SAML Query Samples
1. Introduction
This sample illustrates how to form a Query, how to write a sample
AttributeMapper, and how to send and process a SOAP message using the
SAML SDK. The program flow is:
- The application first obtains the SSOToken.
- It forms an AuthenticationQuery using the information in the SSOToken.
- It forms a SOAP message and sends it to the SAMLSOAPReceiver.
(The SAMLSOAPReceiver processes the SOAP request and replies with a SAML
Response.)
- It receives the SOAP reply and obtains the Authentication Assertion
from it. In a real application, this Assertion can be obtained from
Single Sign-On using the artifact or POST profile, or from SAMLClient.
- It forms an AttributeQuery using the Authentication Assertion obtained
in the previous step as the SubjectConfirmationData.
- It forms a SOAP message and sends it to the SAMLSOAPReceiver.
(The SAMLSOAPReceiver processes the SOAP request, finds the matching
Attributes using the SampleAttributeMapper, and replies with a SAML
Response.)
- It receives the SOAP reply and obtains the SAML Response from it.
For simplicity, this sample is designed to run in the same JVM as
Access Manager. It is possible to run the sample in a different JVM by
modifying SAMLQueryServlet.java. The key requirements are: send the
AuthenticationQuery to the server that issued the SSOToken; send the
AttributeQuery to the server that produces the Attributes; and the server
that issues the Authentication Assertion must be listed in the Trusted
Partner Sites of the server that receives the AttributeQuery.
2. Instructions on Building, Configuring and Running the Sample
Unless stated otherwise, the instructions below apply to both Solaris and
Windows machines. The Solaris file path separator "/" is used in the
instructions; change it to "\" for Windows. <INSTALL_DIR> is the
directory where Sun Java System Access Manager is installed.
1. Go to <INSTALL_DIR>/samples/saml/query
2. Edit the Makefile (make.bat for Windows) if needed. Modify the
following environment variables if you do not want to use the defaults:
   BASE - Set this variable to the installed directory of Sun Java System
   Access Manager
   CLASSPATH - References all the jars needed to compile this sample
   JAVA_HOME - Set this variable to your JDK installation. It should be
   newer than JDK 1.3.1
   BASE_CLASS_DIR - Directory where all the compiled classes will be kept
3. Run gmake (make.bat for Windows)
4. Deploy SAMLQuerySample.jar in the web container.
   a. Go to BASE_CLASS_DIR
   b. Copy SAMLQuerySample.jar to <install-dir>/SUNWam/lib
   c. Add <install-dir>/SUNWam/lib/SAMLQuerySample.jar to the web
   container's classpath. For example, for an Express install, add it to
   the classpathsuffix in file <install-dir>/servers/<instance>/config/server.xml
   d. Add a <servlet> and a <servlet-mapping> to file
   <install-dir>/web-apps/services/WEB-INF/web.xml
   For example:
<servlet>
<servlet-name>querysample</servlet-name>
<description>querysample</description>
<servlet-class>SAMLQueryServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>querysample</servlet-name>
<url-pattern>/querysample</url-pattern>
</servlet-mapping>
5. Restart Sun Java System Access Manager.
   On Solaris: <install-dir>/bin/amserver start
   On Windows: <install-dir>\bin\amserver.bat restart
6. Log in to the Administration Console as amadmin:
   http://<server.domain>:port/amconsole
7. Configure the SAML Service
   a. Click on the "Service Management" tab
   b. Click on "SAML" under "Service Name"
   c. Go to the "SiteID and Site Issuer Name" attribute and copy the value
   of siteid
   d. Go to the "Trusted Partner Sites" attribute
   e. Add the following entry:
sourceid=<the siteid value obtained in step 7.c>|
hostlist=<the IP address of the machine that Access Manager is running on>|
attributeMapper=SampleAttributeMapper
   f. Click on "Save" to save the changes
8. Invoke the servlet:
   http://<server.domain>:port/<service_deploy_URI>/querysample
9. You may also log out, log in as another user, and then invoke the
servlet again.
10. You should see servlet response output similar to the following:
The SAML Request to be sent is:
<samlp:Request
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
RequestID="ZadxB2mWot+mfSo7lQMU4MykzKw=" MajorVersion="1" MinorVersion="0"
IssueInstant="2002-08-31T00:01:53Z">
<samlp:AuthenticationQuery>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:NameIdentifier
NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
</samlp:AuthenticationQuery>
</samlp:Request>
The SOAP endpoint is:
http://neuhome.red.iplanet.com:58080/amserver/SAMLSOAPReceiver
The response received is
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
ResponseID="IYQ5pYcm4sw8rE+mw81beABfnNA="
InResponseTo="ZadxB2mWot+mfSo7lQMU4MykzKw=" MajorVersion="1" MinorVersion="0"
IssueInstant="2002-08-31T00:01:53Z" Recipient="192.18.148.29">
<samlp:Status>
<samlp:StatusCode Value="samlp:Success">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
MinorVersion="0" AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw="
Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z">
<saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z"
>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:com:sun:identity:LDAP"
AuthenticationInstant="2002-08-30T23:57:13Z">
<saml:Subject>
<saml:NameIdentifier
NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:SubjectLocality IPAddress="192.18.148.29" /></saml:AuthenticationStatement>
</saml:Assertion>
</samlp:Response>
The SAML Request to be sent is:
<samlp:Request
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
RequestID="G/AUygEJazkTo0zQJg5tlP8R/T8=" MajorVersion="1" MinorVersion="0"
IssueInstant="2002-08-31T00:01:53Z">
<samlp:AttributeQuery>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:NameIdentifier
NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
<saml:SubjectConfirmationData><saml:Assertion
AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw=" IssueInstant="2002-08-31T00:01:53Z"
Issuer="neuhome.red.iplanet.com:58080" MajorVersion="1" MinorVersion="0"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2002-08-30T23:56:53Z"
NotOnOrAfter="2002-08-31T00:02:53Z">
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2002-08-30T23:57:13Z"
AuthenticationMethod="urn:com:sun:identity:LDAP">
<saml:Subject>
<saml:NameIdentifier
NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:SubjectLocality
IPAddress="192.18.148.29"></saml:SubjectLocality></saml:AuthenticationStatement>
</saml:Assertion>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
</samlp:AttributeQuery>
</samlp:Request>
The response received is:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
ResponseID="slFcTqP6CFq26xs3pnlpfpRID2I="
InResponseTo="G/AUygEJazkTo0zQJg5tlP8R/T8=" MajorVersion="1" MinorVersion="0"
IssueInstant="2002-08-31T00:01:53Z" Recipient="192.18.148.29">
<samlp:Status>
<samlp:StatusCode Value="samlp:Success">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
MinorVersion="0" AssertionID="PhI5XH0rkUCNTlLBaIe4/Y5nT8w="
Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z"
>
<saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z"
>
</saml:Conditions>
<saml:AttributeStatement >
<saml:Subject>
<saml:NameIdentifier
NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
<saml:SubjectConfirmationData><saml:Assertion
AssertionID="92yF88dhd1K2+tGOzFs8jJvF7Mw=" IssueInstant="2002-08-31T00:01:53Z"
Issuer="neuhome.red.iplanet.com:58080" MajorVersion="1" MinorVersion="0"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2002-08-30T23:56:53Z"
NotOnOrAfter="2002-08-31T00:02:53Z">
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2002-08-30T23:57:13Z"
AuthenticationMethod="urn:com:sun:identity:LDAP">
<saml:Subject>
<saml:NameIdentifier
NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:com:sun:identity</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>AQIC5wM2LY4SfcxkBK5+0S4DoN9U/KHQ268NBt7ozAcWu4T2fgi4vKcz9h1imi6pl/bCqtgxS7RGdRvEpHXCKktFn7xI4cZw2TriUgfqMa7+f+c=@neuhome.red.iplanet.com-0%3A3d700638%3A7d3e164a9afd89e8</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:SubjectLocality
IPAddress="192.18.148.29"></saml:SubjectLocality></saml:AuthenticationStatement>
</saml:Assertion>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="userpassword" AttributeNamespace="iPlanetAMUserService">
<saml:AttributeValue
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
{SSHA}3/GreMuCxplJr518lWknB6wADY0vVcIZBFX8Pw==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="uid" AttributeNamespace="iPlanetAMUserService">
<saml:AttributeValue
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="cn" AttributeNamespace="iPlanetAMUserService">
<saml:AttributeValue
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="inetuserstatus"
AttributeNamespace="iPlanetAMUserService">
<saml:AttributeValue
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">Active</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="sn" AttributeNamespace="iPlanetAMUserService">
<saml:AttributeValue
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">amAdmin</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
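Added example, not the sample's or the SAML SDK's own code (Python rather than Java, so it runs without Access Manager): the checks a relying party should apply to a SAML 1.0 Response of the shape shown above before acting on it. It binds InResponseTo to the RequestID it sent, requires a Success status, accepts Assertions only from an Issuer in its trusted-partner set, enforces the Conditions window, and flags the userpassword hash that the SampleAttributeMapper releases, which a production mapper should not; the trusted-issuer set and the shortened response are constructed, and no XML signature is checked because the sample responses carry none.

```python
# Added example, not the sample's own code: relying-party checks on a SAML 1.0 Response.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml when parsing input from other parties

SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
TRUSTED_ISSUERS = {"neuhome.red.iplanet.com:58080"}  # mirrors Trusted Partner Sites
SENSITIVE = {"userpassword"}  # a production AttributeMapper must never release these

# Constructed input: the attribute-query response above, cut down to two attributes.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 ResponseID="slFcTqP6CFq26xs3pnlpfpRID2I=" InResponseTo="G/AUygEJazkTo0zQJg5tlP8R/T8="
 MajorVersion="1" MinorVersion="0" IssueInstant="2002-08-31T00:01:53Z">
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
  MinorVersion="0" AssertionID="PhI5XH0rkUCNTlLBaIe4/Y5nT8w="
  Issuer="neuhome.red.iplanet.com:58080" IssueInstant="2002-08-31T00:01:53Z">
  <saml:Conditions NotBefore="2002-08-30T23:56:53Z" NotOnOrAfter="2002-08-31T00:02:53Z"/>
  <saml:AttributeStatement>
   <saml:Attribute AttributeName="userpassword" AttributeNamespace="iPlanetAMUserService">
    <saml:AttributeValue>{SSHA}3/GreMuCxplJr518lWknB6wADY0vVcIZBFX8Pw==</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute AttributeName="uid" AttributeNamespace="iPlanetAMUserService">
    <saml:AttributeValue>amAdmin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def parse_instant(text):  # SAML 1.0 instants are UTC, e.g. 2002-08-31T00:01:53Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(doc, sent_request_id, now):
    # Returns (problems, attributes); any problem means the Response must be rejected.
    problems, attrs = [], {}
    root = ET.fromstring(doc)
    if root.get("InResponseTo") != sent_request_id:  # bind the reply to our own query
        problems.append("InResponseTo does not match the RequestID we sent")
    code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    for assertion in root.findall(f"{SAML}Assertion"):
        if assertion.get("Issuer") not in TRUSTED_ISSUERS:  # same role as the partner list
            problems.append(f"Issuer {assertion.get('Issuer')!r} is not a trusted partner")
        cond = assertion.find(f"{SAML}Conditions")
        if cond is not None and not (parse_instant(cond.get("NotBefore")) <= now
                                     < parse_instant(cond.get("NotOnOrAfter"))):
            problems.append("assertion is outside its Conditions validity window")
        for attr in assertion.iter(f"{SAML}Attribute"):
            name = attr.get("AttributeName")
            attrs[name] = [v.text for v in attr.findall(f"{SAML}AttributeValue")]
            if name in SENSITIVE:
                problems.append(f"mapper released sensitive attribute {name!r}")
    return problems, attrs
```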