You can request an external security token service (STS)
to issue SAML tokens with the holder-of-key subject confirmation method
and a symmetric key that is encrypted for a target service. Use the Java API for XML-Based Web Services
(JAX-WS) programming model and Web Services Security APIs (WSS APIs)
to complete this task.
Before you begin
This task assumes that you are familiar with the JAX-WS
programming model, the WSS API interfaces, SAML concepts, and the
use of policy sets to configure and administer web services settings.
Complete the following actions before you begin this task:
- Read about propagating self-issued SAML holder-of-key tokens with
symmetric key by using WSS APIs.
- Become familiar with using embedded key materials in SAML tokens
for message protection by using WSS APIs. Your usage scenario requires
requesting SAML tokens from an external STS instead of using self-issued
SAML tokens.
- Read about requesting SAML sender-vouches tokens from an external
STS to propagate by using WSS APIs with message level protection.
- Read about requesting SAML sender-vouches tokens from an external
STS to propagate by using WSS APIs with transport level protection.
- Read about requesting SAML bearer tokens from an external STS
to propagate by using WSS APIs with transport level protection.
- Be familiar with accessing an external STS by using WSS APIs.
About this task
This task shows example code to request SAML tokens from
an external STS, with holder-of-key subject confirmation method and
embedded symmetric key that is encrypted for the target service by
using WSS APIs. This task focuses on sending a WS-Trust request message
to an external STS to request SAML holder-of-key tokens with symmetric
keys.
Procedure
- Specify an STS from which to request a SAML security token
that contains the holder-of-key subject confirmation method; for example:

    // Obtain the WSS API factory and the contexts the trust client uses
    // to protect and consume the WS-Trust exchange with the STS
    com.ibm.websphere.wssecurity.wssapi.WSSFactory factory =
        com.ibm.websphere.wssecurity.wssapi.WSSFactory.getInstance();
    WSSGenerationContext gencont1 = factory.newWSSGenerationContext();
    WSSConsumingContext concont1 = factory.newWSSConsumingContext();

    // Properties passed to the SAML callback handler
    HashMap<Object, Object> cbackMap1 = new HashMap<Object, Object>();
    cbackMap1.put(SamlConstants.STS_ADDRESS, "https://www.example.com/sts"); // STS URL
    cbackMap1.put(SamlConstants.SAML_APPLIES_TO, "http://myhost:9080/myService"); // Target service
    cbackMap1.put(IssuedTokenConfigConstants.TRUST_CLIENT_SOAP_VERSION, "1.1");
    cbackMap1.put(IssuedTokenConfigConstants.TRUST_CLIENT_WSTRUST_NAMESPACE,
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
    cbackMap1.put(IssuedTokenConfigConstants.TRUST_CLIENT_COLLECTION_REQUEST,
        "true"); // RST or RSTC
    cbackMap1.put(SamlConstants.TOKEN_TYPE,
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
    cbackMap1.put(SamlConstants.CONFIRMATION_METHOD, "holder-of-key");

To request a holder-of-key SAML security token from the STS, you must
specify whether to embed a symmetric key or a public key by way of
a KeyType element in the trust request. This example
requires the symmetric key type, as shown in the next step.
- Specify the symmetric key to be embedded in SAML security
tokens; for example:

    // KeyType selects an STS-generated symmetric key rather than a public key
    cbackMap1.put(SamlConstants.KEY_TYPE,
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey");

    // The callback handler drives the WS-Trust request using the contexts above
    SAMLGenerateCallbackHandler cbHandler1 = new SAMLGenerateCallbackHandler(cbackMap1);
    cbHandler1.setWSSConsumingContextForTrustClient(concont1);
    cbHandler1.setWSSGenerationContextForTrustClient(gencont1);

    // Request the token through the system.wss.generate.saml JAAS login configuration
    SecurityToken samlToken = factory.newSecurityToken(SAMLToken.class,
        cbHandler1, "system.wss.generate.saml");

The requested SAML token contains a symmetric key that is encrypted for
the target service. The STS also returns the unencrypted symmetric
key through the WS-Trust RequestedProofToken element, as in the following example:

    <wst:RequestedProofToken>
      <wst:BinarySecret
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="_27325D34CE4BCC83141288966548620">n68rFQba+XTZLNBfEc4prg==</wst:BinarySecret>
    </wst:RequestedProofToken>

The RequestedProofToken element is shown here for your information. The
detailed processing is not exposed to users of the WSS APIs. The
RequestedProofToken element and the symmetric key are handled by the
Web Services Security runtime environment, or more precisely by the
SAMLGenerateLoginModule that is specified in the system.wss.generate.saml
JAAS login configuration.
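The two procedure steps above, combined into one reusable helper, as an added example that is not code from the original topic or from IBM. The class name HolderOfKeyTokenRequester, the method names, and the package names chosen for SamlConstants and IssuedTokenConfigConstants are assumptions; only the WSSFactory, context, callback-handler and token classes and the constants used in the steps above come from the topic. The HTTPS check is also ours: the STS hands the clear symmetric key back in RequestedProofToken, so the example treats a TLS-protected STS address as the confidentiality protection for the trust exchange. If your STS policy instead encrypts the RequestedProofToken at message level, drop that check.

```java
import java.util.HashMap;
import java.util.Locale;

import com.ibm.websphere.wssecurity.callbackhandler.SAMLGenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
// Assumed package names for the two constants classes; verify against the
// API reference of your WebSphere release if they do not resolve.
import com.ibm.wsspi.wssecurity.core.config.IssuedTokenConfigConstants;
import com.ibm.wsspi.wssecurity.saml.config.SamlConstants;

/**
 * Added example, not part of the original topic: requests a SAML 2.0
 * holder-of-key token whose symmetric key the STS encrypts for the target
 * service, using the same callback properties as the procedure steps.
 */
public class HolderOfKeyTokenRequester {

    private static final String WST13_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    private static final String SYMMETRIC_KEY_TYPE = WST13_NS + "/SymmetricKey";
    private static final String SAML_GENERATE_JAAS_CONFIG = "system.wss.generate.saml";

    /**
     * @param stsAddress STS endpoint, for example https://www.example.com/sts
     * @param appliesTo  target service for which the STS encrypts the symmetric key
     */
    public static SAMLToken request(String stsAddress, String appliesTo) throws WSSException {
        // The STS returns the unencrypted proof key in wst:RequestedProofToken, so the
        // trust request must travel over a confidentiality-protected channel (assumption:
        // TLS on the STS address is that protection in this deployment).
        if (!stsAddress.toLowerCase(Locale.ROOT).startsWith("https://")) {
            throw new IllegalArgumentException("STS address must use HTTPS: " + stsAddress);
        }

        WSSFactory factory = WSSFactory.getInstance();
        // Contexts the trust client uses to protect and consume the WS-Trust exchange
        WSSGenerationContext trustGenCtx = factory.newWSSGenerationContext();
        WSSConsumingContext trustConCtx = factory.newWSSConsumingContext();

        HashMap<Object, Object> props = new HashMap<Object, Object>();
        props.put(SamlConstants.STS_ADDRESS, stsAddress);
        props.put(SamlConstants.SAML_APPLIES_TO, appliesTo);
        props.put(IssuedTokenConfigConstants.TRUST_CLIENT_SOAP_VERSION, "1.1");
        props.put(IssuedTokenConfigConstants.TRUST_CLIENT_WSTRUST_NAMESPACE, WST13_NS);
        props.put(IssuedTokenConfigConstants.TRUST_CLIENT_COLLECTION_REQUEST, "true"); // RSTC
        props.put(SamlConstants.TOKEN_TYPE, SAML20_TOKEN_TYPE);
        props.put(SamlConstants.CONFIRMATION_METHOD, "holder-of-key");
        // KeyType: ask the STS for a symmetric key rather than a public key
        props.put(SamlConstants.KEY_TYPE, SYMMETRIC_KEY_TYPE);

        SAMLGenerateCallbackHandler handler = new SAMLGenerateCallbackHandler(props);
        handler.setWSSConsumingContextForTrustClient(trustConCtx);
        handler.setWSSGenerationContextForTrustClient(trustGenCtx);

        // The SAMLGenerateLoginModule behind this JAAS configuration sends the RST,
        // consumes the RSTR and keeps the proof key; callers only see the token.
        SecurityToken token =
            factory.newSecurityToken(SAMLToken.class, handler, SAML_GENERATE_JAAS_CONFIG);
        if (!(token instanceof SAMLToken)) {
            throw new IllegalStateException("STS login did not produce a SAMLToken");
        }
        return (SAMLToken) token;
    }

    public static void main(String[] args) throws WSSException {
        // Constructed sample values; replace with your STS and target service
        SAMLToken saml = request("https://www.example.com/sts", "http://myhost:9080/myService");
        System.out.println("Received holder-of-key SAML token: " + saml);
    }
}
```

The helper returns the SAMLToken so that the caller can add it to a WSSGenerationContext for signing the application request, which is the part covered by the “Propagating self-issued SAML holder-of-key tokens with symmetric key by using WSS APIs” topic rather than by this one.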
Results
You have learned the key building blocks for requesting SAML
tokens with the holder-of-key subject confirmation method and a symmetric
key from an external STS by using WSS APIs. To use the SAML token
to sign request messages, review the example code in the “Propagating
self-issued SAML holder-of-key tokens with symmetric key by using
WSS APIs” topic.