December 8, 2016

SAML Assertion Query/Request Profile- WSO2 IS Client Configuration

10:12 AM Unknown assertion, client, IS, saml2.0, soap, WSO2 No comments

In this post I will explain you how to test Assertion Query/Request profile feature in WSO2 Identity server v 5.3.0 and onward.First you need to clone or download client application from the below git repository.
https://github.com/gayangithub/wso2-is-assertion-query-client

Start Identity Server, select Service Providers---> Add and create new service provider. Here I create travelocity.com as service provider.

WSO2 IS Create Service Provider

Now go to Home > Manage > Keystores > List and click on import cert. Browse to below path and import certificate into Identity Server.

CERTIFICATE_FILE_PATH : wso2-is-assertion-query-client\src\test\resources\soa.cert

Now you need to configure newely created service provider. So go to Home> Identity > Service Providers > List> SAML SSO Configuration and add aseertion consumers URL, certificate alias and so on as below.

Configure service Provider

Go to WSO2IS_HOME/repository/conf/identity/identity.xml and check the Assertion builder class. For this profile we use custom assertion builder which has capability to persist Assertions on database.Check for SAMLSSOAssertionBuilder element and value should be org.wso2.carbon.identity.sso.saml.builders.assertion.ExtendedDefaultAssertionBuilder

When users login, created assertions persist in IDN_SAML2_ASSERTION_STORE table on H2 database. You can verify, is that table available on database server referring below tutorial. http://www.vitharana.org/2012/04/how-to-browse-h2-database-of-wso2.html

You can try a test login using travelocity.com service provide by accessing this URL

https://localhost:9443/samlsso?spEntityID=travelocity.com with 'admin' username and 'admin' password. Check database for newely created assertion.

Assertion Query Request feature support below request message types.

1. AssertionID Request - require to store assertions
2. AttributeQuery - not required to store assertions
3. AuthnQuery - required
4. AuthzDecision - required
5. SubjectQuery -not required

Now we are ready to test a scenario. I select AssertionID Request to test. Now open above repository source codes using your IDE and go to wso2-is-assertion-query-client\src\test\java\org\wso2\carbon\identity\query\saml\test . Open SAMLAssertionIDRequestClient.java

Copy a AssertionID from your database--> table-->column IDN_SAML2_ASSERTION_STORE.SAML2_ID and assign value to ASSERTION_ID variable in above class. Run the main() of SAMLAssertionIDRequestClient class.

Here you can see generated request message.

And the response message from IS

As above you can try other messages also with changing SessionIndex, subject, attributes and so on.

SAML2 Assertion Query Request / Response Messages - part 3

5:01 AM Unknown assertion, authzdecision, error, gayan, GSoc, GSoc2016, identity provide, identity server, IS, JAVA, liyanaarachchi, query, request, response, SAML, WSO2 No comments

AuthzDecision Query is used to determine some actions on some resources be allowed to a particular subject. This request message present Evidence such as AssertionIDRef , Assertion to verify subject.

AuthzDecision Query Request Message

AuthzDecision Query Response Message

Customized Error Response Message

IDP must return Response message for each and every request which received from the SP. IDP can report errors in request message or server failures of it self.

Invalid Issuer Error Response

Invalid SAML Version Error Response

Invalid Subject Error Response

Invalid SessionIndex or Auth-Context Error Response

SAML2 Assertion Query Request / Response Messages - part 2

4:44 AM Unknown assertion, authnquery, gayan, GSoc, GSoc2016, identity provide, identity server, IS, JAVA, liyanaarachchi, request, response, SAML, sessionindex, WSO2 No comments

AuthnQuery Request message is used to check Assertions which match with given Subject and Authentication statements such as SessionIndex, Auth-context.

AuthnQuery-SessionIndex Request Message

AuthnQuery-SessionIndex Response Message

AuthnQuery-AuthContext Request Message

AuthnQuery-AuthContext Response Message

SAML2 Assertion Query Request / Response Messages - part 1

12:27 AM Unknown assertion, attribute, gayan, GSoc, GSoc2016, identity provide, identity server, IS, JAVA, liyanaarachchi, request, response, SAML, WSO2 No comments

Service Providers are able to query dynamic or existing assertions from Identity Provider by following SAML2 specification, using standard request messages.Identity Provider need to issue Response message for each request. If the request message contains errors, then IDP should add error status and message into the Response message.Response message may contain one or more assertions or no any assertion.

Attribute Query Request Message

Attribute Query Response Message

AssertionIDRequest Request Message

AssertionIDRequest Response Message

GSoC 2016 : SAML Assertion Query/Request Profile support for WSO2 Identity Server

7:24 PM Unknown assertion, GSoc2016, identity server, JAVA, profile, query, SAML, WSO2 No comments

Introduction

WSO2 Identity Server is an open standards based Identity and Access Management system. It supports some of the major SAML2 based profiles such as Web Browser based SAML2 SSO, Single logout, Basic attribute profile and also WS-Trust. Therefore Identity Server issues SAML2 Assertion to requested entities. It can act as “SAML Authority” according specification. Although Identity Server can issue SAML2 Assertions based on various standards, currently it does not support for Assertion Query/Request Profile. So, implementing this profile, will add more value to Identity Server. "Assertion Query/Request Profile" defines a protocol for requesting dynamic or existing Assertions from SAML Authority by reference or by querying on the basis of a subject and additional statement-specific criteria. Assertion Query/Request Profile is based on five Assertion request messages.

Workload

Assertion Request Messages Processing

SAML Authority (WSO2 Identity Server) receive five types of requests to query Assertions. I Implemented new component with service end point to receive these request messages and validate messages. Then according to the request message type query assertions from databases, build response message and return response message to requester.

Assertion Store Feature in WSO2 Identity Server

I implemented custom assertion builder to persist assertions before return assertions to the Service Providers.

Code Contribution

PR-inbound-auth-saml

(SAML Assertion Query Profile as a component)

PR-product-is

(Integration Tests)

PR-carbon-identity-framework

(Assertion Persistence Feature)

Commits-personal repository

(SAML Assertion Query Profile Implementation )

Future Works

WSO2 Identity Server does not support to persist assertions in database. So writing new component to store assertions and mount a new table for assertions in carbon-identity-framework is challengeable. The technique of storing assertions is directly affect server performance. So it is required to use cache and background processes to reduce server delay on read and writes as a future work.

Useful Links

Final Documentation

Presentation

Dev Mail Thread

Architecture Mail Thread
Jira Feature

Conclusion

I would like to thank my mentor Omindu Rathnaweera, Asela Pathberiya and WSO2 IS team for the great support and help they provided for the success of this project. Thank you very much Google for the great opportunity given to me.

SAML2.0 Assertion Query/Request Profile - Introduction

6:38 PM Unknown assertion, authentication, client, gayan, GSoc, identity provide, identity server, idp, liyanaarachchi, open source, other, principal, redirects, SAML, service provider, sp, SSO, technical, WSO2 No comments

What is SAML

SAML is the short form of Security Assertion Markup Language. It is a universal standard for authentication request messages and response messages. SAML consist with two profiles

Active Profile - Process through web browser using redirects
Passive Profile - Process directly using API calls (Mostly in mobile applications)

Use case of SSO with SAML is when a Service Provider (SP) has multiple services (Example Google has Gmail, Google Drive, Keep, Google Doc and etc.) users had to logging several times for that services with different credentials. So it is bad experience. Then service provider had to keep multiple database instances to manage users for multiple services. It is worst design for administrative tasks. Security issues can be occur at service provider’s methodology. So SSO separate user credential information from service provider and add it to a separate server called Identity Provider (IDP).It holds user credentials, user roles on multiple services of particular Service provider and other attributes of user like email, contact no, date of register and etc. Service providers can have multiple IDPs and identity provides can have multiple service providers.

Message Flow

According to the order of initiating authentication process there are two types.

IDP Initiative – client directly contact IDP then SP
SP Initiative – client connect with SP first and redirect to IDP

SAML is better for authentication message passing because it eliminate opportunities to phishing attack, eliminate administrative effort, high level of binding with different entities.

SAML Response is consist with Assertion. This SAML response has two sections

Payload format – Content of the message (receiver, sender, signature, user’s attributes and etc.)
Transport format – Relevant information for message transport (IP addresses, protocols, status)

There are three major components are used for SSO functionality with SAML standard.
1. Client/Principal
2. Service Provider (SP)
3. Identity Provider (IDP)

Information flow of client

Information flow of IDP

Information flow of SP

Assertion is a part of the Response message. We can discuss about Assertion in next tutorial.

Install Oracle 12c in Linux(Ubuntu 14.04)

7:33 AM Unknown 12c, 14.04, configure, database, gayan, install, linux, liyanaarachchi, object, Oracle, SQL, sudo, ubuntu No comments

Installation Process

As the first step to install Oracle12c you need to make your Unix system up to date. So run below commands to upgrade packages in your computer. Open your terminal by pressing ALT+CTRL+T at same time.

sudo apt-get update

sudo apt-get dist-upgrade

sudo reboot

Now your computer will restart. After completing above commands your computer has newest version of repositories and packages.

Now you need to install dependencies for the Oracle package. You can complete that process by below command.

sudo apt-get -y install alien binutils build-essential \

cpp-4.4 debhelper g++-4.4 gawk gcc-4.4 gcc-4.4-base \

gettext html2text lib32z1 lib32ncurses5 intltool-debian \

ksh lib32z1-dev libaio-dev libaio1 libbeecrypt7 libc6 \

libc6-dev libc6-dev-i386 libelf-dev libelf1 libltdl-dev \

libltdl7 libmotif4 libodbcinstq4-1 libodbcinstq4-1:i386 \

libqt4-core libqt4-gui libsqlite3-0 libstdc++5 libstdc++6 \

libstdc++6-4.4-dev lsb lsb-core lsb-cxx lsb-desktop \

lsb-graphics make odbcinst pax po-debconf rpm \

rpm-common sysstat unixodbc unixodbc-dev unzip

installing dependencies

A special requirement in Oracle installation package is you can’t install it using root user. So you need to create non-root user with permission for directories. Create secondary user with below commands. To run these commands you need to be root/root equivalent to user. For that run below command.

sudo su

sudo addgroup oinstall

sudo addgroup dba

sudo addgroup nobody

sudo usermod -g nobody nobody

sudo useradd -g oinstall -G dba -p password -d /home/oracle -s /bin/bash oracle

sudo mkdir /home/oracle

sudo chown -R oracle:dba /home/oracle

sudo mkdir -p /u01/app/oracle

sudo mkdir -p /u01/binaries

sudo chown -R oracle:dba /u01

sudo passwd oracle

If you are done upto this point now you need to configure kernel parameters and resource limits.

echo 'Red Hat Linux release 6' | sudo tee -a /etc/redhat-release

sudo mkdir /usr/lib64

sudo ln -s /etc /etc/rc.d

sudo ln -s /lib/x86_64-linux-gnu/libgcc_s.so.1 /lib64/

sudo ln -s /usr/bin/awk /bin/awk

sudo ln -s /usr/bin/basename /bin/basename

sudo ln -s /usr/bin/rpm /bin/rpm

sudo ln -s /usr/lib/x86_64-linux-gnu/libc_nonshared.a /usr/lib64/

sudo ln -s /usr/lib/x86_64-linux-gnu/libpthread_nonshared.a /usr/lib64/

sudo ln -s /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /lib64/

sudo ln -s /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/lib64/

sudo cp /etc/security/limits.conf /etc/security/limits.conf.original

echo "#Oracle 12C shell limits:" | sudo tee -a /etc/security/limits.conf

echo "oracle soft nproc 2048" | sudo tee -a /etc/security/limits.conf

echo "oracle hard nproc 16384"| sudo tee -a /etc/security/limits.conf

echo "oracle soft nofile 1024" | sudo tee -a /etc/security/limits.conf

echo "oracle hard nofile 65536" | sudo tee -a /etc/security/limits.conf

echo "#" | sudo tee -a /etc/sysctl.conf

echo "# Oracle 12C entries" | sudo tee -a /etc/sysctl.conf

echo "fs.aio-max-nr=1048576" | sudo tee -a /etc/sysctl.conf

echo "fs.file-max=6815744" | sudo tee -a /etc/sysctl.conf

echo "kernel.shmall=2097152" | sudo tee -a /etc/sysctl.conf

echo "kernel.shmmni=4096" | sudo tee -a /etc/sysctl.conf

echo "kernel.sem=250 32000 100 128" | sudo tee -a /etc/sysctl.conf

echo "net.ipv4.ip_local_port_range=9000 65500" | sudo tee -a /etc/sysctl.conf

echo "net.core.rmem_default=262144" | sudo tee -a /etc/sysctl.conf

echo "net.core.rmem_max=4194304" | sudo tee -a /etc/sysctl.conf

echo "net.core.wmem_default=262144" | sudo tee -a /etc/sysctl.conf

echo "net.core.wmem_max=1048586" | sudo tee -a /etc/sysctl.conf

Below command is specifying how much of physical memory you allocate for oracle processes. In this case it allocate 1GB in byte.

echo "kernel.shmmax=1073741824" | sudo tee -a /etc/sysctl.conf

You can see parameters you set using below command.

sudo sysctl –p

You need to change start-up script, for that run below command

for i in 0 1 2 3 4 5 6 S

do sudo ln -s /etc/rc$i.d /etc/rc.d/rc$i.d

done

Now your system is well configured for Oracle installation. You need to download Oracle setup file from oracle website. Please keep in mind to download Linux x86-64 distribution. Now you need to extract downloaded zip files.

cd /u01/binaries

cp  /linuxamd64_12102_database_se2_*of2.zip ./

unzip linuxamd64_12102_database_se2_1of2.zip

unzip linuxamd64_12102_database_se2_2of2.zip

 Before doing installation we need to grant permission to the user.For that run below command.

chown -Rf oracle:dba /u01/binaries

Now you need to switch to non root user. For that logoff and login as newly created oracle user.

After login run below command.

run installer

cd /u01/binaries/database

/u01/binaries/database/runInstaller –ignoreSysPrereqs

Now it will open a graphical interface for further configurations. At first it ask for your email address for support. It is optional to provide it .Move to next.

For The Installation Option select create and configure database.

For the System Class select desktop class or server class.It is better if you select server class.

For the Typical Installation select OSDBA as dba and select create container database and provide name for that database. You need to provide administrative passwords here. Keep it in mind.

Move to next step of installation.

You will get a error at 59% saying error in invoking target…. .For that you need to log into your root user without logoff oracle user and do some modifications in files.

59% error

Hint: Search for uppercase constant in below images and easily find the place and do required modification.

gedit /u01/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ins_rdbms.mk

gedit /u01/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/env_rdbms.mk

gedit /u01/app/oracle/product/12.1.0/dbhome_1/network/lib/ins_net_server.mk

Login to oracle user and press retry option in error message. Now error need to be disappear. It will prompt you to execute two script files. Run them as root user. Then finish the installation.

From here after you need to create a database. So move do below path and run given application.

Here you need to provide global database name

Select default listener and press next.

Here you need to enable archiving option.

Select character set as Unicode. Its better to keep default configurations.

Select create database.

Let application to complete process.

Now you have configured database management system and a database. you need to have flash configured to view Oracle GUI through your web browser.

Now type this URL on your browser

https://:5500/em

Provide username as SYS and your administrative password here to login.

After restart you need to run below commands.

To start listener:

export ORACLE_BASE=/u01/app/oracle

export ORACLE_HOME=/u01/app/oracle/product/12.1.0/dbhome_1

export ORACLE_OWNR=oracle

export PATH=$PATH:$ORACLE_HOME/bin

export ORACLE_SID=orcl

$ORACLE_HOME/bin/lsnrctl start

To start database:

sqlplus /nolog

connect sys as sysdba

STARTUP;

EXIT;

To stop database:

sqlplus /nolog

connect sys as sysdba

SHUTDOWN;

EXIT;

To stop listener:

$ORACLE_HOME/bin/lsnrctl stop