Introduction
WSO2 Identity Server is an open-standards-based Identity and Access Management system. It supports some of the major SAML2-based profiles, such as Web Browser based SAML2 SSO, Single Logout and the Basic Attribute Profile, as well as WS-Trust. Identity Server therefore issues SAML2 Assertions to requesting entities and can act as a “SAML Authority” according to the specification. Although Identity Server can issue SAML2 Assertions based on various standards, it does not currently support the Assertion Query/Request Profile, so implementing this profile will add more value to Identity Server. The "Assertion Query/Request Profile" defines a protocol for requesting dynamic or existing Assertions from a SAML Authority by reference, or by querying on the basis of a subject and additional statement-specific criteria. The Assertion Query/Request Profile is based on five Assertion request messages.
Workload
Assertion Request Messages Processing
The SAML Authority (WSO2 Identity Server) receives five types of requests to query Assertions. I implemented a new component with a service endpoint to receive these request messages and validate them. Then, according to the request message type, it queries assertions from the databases, builds a response message and returns the response message to the requester.
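The validate-then-dispatch step described above, as an added Python sketch; it is not the WSO2 component's code. The five element names come from the SAML 2.0 Core specification rather than this page, and the sample messages, issuer URL and checks chosen here are assumptions of the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Request element names as defined in SAML 2.0 Core (not listed on this page).
SUBJECT_QUERIES = {"SubjectQuery", "AuthnQuery", "AttributeQuery", "AuthzDecisionQuery"}


def classify_request(xml_text):
    """Structurally validate a request; return (kind, issuer, lookup_key).

    Signature verification and issuer trust checks are separate steps
    that this example does not perform.
    """
    # SAML messages never need a DTD; refusing one blocks entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed")
    root = ET.fromstring(xml_text)
    ns, _, kind = root.tag[1:].partition("}")
    if ns != SAMLP or kind not in SUBJECT_QUERIES | {"AssertionIDRequest"}:
        raise ValueError("not a SAML 2.0 assertion query/request")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported Version")
    if not root.get("ID") or not root.get("IssueInstant"):
        raise ValueError("missing ID or IssueInstant")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if not issuer:  # this example requires an Issuer on every request
        raise ValueError("missing Issuer")
    if kind == "AssertionIDRequest":  # lookup by reference
        refs = [e.text.strip() for e in root.findall(f"{{{SAML}}}AssertionIDRef") if e.text]
        if not refs:
            raise ValueError("no AssertionIDRef")
        return kind, issuer, refs
    # Lookup by subject; only a plain NameID is handled here (simplification).
    name_id = (root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") or "").strip()
    if not name_id:
        raise ValueError("missing Subject/NameID")
    return kind, issuer, name_id


# Constructed sample messages (IDs, issuer and subject are made up).
ATTR_QUERY = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_q1" Version="2.0" IssueInstant="2017-08-01T10:00:00Z">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AttributeQuery>"""
ID_REQUEST = f"""<samlp:AssertionIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_q2" Version="2.0" IssueInstant="2017-08-01T10:00:05Z">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <saml:AssertionIDRef>_a75adf55</saml:AssertionIDRef>
</samlp:AssertionIDRequest>"""

if __name__ == "__main__":
    for msg in (ATTR_QUERY, ID_REQUEST):
        print(classify_request(msg))
```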
Assertion Store Feature in WSO2 Identity Server
I implemented a custom assertion builder to persist assertions before returning them to the Service Providers.
Code Contribution
(SAML Assertion Query Profile as a component)
(Integration Tests)
(Assertion Persistence Feature)
(SAML Assertion Query Profile Implementation)
Future Works
WSO2 Identity Server does not support persisting assertions in a database, so writing a new component to store assertions and mounting a new table for assertions in carbon-identity-framework is challenging. The technique used to store assertions directly affects server performance, so as future work it is required to use a cache and background processes to reduce server delay on reads and writes.
Useful Links
Conclusion
I would like to thank my mentor Omindu Rathnaweera, Asela Pathberiya and the WSO2 IS team for the great support and help they provided for the success of this project. Thank you very much, Google, for the great opportunity given to me.