SHYAM RAO

Wednesday Jul 23, 2008

How to implement SAMLAssertionValidator for custom validation of a SAML Assertion?

Metro Forum users were asking for custom validation of the SAML Token on the server side. This blog gives you an idea of how to achieve that.
For custom validation of the SAML Token on the server side, the user must implement the SAMLAssertionValidator interface.
To enable the custom validator, the following ValidatorConfiguration element has to be put in the service WSDL.
The format for defining Validator Configurations in the service WSDL is:
<sc:ValidatorConfiguration wspp:visibility="private">
    <sc:Validator name="samlAssertionValidator" classname={class name of a SAML Assertion Validator; it should implement com.sun.xml.wss.impl.callback.SAMLAssertionValidator. Partial validation (in the form of verifying the enveloped signature) occurs on the SAML Assertion within the WSIT/XWSS 3.0 Runtime even if the validator is not specified} />
</sc:ValidatorConfiguration>

In the custom validator, the following two methods of the SAMLAssertionValidator interface have to be implemented:
1) public void validate(Element domAssertion) throws SAMLValidationException;
2) public void validate(XMLStreamReader streamAssertion) throws SAMLValidationException;

The only difference between the two methods is that the first takes the SAML assertion as a DOM Element and the second takes it as an XMLStreamReader.
Note: by default, streaming security is enabled in the Metro security runtime, which calls the validate method with the SAML assertion as an XMLStreamReader.

In the implementation of the second validate method, we need to create a SAML assertion of type DOM Element from the SAML assertion of type XMLStreamReader.
For this, use the static method createSAMLAssertion(XMLStreamReader streamAssertion) of the class SAMLUtil:
Element domSamlAssertion = SAMLUtil.createSAMLAssertion(streamAssertion);

Then, create a SAML assertion object of type com.sun.xml.wss.saml.Assertion from the domSamlAssertion element above.
Here is the code snippet on how to create a SAML assertion object from the DOM element (the namespace of the root element tells us which SAML version the factory must be created for; an unknown namespace is rejected instead of being passed on as a null version):
String samlVer = null;
if (domSamlAssertion.getNamespaceURI().equals("urn:oasis:names:tc:SAML:1.0:assertion")) {
    samlVer = SAMLAssertionFactory.SAML1_1;
} else if (domSamlAssertion.getNamespaceURI().equals("urn:oasis:names:tc:SAML:2.0:assertion")) {
    samlVer = SAMLAssertionFactory.SAML2_0;
} else {
    // Fail closed: neither SAML 1.x nor SAML 2.0, so do not accept the token.
    throw new SAMLValidationException("Unsupported SAML assertion namespace: " + domSamlAssertion.getNamespaceURI());
}
SAMLAssertionFactory samlAsserFac = SAMLAssertionFactory.newInstance(samlVer);
Assertion assertion = samlAsserFac.createAssertion(domSamlAssertion);

You can refer to the com.sun.xml.wss.saml.Assertion API to see all the methods available on it.

For example, to get the Conditions values of the above SAML assertion, do the following:
Conditions cond = assertion.getConditions();
Date _notBefore = cond.getNotBeforeDate();
Date _notOnOrAfter = cond.getNotOnOrAfterDate();
Now you can compare the _notBefore and _notOnOrAfter dates with the current time to complete the Conditions validation.
In the same way, you can use the other methods of the com.sun.xml.wss.saml.Assertion API to validate the other elements of the SAML assertion.
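Putting the steps above together, here is a complete validator class as an added example (it is not code from the post or from the Metro project). It assumes SAMLValidationException is the nested exception type of SAMLAssertionValidator with a String constructor, that createSAMLAssertion and createAssertion may throw a checked exception, and it picks a five-minute clock skew and a policy of requiring NotOnOrAfter as its own choices.

```java
import java.util.Date;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Element;
import com.sun.xml.wss.impl.callback.SAMLAssertionValidator;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.Conditions;
import com.sun.xml.wss.saml.SAMLAssertionFactory;
import com.sun.xml.wss.saml.util.SAMLUtil;

// Both validate() entry points converge on the DOM-based check below.
public class ConditionsCheckingValidator implements SAMLAssertionValidator {
    // Tolerated clock skew between token issuer and service, in ms (assumed value).
    private static final long CLOCK_SKEW_MILLIS = 5 * 60 * 1000L;

    // Streaming runtime (the Metro default) passes an XMLStreamReader; build the DOM first.
    public void validate(XMLStreamReader streamAssertion) throws SAMLValidationException {
        Element domAssertion;
        try {
            domAssertion = SAMLUtil.createSAMLAssertion(streamAssertion);
        } catch (Exception e) {
            throw new SAMLValidationException("Cannot read streamed assertion: " + e.getMessage());
        }
        validate(domAssertion);
    }

    public void validate(Element domAssertion) throws SAMLValidationException {
        Conditions cond = toAssertion(domAssertion).getConditions();
        if (cond == null) throw new SAMLValidationException("Assertion carries no Conditions element");
        Date notBefore = cond.getNotBeforeDate();       // optional in SAML
        Date notOnOrAfter = cond.getNotOnOrAfterDate(); // required by this validator's policy (assumption)
        if (notOnOrAfter == null) throw new SAMLValidationException("Assertion has no NotOnOrAfter");
        long now = System.currentTimeMillis();
        if (notBefore != null && notBefore.getTime() - CLOCK_SKEW_MILLIS > now)
            throw new SAMLValidationException("Assertion not yet valid: NotBefore=" + notBefore);
        if (notOnOrAfter.getTime() + CLOCK_SKEW_MILLIS <= now)
            throw new SAMLValidationException("Assertion expired: NotOnOrAfter=" + notOnOrAfter);
    }

    // Same namespace dispatch as the post's snippet; an unknown namespace is rejected.
    private static Assertion toAssertion(Element dom) throws SAMLValidationException {
        String ns = dom.getNamespaceURI();
        String ver = "urn:oasis:names:tc:SAML:2.0:assertion".equals(ns) ? SAMLAssertionFactory.SAML2_0
                : "urn:oasis:names:tc:SAML:1.0:assertion".equals(ns) ? SAMLAssertionFactory.SAML1_1 : null;
        if (ver == null) throw new SAMLValidationException("Unsupported assertion namespace: " + ns);
        try {
            return SAMLAssertionFactory.newInstance(ver).createAssertion(dom);
        } catch (Exception e) {
            throw new SAMLValidationException("Cannot parse assertion: " + e.getMessage());
        }
    }
}
```

Register the class name in the sc:Validator element shown earlier; every rejection surfaces to the Metro runtime as a SAMLValidationException, so the token is refused rather than silently accepted.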
