How to validate WS-Federation SAML tokens with Java Service Provider

StackOverflow https://stackoverflow.com/questions/16311625

Question

I am working on a project that uses ws_federation and SAML to authenticate to a Identity Provider running on a IIS server running on .net called thinktecture

I need to write a Java Service Provider that sends a SAML authentication request to the Identity Provider and get the SAML response back on my java web app.

I need to know if there are any good libraries to validate SAML and mabye some direction on setting it up or links to a tutorial on getting started. I have tries spring_security-saml_extensions, but I keep getting errors when I try to put my Identitiy Providers meta-data link into the config files.

Any help would be greatly appreciated!

Also: It would be great if the solution could be integrated into an existing java web application!

Some Additional info:

Below is the XML I can get from the response returned by the IDP in my SP I am working on I was under the impression that this was a SAML token.

<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse Context="rm=0&amp;id=passive&amp;ru=%2fApplicant%2fMyAccount%2fHome">
    <trust:Lifetime>
        <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T19:37:18.399Z</wsu:Created>
        <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T20:07:18.399Z</wsu:Expires>
    </trust:Lifetime>
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>https://[SP Server]/</wsa:Address>
        </wsa:EndpointReference>
    </wsp:AppliesTo>
    <trust:RequestedSecurityToken>
        <Assertion ID="_b4c87094-9557-419f-92fd-714a2b9cd8af" IssueInstant="2013-04-17T19:37:18.399Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
            <Issuer>http://[IDP Server]/trust/idp</Issuer>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                    <Reference URI="#_b4c87094-9557-419f-92fd-714a2b9cd8af">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <DigestValue>pVpyzVN6Cz7NRNsp+jSVQP4ILt1J8y/4KBPzAtbllMg=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>NnTCfQE7p1FmrdbmYk+wRpbaZ5Rr4Opk67mI2Y6+PTdQlUErv5Bt8C/iBA398CwAgZyREqZfobd47QnxZYOvnFjiMSsQAndmPejZ9PEGwdu8hVrYyhV2VpcPtcaew/tOGWBvTdUKH5YjGmTHLtLxny0WaGYIquYVWoO3S68duy6DWXr/rxMzOEjNhY3s/3alCYMSYqDrhB8jKY8M9M2jruZa2KjIziumW6bzksizYSEFAcn4LfVhACaucrBAVch+r31vKAxO0BpkU7wSRBTaQV+/ALmA1HJAVO/mecujHJnhpizF4GDNdsnbIxck3r/2X9gt7WgMhfwBW+6Xvd2whQ==</SignatureValue>
                <KeyInfo>
                    <X509Data>
                        <X509Certificate>MIIC5TCCAc2gAwIBAgIQSuU/gl5tP49ARSN2SkVRKzANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwHhcNMTAxMDAxMTI1MjUxWhcNMjAwOTI4MTI1MjUxWjAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgytRM5b2B35ydz+zxt59fklaT02z4AXUd9zm3h7Clq8LZYPMYvHOkzv7tgY38rD+NvmELAzeESBTbHN/wJyFkVbdD3mHVvE/vARGLxZB1lx+JN+gNjrrXT90FQtyWEchWoUcO6eFTAUdLgLonSn7SvI7lze2YUIS9BBc0OdpZzhDnWecUA1N0c5CeMZcjxroZYTuXH1YDGqOacphtZ7TMwCV2V5i7k9Jj4xY8uuSX92l7cW+EIqoqp26XTWmfon/jvDvWe3Dhe/mdtLXKQ2Lu8KCiN+zqA91fiGwezTkoeyDrWh/8/jqoz7Ep/4BN9cNLrbk75ngiryPlGLOCQK7vAgMBAAGjJzAlMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwQHAwUAsAAAADANBgkqhkiG9w0BAQUFAAOCAQEAVTHuMl7Tr+ZAQOLf9nPbAlFabec8DFb+3jzbo4qUfGD/DYGuDg4gFNfr09s2Ft82DzXf1BQJDprRIRtrQOE8hDpOeM6c5sOXk7xKh0QjPzqE4n7ZJUP8X+NW+Zu9D7OaFSJ0/mUffw/PugoYTusfCEudrKzo2CDgtrQjaTrm7zkxksJdH/DY+YCF1g+ljpUDKR9SYwRaGQ5fj9dn+SMibhcXqDXod+BGKW9xaTo3CLFKSbMRt97LjF+P8sfnq8IGTpHqHR3pFDjdbIQ4ixRCygEpbVZJgXPvcTk2Nnvi3SyLZPeTRTGnZM0R7KMhLji2JnHYEXArC46fVwHtjLGbGw==</X509Certificate>
                    </X509Data>
                </KeyInfo>
            </Signature>
            <Subject>
                <NameID>e8f279d7-cbd8-468d-a6df-97419729fe59</NameID>
                <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
            </Subject>
            <Conditions NotBefore="2013-04-17T19:37:18.399Z" NotOnOrAfter="2013-04-17T20:07:18.399Z">
                <AudienceRestriction>
                    <Audience>https://[SP Server]</Audience>
                </AudienceRestriction>
            </Conditions>
            <AttributeStatement>
                <!-- Data from my database-->
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2013-04-17T19:37:18.337Z">
                <AuthnContext>
                    <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
                </AuthnContext>
            </AuthnStatement>
        </Assertion>
    </trust:RequestedSecurityToken>
    <trust:RequestedAttachedReference>
        <SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
        </SecurityTokenReference>
    </trust:RequestedAttachedReference>
    <trust:RequestedUnattachedReference>
        <SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
        </SecurityTokenReference>
    </trust:RequestedUnattachedReference>
    <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
    <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>

Was it helpful?

Solution

I found a great library on github that both handles validation of the SAML Token and if you are feeling adventurous is a good tutorial on how to use OpenSAML. The library is called Auth10-Java and it does a great job of breaking down SAML token validation. FYI it also handles WS-Federation protocol.

Public List<Claim> validateAuthenticationResponse(String yourToken){
    SamlTokenValidator validator = new SamlTokenValidator();

    validator.setThumbprint("thumbprint from the thinktecture idp server or what ever idp you are using");

    validator.getAudienceUris().add(new URI(“http://localhost:8080/javafederationtest”);

    //validator.setValidateExpiration(false); //This can be used to stop validation of the expiration fields in the token.

    List<Claim> claims = validator.validate(yourToken); //A Federation Exception is thrown if the token is invalid

    System.out.println(claims.toString()); //This will show the claims asserted by the token!
}

This worked great for me and better yet I am learning heaps about SAML and OpenSAML from this library! Just be sure to include all dependencies in your projects build path!

OTHER TIPS

The good news is there are open-source Java SAML stacks such as the Java Oracle OpenSSO Fedlet.

The bad news is that the IdentityServer product that you are using has no support for SAML.

It has support for SAML tokens but not the SAML protocol.

Please look at Shibboleth: http://shibboleth.net/products/service-provider.html. The easiest way to integrate Java with Shibboleth is to setup Apache httpd with Shibboleth and to take the HTTP REMOTE_USER header from the request: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall. Shibboleth is great framework and fully supports SAML protocol.

You can also use the Java code and to create SP code by yourself using OpenSAML code. OpenSAML is library used by Shibboleth (link above). The instructions how to start to develop: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoDeveloperManual

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top