September 13, 2016

SAML2 Assertion Query Request / Response Messages - part 3

An AuthzDecisionQuery is used to determine whether a particular subject is allowed to perform given actions on a given resource. The request message can present Evidence, such as an AssertionIDRef or an Assertion, that the SAML Authority uses to verify the subject.

AuthzDecision Query Request Message


AuthzDecision Query Response Message


Customized Error Response Message

The IDP must return a Response message for each and every request it receives from the SP. The IDP can report errors in the request message or failures of the server itself.

Invalid Issuer Error Response 


Invalid SAML Version Error Response 


Invalid Subject Error Response 


Invalid SessionIndex or Auth-Context Error Response 


SAML2 Assertion Query Request / Response Messages - part 2


The AuthnQuery request message is used to look up assertions that match the given Subject and authentication statement criteria such as SessionIndex and authentication context.

AuthnQuery-SessionIndex Request Message


AuthnQuery-SessionIndex Response Message


AuthnQuery-AuthContext Request Message


AuthnQuery-AuthContext Response Message


SAML2 Assertion Query Request / Response Messages - part 1


Service Providers can query dynamic or existing assertions from an Identity Provider by following the SAML2 specification, using standard request messages. The Identity Provider must issue a Response message for each request. If the request message contains errors, the IDP should add an error status and message to the Response message. A Response message may contain one or more assertions, or none at all.
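As an added example that is not from the original post or from WSO2's own code, the following Python validator covers the request checks and error statuses described here and in the Customized Error Response section above: it checks the SAML version, the Issuer against a trusted list, the Subject on subject-based queries and the requested authentication context on an AuthnQuery, then serializes a samlp:Response carrying the resulting status codes. The entity IDs, message IDs and subject name are constructed values; the status URIs are the ones defined by SAML 2.0 Core.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"  # prefix of the SAML 2.0 Core status code URIs
SUBJECT_QUERIES = {"AttributeQuery", "AuthnQuery", "AuthzDecisionQuery"}  # AssertionIDRequest has no Subject
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample: SP entity IDs this IdP trusts (hypothetical value).
TRUSTED_ISSUERS = {"https://sp.example.com/saml"}

def validate_query(xml_text, trusted_issuers=TRUSTED_ISSUERS):
    """Check a query request; return (top-level code, second-level code or None, message or None)."""
    root = ET.fromstring(xml_text)  # in production parse with defusedxml to resist entity-expansion attacks
    local_name = root.tag.split("}")[-1]
    if root.get("Version") != "2.0":
        return (STATUS + "VersionMismatch", None, "Invalid SAML version")
    if root.findtext(f"{{{SAML}}}Issuer", default="").strip() not in trusted_issuers:
        return (STATUS + "Requester", None, "Invalid Issuer")
    if local_name in SUBJECT_QUERIES:
        name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID", default="").strip()
        if not name_id:
            return (STATUS + "Requester", STATUS + "UnknownPrincipal", "Invalid Subject")
    if local_name == "AuthnQuery":  # a RequestedAuthnContext without any class reference is unusable
        ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
        if ctx is not None and ctx.find(f"{{{SAML}}}AuthnContextClassRef") is None:
            return (STATUS + "Responder", STATUS + "NoAuthnContext", "Invalid Auth-Context")
    return (STATUS + "Success", None, None)

def build_response(request_id, idp_entity_id, status):
    """Serialize a samlp:Response that carries only a Status block (an error response holds no assertions)."""
    top, sub, message = status
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_placeholder_response_id", Version="2.0",
                      IssueInstant="2016-09-13T00:00:00Z", InResponseTo=request_id)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    st = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(st, f"{{{SAMLP}}}StatusCode", Value=top)
    if sub:  # the second-level code nests inside the top-level StatusCode
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=sub)
    if message:
        ET.SubElement(st, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")

# Constructed AuthnQuery carrying a SessionIndex (hypothetical issuer, IDs and subject).
SAMPLE_AUTHN_QUERY = f"""<samlp:AuthnQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_q1"
  Version="2.0" IssueInstant="2016-09-13T00:00:00Z" SessionIndex="_s1">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnQuery>"""
```

Calling `build_response("_q1", "https://idp.example.com/saml", validate_query(SAMPLE_AUTHN_QUERY))` yields a Response with a Success status; swapping the issuer, version or subject in the sample yields the corresponding error Response.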

Attribute Query Request Message


Attribute Query Response Message


AssertionIDRequest Request Message


AssertionIDRequest Response Message

August 23, 2016

GSoC 2016 : SAML Assertion Query/Request Profile support for WSO2 Identity Server

Introduction

WSO2 Identity Server is an open-standards-based Identity and Access Management system. It supports several of the major SAML2-based profiles, such as Web Browser SAML2 SSO, Single Logout and the Basic Attribute Profile, as well as WS-Trust. Identity Server therefore issues SAML2 Assertions to requesting entities and can act as a "SAML Authority" according to the specification. Although Identity Server can issue SAML2 Assertions based on various standards, it currently does not support the Assertion Query/Request Profile, so implementing this profile adds more value to Identity Server. The "Assertion Query/Request Profile" defines a protocol for requesting dynamic or existing Assertions from a SAML Authority by reference, or by querying on the basis of a subject and additional statement-specific criteria. The Assertion Query/Request Profile is based on five Assertion request messages.

Workload

Assertion Request Messages Processing

The SAML Authority (WSO2 Identity Server) receives five types of requests to query Assertions. I implemented a new component with a service endpoint to receive and validate these request messages. Then, according to the request message type, it queries assertions from the database, builds a response message and returns it to the requester.

Assertion Store Feature in WSO2 Identity Server

I implemented a custom assertion builder to persist assertions before they are returned to the Service Providers.

Code Contribution

(SAML Assertion Query Profile as a component)
 (Integration Tests)
 (Assertion Persistence Feature)
(SAML Assertion Query Profile Implementation )

Future Works

WSO2 Identity Server does not support persisting assertions in a database, so writing a new component to store assertions and adding a new table for assertions in carbon-identity-framework is challenging. The technique used to store assertions directly affects server performance, so as future work, a cache and background processes are needed to reduce server delay on reads and writes.


Useful Links



Conclusion

I would like to thank my mentor Omindu Rathnaweera,  Asela Pathberiya and WSO2 IS team for the great support and help they provided for the success of this project. Thank you very much Google for the great opportunity given to me.