DocTeger

OpenSSO Technical Information

And a Spoonful of Music

To Make the Medicine Go Down

Sweeping SAMLv2 Assertions from the 7th Floor

The following information was just put in the Sun OpenSSO Enterprise 8.0 Administration Guide but the new version won't be published until next week. Read the information here first. (There might be some changes to this entry based on answers to questions I have sent the engineer. I will update as necessary.)

• Requesting Identity Attributes via a SAMLv2 Assertion
• Requesting a Cached SAMLv2 Assertion
• Requesting SAMLv2 Authentication Context Information
• Mapping SAMLv2 Name Identifiers

Requesting Identity Attributes via a SAMLv2 Assertion

The Assertion Query/Request profile specifies a means for requesting attributes (and the corresponding values) from a specific identity profile. A successful response is the return of an assertion containing the requested information. The identity provider acting as the attribute authority uses the com.sun.identity.saml2.plugins.AttributeAuthorityMapper to process queries. This default implementation uses the attribute map table configured in the identity provider's extended metadata; this table maps the requested SAMLv2 attributes to the user profile attributes in the identity data store. (If an attribute map is not configured, no attributes will be returned.)

To set OpenSSO to use a customized attribute mapper implementation, modify the values of the default_attributeAuthorityMapper and the x509Subject_attributeAuthorityMapper properties in the extended metadata of the provider defined as the attribute authority. The default_attributeAuthorityMapper value is used for a standard attribute queries and the x509Subject_attributeAuthorityMapper value is used for attribute queries with an X509 subject. The X509 mapper maps an X509 subject to a user by searching the identity data store for a specified attribute. (The specified attribute is defined as the value of the x509SubjectDataStoreAttrName property in the identity provider extended metadata of the attribute authority.) If the user has the specified attribute and the attribute's value is the same as that of the X509 subject in the attribute query, the user will be used.

Only SOAP binding is supported. Signing is required so make sure the Signing Certificate Alias attribute of the providers acting as the attribute requester and the attribute authority is configured.

• To send an attribute query from the requester use the method of com.sun.identity.saml2.profile.AttributeQueryUtil.
  public static Response sendAttributeQuery(
AttributeQuery attrQuery,
String attrAuthorityEntityID,
String realm,
String attrQueryProfile,
String attrProfile, String binding)
throws SAML2Exception;
• To construct an AttributeQuery object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.

Requesting a Cached SAMLv2 Assertion

The Assertion Query/Request profile specifies a means for requesting existing assertions using a unique identifier. The requester initiates the profile by sending an assertion request, referenced by the identifier, to a SAMLv2 authority. The SAMLv2 authority processes the request, checks the assertion cache for the identifier, and issues a response to the requester.

NOTE - In the metadata file of the identity provider acting as the SAMLv2 authority, add the following attribute to enable it to store assertions generated in the single sign-on, authentication query or attribute query process.

<IDPSSOConfig metaAlias="/idp">
<Attribute name="assertionCacheEnabled">
<Value>true</Value>
</Attribute>
</IDPSSOConfig>

com.sun.identity.saml2.plugins.AssertionIDRequestMapper is the default implementation used to process the assertion request. To define a customized mapper, change the value of the assertionIDRequestMapper property in the extended metadata of the provider acting as SAMLv2 attribute authority or authentication authority.

• To send a request for an assertion from a provider use either of the methods of com.sun.identity.saml2.profile.AssertionIDRequestUtil as below.

  public static Response sendAssertionIDRequest(
AssertionIDRequest assertionIDRequest,
String samlAuthorityEntityID,
String role,
String realm,
String binding)
throws SAML2Exception;

  public static Assertion sendAssertionIDRequestURI(
String assertionID,
String samlAuthorityEntityID,
String role,
String realm)
throws SAML2Exception;

• To construct an assertion request object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.* .

If SOAP binding is used, signing is required so the Signing Certificate Alias attribute of the service provider, identity provider, attribute authority and authentication authority metadata must be configured. In order to implement URI binding, you must write a custom mapper so that authenticateRequesterURI will not throw an exception.

Requesting SAMLv2 Authentication Context Information

A SAMLv2 assertion contains information regarding the context of a principal's authentication. The requesting party may require this additional information (for example, the authenticating technology or protocol used) in order to assess the level of confidence they can place in the assertion. To retrieve authentication context information, the service provider issues a query to the authentication authority.

Only SOAP binding is supported for this request And signing is required so make sure the Signing Certificate Alias attribute of the service provider and the authentication authority is configured.

To Configure for Authentication Context Query

1. Create and load the metadata for the service provider.
2. Create the metadata for the identity provider using ssoadm and specifying the following additional options.
   • -C Defines the meta Alias for the hosted authentication authority to be created. The format must be realm name/identifier.
   • -D Defines the authentication authority signing certificate alias.
   • -E Defines the authentication authority encryption certificate alias.
   For example:
   ssoadm create-metadata-templ -u amadmin -f /tmp/pw -m /home/user1/tmp/mm -x /home/usr1/tmp/xx -s /idp -a test -r test -C /authna -D test2 -E test2 -y example.com
3. Add the following attribute to the identity provider metadata file just created. This allows the identity provider to store assertions generated during the SAMLv2 single sign-on process.

   <IDPSSOConfig metaAlias="/idp">
<Attribute name="assertionCacheEnabled">
<Value>true</Value>
</Attribute>
</IDPSSOConfig>

4. Configure for SAMLv2 single sign-on.
5. Do either of the following:
   • To send an authentication query from the service provider use the com.sun.identity.saml2.profile.AuthnQueryUtil method.

     public static Response sendAuthnQuery( AuthnQuery authnQuery, String authnAuthorityEntityID, String realm, String binding) throws SAML2Exception;

   • To construct an AuthnQuery object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.

Mapping SAMLv2 Name Identifiers

The NameID Mapping Protocol allows a service provider that shares an identifier for a principal with an identity provider to obtain a name identifier for said principal in another format or that is in another federation name space (for example, is shared between the identity provider and another service provider). The requester initiates the profile by sending a NameIDMappingRequest message to the identity provider. After processing the request, the identity provider issues a NameIdMappingResponse message to the requester.

Only SOAP binding is supported. Signing is required so make sure the Signing Certificate Alias attribute of the identity provider and the service provider is configured.

To send a NameIDMappingRequest message from the service provider, use the method of the com.sun.identity.saml2.profile.NameIDMapping.

public static NameIDMappingResponse initiateNameIDMappingRequest( Object session,
String realm,
String spEntityID,
String idpEntityID,
String targetSPEntityID,
String targetNameIDFormat,
Map paramsMap) throws SAML2Exception;

And now that we are finished sweeping the floor, how about some dancing on the floor? Here's a home-made video to Paul Nicholas' number 7 hit from 1977, Heaven on the 7th Floor.

Posted at 03:14PM Nov 26, 2008 by Michael Teger in Sun  |  Comments[1]