December 8, 2016

SAML Assertion Query/Request Profile - WSO2 IS Client Configuration


In this post I will explain how to test the Assertion Query/Request profile feature in WSO2 Identity Server v5.3.0 and onward. First you need to clone or download the client application from the git repository below.
https://github.com/gayangithub/wso2-is-assertion-query-client

Start the Identity Server, select Service Providers ---> Add and create a new service provider. Here I create travelocity.com as the service provider.
WSO2 IS Create Service Provider 
Now go to Home > Manage > Keystores > List and click on Import Cert. Browse to the path below and import the certificate into the Identity Server.

CERTIFICATE_FILE_PATH : wso2-is-assertion-query-client\src\test\resources\soa.cert

Now you need to configure the newly created service provider. Go to Home > Identity > Service Providers > List > SAML SSO Configuration and add the assertion consumer URL, certificate alias and so on as shown below.
Configure service Provider
Go to WSO2IS_HOME/repository/conf/identity/identity.xml and check the assertion builder class. For this profile we use a custom assertion builder that can persist assertions to the database. Check for the SAMLSSOAssertionBuilder element; its value should be org.wso2.carbon.identity.sso.saml.builders.assertion.ExtendedDefaultAssertionBuilder
When users log in, the created assertions are persisted in the IDN_SAML2_ASSERTION_STORE table in the H2 database. You can verify that the table exists on the database server by referring to the tutorial below. http://www.vitharana.org/2012/04/how-to-browse-h2-database-of-wso2.html

You can try a test login using the travelocity.com service provider by accessing the URL
https://localhost:9443/samlsso?spEntityID=travelocity.com with username 'admin' and password 'admin'. Check the database for the newly created assertion.
The Assertion Query/Request feature supports the request message types below.

1. AssertionID Request - requires assertions to be stored
2. AttributeQuery - does not require stored assertions
3. AuthnQuery - requires stored assertions
4. AuthzDecision - requires stored assertions
5. SubjectQuery - does not require stored assertions


Now we are ready to test a scenario. I select AssertionID Request to test. Open the source code of the repository above in your IDE and go to wso2-is-assertion-query-client\src\test\java\org\wso2\carbon\identity\query\saml\test. Open SAMLAssertionIDRequestClient.java.
Copy an assertion ID from your database (table IDN_SAML2_ASSERTION_STORE, column SAML2_ID) and assign the value to the ASSERTION_ID variable in the above class. Run the main() of the SAMLAssertionIDRequestClient class.
Here you can see the generated request message.
And the response message from the IS.

As above, you can try the other messages too by changing the SessionIndex, subject, attributes and so on.

September 13, 2016

SAML2 Assertion Query Request / Response Messages - part 3

An AuthzDecision Query is used to determine whether certain actions on certain resources are allowed for a particular subject. The request message presents Evidence, such as an AssertionIDRef or an Assertion, to verify the subject.

AuthzDecision Query Request Message


AuthzDecision Query Response Message


Customized Error Response Message

The IdP must return a Response message for each and every request it receives from the SP. The IdP can report errors in the request message or failures of the server itself.

Invalid Issuer Error Response 


Invalid SAML Version Error Response 


Invalid Subject Error Response 


Invalid SessionIndex or Auth-Context Error Response 


SAML2 Assertion Query Request / Response Messages - part 2


An AuthnQuery request message is used to check for assertions that match the given Subject and authentication statements such as SessionIndex and authentication context.

AuthnQuery-SessionIndex Request Message


AuthnQuery-SessionIndex Response Message


AuthnQuery-AuthContext Request Message


AuthnQuery-AuthContext Response Message


SAML2 Assertion Query Request / Response Messages - part 1


Service providers are able to query dynamic or existing assertions from the identity provider by following the SAML2 specification, using standard request messages. The identity provider needs to issue a Response message for each request. If the request message contains errors, the IdP should add the error status and message to the Response message. A Response message may contain one or more assertions, or no assertion at all.
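As an added example (not code from this post or from the linked client project), here is the exchange described above in Python: build an unsigned AssertionIDRequest like the one the client sends, and check the IdP's Response the way an SP should, verifying InResponseTo and the Status before counting any returned assertions; it also shows how the error responses listed in part 3 surface as a nested StatusCode plus StatusMessage. The two sample responses are constructed here, not captured from a real Identity Server, and request signing (which the client project handles) is left out.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_assertion_id_request(issuer, assertion_ids):
    """Build an unsigned samlp:AssertionIDRequest referencing stored assertion IDs."""
    req = ET.Element(f"{{{SAMLP}}}AssertionIDRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    for aid in assertion_ids:
        ET.SubElement(req, f"{{{SAML}}}AssertionIDRef").text = aid
    return ET.tostring(req, encoding="unicode")


def parse_query_response(xml_text, expected_request_id):
    """Return (ok, status_code, status_message, assertion_count) for a samlp:Response.
    ok is True only if InResponseTo matches our request ID and the top-level
    StatusCode is Success; a nested StatusCode is the IdP's more specific error."""
    root = ET.fromstring(xml_text)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    nested = top.find(f"{{{SAMLP}}}StatusCode")
    code = nested.get("Value") if nested is not None else top.get("Value")
    msg = root.findtext(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage", default="")
    ok = root.get("InResponseTo") == expected_request_id and top.get("Value") == SUCCESS
    return ok, code, msg, len(root.findall(f"{{{SAML}}}Assertion"))


# Constructed sample responses (not captured from a real Identity Server).
SAMPLE_SUCCESS = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r1" Version="2.0" InResponseTo="_q1" IssueInstant="2016-12-08T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-12-08T09:00:00Z">
    <saml:Issuer>localhost</saml:Issuer></saml:Assertion>
</samlp:Response>"""
SAMPLE_ERROR = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0"
  InResponseTo="_q1" IssueInstant="2016-12-08T10:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Invalid Issuer</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
```

A real SP would additionally verify the XML signature on the Response and on each returned Assertion before relying on their contents.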

Attribute Query Request Message


Attribute Query Response Message


AssertionIDRequest Request Message


AssertionIDRequest Response Message