Accepting Access Manager SAML Assertions

Access Manager Configuration and settings

Please see installation and administration guides for assistance in configuring Access Manager. This sample makes the following assumptions:

General Configuration

Please see the general XML File Configuration Format for details on the base configuration.

Authentication Methods

Following the general Configuration for Authentication Methods, we set up the following authentication methods.

   <Setting Name="authMethods" Type="htf:list">
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:usernamePassword" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:usernamePassword</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.UsernamePasswordAuthMethod</Setting>
      </Setting>
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:anonymous" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:anonymous</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.AnonymousAuthMethod</Setting>
      </Setting>
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:infocard" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:infocard</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.InfocardAuthMethod</Setting>
      </Setting>
      <Setting Name="urn:bandit-project:otis:authmethod:1.0:samlpolicy" Type="htf:map">
         <Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:samlpolicy</Setting>
         <Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.SAMLPolicyAuthMethod</Setting>
         <Setting Name="authMethodCtxID" Type="xsd:string">urn:InMemoryCache</Setting>
         <Setting Name="UseForOpen" Type="xsd:boolean">false</Setting>
         <Setting Name="ValidateSAML" Type="xsd:boolean">true</Setting>
         <Setting Name="JSSharedScope" Type="htf:ref">/JSSharedScope</Setting>
         <Setting Name="AuthEntityId" Type="htf:jscriptexec">
            RESULT =  getAuthEntityId(saml);
         </Setting>
         <Setting Name="InjectEntity" Type="xsd:boolean">true</Setting>
         <Setting Name="InjectEntityAttrMap" Type="htf:jscriptexec">
            RESULT =  getMappedAttrURI(saml, samlURI);
         </Setting>
         <Setting Name="InjectEntityAttrValueMap" Type="htf:jscriptexec">
            RESULT =  getMappedAttrValue(saml, samlURI, idasURI, samlvalue);
         </Setting>
      </Setting>
   </Setting>
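The three script hooks above (AuthEntityId, InjectEntityAttrMap, InjectEntityAttrValueMap) are where the SAML issuer should be consulted before anything is injected into the entity. The following is an added example, not part of this page or of the OTIS code, that shows issuer-aware versions of the same three functions in plain JavaScript. The trusted-issuer table, the attribute and value mappings, the getIssuer() accessor on the assertion object (the page only shows getSubject().getNameID() and getID()) and the makeAssertion() stand-in are all assumptions; so is the convention of returning null for anything that must not be injected, since the page does not state how SAMLPolicyAuthMethod treats a null RESULT.

```javascript
// Added example: issuer-aware versions of the JSSharedScope helpers.
// Everything below the comment banner is constructed for illustration.

var SAMPLE_ROLES_URI = "http://www.bandit-project.org/ontologies/2008/otis/sampleroles";

// Constructed policy table keyed by issuer entityID. Only assertions from a
// listed issuer are mapped; "attrs" maps SAML attribute URIs to IdAS URIs and
// "values" rewrites raw values for a given IdAS URI.
var TRUSTED_ISSUERS = {
  "https://idp.example.test/saml": {
    attrs: { "urn:example:attrs:groups": SAMPLE_ROLES_URI },
    values: {}
  }
};
TRUSTED_ISSUERS["https://idp.example.test/saml"].values[SAMPLE_ROLES_URI] = {
  "cn=admins,ou=groups": "admin",
  "cn=staff,ou=groups": "staff"
};

// Returns the policy entry for the assertion's issuer, or null if untrusted.
function issuerPolicy(saml) {
  if (!saml) return null;
  var issuer = saml.getIssuer(); // assumed accessor, not shown on the page
  return Object.prototype.hasOwnProperty.call(TRUSTED_ISSUERS, issuer)
    ? TRUSTED_ISSUERS[issuer] : null;
}

// Entity id: the subject NameID when present, else the assertion ID;
// null when the issuer is not trusted.
function getAuthEntityId(saml) {
  if (!issuerPolicy(saml)) return null;
  var subject = saml.getSubject();
  var id = subject ? subject.getNameID() : null;
  if (!id) id = saml.getID();
  return id;
}

// Map a SAML attribute URI to the IdAS URI used for the entity; null means
// "do not inject this attribute" (assumed convention).
function getMappedAttrURI(saml, uri) {
  var policy = issuerPolicy(saml);
  if (!policy) return null;
  return Object.prototype.hasOwnProperty.call(policy.attrs, uri) ? policy.attrs[uri] : null;
}

// Rewrite a single attribute value. Values not listed for a rewritten URI are
// dropped rather than passed through unchanged.
function getMappedAttrValue(saml, oldURI, newURI, value) {
  var policy = issuerPolicy(saml);
  if (!policy) return null;
  var table = policy.values[newURI];
  if (!table) return value; // mapped URI with no value table: pass through
  return Object.prototype.hasOwnProperty.call(table, value) ? table[value] : null;
}

// Constructed stand-in for the assertion object the auth method hands to the
// scripts; it only exposes the methods the functions above call.
function makeAssertion(issuer, nameId, assertionId) {
  return {
    getIssuer: function () { return issuer; },
    getSubject: function () { return { getNameID: function () { return nameId; } }; },
    getID: function () { return assertionId; }
  };
}
```

In the configuration these would be called exactly as on the page, for example `RESULT = getMappedAttrURI(saml, samlURI);`, with the functions placed in the shared JSSharedScope.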

Role Configuration

The roles configuration for this sample is based on the general Configuration For Roles. In this case no roles are assumed automatically at authentication time, and only values from the default role name in the SAML assertion are used. Please note that in this sample the role values are not transformed or modified. That could happen at two different places:

  • During authentication, using the InjectEntityAttrValueMap configuration to map the values.
  • During the role configuration, checking the issuer and the attribute and then mapping the values to something meaningful. I prefer mapping here because it allows me to have rules that span attributes, and it preserves the data in its original form.

The role configuration looks like this:

   <Setting Name="Roles" Type="htf:map">
      <!-- Root most role configuration element, should be located under the OtisConfiguration element -->
      <Setting Name="Assumable Roles" Type="htf:map">
			
         <Setting Name="Role Rule 1" Type="htf:map">
            <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
            <Setting Name="EntityAttrs" Type="htf:list">
               <Setting Type="xsd:anyURI">http://www.bandit-project.org/ontologies/2008/otis/sampleroles</Setting>
            </Setting>
            <Setting Name="RoleInstantiation" Type="htf:jscriptexec">
               RESULT = new Packages.org.bandit.otis.impl.CommonRole( String(data));
               RESULT.addPropertyValue(Packages.org.bandit.otis.api.IRole.roleTypes, 
                         attribute.getAttrID().toString());
            </Setting>
         </Setting>
      </Setting> <!-- End Assumable Roles -->
   </Setting> <!-- End Roles -->
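To make the role-time mapping concrete, here is an added example in plain JavaScript (not code from this page or from OTIS) that models how an "Assumable Roles" rule turns entity attribute values into roles, with the value mapping done at role-configuration time as the text prefers, and with a second rule that spans two attributes. SimpleRole stands in for org.bandit.otis.impl.CommonRole, the rule list and the issuer attribute URI are constructed, and the rule semantics (every attribute a rule names must be present, unknown values yield no role) are assumptions rather than documented OTIS behaviour.

```javascript
// Added example: role rules evaluated over an entity's attributes.
// Stand-ins and rules below are constructed for illustration.

var SAMPLE_ROLES_URI = "http://www.bandit-project.org/ontologies/2008/otis/sampleroles";
var ISSUER_ATTR_URI = "urn:example:attrs:issuer"; // constructed attribute URI

// Minimal stand-in for CommonRole: a name plus multi-valued properties.
function SimpleRole(name) {
  this.name = name;
  this.properties = {};
}
SimpleRole.prototype.addPropertyValue = function (key, value) {
  if (!this.properties[key]) this.properties[key] = [];
  this.properties[key].push(value);
};

// Constructed rules. "Role Rule 1" mirrors the page's rule but maps the raw
// value to a meaningful role name while keeping the original value on the role.
var RULES = [
  {
    name: "Role Rule 1",
    enabled: true,
    entityAttrs: [SAMPLE_ROLES_URI],
    instantiate: function (attrs) {
      var map = { "cn=admins,ou=groups": "admin", "cn=staff,ou=groups": "staff" };
      var out = [];
      attrs[SAMPLE_ROLES_URI].forEach(function (data) {
        if (!Object.prototype.hasOwnProperty.call(map, data)) return; // unknown value: no role
        var role = new SimpleRole(map[data]);
        role.addPropertyValue("roleTypes", SAMPLE_ROLES_URI); // as the page's rule does
        role.addPropertyValue("sourceValue", data);           // original data preserved
        out.push(role);
      });
      return out;
    }
  },
  {
    // A rule that spans attributes: the issuer attribute and the group value
    // are checked together, which a per-value mapping at auth time cannot do.
    name: "Trusted-issuer admin rule",
    enabled: true,
    entityAttrs: [SAMPLE_ROLES_URI, ISSUER_ATTR_URI],
    instantiate: function (attrs) {
      var fromTrusted = attrs[ISSUER_ATTR_URI].indexOf("https://idp.example.test/saml") >= 0;
      var isAdmin = attrs[SAMPLE_ROLES_URI].indexOf("cn=admins,ou=groups") >= 0;
      if (!(fromTrusted && isAdmin)) return [];
      var role = new SimpleRole("auditor");
      role.addPropertyValue("roleTypes", SAMPLE_ROLES_URI);
      role.addPropertyValue("roleTypes", ISSUER_ATTR_URI);
      return [role];
    }
  }
];

// Evaluate every enabled rule whose named attributes are all present on the entity.
function evaluateRoleRules(entityAttrs, rules) {
  var roles = [];
  rules.forEach(function (rule) {
    if (!rule.enabled) return;
    var hasAll = rule.entityAttrs.every(function (uri) {
      return Array.isArray(entityAttrs[uri]) && entityAttrs[uri].length > 0;
    });
    if (!hasAll) return;
    rule.instantiate(entityAttrs).forEach(function (r) { roles.push(r); });
  });
  return roles;
}

// Sorted role names, handy for inspecting a result.
function roleNames(roles) {
  return roles.map(function (r) { return r.name; }).sort();
}
```

The entity attribute map passed to evaluateRoleRules() is whatever the auth method injected, so an entity that lacks the issuer attribute never reaches the spanning rule at all.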

Sample

Below is a full sample of the minimal system described above, which allows specific SAML assertions to be accepted and used for entities and roles.

<Configuration
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns="http://higgins.eclipse.org/sts/Configuration"
	xmlns:htf="http://higgins.eclipse.org/sts/Configuration"
	xsd:schemaLocation="http://higgins.eclipse.org/sts/Configuration Configuration.xsd ">

	<!--  The setting handlers are classes that consume Setting elements where the Type matches and generate an object of the Class -->
	<SettingHandlers>
		<SettingHandler Type="htf:map" Class="java.util.Map" Handler="org.eclipse.higgins.configuration.xml.MapHandler"/>
		<SettingHandler Type="htf:list" Class="java.util.List" Handler="org.eclipse.higgins.configuration.xml.ListHandler"/>
		<SettingHandler Type="xsd:string" Class="java.lang.String" Handler="org.eclipse.higgins.configuration.xml.StringHandler"/>
		<SettingHandler Type="xsd:boolean" Class="java.lang.Boolean" Handler="org.eclipse.higgins.configuration.xml.BooleanHandler"/>
		<SettingHandler Type="xsd:anyURI" Class="java.net.URI" Handler="org.eclipse.higgins.configuration.xml.URIHandler"/>
		<SettingHandler Type="htf:file" Class="java.io.FileInputStream" Handler="org.eclipse.higgins.configuration.xml.FileHandler"/>
		<SettingHandler Type="htf:keystore" Class="java.security.KeyStore" Handler="org.eclipse.higgins.configuration.xml.KeyStoreHandler"/>
		<SettingHandler Type="htf:certificate" Class="java.lang.String" Handler="org.eclipse.higgins.configuration.xml.CertificateHandler"/>
		<SettingHandler Type="htf:privatekey" Class="java.security.PrivateKey" Handler="org.eclipse.higgins.configuration.xml.PrivateKeyHandler"/>
		<SettingHandler Type="htf:singleton" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.SingletonHandler"/>
		<SettingHandler Type="htf:instance" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.InstanceHandler"/>
		<SettingHandler Type="htf:classinstance" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.ClassInstanceHandler"/>
		<SettingHandler Type="htf:classsingleton" Class="java.lang.Object" Handler="org.eclipse.higgins.configuration.xml.ClassSingletonHandler"/>
		<SettingHandler Type="htf:jscriptexec" Class="org.eclipse.higgins.util.jscript.JScriptExec" Handler="org.eclipse.higgins.util.idas.cp.jscript.JScriptExecSettingHandler"/>
		<SettingHandler Type="htf:jscriptscope" Class="org.eclipse.higgins.util.jscript.JScriptScope" Handler="org.eclipse.higgins.util.idas.cp.jscript.JScriptScopeSettingHandler"/>
		<SettingHandler Type="htf:include" Class="java.util.Map" Handler="org.eclipse.higgins.configuration.xml.IncludeHandler"/>
		<SettingHandler Type="htf:ref" Class="Object" Handler="org.eclipse.higgins.configuration.xml.ReferenceHandler"/>
		<SettingHandler Type="htf:remoteEndPointHandler" Class="org.bandit.otis.impl.RemoteEndPointClient" Handler="org.bandit.otis.impl.RemoteEndPointClientHandler"/>
	</SettingHandlers>

	<Setting Name="OTISConfiguration" Type="htf:map">

		<Setting Name="defaultContextId" Type="xsd:string">urn:Corporate-LDAP-Server</Setting>

		<!-- The various assertion types that are handled -->
		<Setting Name="JSSharedScope" Type="htf:jscriptscope">
			// TODO fix so it looks at the issuer
			// Entity id: the subject NameID when present, otherwise the assertion ID;
			// null when no assertion was supplied.
			function getAuthEntityId(saml)
			{
				var id = null;
				if ( saml != null)
				{
					var subject = saml.getSubject();
					id = subject.getNameID();
					if ( !id )
						id = saml.getID();
				}
				return id; 
			}
			
			//based on the issuer map the attribute uris
			function getMappedAttrURI(saml, uri)
			{
				// should look at the saml issuer and make adjustments
				return uri;
			}
			
			//based on the issuer map the attribute values
			function getMappedAttrValue(saml, oldURI, newURI, value)
			{
				// should look at the saml issuer and make adjustments
				return value;
			}
		</Setting>  <!-- end of JSSharedScope-->
		
		<Setting Name="authMethods" Type="htf:list">
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:usernamePassword</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.UsernamePasswordAuthMethod</Setting>
			</Setting>
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:anonymous</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.AnonymousAuthMethod</Setting>
			</Setting>
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:infocard</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.InfocardAuthMethod</Setting>
			</Setting>
			<Setting Type="htf:map">
				<Setting Name="authMethodID" Type="xsd:string">urn:bandit-project:otis:authmethod:1.0:samlpolicy</Setting>
				<Setting Name="authMethodClass" Type="xsd:string">org.bandit.otis.impl.SAMLPolicyAuthMethod</Setting>
				<Setting Name="authMethodCtxID" Type="xsd:string">urn:InMemoryCache</Setting>
				<Setting Name="UseForOpen" Type="xsd:boolean">false</Setting>
				<Setting Name="ValidateSAML" Type="xsd:boolean">true</Setting>
				<Setting Name="JSSharedScope" Type="htf:ref">/JSSharedScope</Setting>
				<Setting Name="AuthEntityId" Type="htf:jscriptexec">
					 RESULT =  getAuthEntityId(saml);
				</Setting>
				<Setting Name="InjectEntity" Type="xsd:boolean">true</Setting>
				<Setting Name="ClearEntity" Type="xsd:boolean">true</Setting>
				<Setting Name="InjectEntityAttrMap" Type="htf:jscriptexec">
					 RESULT =  getMappedAttrURI(saml, samlURI);
				</Setting>
				<Setting Name="InjectEntityAttrValueMap" Type="htf:jscriptexec">
					 RESULT =  getMappedAttrValue(saml, samlURI, idasURI, samlvalue);
				</Setting>
			</Setting>
		</Setting>

		<!-- Other components - mainly IdASRegistry -->

		<Setting Name="ComponentSettings" Type="htf:map">
			<Setting Name="IdASRegistry" Type="htf:map">
				<Setting Name="ComponentSettings" Type="htf:map">
					<Setting Name="InMemoryContextFactory" Type="htf:map" />
				</Setting>
				<Setting Name="InMemoryContextFactory" Type="htf:classinstance">org.eclipse.higgins.idas.cp.inmem.InMemoryContextFactory</Setting>
				<Setting Name="ContextFactoryInstancesList" Type="htf:list">
					<Setting Name="InMemoryContextFactory" Type="htf:map">
						<Setting Name="Instance" Type="xsd:string">InMemoryContextFactory</Setting>
						<Setting Name="ContextTypes" Type="htf:list">
							<Setting Name="InMemContextType" Type="xsd:string">$context+inmem</Setting>
						</Setting>
					</Setting>
				</Setting>
				<Setting Name="ContextIdsList" Type="htf:list">
					<Setting Name="urn:InMemoryCache" Type="htf:map" >
							<Setting Name="ContextId" Type="xsd:string">urn:InMemoryCache</Setting>
							<Setting Name="ContextTypes" Type="htf:list">
								<Setting Name="LDAPContextType" Type="xsd:string">$context+inmem</Setting>
							</Setting>
							<Setting Name="ContextUris" Type="htf:list">
								<Setting Name="DefaultContextUri" Type="xsd:anyURI">urn:InMemoryCache</Setting>
							</Setting>
					</Setting>
				</Setting>
			</Setting>
		</Setting>

		<!-- The name of the class that provides the factory for the class that implements the IdASRegistry -->
		<Setting Name="IdASRegistry" Type="htf:classinstance">org.eclipse.higgins.idas.registry.IdASRegistry</Setting>

		<Setting Name="Roles" Type="htf:map">
		<!-- Root most role configuration element, should be located under the OtisConfiguration element -->
			<Setting Name="Assumable Roles" Type="htf:map">
			
				<Setting Name="Role Rule 1" Type="htf:map">
					<Setting Name="Enabled" Type="xsd:boolean">true</Setting>
					<Setting Name="EntityAttrs" Type="htf:list">
						<Setting Type="xsd:anyURI">http://www.bandit-project.org/ontologies/2008/otis/sampleroles</Setting>
					</Setting>
					<Setting Name="RoleInstantiation" Type="htf:jscriptexec">
									RESULT = new Packages.org.bandit.otis.impl.CommonRole(
										String(data));
									RESULT.addPropertyValue(Packages.org.bandit.otis.api.IRole.roleTypes, 
										attribute.getAttrID().toString());
					</Setting>
				</Setting>
			</Setting> <!-- End Assumable Roles -->
		</Setting> <!-- End Roles -->
	</Setting>
</Configuration>