December 8, 2016

SAML Assertion Query/Request Profile- WSO2 IS Client Configuration

10:12 AM Unknown assertion, client, IS, saml2.0, soap, WSO2 No comments

In this post I will explain you how to test Assertion Query/Request profile feature in WSO2 Identity server v 5.3.0 and onward.First you need to clone or download client application from the below git repository.
https://github.com/gayangithub/wso2-is-assertion-query-client

Start Identity Server, select Service Providers---> Add and create new service provider. Here I create travelocity.com as service provider.

WSO2 IS Create Service Provider

Now go to Home > Manage > Keystores > List and click on import cert. Browse to below path and import certificate into Identity Server.

CERTIFICATE_FILE_PATH : wso2-is-assertion-query-client\src\test\resources\soa.cert

Now you need to configure newely created service provider. So go to Home> Identity > Service Providers > List> SAML SSO Configuration and add aseertion consumers URL, certificate alias and so on as below.

Configure service Provider

Go to WSO2IS_HOME/repository/conf/identity/identity.xml and check the Assertion builder class. For this profile we use custom assertion builder which has capability to persist Assertions on database.Check for SAMLSSOAssertionBuilder element and value should be org.wso2.carbon.identity.sso.saml.builders.assertion.ExtendedDefaultAssertionBuilder

When users login, created assertions persist in IDN_SAML2_ASSERTION_STORE table on H2 database. You can verify, is that table available on database server referring below tutorial. http://www.vitharana.org/2012/04/how-to-browse-h2-database-of-wso2.html

You can try a test login using travelocity.com service provide by accessing this URL

https://localhost:9443/samlsso?spEntityID=travelocity.com with 'admin' username and 'admin' password. Check database for newely created assertion.

Assertion Query Request feature support below request message types.

1. AssertionID Request - require to store assertions
2. AttributeQuery - not required to store assertions
3. AuthnQuery - required
4. AuthzDecision - required
5. SubjectQuery -not required

Now we are ready to test a scenario. I select AssertionID Request to test. Now open above repository source codes using your IDE and go to wso2-is-assertion-query-client\src\test\java\org\wso2\carbon\identity\query\saml\test . Open SAMLAssertionIDRequestClient.java

Copy a AssertionID from your database--> table-->column IDN_SAML2_ASSERTION_STORE.SAML2_ID and assign value to ASSERTION_ID variable in above class. Run the main() of SAMLAssertionIDRequestClient class.

Here you can see generated request message.

And the response message from IS

As above you can try other messages also with changing SessionIndex, subject, attributes and so on.

SAML2 Assertion Query Request / Response Messages - part 3

5:01 AM Unknown assertion, authzdecision, error, gayan, GSoc, GSoc2016, identity provide, identity server, IS, JAVA, liyanaarachchi, query, request, response, SAML, WSO2 No comments

AuthzDecision Query is used to determine some actions on some resources be allowed to a particular subject. This request message present Evidence such as AssertionIDRef , Assertion to verify subject.

AuthzDecision Query Request Message

AuthzDecision Query Response Message

Customized Error Response Message

IDP must return Response message for each and every request which received from the SP. IDP can report errors in request message or server failures of it self.

Invalid Issuer Error Response

Invalid SAML Version Error Response

Invalid Subject Error Response

Invalid SessionIndex or Auth-Context Error Response

SAML2 Assertion Query Request / Response Messages - part 2

4:44 AM Unknown assertion, authnquery, gayan, GSoc, GSoc2016, identity provide, identity server, IS, JAVA, liyanaarachchi, request, response, SAML, sessionindex, WSO2 No comments

AuthnQuery Request message is used to check Assertions which match with given Subject and Authentication statements such as SessionIndex, Auth-context.

AuthnQuery-SessionIndex Request Message

AuthnQuery-SessionIndex Response Message

AuthnQuery-AuthContext Request Message

AuthnQuery-AuthContext Response Message

SAML2 Assertion Query Request / Response Messages - part 1

12:27 AM Unknown assertion, attribute, gayan, GSoc, GSoc2016, identity provide, identity server, IS, JAVA, liyanaarachchi, request, response, SAML, WSO2 No comments

Service Providers are able to query dynamic or existing assertions from Identity Provider by following SAML2 specification, using standard request messages.Identity Provider need to issue Response message for each request. If the request message contains errors, then IDP should add error status and message into the Response message.Response message may contain one or more assertions or no any assertion.

Attribute Query Request Message

Attribute Query Response Message

AssertionIDRequest Request Message

AssertionIDRequest Response Message

GSoC 2016 : SAML Assertion Query/Request Profile support for WSO2 Identity Server

7:24 PM Unknown assertion, GSoc2016, identity server, JAVA, profile, query, SAML, WSO2 No comments

Introduction

WSO2 Identity Server is an open standards based Identity and Access Management system. It supports some of the major SAML2 based profiles such as Web Browser based SAML2 SSO, Single logout, Basic attribute profile and also WS-Trust. Therefore Identity Server issues SAML2 Assertion to requested entities. It can act as “SAML Authority” according specification. Although Identity Server can issue SAML2 Assertions based on various standards, currently it does not support for Assertion Query/Request Profile. So, implementing this profile, will add more value to Identity Server. "Assertion Query/Request Profile" defines a protocol for requesting dynamic or existing Assertions from SAML Authority by reference or by querying on the basis of a subject and additional statement-specific criteria. Assertion Query/Request Profile is based on five Assertion request messages.

Workload

Assertion Request Messages Processing

SAML Authority (WSO2 Identity Server) receive five types of requests to query Assertions. I Implemented new component with service end point to receive these request messages and validate messages. Then according to the request message type query assertions from databases, build response message and return response message to requester.

Assertion Store Feature in WSO2 Identity Server

I implemented custom assertion builder to persist assertions before return assertions to the Service Providers.

Code Contribution

PR-inbound-auth-saml

(SAML Assertion Query Profile as a component)

PR-product-is

(Integration Tests)

PR-carbon-identity-framework

(Assertion Persistence Feature)

Commits-personal repository

(SAML Assertion Query Profile Implementation )

Future Works

WSO2 Identity Server does not support to persist assertions in database. So writing new component to store assertions and mount a new table for assertions in carbon-identity-framework is challengeable. The technique of storing assertions is directly affect server performance. So it is required to use cache and background processes to reduce server delay on read and writes as a future work.

Useful Links

Final Documentation

Presentation

Dev Mail Thread

Architecture Mail Thread
Jira Feature

Conclusion

I would like to thank my mentor Omindu Rathnaweera, Asela Pathberiya and WSO2 IS team for the great support and help they provided for the success of this project. Thank you very much Google for the great opportunity given to me.

SAML2.0 Assertion Query/Request Profile - Introduction

6:38 PM Unknown assertion, authentication, client, gayan, GSoc, identity provide, identity server, idp, liyanaarachchi, open source, other, principal, redirects, SAML, service provider, sp, SSO, technical, WSO2 No comments

What is SAML

SAML is the short form of Security Assertion Markup Language. It is a universal standard for authentication request messages and response messages. SAML consist with two profiles

Active Profile - Process through web browser using redirects
Passive Profile - Process directly using API calls (Mostly in mobile applications)

Use case of SSO with SAML is when a Service Provider (SP) has multiple services (Example Google has Gmail, Google Drive, Keep, Google Doc and etc.) users had to logging several times for that services with different credentials. So it is bad experience. Then service provider had to keep multiple database instances to manage users for multiple services. It is worst design for administrative tasks. Security issues can be occur at service provider’s methodology. So SSO separate user credential information from service provider and add it to a separate server called Identity Provider (IDP).It holds user credentials, user roles on multiple services of particular Service provider and other attributes of user like email, contact no, date of register and etc. Service providers can have multiple IDPs and identity provides can have multiple service providers.

Message Flow

According to the order of initiating authentication process there are two types.

IDP Initiative – client directly contact IDP then SP
SP Initiative – client connect with SP first and redirect to IDP

SAML is better for authentication message passing because it eliminate opportunities to phishing attack, eliminate administrative effort, high level of binding with different entities.

SAML Response is consist with Assertion. This SAML response has two sections

Payload format – Content of the message (receiver, sender, signature, user’s attributes and etc.)
Transport format – Relevant information for message transport (IP addresses, protocols, status)

There are three major components are used for SSO functionality with SAML standard.
1. Client/Principal
2. Service Provider (SP)
3. Identity Provider (IDP)

Information flow of client

Information flow of IDP

Information flow of SP

Assertion is a part of the Response message. We can discuss about Assertion in next tutorial.