Securing Web Services
Creating and Adding SAML Tokens
This chapter describes how to add a SAML token to the WS-Security header element.
With InterSystems IRIS SOAP support, you can add a SAML token to the WS-Security header element.
Alternatively, you can add a <SubjectConfirmation> with the Sender-vouches (SV) method; in this case, the subject does not include a key. To protect the assertion in this case, it is recommended that you add a security token reference from the message signature to the SAML token.
To create a SAML token and add it to outbound SOAP messages, you can use the basic procedure here or the variations described in the subsections.
- Optionally include the %soap.inc include file, which defines macros you might need to use.
- Get the InterSystems IRIS credential set (an instance of %SYS.X509Credentials) that you want to use. This credential set must contain your own certificate. For example:
Set x509alias = "servercred"
Set pwd = "mypassword"
Set credset = ##class(%SYS.X509Credentials).GetByAlias(x509alias,pwd)
- Create a binary security token that contains the certificate from this credential set. For example:
set bst=##class(%SOAP.Security.BinarySecurityToken).CreateX509Token(credset)
Where credset is the InterSystems IRIS credential set you created in the previous step.
- Add this token to the WS-Security header element. To do so, call the AddSecurityElement() method of the SecurityOut property of your web client or web service. For the method argument, use the token you just created. For example:
do ..SecurityOut.AddSecurityElement(bst)
- Create the SAML assertion, passing the binary security token as the argument to CreateX509(). For example:
set assertion=##class(%SAML.Assertion).CreateX509(bst)
- Set properties of the assertion as needed. For example, for IssueInstant, specify the date and time when this assertion is issued.
- You can confirm the subject with either the Holder-of-Key method or the Sender-vouches (SV) method.
- Add the SAML assertion to the WS-Security header element. To do so, call the AddSecurityElement() method of the SecurityOut property of your web client or web service. For the method argument, use the SAML token you created.
- Optionally sign the SAML assertion by adding a reference from the SOAP message signature to the SAML assertion. For example:
Set str=##class(%SOAP.Security.SecurityTokenReference).GetSAMLKeyIdentifier(assertion)
Set ref=##class(%XML.Security.Reference).CreateSTR(str.GetId())
Do signature.AddReference(ref)
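The basic procedure above, assembled into one web client method. This is an added example, not code from the InterSystems documentation or product: the class name, the credential alias "servercred" and its password, the issuer and subject names, and the %SAML.NameID property names (NameID, Format) are assumptions.

```objectscript
/// Added example (not InterSystems code): a web client that builds a holder-of-key
/// SAML assertion backed by our own X.509 certificate, adds it to the WS-Security
/// header, and binds it to the SOAP message signature.
Include %soap

Class Example.SAMLHolderOfKeyClient Extends %SOAP.WebClient
{

Method AddHolderOfKeyAssertion(x509alias As %String = "servercred", pwd As %String = "mypassword") As %Status
{
    // Credential set that holds our certificate and private key (alias assumed)
    Set credset = ##class(%SYS.X509Credentials).GetByAlias(x509alias, pwd)
    If '$IsObject(credset) Quit $$$ERROR($$$GeneralError, "credential set not found: "_x509alias)

    // <BinarySecurityToken> carrying the certificate; added to the header first so
    // that the assertion and the signature can refer to it
    Set bst = ##class(%SOAP.Security.BinarySecurityToken).CreateX509Token(credset)
    Do ..SecurityOut.AddSecurityElement(bst)

    // SAML assertion whose holder-of-key confirmation refers to that certificate
    Set assertion = ##class(%SAML.Assertion).CreateX509(bst)
    Set assertion.IssueInstant = $ZDATETIME($HOROLOG, 3, 7)   // current time as UTC xsd:dateTime

    // Issuer and subject names (property names assumed from the SAML 2.0 schema)
    Set issuer = ##class(%SAML.NameID).%New()
    Set issuer.NameID = "https://sts.example.test"            // assumed issuer URI
    Set assertion.Issuer = issuer
    Set nameid = ##class(%SAML.NameID).%New()
    Set nameid.NameID = "alice@example.test"                   // assumed subject
    Set nameid.Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    Set assertion.Subject.NameID = nameid

    // The assertion itself goes into the WS-Security header
    Do ..SecurityOut.AddSecurityElement(assertion)

    // Sign the message with the same certificate and add a reference from the
    // signature to the assertion, so a recipient that verifies the signature also
    // detects a replaced or altered assertion
    Set signature = ##class(%XML.Security.Signature).CreateX509(bst)
    Set str = ##class(%SOAP.Security.SecurityTokenReference).GetSAMLKeyIdentifier(assertion)
    Set ref = ##class(%XML.Security.Reference).CreateSTR(str.GetId())
    Do signature.AddReference(ref)
    Do ..SecurityOut.AddSecurityElement(signature)
    Quit $$$OK
}

}
```

Call the method before invoking a web method on the client; the order of the AddSecurityElement() calls matters, because the signature is built last and refers to elements that are already in the header.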
A <BinarySecurityToken> contains a certificate in serialized, base-64 encoded format. You can omit this token and instead use information that identifies the certificate; the recipient uses this information to retrieve the certificate from the appropriate location. To do so, use the preceding steps, with the following changes:
- In step 4, use the credential set (rather than a binary security token) as the first argument to CreateX509(). For example:
set assertion=##class(%SAML.Assertion).CreateX509(credset,referenceOption)
If you specify a credential set as the first argument (as we are doing in this variation), the default reference option is the thumbprint of the certificate.
To create an unsigned SAML assertion, use the preceding steps, with the following changes:
- For step 4, use the Create() method instead of CreateX509(). This method takes no arguments. For example:
set assertion=##class(%SAML.Assertion).Create()
- Create one or more instances of the appropriate statement classes:
- Specify properties of these instances as needed.
- For an attribute in an attribute statement, create a list that contains the attribute value instances.
- Set the AttributeValue property of your attribute object equal to this list. Or directly specify the AttributeValueOverride property. For the value, use the exact string (an XML mixed content string) needed for the value.
- Create a list that contains these statement instances.
- Set the Statement property of your assertion object equal to this list.
- Create an instance of %SAML.Subject.
- Set properties of the subject as needed.
- Set the Subject property of your assertion object equal to this instance.
- Obtain a credential set that contains the subject's certificate, or use the same credential set that you use to sign the assertion.
- Optionally create and then add a binary security token that contains the certificate associated with the given credential set. For example:
set bst=##class(%SOAP.Security.BinarySecurityToken).CreateX509Token(credset)
Where credset is the credential set you created in the previous step.
To add this token to the WS-Security header element, call the AddSecurityElement() method of the SecurityOut property of your web client or web service. For the method argument, use the token you just created.
- Call the AddX509Confirmation() method of the Subject property of your assertion object:
method AddX509Confirmation(credentials As %SYS.X509Credentials, referenceOption As %Integer) as %Status
- Set the NameID property of the Subject property of your SAML assertion object.
- Call the AddConfirmation() method of the Subject property of your assertion object:
method AddConfirmation(method As %String) as %Status
In this case, be sure to sign the SAML assertion to protect it.
- Obtain a credential set, or use the same credential set that you use to sign the assertion.
- Set the NameID property of the Subject property of your SAML assertion object.
- Call the AddEncryptedKeyConfirmation() method of the Subject property of your assertion object:
method AddEncryptedKeyConfirmation(credentials As %X509.Credentials) as %Status
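An unsigned assertion built with Create(), carrying one attribute statement and a Sender-vouches subject confirmation, as described in the statement, subject and confirmation steps above. This is an added example, not InterSystems code: the class and method names are invented, the %SAML.NameID and %SAML.Attribute property names (NameID, Format, Name, NameFormat, Attribute), the assumption that AddConfirmation() takes the confirmation-method URI as its string argument, and the assumption that AttributeValueOverride holds the content of the <AttributeValue> element are all unverified against the class reference. Because the Sender-vouches subject carries no key, the resulting assertion must still be added to the header and bound to the message signature exactly as in the last two steps of the basic procedure.

```objectscript
/// Added example (not InterSystems code): build an unsigned SAML assertion with an
/// attribute statement and a sender-vouches confirmation. Property names marked
/// "assumed" follow the SAML 2.0 schema and should be checked in the class reference.
Class Example.SAMLSenderVouches Extends %RegisteredObject
{

ClassMethod Build(subjectEmail As %String, role As %String, Output assertion As %SAML.Assertion) As %Status
{
    Set assertion = ##class(%SAML.Assertion).Create()
    Set assertion.IssueInstant = $ZDATETIME($HOROLOG, 3, 7)   // current time as UTC xsd:dateTime

    Set issuer = ##class(%SAML.NameID).%New()
    Set issuer.NameID = "https://sts.example.test"            // assumed issuer URI
    Set assertion.Issuer = issuer

    // One attribute statement with a single "role" attribute. The override is raw
    // XML mixed content (assumed: the content of <AttributeValue>), so the value
    // must be escaped or a role such as "<admin/>" would become markup.
    Set attr = ##class(%SAML.Attribute).%New()
    Set attr.Name = "role"
    Set attr.NameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
    Set attr.AttributeValueOverride = $ZCONVERT(role, "O", "XML")

    Set stmt = ##class(%SAML.AttributeStatement).%New()
    Do stmt.Attribute.Insert(attr)                             // list property, assumed name

    // List of statements, assigned to the Statement property of the assertion
    Set statements = ##class(%ListOfObjects).%New()
    Do statements.Insert(stmt)
    Set assertion.Statement = statements

    // Subject: a NameID plus a sender-vouches confirmation; the URI is the
    // standard SAML 2.0 confirmation method identifier
    Set subject = ##class(%SAML.Subject).%New()
    Set nameid = ##class(%SAML.NameID).%New()
    Set nameid.NameID = subjectEmail
    Set nameid.Format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    Set subject.NameID = nameid
    Set sc = subject.AddConfirmation("urn:oasis:names:tc:SAML:2.0:cm:sender-vouches")
    If $$$ISERR(sc) Quit sc
    Set assertion.Subject = subject
    Quit $$$OK
}

}
```

The escaping step is the point worth noting: with AttributeValueOverride the caller, not the XML writer, is responsible for making sure attribute values supplied by users cannot inject elements into the assertion.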
- When you sign the SAML assertion, create the signature as follows:
set sig=##class(%XML.Security.Signature).Create(assertion,$$$SOAPWSIncludeNone,$$$SOAPWSSAML)
Where assertion is the SAML assertion. Note that you use the Create() method in this scenario. The $$$SOAPWSSAML reference option creates a reference to the SAML assertion.
- Create a BinarySecret instance. For example:
set binsec=##class(%SOAP.WST.BinarySecret).Create()
- Call the AddBinarySecretConfirmation() method of the Subject property of your assertion object. For example:
set status=assertion.Subject.AddBinarySecretConfirmation(binsec)
For binsec, use the BinarySecret you created in the previous step.
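The BinarySecret confirmation and the matching signature call, placed in order in one method. This is an added example, not InterSystems code: the class name is invented, the client argument is assumed to be a %SOAP.WebClient whose SecurityOut the caller is about to send, and the issuer property name is assumed as in the other examples.

```objectscript
/// Added example (not InterSystems code): holder-of-key confirmation with a symmetric
/// BinarySecret, followed by a message signature that uses the key carried in the
/// assertion and references the assertion.
Include %soap

Class Example.SAMLBinarySecret Extends %RegisteredObject
{

ClassMethod AddToClient(client As %SOAP.WebClient) As %Status
{
    Set assertion = ##class(%SAML.Assertion).Create()
    Set assertion.IssueInstant = $ZDATETIME($HOROLOG, 3, 7)   // current time as UTC xsd:dateTime
    Set issuer = ##class(%SAML.NameID).%New()
    Set issuer.NameID = "https://sts.example.test"            // assumed issuer URI
    Set assertion.Issuer = issuer

    // Fresh secret; the subject confirmation carries it as the holder-of-key material
    Set binsec = ##class(%SOAP.WST.BinarySecret).Create()
    Set sc = assertion.Subject.AddBinarySecretConfirmation(binsec)
    If $$$ISERR(sc) Quit sc

    // The assertion must be in the header before the signature that refers to it
    Do client.SecurityOut.AddSecurityElement(assertion)

    // Create() with the assertion as the key source; $$$SOAPWSSAML makes the
    // signature's key reference point at the assertion. $$$SOAPWSIncludeNone
    // starts with no signed parts, so add the parts to protect explicitly;
    // here the assertion itself is covered by a security token reference.
    Set sig = ##class(%XML.Security.Signature).Create(assertion, $$$SOAPWSIncludeNone, $$$SOAPWSSAML)
    Set str = ##class(%SOAP.Security.SecurityTokenReference).GetSAMLKeyIdentifier(assertion)
    Set ref = ##class(%XML.Security.Reference).CreateSTR(str.GetId())
    Do sig.AddReference(ref)
    Do client.SecurityOut.AddSecurityElement(sig)

    // If the BinarySecret is sent in the clear inside the assertion, anyone who can
    // read the message can produce signatures with the same key; protect the
    // transport (TLS) or encrypt the assertion.
    Quit $$$OK
}

}
```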
- Create an instance of %SAML.Conditions.
- Specify properties of this instance as needed.
- Set the Conditions property of your assertion object equal to this instance.
- Create instances of one or more of the following classes:
- Specify properties of these instances as needed.
- Create a list that contains these advice instances.
- Set the Advice property of your assertion object equal to this list.
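Conditions are what let a relying party reject replayed or misdirected assertions, so the Conditions steps above are the ones worth a worked example. This is an added example, not InterSystems code: the class and method names are invented, and the property names NotBefore, NotOnOrAfter and Condition on %SAML.Conditions and Audience on %SAML.AudienceRestriction are assumed from the SAML 2.0 schema and should be confirmed in the class reference. The Advice steps are not covered here.

```objectscript
/// Added example (not InterSystems code): attach a short validity window and an
/// audience restriction to an assertion. Property names marked "assumed" follow
/// the SAML 2.0 schema.
Class Example.SAMLConditions Extends %RegisteredObject
{

/// Returns now + offsetSeconds as a UTC xsd:dateTime string ("YYYY-MM-DDThh:mm:ssZ")
ClassMethod UtcTime(offsetSeconds As %Integer = 0) As %String
{
    Set days = +$HOROLOG, secs = $PIECE($HOROLOG, ",", 2) + offsetSeconds
    // carry into the day part: $ZDATETIME expects 0 <= seconds < 86400
    While secs >= 86400 { Set days = days + 1, secs = secs - 86400 }
    While secs < 0 { Set days = days - 1, secs = secs + 86400 }
    Quit $ZDATETIME(days_","_secs, 3, 7)
}

/// lifetimeSeconds bounds how long the assertion stays usable; clockSkewSeconds
/// widens the window backwards to tolerate a recipient whose clock is behind ours.
ClassMethod AddConditions(assertion As %SAML.Assertion, audience As %String, lifetimeSeconds As %Integer = 300, clockSkewSeconds As %Integer = 60) As %Status
{
    If lifetimeSeconds <= 0 Quit $$$ERROR($$$GeneralError, "lifetime must be positive")
    If audience = "" Quit $$$ERROR($$$GeneralError, "audience is required")

    Set cond = ##class(%SAML.Conditions).%New()
    Set cond.NotBefore = ..UtcTime(-clockSkewSeconds)      // assumed property name
    Set cond.NotOnOrAfter = ..UtcTime(lifetimeSeconds)     // assumed property name

    // Restrict the assertion to the intended relying party, so that a service
    // other than "audience" does not accept it
    Set ar = ##class(%SAML.AudienceRestriction).%New()
    Do ar.Audience.Insert(audience)                        // assumed list property
    Do cond.Condition.Insert(ar)                           // assumed list property

    Set assertion.Conditions = cond
    Quit $$$OK
}

}
```

Keep the lifetime as short as the service's tolerance for clock drift allows; a window of minutes, combined with the audience restriction, limits what an intercepted assertion can be reused for.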
Content Date/Time: 2019-02-21 01:13:32