> Security Guide > Using SAML for Authentication

Security Guide

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Using SAML for Authentication

Security Assertion Markup Language (SAML) defines a framework for exchanging authentication and authorization information between online business partners. AquaLogic Service Bus enables the following techniques for using SAML:

For an overview of SAML, see the OASIS technical overview at the following URL:

http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf

The complete SAML specification set of documents are available at the following URL:

http://www.oasis-open.org/committees/download.php/3400/oasis-sstc-saml-1.1-pdf-xsd.zip

 

Configuring SAML Credential Mapping: Main Steps

If your clients to do not provide SAML tokens but your business services require them, you can configure a proxy service to map the client's identity to a SAML token.

This technique requires the business service to be a Web service with WS-Policy statements that require authentication using SAML tokens.

To configure SAML credential mapping:

  1. Configure a trust relationship between AquaLogic Service Bus and the system (message consumer) that the business service represents.

    2. The message consumer acts as a relying party and must have a trust relationship with AquaLogic Service Bus.

  2. Configure the WebLogic SAML Identity Assertion Provider V2 and the WebLogic SAML Credential Mapping Provider V2 in your security domain. See Configuring a SAML Identity Assertion Provider and Configuring a SAML Credential Mapping Provider in Securing WebLogic Server.
  3. Configure a proxy service to authenticate clients using any of the following techniques:
    • HTTP or HTTPS BASIC (client provides user name and password in the request)
    • HTTPS Client certificate
    • Message-level authentication (using any of the supported token profiles)

      • If a client request includes a WS-Security security header, you must configure the proxy service to process this header on the inbound side of the message. In AquaLogic Service Bus, you cannot add a SAML header (or any other WS-Security header) to a SOAP envelope that already contains a WS-Security header, neither can you add SAML (or other) security tokens to an existing security header.

    • Third-party authentication
  4. Configure the proxy service to include a SAML token in the WS-Security header of its outbound request.
    5. Note: If you configured the proxy service for dynamic routing, the message context determines the target URL for the request. If the assertion is signed, you must configure the certificate. For more information, see Configuring a SAML Credential Mapping Provider in Securing WebLogic Server.

When the proxy service sends its outbound request, it generates a SAML assertion on behalf of the client. When the business service processes the WS-Security header, it validates the SAML assertion, creates a security context for the identity in the SAML assertion, and invokes the Web service with this security context.

 

Configuring SAML Pass-Through Identity Propagation

If your clients provide SAML tokens to a pass-through proxy service, you can propagate the client's SAML token to the business service.

This technique requires the business service to be a Web service with WS-Policy statements that require authentication using SAML tokens.

To configure SAML pass-through identity propagation:

  1. Configure a trust relationship between AquaLogic Service Bus and the back-end service.
  2. Configure the back-end service acts as a SAML relying party.

    3. See Create a SAML Relying Party in WebLogic Server Administration Console Online Help.

  3. Configure a pass-through proxy service.

    4. See Creating a Pass-Through Proxy Service: Main Steps.

  4. Configure a SOAP-HTTP or SOAP-JMS business service with WS-Policy statements that require authentication using SAML tokens.

    5. Configuring Outbound Message-Level Security: Main Steps.

 

Authenticating SAML Tokens in Inbound Requests

If your clients provide SAML tokens to an active intermediary proxy service, you can configure the proxy service to assert the client's identity.

To configure a proxy service to use SAML tokens to authenticate clients:

  1. Configure a trust relationship between the client software and AquaLogic Service Bus.

    2. AquaLogic Service Bus relies on SAML assertions issued by the client, or on behalf of the client.

  2. Configure the WebLogic SAML Identity Assertion Provider V2 to validate tokens issued by the client's SAML authority. See Configuring a SAML Identity Assertion Provider in Securing WebLogic Server.

    3. When configuring the identity assertion provider, note the following requirements:

    • The confirmation method from the WS-Policy must match the SAML profile in the SAML asserting party.
    • Specify the asserting party target URL to be the relative URL of the proxy (not including the protocol and host information).
    • For signed assertions, add the certificate to the Identity Asserter registry.
  3. Configure the WebLogic SAML Credential Mapping Provider V2 in your security domain. See Configuring a SAML Credential Mapping Provider in Securing WebLogic Server.
  4. Create an active intermediary proxy service that communicates over the HTTP, HTTPS, or JMS protocol. The proxy service must be a Web service with a WS-Policy statement that requires authentication and accepts SAML tokens.

    5. A proxy service that communicates over the "local" transport type cannot use a SAML token profile to authenticate.

 

Troubleshooting SAML Web Services Security

Question: I am trying to propagate my inbound transport identity to a destination business service and keep receiving error, Unable to add security token for identity. What does this mean?

Answer: There are various causes for this error. Generally this means one of the following problems:

Question: I am trying to propagate my inbound transport identity to a destination business service using SAML holder-of-key and keep receiving error, Failure to add signature. What does this mean?

Answer: There are various causes for this error, but most likely is that the credentials are not configured for the business service's proxy service provider. When AquaLogic Service Bus generates an outbound holder-of-key assertion, it generally also generates a digital signature over the message contents, so that the recipient can verify not only that a message is received from a particular user, but that the message has not been tampered with. To generate the signature, the business service must have a proxy service provider with a digital signature credential associated with it. For more information on configuring credentials, see "Adding a Credential" in Security Configuration in Using the AquaLogic Service Bus Console.

Question: I am trying to configure an active intermediary proxy service that receives SAML identity tokens and keep receiving errors that look like: The SAML token is not valid. How do I fix this?

Answer: This is generally caused by a lack of a SAML Identity Asserter or SAML Identity Asserter asserting party configuration for the proxy. For a proxy service to receive SAML assertions in active intermediary mode, it must have a SAML Identity Asserter configured. For more details, see Configuring a SAML Identity Assertion Provider in Securing WebLogic Server.


  Back to Top       Previous  Next