How to validate WS-Federation SAML tokens with Java Service Provider
I am working on a project that uses ws_federation and SAML to authenticate to a Identity Provider running on a IIS server running on .net called thinktecture
I need to write a Java Service Provider that sends a SAML authentication request to the Identity Provider and get the SAML response back on my java web app.
I need to know if there are any good libraries to validate SAML and mabye some direction on setting it up or links to a tutorial on getting started. I have tries spring_security-saml_extensions, but I keep getting errors when I try to put my Identitiy Providers meta-data link into the config files.
Any help would be greatly appreciated!
Also: It would be great if the solution could be integrated into an existing java web application!
Some Additional info:
Below is the XML I can get from the response returned by the IDP in my SP I am working on I was under the impression that this was a SAML token.
<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse Context="rm=0&id=passive&ru=%2fApplicant%2fMyAccount%2fHome">
<trust:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T19:37:18.399Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-04-17T20:07:18.399Z</wsu:Expires>
</trust:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://[SP Server]/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<trust:RequestedSecurityToken>
<Assertion ID="_b4c87094-9557-419f-92fd-714a2b9cd8af" IssueInstant="2013-04-17T19:37:18.399Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://[IDP Server]/trust/idp</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#_b4c87094-9557-419f-92fd-714a2b9cd8af">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>pVpyzVN6Cz7NRNsp+jSVQP4ILt1J8y/4KBPzAtbllMg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NnTCfQE7p1FmrdbmYk+wRpbaZ5Rr4Opk67mI2Y6+PTdQlUErv5Bt8C/iBA398CwAgZyREqZfobd47QnxZYOvnFjiMSsQAndmPejZ9PEGwdu8hVrYyhV2VpcPtcaew/tOGWBvTdUKH5YjGmTHLtLxny0WaGYIquYVWoO3S68duy6DWXr/rxMzOEjNhY3s/3alCYMSYqDrhB8jKY8M9M2jruZa2KjIziumW6bzksizYSEFAcn4LfVhACaucrBAVch+r31vKAxO0BpkU7wSRBTaQV+/ALmA1HJAVO/mecujHJnhpizF4GDNdsnbIxck3r/2X9gt7WgMhfwBW+6Xvd2whQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC5TCCAc2gAwIBAgIQSuU/gl5tP49ARSN2SkVRKzANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwHhcNMTAxMDAxMTI1MjUxWhcNMjAwOTI4MTI1MjUxWjAaMRgwFgYDVQQDEw9XTVN2Yy1VU0FKLURFVjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgytRM5b2B35ydz+zxt59fklaT02z4AXUd9zm3h7Clq8LZYPMYvHOkzv7tgY38rD+NvmELAzeESBTbHN/wJyFkVbdD3mHVvE/vARGLxZB1lx+JN+gNjrrXT90FQtyWEchWoUcO6eFTAUdLgLonSn7SvI7lze2YUIS9BBc0OdpZzhDnWecUA1N0c5CeMZcjxroZYTuXH1YDGqOacphtZ7TMwCV2V5i7k9Jj4xY8uuSX92l7cW+EIqoqp26XTWmfon/jvDvWe3Dhe/mdtLXKQ2Lu8KCiN+zqA91fiGwezTkoeyDrWh/8/jqoz7Ep/4BN9cNLrbk75ngiryPlGLOCQK7vAgMBAAGjJzAlMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwQHAwUAsAAAADANBgkqhkiG9w0BAQUFAAOCAQEAVTHuMl7Tr+ZAQOLf9nPbAlFabec8DFb+3jzbo4qUfGD/DYGuDg4gFNfr09s2Ft82DzXf1BQJDprRIRtrQOE8hDpOeM6c5sOXk7xKh0QjPzqE4n7ZJUP8X+NW+Zu9D7OaFSJ0/mUffw/PugoYTusfCEudrKzo2CDgtrQjaTrm7zkxksJdH/DY+YCF1g+ljpUDKR9SYwRaGQ5fj9dn+SMibhcXqDXod+BGKW9xaTo3CLFKSbMRt97LjF+P8sfnq8IGTpHqHR3pFDjdbIQ4ixRCygEpbVZJgXPvcTk2Nnvi3SyLZPeTRTGnZM0R7KMhLji2JnHYEXArC46fVwHtjLGbGw==</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID>e8f279d7-cbd8-468d-a6df-97419729fe59</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2013-04-17T19:37:18.399Z" NotOnOrAfter="2013-04-17T20:07:18.399Z">
<AudienceRestriction>
<Audience>https://[SP Server]</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<!-- Data from my database-->
</AttributeStatement>
<AuthnStatement AuthnInstant="2013-04-17T19:37:18.337Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</trust:RequestedSecurityToken>
<trust:RequestedAttachedReference>
<SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedAttachedReference>
<trust:RequestedUnattachedReference>
<SecurityTokenReference d4p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d4p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_b4c87094-9557-419f-92fd-714a2b9cd8af</KeyIdentifier>
</SecurityTokenReference>
</trust:RequestedUnattachedReference>
<trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</trust:RequestSecurityTokenResponse>
Answer
I found a great library on github that both handles validation of the SAML Token and if you are feeling adventurous is a good tutorial on how to use OpenSAML. The library is called Auth10-Java and it does a great job of breaking down SAML token validation. FYI it also handles WS-Federation protocol.
Public List<Claim> validateAuthenticationResponse(String yourToken){
SamlTokenValidator validator = new SamlTokenValidator();
validator.setThumbprint("thumbprint from the thinktecture idp server or what ever idp you are using");
validator.getAudienceUris().add(new URI(“http://localhost:8080/javafederationtest”);
//validator.setValidateExpiration(false); //This can be used to stop validation of the expiration fields in the token.
List<Claim> claims = validator.validate(yourToken); //A Federation Exception is thrown if the token is invalid
System.out.println(claims.toString()); //This will show the claims asserted by the token!
}
This worked great for me and better yet I am learning heaps about SAML and OpenSAML from this library! Just be sure to include all dependencies in your projects build path!