SAML2 Attributes

Version 2

    SAML2 Attributes

     

    Sometime it is necessary to use the attributes for an Identity.  It is easy for the Identity Provider to issue statements on attributes.  The attributes can be roles and or other types such as email address, employee number etc.

     

    As of now, we provide an opportunity to use LDAP to get the attributes for an identity in JBoss Application Server.

     

    Ensure that you have JBoss Security Libraries 2.0.4+ in your version of JBossAS5.x  (Just replace jboss-security-spi.jar and jbosssx.jar in common/lib with the new libraries).

     

    Configuration on JBoss Application Server

     

    In the WEB-INF directory of the idp war file,  you should see the jboss-idfed.xml deployment descriptor.

    <JBossIDP xmlns="urn:jboss:identity-federation:config:1.0"
       AttributeManager="org.jboss.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager" >
    <IdentityURL>http://localhost:8080/idp/</IdentityURL>
    <Trust>
       <Domains>localhost,jboss.com,jboss.org</Domains>
    </Trust>
    </JBossIDP>
    

     

    Remember the attribute shown in red is absolutely essential.

     

     

    I have a file called as idp-jboss-beans.xml in the deploy directory.

     

    <?xml version="1.0" encoding="UTF-8"?>
    
    <deployment xmlns="urn:jboss:bean-deployer:2.0">
    
    <application-policy xmlns="urn:jboss:security-beans:1.0" name="idp"
    extends="other">
    
     <mapping>
       <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
         <module-option name="bindDN">cn=Manager,dc=jboss,dc=org</module-option>
         <module-option name="bindCredential">test</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>
         <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
         <module-option name="baseCtxDN">ou=People,dc=jboss,dc=org</module-option>
         <module-option name="attributeList">mail,cn,commonname,givenname,surname,employeeType,employeeNumber,facsimileTelephoneNumber</module-option>
       </mapping-module>
     </mapping>
    </application-policy>
    </deployment>
    

     

    For more information on the module options, refer to the article on LdapExtLoginModule. We support the same options for LdapAttributeMappingProvider.

    .


    Of course, I have a jboss-web.xml  in the WEB-INF directory of the idp web application.

    <jboss-web>
      <security-domain>idp</security-domain>
    </jboss-web>
    

     

     

    Response from Identity Provider

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns3:Response Destination="http://localhost:8080/sales/"
         IssueInstant="2009-09-11T16:10:19.089-05:00"
         Version="2.0"
         ID="ID_80d06077-d254-4d6f-8376-e81432af12c3"
    xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer>http://localhost:8080/idp/</Issuer>
    <ns3:Status>
    <ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </ns3:Status>
    <Assertion IssueInstant="2009-09-11T16:10:19.088-05:00"
    ID="ID_c1ac1cf8-e74f-47bf-9649-5b9e127fcb52"
    Version="2.0">
    <Issuer>http://localhost:8080/idp/</Issuer>
    
    <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">manager</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData Recipient="http://localhost:8080/sales/"
    NotOnOrAfter="2009-09-11T16:10:19.088-05:00"
    NotBefore="2009-09-11T16:10:19.088-05:00"/>
    </SubjectConfirmation>
    </Subject>
    
    
    <Conditions NotOnOrAfter="2009-09-11T16:15:19.088-05:00"
    NotBefore="2009-09-11T16:10:19.088-05:00"/>
    
    <AttributeStatement>
    <Attribute FriendlyName="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
    Name="role">
    <AttributeValue xsi:type="xs:string"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Employee</AttributeValue>
    </Attribute>
    
    <Attribute FriendlyName="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
    Name="role">
    <AttributeValue xsi:type="xs:string"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Sales</AttributeValue>
    </Attribute>
    
    <Attribute FriendlyName="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
    Name="role">
    <AttributeValue xsi:type="xs:string"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">employee</AttributeValue>
    </Attribute>
    
    <Attribute FriendlyName="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
    Name="role">
    <AttributeValue xsi:type="xs:string"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">manager</AttributeValue>
    </Attribute>
    
    
    <Attribute FriendlyName="role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
    Name="role">
    <AttributeValue xsi:type="xs:string"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">sales</AttributeValue>
    </Attribute>
    </AttributeStatement>
    
    
    <AttributeStatement>
    <Attribute
    NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    <AttributeValue xsi:type="xs:string"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">manager@somecastle.man</AttributeValue>
    </Attribute>
    </AttributeStatement>
    
    </Assertion>
    
    
    </ns3:Response>