>

    The SOAP endpoint is: http://neuhome.red.iplanet.com:58080/amserver/SAMLSOAPReceiver

    The response received is:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    ResponseID="IYQ5pYcm4sw8rE+mw81beABfnNA="
    InResponseTo="ZadxB2mWot+mfSo7lQMU4MykzKw=" MajorVersion="1" MinorVersion="0"
    IssueInstant="2002-08-31T00:01:53Z" Recipient="192.18.148.29">
    <samlp:Status>
    <samlp:StatusCode Value="samlp:Success">
    </samlp:StatusCode>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
    MinorVersion="0" AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw="
    Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z">
    <saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z">
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:com:sun:identity:LDAP"
    AuthenticationInstant="2002-08-30T23:57:13Z">
    <saml:Subject>
    <saml:NameIdentifier
    NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
    <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:SubjectLocality IPAddress="192.18.148.29" /></saml:AuthenticationStatement>
    </saml:Assertion>
    </samlp:Response>

    The SAML Request to be sent is:

    <samlp:Request
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    RequestID="G/AUygEJazkTo0zQJg5tlP8R/T8=" MajorVersion="1" MinorVersion="0"
    IssueInstant="2002-08-31T00:01:53Z">
    <samlp:AttributeQuery>
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:NameIdentifier
    NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
    <saml:SubjectConfirmationData><saml:Assertion
    AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw=" IssueInstant="2002-08-31T00:01:53Z"
    Issuer="neuhome.red.iplanet.com:58080" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2002-08-30T23:56:53Z"
    NotOnOrAfter="2002-08-31T00:02:53Z">
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2002-08-30T23:57:13Z"
    AuthenticationMethod="urn:com:sun:identity:LDAP">
    <saml:Subject>
    <saml:NameIdentifier
    NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
    <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:SubjectLocality
    IPAddress="192.18.148.29"></saml:SubjectLocality></saml:AuthenticationStatement>
    </saml:Assertion>
    </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </samlp:AttributeQuery>
    </samlp:Request>

    The response received is:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    ResponseID="slFcTqP6CFq26xs3pnlpfpRID2I="
    InResponseTo="G/AUygEJazkTo0zQJg5tlP8R/T8=" MajorVersion="1" MinorVersion="0"
    IssueInstant="2002-08-31T00:01:53Z" Recipient="192.18.148.29">
    <samlp:Status>
    <samlp:StatusCode Value="samlp:Success">
    </samlp:StatusCode>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
    MinorVersion="0" AssertionID="PhI5XH0rkUCNTlLBaIe4/Y5nT8w="
    Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z">
    <saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z">
    </saml:Conditions>
    <saml:AttributeStatement >
    <saml:Subject>
    <saml:NameIdentifier
    NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
    <saml:SubjectConfirmationData><saml:Assertion
    AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw=" IssueInstant="2002-08-31T00:01:53Z"
    Issuer="neuhome.red.iplanet.com:58080" MajorVersion="1" MinorVersion="0"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2002-08-30T23:56:53Z"
    NotOnOrAfter="2002-08-31T00:02:53Z">
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2002-08-30T23:57:13Z"
    AuthenticationMethod="urn:com:sun:identity:LDAP">
    <saml:Subject>
    <saml:NameIdentifier
    NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
    <saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:SubjectLocality
    IPAddress="192.18.148.29"></saml:SubjectLocality></saml:AuthenticationStatement>
    </saml:Assertion>
    </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="userpassword" AttributeNamespace="iPlanetAMUserService">
    <saml:AttributeValue
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    {SSHA}3/GreMuCxplJr518lWknB6wADY0vVcIZBFX8Pw==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="uid" AttributeNamespace="iPlanetAMUserService">
    <saml:AttributeValue
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="cn" AttributeNamespace="iPlanetAMUserService">
    <saml:AttributeValue
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="inetuserstatus"
    AttributeNamespace="iPlanetAMUserService">
    <saml:AttributeValue
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">Active</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="sn" AttributeNamespace="iPlanetAMUserService">
    <saml:AttributeValue
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    </samlp:Response>