JBossESB SAML Support

Version 11

    The SAML support currently in JBossESB is provided by the PicketLink Project via JAAS Login Modules that have the ability to issue and validate SAML security tokens.


    There are basically two situations with regard to SAML token support currently in JBossESB:
    1. Caller does not have a security token and needs to have one issued.
    2. Caller already has a security token which should be validated.


    We will discuss the two situations below.


    Issuing a SAML Security Token

    Issuing a SAML Security Token can be done by configuring org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule.

    This LM is configured using a properties file whose location is given by the configFile module option in the JAAS configuration.
    Example of configuring the LM:

    <application-policy name="saml-issue-token">
         <authentication>
             <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
                 <module-option name="configFile">picketlink-sts-client.properties</module-option>
                 <module-option name="endpointURI">http://security_saml/goodbyeworld</module-option>
             </login-module>
             <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
                 <module-option name="configFile">picketlink-sts-client.properties</module-option>
             </login-module>
         </authentication>
    </application-policy>

    The above configuration uses stacked LMs: the security token issued by the first LM is passed on to the second LM, which validates it. Keeping issuing and validation in two separate LMs is useful because there are situations where you only need to validate a security token, which we will look at shortly.


    Example of a picketlink-sts-client.properties

    serviceName=PicketLinkSTS
    portName=PicketLinkSTSPort
    endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
    username=admin
    password=admin

    Note that the username and password in this file are only used by the STSValidatingLoginModule. The username and password may also be stacked or provided by a callback. Please refer to the STSLoginModules page for details about the different options available.


    To use this LM in JBossESB you need to update your server's login-config.xml with the above application-policy and also configure the ESB service in which you want this LM to be used.


    For example in jboss-esb.xml:

    <service category="SamlSecurityQuickstart" name="issueTokenService" invmScope="GLOBAL"
        description="This service demonstrates how a service can be configured to issue and validate a security token">


        <security moduleName="saml-issue-token" callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSIssueCallbackHandler">
            <!-- disable the security context timeout so that our security context is re-evaluated -->
            <property name="org.jboss.soa.esb.services.security.contextTimeout" value="0"/>
        </security>
        ...
    </service>



    Notice that the callbackHandler specified here is specific to the ESB. This is because it requires access to the authentication request in the
    ESB for retrieving the username and password of the user for whom a security token should be issued.

    Validating a SAML Security Token


    Validating a SAML Security Token can be done by configuring org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule.


    Example of configuring the LM:

    <application-policy name="saml-validate-token">
        <authentication>
            <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule" flag="required">
                <module-option name="configFile">picketlink-sts-client.properties</module-option>
            </login-module>
        </authentication>
    </application-policy>



    And in jboss-esb.xml:

    <service category="SamlSecurityQuickstart" name="securedSamlService" invmScope="GLOBAL"
        description="This service demonstrates that an ESB service can be configured to only validate a security token.">


        <security moduleName="saml-validate-token" callbackHandler="org.jboss.soa.esb.services.security.auth.login.JBossSTSTokenCallbackHandler">
            <!-- disable the security context timeout so that our security context is re-evaluated -->
            <property name="org.jboss.soa.esb.services.security.contextTimeout" value="0"/>
        </security>
        ...
    </service>

    Notice that the callbackHandler specified here is specific to the ESB. This is because it requires access to the authentication request in the ESB for retrieving the SAML token which is to be validated.
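    The two situations above (issue a token for a caller with credentials; validate a token a caller already has) correspond to the two JAAS policies, and the ESB callback handlers exist only to feed the right inputs to the login modules. The following is an added illustration, not code from this page, JBossESB or PicketLink: a plain JAAS CallbackHandler driving both policies from Java. It assumes the issuing module asks for a standard NameCallback/PasswordCallback, that the validating module obtains the token through PicketLink's TokenCallback (org.picketlink.identity.federation.core.wstrust.auth.TokenCallback), that the issued assertion ends up among the Subject's public credentials, and that the code runs where the application-policy entries above have been loaded from login-config.xml.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.picketlink.identity.federation.core.wstrust.auth.TokenCallback; // assumed PicketLink callback type

public class StsCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;
    private final Object samlToken; // null when issuing (situation 1), set when validating (situation 2)

    public StsCallbackHandler(String username, char[] password, Object samlToken) {
        this.username = username;
        this.password = password;
        this.samlToken = samlToken;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback && username != null) {
                ((NameCallback) cb).setName(username);          // STSIssuingLoginModule: subject of the token
            } else if (cb instanceof PasswordCallback && password != null) {
                ((PasswordCallback) cb).setPassword(password);  // proof of the caller's identity
            } else if (cb instanceof TokenCallback && samlToken != null) {
                ((TokenCallback) cb).setToken(samlToken);       // STSValidatingLoginModule: token to check
            } else {
                // Refuse rather than answer with an empty value so a missing credential fails the login.
                throw new UnsupportedCallbackException(cb, "no value for " + cb.getClass().getName());
            }
        }
    }

    public static void main(String[] args) throws LoginException {
        // Situation 1: caller has only credentials; "saml-issue-token" issues and then validates a token.
        LoginContext issue = new LoginContext("saml-issue-token",
                new StsCallbackHandler("admin", "admin".toCharArray(), null)); // constructed sample credentials
        issue.login();
        // Assumption: the issuing module places the assertion among the Subject's public credentials.
        Object token = issue.getSubject().getPublicCredentials().iterator().next();
        // Situation 2: caller presents only that token; "saml-validate-token" just validates it.
        LoginContext validate = new LoginContext("saml-validate-token",
                new StsCallbackHandler(null, null, token));
        validate.login();
    }
}
```

In the ESB the same two roles are played by JBossSTSIssueCallbackHandler and JBossSTSTokenCallbackHandler, which read the credentials or the token from the incoming authentication request instead of from constructor arguments.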



    For a working example of SAML support in JBossESB please refer to the security_saml quickstart.
    More information about the Login Modules provided by PicketLink can be found at http://www.jboss.org/community/wiki/STSLoginModules