The SAML support currently in JBossESB is provided by the PicketLink Project via JAAS Login Modules that have the ability to issue and validate SAML security tokens.
There are basically two situations with regard to SAML token support currently in JBossESB:
1. Caller does not have a security token and needs to have one issued.
2. Caller already has a security token which should be validated.
We will discuss the two situations below.
Issuing a SAML Security Token
Issuing a SAML Security Token can be done by configuring org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule.
This LM is configured by using a properties file that is specified using the configFile property in the JAAS configuration.
Example of configuring a LM:
<application-policy name="saml-issue-token">
<authentication>
<login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
<module-option name="configFile">picketlink-sts-client.properties</module-option>
<module-option name="endpointURI">http://security_saml/goodbyeworld</module-option>
</login-module>
<login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
<module-option name="configFile">picketlink-sts-client.properties</module-option>
</login-module>
</authentication>
</application-policy>
The above configuration uses stacked LMs: the security token issued by the first LM is later used by the second LM, which validates it. Having two separate LMs for this can be useful, as there are situations where you only need to validate a security token, which we will look at shortly.
Example of a picketlink-sts-client.properties
serviceName=PicketLinkSTS
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
username=admin
password=admin
Note that the username and password in this file are only used by the STSValidatingLoginModule. The username and password may also be stacked or provided by a callback. Please refer to the STSLoginModules page for details about the different options available.
To use this LM in JBossESB you need to update your server's login-config.xml with the above application-policy and also configure the ESB service where you want this LM to be used.
For example in jboss-esb.xml:
<service category="SamlSecurityQuickstart" name="issueTokenService" invmScope="GLOBAL"
description="This service demonstrates how a service can be configured to issue and validate a security token">
<security moduleName="saml-issue-token" callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSIssueCallbackHandler">
<!-- disable the security context timeout so that our security context is re-evaluated -->
<property name="org.jboss.soa.esb.services.security.contextTimeout" value="0"/>
</security>
...
</service>
Notice that the callbackHandler specified is specific to the ESB. This is because it requires access to the authentication request in the ESB for retrieving the username and password of the user for whom a security token should be issued.
Validating a SAML Security Token
Validating a SAML Security Token can be done by configuring org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule.
Example of configuring the LM:
<application-policy name="saml-validate-token">
<authentication>
<login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
<module-option name="configFile">picketlink-sts-client.properties</module-option>
</login-module>
</authentication>
</application-policy>
And in jboss-esb.xml:
<service category="SamlSecurityQuickstart" name="securedSamlService" invmScope="GLOBAL"
description="This service demonstrates that an ESB service can be configured to only validate a security token.">
<security moduleName="saml-validate-token" callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSTokenCallbackHandler">
<!-- disable the security context timeout so that our security context is re-evaluated -->
<property name="org.jboss.soa.esb.services.security.contextTimeout" value="0"/>
</security>
...
</service>
Notice that the callbackHandler specified is specific to the ESB. This is because it requires access to the authentication request in the ESB for retrieving the SAML token which is to be validated.
For a working example of SAML support in JBossESB please refer to the security_saml quickstart.
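As an added defender's check (not part of this page or of the PicketLink/JBossESB projects), the following Python script audits the three configuration pieces described above: it confirms that every moduleName used in jboss-esb.xml is defined in login-config.xml, that the stacked login modules are all mandatory, and that the STS client properties use an https endpoint and a non-default password. The sample inputs are constructed from the fragments on this page; the weak-password list and the https requirement are the script's own assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs, copied (abridged) from the configuration fragments on this page.
LOGIN_CONFIG = """<application-policy name="saml-issue-token">
<authentication>
<login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
<module-option name="configFile">picketlink-sts-client.properties</module-option>
<module-option name="endpointURI">http://security_saml/goodbyeworld</module-option>
</login-module>
<login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
<module-option name="configFile">picketlink-sts-client.properties</module-option>
</login-module>
</authentication>
</application-policy>"""
STS_PROPS = {"picketlink-sts-client.properties": """endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
username=admin
password=admin"""}
ESB_MODULE_NAMES = ["saml-issue-token", "saml-validate-token"]  # moduleName values from jboss-esb.xml

def parse_properties(text):
    """Minimal key=value parser for picketlink-sts-client.properties."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(login_config_xml, props_files, esb_module_names):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policies = {p.get("name"): p for p in ET.fromstring(login_config_xml).iter("application-policy")}
    # 1. every moduleName used in jboss-esb.xml must be defined in login-config.xml
    for name in esb_module_names:
        if name not in policies:
            findings.append(f"{name}: referenced by jboss-esb.xml but not defined in login-config.xml")
    # 2. a module flagged optional or sufficient does not have to succeed, so the validating step may never run
    for pol_name, pol in policies.items():
        for lm in pol.iter("login-module"):
            if lm.get("flag") not in ("required", "requisite"):
                short = lm.get("code", "").rsplit(".", 1)[-1]
                findings.append(f"{pol_name}/{short}: flag {lm.get('flag')!r} allows login without this module")
    # 3. STS client properties: transport protection and credential strength (assumed weak-password list)
    for fname, text in props_files.items():
        props = parse_properties(text)
        if urlparse(props.get("endpointAddress", "")).scheme != "https":
            findings.append(f"{fname}: endpointAddress is not https, STS credentials and tokens cross the wire in clear")
        if props.get("password", "") in {"", "admin", "password", props.get("username")}:
            findings.append(f"{fname}: weak or default STS password for user {props.get('username')!r}")
    return findings
```

Run against the page's own fragments it reports the undefined saml-validate-token policy, the plain-http STS endpoint and the admin/admin credentials; a clean configuration returns an empty list.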
More information about the Login Modules provided by PicketLink can be found here: http://www.jboss.org/community/wiki/STSLoginModules