public abstract class SAMLTokenFactory
extends java.lang.Object
This API is used for the creation of SAML security tokens conforming to the SAML v1.1
and SAML v2.0 standards (both versions of the token are supported). Subject confirmation can be based
on holder-of-key (symmetric or public key), bearer, or sender-vouches. Users can create and validate tokens,
or use them to authenticate the token holder.
The code snippets shown below demonstrate how to use this API to generate and validate SAML tokens
as defined in:
OASIS Web Services Security: SAML Token Profile 1.1.
In these samples it is assumed that the ProviderConfig instance is created from a JVM system property,
com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath, in a Java client environment.
This JVM property specifies a property file that contains the default values of the ProviderConfig object.
In the Application Server runtime environment, the default values of the ProviderConfig object are defined by
an SAMLIssuerConfig.properties file under the cell level or server level config directory.
Generating a SAML 2.0 bearer token with an explicit NameID and attributes:

```java
import java.util.ArrayList;

import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;

SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

// 1. Create a RequesterConfig object for bearer subject confirmation.
RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
// Set the authentication method that the requester authenticated with. This is an optional parameter.
reqData.setAuthenticationMethod("Password");

// 2. Create a CredentialConfig object which contains a NameID and Attributes in the assertion.
CredentialConfig cred = samlFactory.newCredentialConfig();
// Create a SAMLNameID object for the SAMLTokenFactory to generate a NameID (SAML 2.0)
// or NameIdentifier (SAML 1.1) in the assertion.
SAMLNameID samlNameId = new SAMLNameID("alice@websphere",
        "urn:oasis:names:tc:SAML:1.0:assertion#emailAddress", null, null, null);
cred.setSAMLNameID(samlNameId);
// Create SAMLAttribute objects for the SAMLTokenFactory to generate Attributes in the assertion.
SAMLAttribute sattribute = new SAMLAttribute("Address", new String[] {"Austin, Texas"},
        null, "IBM WebSphere namespace", null, null);
ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
al.add(sattribute);
sattribute = new SAMLAttribute("Membership", new String[] {"Blue team", "Green Team"},
        null, null, null, null);
al.add(sattribute);
cred.setSAMLAttributes(al);

// 3. Create a ProviderConfig object which specifies the key store for SAML signing
//    and encryption, the expiration time, and the issuer logical name.
//    Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath
//    is set in a Java client environment, or the default SAMLIssuerConfig.properties is updated
//    in the Application Server runtime environment.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("WebSphere Self Issuer");

SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
```
Generating a SAML 2.0 holder-of-key token with a public key, and attaching the matching private key so the token can sign SOAP message elements:

```java
import java.security.Key;
import java.security.KeyStore;

import com.ibm.websphere.wssecurity.wssapi.WSSUtilFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig;
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;

SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

// 1. Create a RequesterConfig object for holder-of-key confirmation with a public key.
RequesterConfig reqData = samlFactory.newAsymmetricHolderOfKeyTokenGenerateConfig();
// Set the authentication method that the requester authenticated with. This is an optional parameter.
reqData.setAuthenticationMethod("Password");

// 2. Create a CredentialConfig object which contains a NameID.
CredentialConfig cred = samlFactory.newCredentialConfig();
// Create a SAMLNameID object for the SAMLTokenFactory to generate a NameID (SAML 2.0)
// or NameIdentifier (SAML 1.1) in the assertion.
SAMLNameID samlNameId = new SAMLNameID("alice@websphere",
        "urn:oasis:names:tc:SAML:1.0:assertion#emailAddress", null, null, null);
cred.setSAMLNameID(samlNameId);

// 3. Create a ProviderConfig object which specifies the key store and key for signing the
//    SAML token. The object is initialized with the settings from SAMLIssuerConfig.properties.
//    The public certificate placed in the SAML HoK assertion comes from the trust store
//    configured on the trustStore property in SAMLIssuerConfig.properties.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("WebSphere Self Issuer");

// 4. (Optional) To use a keystore and key other than those set in SAMLIssuerConfig.properties,
//    reset the keystore, trust store and alias information on the ProviderConfig object.
//    Paths and passwords below are sample values.
// Create the key information config for the private key.
KeyInformationConfig kic = SAMLTokenFactory.newKeyInformationConfig("private_key", "keypass", "CN=Private");
// Create the key store config.
KeyStoreConfig ksc = SAMLTokenFactory.newKeyStoreConfig("jks", "/keystores/myKeystore.ks", "storepass");
// Set the keystores and the signing key on the SAML issuer config object.
samlIssuerCfg.setKeyStoreConfig(ksc);    // keystore that holds the private key
samlIssuerCfg.setTrustStoreConfig(ksc);  // keystore that holds the public key
samlIssuerCfg.setKeyInformationConfig(kic);

// 5. In the RequesterConfig object, specify the alias of the public certificate to put in the
//    HoK assertion. This alias must exist in the trust store configured in the previous step
//    (or in SAMLIssuerConfig.properties) and must not require a password. The certificate must
//    match the private key configured in the previous step. Because this entry is read without
//    a password it cannot be the same alias as the private key entry above; it must be a separate
//    entry in the keystore that holds only the public key information for that private key.
reqData.setKeyAliasForRequester("public_cert");

// 6. Create the token.
SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);

// 7. Add the private key to the token so that the token can be used to sign elements in a
//    SOAP message (and to decrypt material encrypted to the certificate in the assertion).
// Get the private key.
WSSUtilFactory wssufactory = WSSUtilFactory.getInstance();
KeyStore ks = wssufactory.getKeyStore("jks", "/keystores/myKeystore.ks", "storepass".toCharArray());
Key privateKey = ks.getKey("private_key", "keypass".toCharArray());
// Add the private key to the token. setKey is on the implementation class rather than
// on the SecurityToken interface, hence the cast.
((com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl) samlToken)
        .setKey(SecurityToken.SIGNING_KEY, privateKey);
((com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl) samlToken)
        .setKey(SecurityToken.DECRYPTING_KEY, privateKey);
```
Generating a SAML 2.0 bearer token from the identity in the RunAs subject, and obtaining the assertion as XML:

```java
import javax.security.auth.Subject;

import org.apache.axiom.om.OMElement;

import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;

SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

// 1. Create a RequesterConfig object for bearer subject confirmation.
RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();

// 2. Create a CredentialConfig object.
//    runAsSubject is the javax.security.auth.Subject of the current caller (obtained elsewhere,
//    for example from WSSubject.getRunAsSubject()). This step assumes a SAMLToken exists on the
//    RunAsSubject: the SAMLTokenFactory copies the existing SAML NameID and attributes from that
//    token to the new SAMLToken. If there is no SAMLToken in the RunAsSubject, the new SAMLToken
//    is created using the user security identity from the WSPrincipal object in the RunAsSubject.
CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);

// 3. Create a ProviderConfig object which specifies the key store for SAML signing
//    and encryption, the expiration time, and the issuer logical name.
//    Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath
//    is set in a Java client environment, or the default SAMLIssuerConfig.properties is updated
//    in the Application Server runtime environment.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server");

SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);

// Get the SAML assertion in XML form.
OMElement samlXML = ((OMStructure) samlToken.getXML()).getNode();
```
Generating a SAML 1.1 holder-of-key token with a symmetric key that is encrypted for the recipient, using the identity in the RunAs subject:

```java
import javax.security.auth.Subject;

import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;

SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);

// 1. Create a RequesterConfig object for holder-of-key confirmation with a symmetric key.
RequesterConfig reqData = samlFactory.newSymmetricHolderOfKeyTokenGenerateConfig();
// Set the recipient's key alias, so the secret key can be encrypted for the recipient.
reqData.setKeyAliasForAppliesTo("SOAPRecipient");
// Set the authentication method that the requester authenticated with. This is an optional parameter.
reqData.setAuthenticationMethod("Password");

// 2. Create a CredentialConfig object.
//    runAsSubject is the javax.security.auth.Subject of the current caller (obtained elsewhere,
//    for example from WSSubject.getRunAsSubject()). This step assumes a SAMLToken exists on the
//    RunAsSubject: the SAMLTokenFactory copies the existing SAML NameID and attributes from that
//    token to the new SAMLToken. If there is no SAMLToken in the RunAsSubject, the new SAMLToken
//    is created using the user security identity from the WSPrincipal object in the RunAsSubject.
CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);

// 3. Create a ProviderConfig object which specifies the key store for SAML signing
//    and encryption, the expiration time, and the issuer logical name.
//    Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath
//    is set in a Java client environment, or the default SAMLIssuerConfig.properties is updated
//    in the Application Server runtime environment.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server");

SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
```
Validating and parsing a received SAML 1.1 assertion:

```java
import java.io.InputStream;

import com.ibm.websphere.wssecurity.wssapi.XMLStructure;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;

SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);

// Create a ConsumerConfig object for SAML validation and parsing.
ConsumerConfig samlConsumerCfg = samlFactory.newConsumerConfig();
// The following method calls are required if SAML tokens or embedded keys are encrypted:
// the trust store holds the recipient's decryption key.
KeyStoreConfig tsc = SAMLTokenFactory.newKeyStoreConfig("jceks", "recipient.jceks", "storepass");
samlConsumerCfg.setTrustStoreConfig(tsc);

// Use one of the following statements to create the SAMLToken. samlXml (an XMLStructure) and
// samlInputStream (an InputStream) hold the received assertion and are obtained elsewhere.
// If you have the assertion in XMLStructure format (samlXml):
SAMLToken samlTokenFromXML = samlFactory.newSAMLToken(samlConsumerCfg, samlXml);
// If you have the assertion available as an InputStream (samlInputStream); the caller is
// responsible for closing the stream:
SAMLToken samlTokenFromInputStream = samlFactory.newSAMLToken(samlConsumerCfg, samlInputStream);
```
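The consumer call above verifies and decrypts the assertion with the keys in the ConsumerConfig, but the relying party still owns the policy decision: is the issuer one it trusts, is the assertion inside its validity window, and does the confirmation method match how the token arrived (a bearer assertion accepted where holder-of-key proof is required skips the proof-of-possession step entirely). The following is an added example, not code from this page or from WebSphere, that wraps those checks around newSAMLToken(ConsumerConfig, XMLStructure). It assumes the SAMLToken accessors getSAMLIssuerName(), getSamlCreated(), getSamlExpires() (returning java.util.Date), getConfirmationMethod() (returning the confirmation method URI) and getSAMLNameID(); the trusted-issuer set, the clock-skew tolerance and the expected confirmation URI are illustrative inputs chosen here.

```java
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.XMLStructure;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;

/** Relying-party checks on a consumed SAML assertion (added example, not part of the API). */
public final class SamlAssertionChecker {

    // Subject confirmation method URIs defined by the SAML 2.0 Profiles specification.
    // (SAML 1.1 tokens use the urn:oasis:names:tc:SAML:1.0:cm:* equivalents.)
    public static final String CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    public static final String CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
    public static final String CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";

    private final SAMLTokenFactory factory;
    private final ConsumerConfig consumerCfg;
    private final Set<String> trustedIssuers; // assumption: issuer names this relying party accepts
    private final long clockSkewMillis;       // assumption: tolerance applied to the validity window

    public SamlAssertionChecker(String tokenType, KeyStoreConfig decryptionStore,
                                Set<String> trustedIssuers, long clockSkewMillis) throws WSSException {
        this.factory = SAMLTokenFactory.getInstance(tokenType);
        this.consumerCfg = factory.newConsumerConfig();
        if (decryptionStore != null) {
            // Only needed when the assertion or its embedded key is encrypted for us.
            consumerCfg.setTrustStoreConfig(decryptionStore);
        }
        this.trustedIssuers = new HashSet<String>(trustedIssuers);
        this.clockSkewMillis = clockSkewMillis;
    }

    /**
     * Parses and cryptographically validates the assertion through the factory (its WSSException
     * propagates), then applies relying-party policy. Policy failures throw SecurityException so
     * a rejected token can never be returned to the caller.
     */
    public SAMLToken consume(XMLStructure assertionXml, String expectedConfirmationMethod)
            throws WSSException {
        SAMLToken token = factory.newSAMLToken(consumerCfg, assertionXml);

        // 1. A valid signature proves who signed, not that we trust them: enforce an issuer allow-list.
        String issuer = token.getSAMLIssuerName();
        if (issuer == null || !trustedIssuers.contains(issuer)) {
            throw new SecurityException("Untrusted SAML issuer: " + issuer);
        }

        // 2. Validity window with bounded skew. A missing expiry is rejected: never accept an
        //    assertion that cannot expire.
        long now = System.currentTimeMillis();
        Date created = token.getSamlCreated();
        Date expires = token.getSamlExpires();
        if (expires == null || expires.getTime() + clockSkewMillis <= now) {
            throw new SecurityException("SAML assertion expired or has no expiry: " + expires);
        }
        if (created != null && created.getTime() - clockSkewMillis > now) {
            throw new SecurityException("SAML assertion not yet valid: " + created);
        }

        // 3. The confirmation method must be the one this binding expects. Bearer where HoK is
        //    required drops proof of possession; sender-vouches where bearer is expected means
        //    trusting the intermediary that vouched.
        String cm = token.getConfirmationMethod();
        if (cm == null || !cm.equals(expectedConfirmationMethod)) {
            throw new SecurityException("Unexpected confirmation method: " + cm
                    + " (expected " + expectedConfirmationMethod + ")");
        }

        // 4. Without a subject identifier there is nothing to map to a local principal.
        if (token.getSAMLNameID() == null) {
            throw new SecurityException("SAML assertion carries no NameID");
        }
        return token;
    }
}
```

A typical call is `checker.consume(samlXml, SamlAssertionChecker.CM_HOLDER_OF_KEY)` on an endpoint whose policy requires holder-of-key, with the same instance reused across requests since the ConsumerConfig does not change. Checks the factory already performs are repeated here deliberately; the cost is negligible and the relying-party policy stays visible in one place.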
Re-signing an existing SAML 2.0 token with a different key, and optionally a different issuer:

```java
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig;
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;

SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

// 1. Create a RequesterConfig object, either for bearer confirmation ...
RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
// ... or for sender-vouches confirmation:
// RequesterConfig reqData = samlFactory.newSenderVouchesTokenGenerateConfig();

// 2. Create a ProviderConfig object which specifies the key store and key for SAML signing.
//    The object is initialized with the settings from SAMLIssuerConfig.properties; the issuer
//    name passed here is used unless it is overridden in step 4 or 5.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("WebSphere Self Issuer");

// 3. (Optional) To use keystore and/or key properties other than those set in
//    SAMLIssuerConfig.properties, reset the keystore and key information on the ProviderConfig.
KeyStoreConfig ksc = SAMLTokenFactory.newKeyStoreConfig("jks",
        "$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender.ks", "client");
samlIssuerCfg.setKeyStoreConfig(ksc);
KeyInformationConfig kic = SAMLTokenFactory.newKeyInformationConfig("soaprequester", "client", "SOAPRequester");
samlIssuerCfg.setKeyInformationConfig(kic);

// 4. (Optional) To use issuer name/format values other than the ones in SAMLIssuerConfig.properties:
samlIssuerCfg.setIssuerURI("myIssuerURI");
samlIssuerCfg.setIssuerFormat("myIssuerFormat"); // only supported on SAML 2.0 tokens

// 5. (Optional) To keep the original token's issuer on the re-signed token (for example when it
//    differs from the issuer in SAMLIssuerConfig.properties), set the issuer URI to null.
//    Note that the consumer of the re-signed token then has to trust this signing key for an
//    issuer name that is not ours.
samlIssuerCfg.setIssuerURI(null);

// Create a new SAML token that is a clone of the original but carries a new signature.
// originalSamlToken is the SAMLToken to be re-signed, obtained elsewhere.
SAMLToken resignedSamlToken = samlFactory.newSAMLToken(originalSamlToken, reqData, samlIssuerCfg);
```
Modifier and Type | Field and Description |
---|---|
static java.security.SecurityPermission | GET_NEWCREDENTIALCONFIG_PERM |
static java.security.SecurityPermission | GET_NEWSAMLTOKEN_PERM |
static java.security.SecurityPermission | GET_NEWSUBJECT_PERM |
static java.lang.String | WssSamlV11Token11 This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory. |
static java.lang.String | WssSamlV20Token11 This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory. |
Constructor and Description |
---|
SAMLTokenFactory() |
Modifier and Type | Method and Description |
---|---|
static SAMLTokenFactory | getInstance(java.lang.String valueType) Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0). |
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newAsymmetricHolderOfKeyTokenGenerateConfig() Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token with holder-of-key subject confirmation using a public key. |
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newBearerTokenGenerateConfig() Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain the bearer type of subject confirmation. |
abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig | newConsumerConfig() Create an empty ConsumerConfig to validate, decrypt, and parse a SAML assertion. |
abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig | newCredentialConfig() Create a CredentialConfig that encapsulates two main attributes: a SAML Name Identifier for the requester, and a SAML list of attributes for the requester. |
abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig | newCredentialConfig(javax.security.auth.Subject subject) Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes. |
abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig | newDefaultProviderConfig(java.lang.String stsUri) Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer. |
static com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig | newKeyInformationConfig(java.lang.String alias, java.lang.String keyPass, java.lang.String keyName) Create a KeyInformationConfig that encapsulates KeyInformation configuration attributes. |
static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig | newKeyStoreConfig(java.lang.String ksRef) Create a KeyStoreConfig that encapsulates KeyStore configuration attributes from a keystore reference name. |
static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig | newKeyStoreConfig(java.lang.String type, java.lang.String path, java.lang.String password) Create a KeyStoreConfig that encapsulates KeyStore configuration attributes: type, location and password. |
abstract SAMLToken | newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, java.io.InputStream in) Create a SAMLToken object based on an InputStream for a SAML XML document. |
abstract SAMLToken | newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, XMLStructure xml) Create a SAMLToken object based on an existing SAML XML document. |
abstract SAMLToken | newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) Create a SAMLToken object based on the passed-in CredentialConfig, RequesterConfig and ProviderConfig objects (see the methods above for content details). |
abstract SAMLToken | newSAMLToken(SAMLToken aSAMLToken) Create a SAMLToken object that is a clone of the input SAMLToken object. |
abstract SAMLToken | newSAMLToken(SAMLToken aSAMLToken, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) Create a SAMLToken object based on the input SAMLToken and new signature data. |
abstract SAMLToken | newSAMLToken(javax.security.auth.Subject subject, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) Create a SAMLToken object based on a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details). |
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newSenderVouchesTokenGenerateConfig() Create a default RequesterConfig object to build a SAML assertion that contains sender-vouches as the subject confirmation. |
abstract javax.security.auth.Subject | newSubject(SAMLToken aSAMLToken) Create a JAAS subject based on the SAMLToken object's principal name, which is the NameID or NameIdentifier of the SAML assertion. |
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newSymmetricHolderOfKeyTokenGenerateConfig() Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token with holder-of-key subject confirmation using a secret key. |
public static final java.security.SecurityPermission GET_NEWCREDENTIALCONFIG_PERM
public static final java.security.SecurityPermission GET_NEWSAMLTOKEN_PERM
public static final java.security.SecurityPermission GET_NEWSUBJECT_PERM
public static final java.lang.String WssSamlV11Token11
This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.
public static final java.lang.String WssSamlV20Token11
This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.
public static SAMLTokenFactory getInstance(java.lang.String valueType) throws WSSException
Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0).
Parameters:
valueType - a string that specifies the version level for the token. It can only have one of these values: WssSamlV11Token11 or WssSamlV20Token11.
Returns:
a SAMLTokenFactory implementation that supports the specified token type.
Throws:
WSSException - if there is no SAMLTokenFactory class that supports the specified token type.

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newBearerTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain the bearer type of subject confirmation.
Returns:
a RequesterConfig object to build a SAML assertion with bearer confirmation.

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSenderVouchesTokenGenerateConfig()
Create a default RequesterConfig object to build a SAML assertion that contains sender-vouches as the subject confirmation.
Returns:
a RequesterConfig object to build a SAML assertion with sender-vouches confirmation.

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. The resulting token will contain the holder-of-key type of subject confirmation using a secret (symmetric) key.
Returns:
a RequesterConfig object to build a holder-of-key SAML assertion with the SymmetricKey KeyType.

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newAsymmetricHolderOfKeyTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. The resulting token will contain the holder-of-key type of subject confirmation using a public key.
Returns:
a RequesterConfig object to build a holder-of-key SAML assertion with the asymmetric KeyType.

public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig(javax.security.auth.Subject subject) throws WSSException
Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes. This object is created in preparation for using the SAML token creation methods (see below).
Parameters:
subject - contains the principal name and possibly the attributes of the requester.
Returns:
a CredentialConfig object that can be used to create a SAML assertion. The CredentialConfig is populated with the Name Identifier of the requester and possibly with the SAML attributes of a SAML token found in the private credential list of the subject. If subject is null, this method returns null.
Throws:
WSSException
public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig() throws WSSException
Create a CredentialConfig that encapsulates two main attributes: a SAML Name Identifier for the requester, and a SAML list of attributes for the requester.
Returns:
an empty CredentialConfig object that can be used to populate the NameID and the attributes for a requester when creating a SAML token (see below).
Throws:
WSSException
See Also:
com.ibm.wsspi.wssecurity.saml.config.CredentialConfig for how to use the setter methods to populate the returned object.

public abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig newDefaultProviderConfig(java.lang.String stsUri) throws WSSException
Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer.
Parameters:
stsUri - a String that represents the SAML issuer in a SAML assertion. For WebSphere self-issued tokens this parameter can assume any value, for example WebSphereSelfIssuer.
Returns:
a ProviderConfig that encapsulates the issuer configuration: the key store and key for SAML signing and encryption, the token expiration time, and the issuer name. In order to change the configuration parameters for the provider in the WebSphere environment you need to edit $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/sts/SAMLIssuerConfig.properties for the cell level. At the server level: $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/nodes/$NODENAME/servers/$SERVERNAME/SAMLIssuerConfig.properties
Throws:
WSSException
public static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String type, java.lang.String path, java.lang.String password) throws WSSException
Create a KeyStoreConfig that encapsulates KeyStore configuration attributes. For example, in a WebSphere installation one can set the type to JKS and point to the keyStore using parameter strings like the following:
"JKS", "$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender.ks", "sampleapp"
Parameters:
type - a String that represents the type of the KeyStore
path - a String that represents the KeyStore file name
password - a String that represents the KeyStore password
Returns:
a KeyStoreConfig that encapsulates the following attributes: the type, location, and password.
Throws:
WSSException

public static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String ksRef) throws WSSException
Create a KeyStoreConfig that encapsulates KeyStore configuration attributes. For example, in a WebSphere installation one can use a reference to the default keystore with a parameter string like:
"name=NodeDefaultKeyStore managementScope=(cell):sampleNode01Cell:(node):sampleNode01"
Parameters:
ksRef - a String that represents the KeyStore reference name
Returns:
a KeyStoreConfig that encapsulates the KeyStore reference name.
Throws:
WSSException
public abstract SAMLToken newSAMLToken(javax.security.auth.Subject subject, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) throws WSSException
Create a SAMLToken object based on the passed-in parameters, which include a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details).
This method copies the contents of the original SAML token, if one exists in the Subject, to the new SAML token: the NameId or NameIdentifier, the SAML Attributes, and the AuthenticationMethod. The new SAML token's namespace, issuer, signing certificate, confirmation method and encryption key, timestamp, and lifetime are determined by the ProviderConfig and RequesterConfig parameters.
When the Subject does not contain an existing SAMLToken object, this method creates a new SAML token using the WSPrincipal name as the NameId or NameIdentifier. No other attribute is copied from the Subject to the new SAMLToken when there was no SAML token in the Subject parameter.
Use the newSAMLToken(CredentialConfig cred, RequesterConfig request, ProviderConfig providerConfig) method if you need to add SAML Attributes to the new SAMLToken.
Parameters:
subject - is mapped to the NameIdentifier and attributes in the SAML assertion.
request - contains data that describes what kind of assertion should be created.
providerConfig - describes the issuer, such as the signing KeyInfo and encryption KeyInfo.
Returns:
a SAMLToken, which can then be bound to a secure service request.
Throws:
WSSException - if the required key and certificate cannot be found, or upon other configuration problems.

public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) throws WSSException
Create a SAMLToken object based on the passed-in CredentialConfig, RequesterConfig and ProviderConfig objects (see the methods above for content details).
Parameters:
cred - contains the principal and attributes that will be included in the SAML assertion.
request - contains data that describes what kind of assertion should be created.
providerConfig - describes the issuer, such as the signing KeyInfo and encryption KeyInfo.
Returns:
a SAMLToken
Throws:
WSSException - if the specified SAMLToken class cannot be found, or the required key and certificate cannot be found, or upon other configuration problems.
public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, XMLStructure xml) throws WSSException
Create a SAMLToken object based on an existing SAML XML document. This method can be used to validate the XML structure representing the SAML token.
Parameters:
consumer - contains the key information associated with the recipient of the token. This information is used to verify and/or decrypt the SAML XML document.
xml - a SAML XML document.
Returns:
a SAMLToken that can be used to initiate service requests.
Throws:
WSSException - if key and certificate information cannot be found, or upon other configuration problems.

public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, java.io.InputStream in) throws WSSException
Create a SAMLToken object based on an InputStream for a SAML XML document. This method may be used to validate the InputStream representing the SAML token.
Parameters:
consumer - contains the key information associated with the recipient of the token. This information is used to verify and/or decrypt the SAML XML document.
in - an InputStream corresponding to a serialized SAML token. The programmer is responsible for closing the stream accordingly.
Returns:
a SAMLToken that can be used to initiate service requests.
Throws:
WSSException - if key and certificate information cannot be found, or upon other configuration problems.
public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) throws WSSException
Create a SAMLToken object based on the input SAMLToken and new signature data. The new token is a clone of the original token with the signature element removed and a new signature added based on the input credentials.
The issuer name and format in the ProviderConfig object default to the values in the SamlIssuerConfig.properties file when the newDefaultProviderConfig method is invoked. The issuer and issuer format in the new token are set to the values in the ProviderConfig object unless the issuerURI is set to null. Setting the issuerURI to null retains the issuer of the original token: ProviderConfig.setIssuerURI(null)
This method is typically used to re-sign a token after its contents have been changed, for example with SAMLToken.addAttribute and SAMLToken.deleteAttribute. This method cannot be used with an encrypted SAMLToken.
Parameters:
aSAMLToken - contains the original SAMLToken to be re-signed
request - contains data that describes what kind of assertion should be created.
providerConfig - describes the issuer, such as the signing KeyInfo and encryption KeyInfo.
Returns:
a SAMLToken that can be used to initiate service requests.
Throws:
WSSException
public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken)
Create a SAMLToken object that is a clone of the input SAMLToken object.
Parameters:
aSAMLToken - the SAMLToken to copy
Returns:
a SAMLToken that can be used to initiate service requests.

public abstract javax.security.auth.Subject newSubject(SAMLToken aSAMLToken) throws WSSException
Create a JAAS subject based on the SAMLToken object's principal name, which is the NameId or NameIdentifier attribute of the SAML Assertion Specification.
This method looks up the user security name and group membership data from the configured user registry using the SAMLToken principal name. The SAMLToken object is added to the Subject's PrivateCredentials.
None of the individual SAMLToken attributes are copied into the new subject.
The lifetime of the new subject is determined by the LTPA timeout configuration and is independent of the SAMLToken lifetime.
Parameters:
aSAMLToken - contains a named principal and attributes.
Throws:
WSSException
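Because newSubject() copies none of the SAML attributes onto the Subject, an authorization decision that depends on them has to read them from the SAMLToken that newSubject() places in the Subject's private credentials. The following is an added example, not code from this page or from WebSphere, that shows that pattern: it maps a previously validated token to a Subject, confirms the token was attached as a private credential, and reads attribute values back from it. It assumes the SAMLToken accessor getSAMLAttributes() (returning a java.util.List of SAMLAttribute) and the SAMLAttribute accessors getName() and getStringAttributeValue() (returning String[]); check those signatures against the SAMLToken and SAMLAttribute pages for your level.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import javax.security.auth.Subject;

import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;

/** Maps a validated SAMLToken to a JAAS Subject and reads attributes back (added example). */
public final class SamlSubjectMapper {

    /**
     * Builds the Subject with newSubject(). The NameID must resolve in the configured user
     * registry, otherwise the factory reports a WSSException. The Subject's lifetime follows the
     * LTPA timeout, not the assertion's NotOnOrAfter, so callers that need the assertion's own
     * expiry must keep checking the token, not the Subject.
     */
    public static Subject toSubject(SAMLTokenFactory factory, SAMLToken validatedToken) throws WSSException {
        Subject subject = factory.newSubject(validatedToken);
        // The token is expected to travel with the Subject as a private credential; fail loudly if not,
        // because every attribute lookup below depends on it.
        Set<SAMLToken> tokens = subject.getPrivateCredentials(SAMLToken.class);
        if (tokens.isEmpty()) {
            throw new IllegalStateException("newSubject() did not attach the SAMLToken as a private credential");
        }
        return subject;
    }

    /**
     * Returns all values of the named SAML attribute found on SAMLTokens in the Subject's private
     * credentials. Returns an empty list, never null, when the attribute is absent, so a missing
     * "Membership" attribute grants nothing rather than causing a NullPointerException in the caller.
     */
    public static List<String> attributeValues(Subject subject, String attributeName) {
        List<String> values = new ArrayList<String>();
        for (SAMLToken token : subject.getPrivateCredentials(SAMLToken.class)) {
            List<SAMLAttribute> attrs = token.getSAMLAttributes();
            if (attrs == null) {
                continue;
            }
            for (SAMLAttribute attr : attrs) {
                if (!attributeName.equals(attr.getName())) {
                    continue;
                }
                String[] attrValues = attr.getStringAttributeValue();
                if (attrValues != null) {
                    for (String v : attrValues) {
                        values.add(v);
                    }
                }
            }
        }
        return values;
    }

    /** Convenience check for group-style attributes, e.g. hasAttributeValue(s, "Membership", "Blue team"). */
    public static boolean hasAttributeValue(Subject subject, String attributeName, String expected) {
        return attributeValues(subject, attributeName).contains(expected);
    }
}
```

Use this only on a token that has already passed signature, issuer, validity and confirmation-method checks; newSubject() establishes a local identity from the NameID and does not repeat those checks for you.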
public abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig newConsumerConfig() throws WSSException
Create an empty ConsumerConfig to validate, decrypt, and parse a SAML assertion.
Throws:
WSSException
See Also:
com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig for how to set the consumer's keyStore and trustStore information on the newly created ConsumerConfig object.

public static com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig newKeyInformationConfig(java.lang.String alias, java.lang.String keyPass, java.lang.String keyName) throws WSSException
Create a KeyInformationConfig that encapsulates KeyInformation configuration attributes.
Parameters:
alias - a String that represents the alias of the key
keyPass - a String that represents the password for the key
keyName - a String that represents the name for the key
Returns:
a KeyInformationConfig that encapsulates the following attributes: the alias, keyPass, and keyName.
Throws:
WSSException