Adding attributes and re-signing an existing SAML token by using the API

The SAML library API can be used to add attributes to, or delete attributes from, an unencrypted SAML token and then sign or re-sign the token. Whenever any operation modifies the SAML token object, an existing digital signature on that object is removed.

About this task

The following procedure describes how to modify an existing SAMLToken object and then apply a new digital signature to the token. This task does not show how to obtain the existing SAMLToken object. An existing SAMLToken object can come from an inbound SOAP message (through the LoginModule shared state), from SAML Web SSO (through the security subject), from an STS (by using the trust client), or it can be a self-issued token (created with the SAML API).

When the SAML API initializes the configuration objects, it obtains the configuration from SamlIssuerConfig.properties. You can either use the settings in SamlIssuerConfig.properties or override them. The following procedure shows how to override all of the settings in this file.

Procedure

  1. Clone the existing SAML token
    import java.util.ArrayList;
    import org.apache.axiom.om.OMElement;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
    import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
    import com.ibm.wsspi.wssecurity.saml.config.KeyInformationConfig;
    import com.ibm.wsspi.wssecurity.saml.config.KeyStoreConfig;
    import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
    import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
    import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
    import com.ibm.wsspi.wssecurity.wssapi.OMStructure;
    ....
    
    //someSamlToken is the existing SAMLToken object (obtained elsewhere, see "About this task")
    
    SAMLTokenFactory samlFactory = null;
    
    //initialize the desired SAML token factory (SAML 1.1 or SAML 2.0 assertion)
    //samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
    samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
    
    //clone the existing SAMLToken object if desired, so the original stays untouched
    SAMLToken mySamlToken = samlFactory.newSAMLToken(someSamlToken);
  2. Add attributes to, or delete attributes from, the token
    //add a single attribute
    SAMLAttribute sattribute1 = new SAMLAttribute("Purchases", new String[] {"TooMany"}, null, null, null, null);
    mySamlToken.addAttribute(sattribute1);
    
    //after this first addAttribute, there will not be a digital signature in the
    //token's XML.  Modifying the token invalidated the signature, so it was removed.
    
    //add a list of attributes
    SAMLAttribute sattribute2 = new SAMLAttribute("Address", new String[] {"Austin, Texas"}, null, null, "IBM NameFormat", "IBM FriendlyName");
    SAMLAttribute sattribute3 = new SAMLAttribute("Membership", new String[] {"Blue team", "Green Team"}, null, null, null, null);
    
    ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
    al.add(sattribute2);
    al.add(sattribute3);
    
    mySamlToken.addAttribute(al);
    
    //delete an attribute
    mySamlToken.deleteAttribute(sattribute3);
    ....
  3. Re-sign the SAML token.
    RequesterConfig reqData = null;
    
    //initialize the desired requester config (bearer or sender-vouches subject confirmation)
    //reqData = samlFactory.newSenderVouchesTokenGenerateConfig();
    reqData = samlFactory.newBearerTokenGenerateConfig();
    
    //initialize the provider config object with an issuer name
    ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("myIssuer");
    
    //Or preserve the existing issuer by setting the issuer URI to null
    //samlIssuerCfg.setIssuerURI(null);
    
    //set the keystore information for use with digital signature in the provider config object
    //(keystore type, keystore path, keystore password)
    KeyStoreConfig ksc = samlFactory.newKeyStoreConfig("jks", "/myx509.ks", "myx509");
    samlIssuerCfg.setKeyStoreConfig(ksc);
    
    //set the key information for use with digital signature in the provider config object
    //(signing key alias, key password, key name)
    KeyInformationConfig kic = samlFactory.newKeyInformationConfig("mySignAlias", "password", "CN=ME");
    samlIssuerCfg.setKeyInformationConfig(kic);
    
    //create a new SAMLToken object that is a signed clone of the input token
    SAMLToken myNewSamlToken = samlFactory.newSAMLToken(mySamlToken, reqData, samlIssuerCfg);
  4. Inspect the SAML token XML to see the modifications
    //get the SAML Assertion element
    OMElement samlElement = ((OMStructure) myNewSamlToken.getXML()).getNode();
    
    //convert the element to a String
    String xmlString = samlElement.toString();
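The procedure ends with the assertion XML as a string, and a practitioner usually wants to confirm two things from it: that the attributes added in step 2 are present, and that step 3 actually produced an enveloped signature again (step 2 removed the old one). The following check is an added example, not part of the WebSphere documentation or its SAML API; it uses only the JDK's DOM parser and operates on a constructed SAML 2.0 assertion string (SAMPLE_ASSERTION, a hypothetical stand-in for the xmlString of step 4, with a placeholder signature value). The class name and method names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class SamlAssertionCheck {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample (hypothetical, not produced by the WebSphere API), shaped like the
    // xmlString of step 4 after re-signing: Issuer, enveloped Signature, then the attributes.
    static final String SAMPLE_ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" ID=\"_constructed-id\" Version=\"2.0\">"
        + "<saml2:Issuer>myIssuer</saml2:Issuer>"
        + "<ds:Signature xmlns:ds=\"" + DSIG_NS + "\">"
        + "<ds:SignedInfo/><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>"
        + "<saml2:AttributeStatement>"
        + "<saml2:Attribute Name=\"Purchases\"><saml2:AttributeValue>TooMany</saml2:AttributeValue></saml2:Attribute>"
        + "<saml2:Attribute Name=\"Address\" NameFormat=\"IBM NameFormat\" FriendlyName=\"IBM FriendlyName\">"
        + "<saml2:AttributeValue>Austin, Texas</saml2:AttributeValue></saml2:Attribute>"
        + "</saml2:AttributeStatement>"
        + "</saml2:Assertion>";

    // Parse with DTD processing and entity expansion disabled; a token is externally supplied input.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // True only if a ds:Signature is a direct child of the root Assertion element,
    // i.e. the assertion's own enveloped signature, not a Signature buried somewhere else.
    static boolean hasEnvelopedSignature(Document doc) {
        NodeList children = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE
                    && DSIG_NS.equals(n.getNamespaceURI())
                    && "Signature".equals(n.getLocalName())) {
                return true;
            }
        }
        return false;
    }

    // Names of all saml2:Attribute elements, in document order.
    static List<String> attributeNames(Document doc) {
        List<String> names = new ArrayList<String>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML2_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            names.add(((Element) attrs.item(i)).getAttribute("Name"));
        }
        return names;
    }

    // Text of the first saml2:Issuer element, or null if none.
    static String issuer(Document doc) {
        NodeList iss = doc.getElementsByTagNameNS(SAML2_NS, "Issuer");
        return iss.getLength() == 0 ? null : iss.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE_ASSERTION);
        System.out.println("issuer     : " + issuer(doc));
        System.out.println("attributes : " + attributeNames(doc));
        System.out.println("re-signed  : " + hasEnvelopedSignature(doc));
    }
}
```

This is a structural check only: it tells you that the re-signing step ran and that the modified attributes landed in the assertion. Whether the signature is cryptographically valid over the current content is decided by the consuming side (the WS-Security runtime or the STS), which is also where a token that was modified after signing, and therefore carries no signature, gets rejected. Requiring the Signature to be a direct child of the Assertion, rather than accepting one found anywhere in the document, is the shape the SAML enveloped-signature profile expects.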

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twbs_addingattributesandresigningexistingSAMLtokens