How to generate SAML 2.0 assertions with WSO2 Identity Server REST API

Lahiru Gamage
3 min readNov 21, 2017



Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based protocol for handling authentication and authorization. It lets service providers give their users access to different systems with a single sign-on.

In a typical SAML deployment, users are authenticated through web browser redirects, as shown in the sequence diagram below. See how WSO2 Identity Server enables this through service provider configuration here.

Typical SAML 2.0 Flow

As discussed above, the user is usually redirected to the identity provider and enters their credentials in the login page the identity provider presents. But if you have a use case where the service provider obtains the SAML token on behalf of the user, without browser redirects, you have to send the user's credentials together with the SAML request to the identity provider, and the service provider must be able to retrieve the token through an API. WSO2 Identity Server allows just that, with request path authentication.

SAML 2.0 token generation with REST API

The sequence diagram above shows the use case where the identity provider (WSO2 IS) responds directly with the SAML token instead of presenting the login page. The steps below describe how to try this out with WSO2 IS 5.3.0.

Log in to the WSO2 Identity Server management console, then:

  1. Create a service provider from the main menu by clicking Add. Give it a name such as ‘SAMLProvider’ and click Register.
  2. Expand the ‘Inbound Authentication Configuration’ section and then expand ‘SAML2 Web SSO Configuration’ in the service provider.
  3. Click Configure. A form appears; select ‘Manual Configuration’. Provide ‘travelocity.com’ as the Issuer (or any issuer you like for your service provider), add your callback URL (e.g. http://localhost:8080/travelocity.com) under ‘Assertion Consumer URLs’, and tick the ‘Enable IdP initiated SSO’ check box. You may enable other options as your requirements dictate. See the screenshot below for an example.
  4. Click Update.
  5. Expand the ‘Local & Outbound Authentication Configuration’ section and then the ‘Request Path Authentication Configuration’ section.
  6. Select basic-auth from the drop-down and click Add.
  7. Click Update.

Curl command to test with the default admin credentials of WSO2 IS (admin:admin); the header value is the Base64 encoding of admin:admin:

curl -k -X GET 'https://localhost:9443/samlsso?spEntityID=travelocity.com' -H 'authorization: Basic YWRtaW46YWRtaW4='

If you want to achieve the same with an OAuth token (instead of user credentials), you can change or add to step 6 above. You may have both Basic and Bearer (OAuth) authentication under request path authentication for the same service provider.

You may configure a different service provider to obtain the OAuth token, or add an OAuth configuration to the service provider we created above (SAMLProvider), as explained here.

Once you have the OAuth token, you can test the API as follows:

curl -k -X GET 'https://localhost:9443/samlsso?spEntityID=travelocity.com' -H 'authorization: Bearer ea4150d13baa70d9ab70b13910b7e68b'

The response to either curl request is an HTML page. An example response looks like this:

<!--
Variables https://asdas.com, $response, $relayState and $additionalParams will be replaced by the corresponding values
-->
<html>
<body>
<p>You are now redirected back to https://asdas.com
If the redirection fails, please click the post button.
</p>

<form method='post' action='https://asdas.com'>
<p>
<!--$params-->
<input type='hidden' name='SAMLResponse'
value='PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGldGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4='
/>
<!--$additionalParams-->
<button type='submit'>POST</button>
</p>
</form>
<script type='text/javascript'>
document.forms[0].submit();
</script>
</body>
</html>

The “value” attribute of the SAMLResponse input carries the SAML 2.0 token (shortened in the example for readability).

You can Base64-decode the value and get the SAML assertion.
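The following Python script is an added example, not code from the article or from WSO2. It puts the two curl calls and the decoding step into one client: it builds the Basic or Bearer authorization header, calls /samlsso?spEntityID=... on an Identity Server (fetch_saml_response_html is written but not exercised offline), pulls the SAMLResponse hidden input out of the auto-submit HTML page, Base64-decodes it, and then does the checks a service provider consuming that assertion should do before trusting it: Success status, audience restriction, NotBefore/NotOnOrAfter window, and presence of an XML signature. Signature presence is only detected here, not cryptographically verified; the sample SAML response, issuer name, NameID and timestamps are constructed for the offline run, and unlike the article's curl -k, the fetch helper verifies the server certificate (pass cafile for a self-signed development certificate).

```python
import base64
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import quote
from urllib.request import Request, urlopen

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"saml2p": SAML2P, "saml2": SAML2, "ds": DS}


def basic_auth_header(username, password):
    """Same header the article's first curl command sends (admin:admin -> YWRtaW46YWRtaW4=)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def bearer_auth_header(access_token):
    """Header for the OAuth variant (article's second curl command)."""
    return {"Authorization": f"Bearer {access_token}"}


def fetch_saml_response_html(base_url, sp_entity_id, headers, cafile=None):
    """GET <base_url>/samlsso?spEntityID=<issuer> with request path auth; returns the HTML body.
    Certificate verification stays on; cafile points at the IS certificate when it is self-signed."""
    url = f"{base_url}/samlsso?spEntityID={quote(sp_entity_id, safe='')}"
    ctx = ssl.create_default_context(cafile=cafile)
    with urlopen(Request(url, headers=headers), context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


class _HiddenInputParser(HTMLParser):
    """Collects <input type='hidden' name=... value=...> fields from the auto-submit page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def extract_saml_response(html):
    parser = _HiddenInputParser()
    parser.feed(html)
    return parser.fields["SAMLResponse"]


def decode_saml_response(b64_value):
    """The article's 'Base64 decode the value' step."""
    return base64.b64decode(b64_value).decode("utf-8")


def parse_saml_timestamp(value):
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value}")


def summarize_assertion(xml_text):
    """Pull the fields a relying party needs to validate out of a saml2p:Response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion in Response")
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    cond = assertion.find("saml2:Conditions", NS)
    ts = lambda attr: parse_saml_timestamp(cond.get(attr)) if cond is not None and cond.get(attr) else None
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": assertion.findtext("saml2:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
        "audiences": [a.text for a in assertion.findall(
            "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)],
        "not_before": ts("NotBefore"),
        "not_on_or_after": ts("NotOnOrAfter"),
        # presence only: real verification needs an XML-DSig library and the IdP certificate
        "signed": root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None,
    }


def check_assertion(summary, expected_audience, now):
    """Return the list of reasons a service provider should reject this assertion (empty = accept)."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append(f"status is {summary['status']}")
    if expected_audience not in summary["audiences"]:
        problems.append("audience restriction does not include this service provider")
    if summary["not_before"] and now < summary["not_before"]:
        problems.append("assertion not yet valid")
    if summary["not_on_or_after"] and now >= summary["not_on_or_after"]:
        problems.append("assertion has expired")
    if not summary["signed"]:
        problems.append("assertion is not signed")
    return problems


# Constructed sample (not captured from a real IS): unsigned, five-minute validity window.
SAMPLE_SAML_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="{SAML2P}" ID="_resp1" Version="2.0" IssueInstant="2017-11-21T10:00:00.000Z"
    Destination="http://localhost:8080/travelocity.com">
  <saml2:Issuer xmlns:saml2="{SAML2}">localhost</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0" IssueInstant="2017-11-21T10:00:00.000Z">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2:Subject><saml2:NameID>admin</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2017-11-21T10:00:00.000Z" NotOnOrAfter="2017-11-21T10:05:00.000Z">
      <saml2:AudienceRestriction><saml2:Audience>travelocity.com</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def build_sample_html():
    """Constructed stand-in for the auto-submit page the article shows."""
    b64 = base64.b64encode(SAMPLE_SAML_RESPONSE.encode()).decode()
    return ("<html><body><form method='post' action='http://localhost:8080/travelocity.com'>"
            f"<input type='hidden' name='SAMLResponse' value='{b64}' />"
            "<button type='submit'>POST</button></form></body></html>")


if __name__ == "__main__":
    summary = summarize_assertion(decode_saml_response(extract_saml_response(build_sample_html())))
    print(summary)
    print(check_assertion(summary, "travelocity.com", parse_saml_timestamp("2017-11-21T10:02:00Z")))
```

Against a live server, replace build_sample_html() with fetch_saml_response_html("https://localhost:9443", "travelocity.com", basic_auth_header("admin", "admin"), cafile="path/to/is-cert.pem"); an assertion that check_assertion flags as unsigned, expired or addressed to another audience must not be accepted by the service provider, however it was obtained.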

