Sunday, March 16, 2014

SAML2.0 bearer token from OAuth2 - WSO2 API Manager 1.6


An enterprise application exchanges a SAML2.0 bearer token for an OAuth2 access token issued by the API Manager.



The following steps explain, step by step, how to obtain an OAuth2 access token from a SAML2 assertion.

1. Configuring Trusted Identity Provider
  
Open the Trusted Identity Provider configuration and create a new Trusted Identity Provider.

Figure 1 : Trusted Identity Provider Configuration



1.1 Create the identity provider public certificate


Create a PEM file from the keystore. Here I have used the wso2carbon.jks file in {product_home}/repository/resources/security:



keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -rfc -file test-user.pem



Now you can upload the test-user.pem file as the public certificate.



2. Create OAuth Application

Create an application to manage OAuth tokens: Main --> OAuth


You can untick the Code and Implicit check boxes, since those are not mandatory fields.



Figure 2: OAuth Management Configuration
When you double-click the OAuth app, you can see its properties like this:



3. SAML assertion creation


You can implement SAML assertion creation in your own code, or download the sample SAMLAssertionCreator.jar from this location:

https://svn.wso2.org/repos/wso2/people/johann/SAML2-OAuth/

Execute the jar as follows to create the SAML assertion string:


java -jar SAML2AssertionCreator.jar SAML2AssertionCreator admin https://10.100.4.28:9443/oauth2/token https://10.100.4.28:9443/oauth2/token wso2carbon.jks wso2carbon wso2carbon wso2carbon



NOTE: JDK 1.7 is required to execute the jar.



Now copy the SAML assertion string for the next step.



4. Generate an access token from the SAML assertion


4.1. Using Curl command



curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<to-be-replaced-generated-token>&scope=PRODUCTION" --basic -u "<to-be-replaced-client-id>:<to-be-replaced-client-secret>" -H "Content-Type: application/x-www-form-urlencoded" https://10.100.4.28:8243/oauth2/token


4.2. Using RESTClient



Tools -->RESTClient


You can use the following parameters to create the POST request in RESTClient:

Figure 3: RESTClient request configuration

You might get a server_error response; possible causes:

1. the assertion token has expired
2. incorrect or missing request parameters

Tested only for API Manager 1.6


The above flow works for IS 4.6 as well, but in step 4 the scope parameter is not required in the request, since the scope property is used only by the API Manager.
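Putting steps 3 and 4 together, here is an added Python example (not from this post, and not WSO2's code) that builds the same saml2-bearer token request the cURL command above sends, with the Basic credentials and the form encoding done explicitly, and that reads the assertion's Conditions/NotOnOrAfter before sending, since an expired assertion is the first server_error cause listed above. The endpoint URL, client credentials, function names and the embedded unsigned sample assertion are this example's own placeholders and constructions; the scope field is omitted when None, matching the IS 4.6 note.

```python
"""Exchange a SAML2 bearer assertion for an OAuth2 access token at a WSO2
token endpoint (grant_type urn:ietf:params:oauth:grant-type:saml2-bearer).
Added example, not the blog's code. Function names, the sample assertion and
the placeholder endpoint/credentials are this example's own assumptions."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed, unsigned, minimal assertion used only to exercise the expiry
# check offline. A real assertion comes from SAML2AssertionCreator.jar.
SAMPLE_ASSERTION_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Conditions NotBefore="2014-03-16T09:00:00Z" '
    'NotOnOrAfter="2014-03-16T10:00:00Z"/></saml:Assertion>'
)
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode()).decode()


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # Equivalent of curl's --basic -u "id:secret": base64 of "id:secret".
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(assertion: str, scope: Optional[str] = "PRODUCTION") -> dict:
    # Form fields of the saml2-bearer grant. scope is API Manager specific;
    # pass None against Identity Server, where it is not required.
    fields = {"grant_type": SAML2_BEARER, "assertion": assertion}
    if scope:
        fields["scope"] = scope
    return fields


def encode_form(fields: dict) -> str:
    # application/x-www-form-urlencoded: '+', '/' and '=' in a base64
    # assertion are percent-encoded so the form parser does not mangle them.
    return urllib.parse.urlencode(fields)


def assertion_not_on_or_after(assertion_param: str) -> Optional[str]:
    """Read Conditions/@NotOnOrAfter from the base64 assertion parameter.
    RFC 7522 sends the assertion base64url encoded; the jar's output is
    assumed to be standard base64, so both alphabets are tried."""
    padded = assertion_param + "=" * (-len(assertion_param) % 4)
    for decoder in (lambda s: base64.b64decode(s, validate=True),
                    base64.urlsafe_b64decode):
        try:
            root = ET.fromstring(decoder(padded))
            break
        except (ValueError, ET.ParseError):
            continue
    else:
        return None
    cond = root.find(f".//{SAML_NS}Conditions")
    return None if cond is None else cond.get("NotOnOrAfter")


def assertion_expired(assertion_param: str, now_iso: str) -> Optional[bool]:
    """True when NotOnOrAfter <= now (the first server_error cause in the
    post); None when the assertion carries no readable expiry."""
    stamp = assertion_not_on_or_after(assertion_param)
    if stamp is None:
        return None
    expiry = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return expiry <= now


def classify_token_response(status: int, body: str) -> str:
    # Turn the token endpoint's JSON reply into a short verdict for logging.
    try:
        data = json.loads(body)
    except ValueError:
        return "unparseable response"
    if not isinstance(data, dict):
        return "unparseable response"
    if status == 200 and "access_token" in data:
        return "ok"
    error = data.get("error", "unknown_error")
    if error == "server_error":
        return "server_error: check assertion expiry and request parameters"
    return error


def exchange_token(token_url, assertion, client_id, client_secret,
                   scope="PRODUCTION", verify_tls=True):
    """POST the grant and return (status, body). verify_tls=False mirrors
    curl -k and belongs only in a lab against a self-signed test server."""
    body = encode_form(build_token_request(assertion, scope)).encode("ascii")
    req = urllib.request.Request(token_url, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


if __name__ == "__main__":
    # Placeholders: replace with your gateway token URL and OAuth app credentials.
    status, body = exchange_token("https://localhost:8243/oauth2/token",
                                  SAMPLE_ASSERTION_B64, "<client-id>",
                                  "<client-secret>", verify_tls=False)
    print(status, classify_token_response(status, body))
```

Before calling exchange_token, run assertion_expired on the string the jar produced; if it already returns True, the request will fail regardless of the client credentials, which separates the two server_error causes the post lists.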



Related reading:



http://shafreenanfar.blogspot.com/2014/02/exchanging-sml2-token-to-oauth2-token.html
https://docs.wso2.org/display/AM160/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2SAMLextensiongranttype
http://nallaa.wordpress.com/2013/04/04/saml2-bearer-assertion-profile-for-oauth-2-0-with-wso2-identity-server/


Monday, January 13, 2014

WSO2 GREG 4.6.0 - Moving governed artifacts when promoting the lifecycles


These are the three registry spaces that keep configuration in all Carbon-platform-based WSO2 products.

  •     Local Repository : Used to store configuration and runtime data that is local to the server.
  •     Configuration Repository : Used to store product-specific configuration.
  •     Governance Repository : Used to store configuration and data that are shared across the whole platform. This typically includes services, service descriptions, endpoints or datasources, and can be browsed under /_system/governance in the registry browser.
        All service artifacts are stored in this repository according to the metadata type the user imports:
          WSDLs go to the /_system/governance/wsdls/ directory.
          Policies go to the /_system/governance/policies/ directory.
          Schemas go to the /_system/governance/schemas/ directory.

Here I explain the process flow for moving configuration directories within the Governance Repository when promoting lifecycles in the Governance Registry product.

 1. Configure the Life Cycle

Extensions --> Lifecycles

There you can modify the existing ServiceLifeCycle or add a new lifecycle using the DefaultLifeCycle class, as follows.

<aspect name="ServiceLifeCycle34" class="org.wso2.carbon.governance.registry.extensions.aspects.DefaultLifeCycle">
    <configuration type="literal">
        <lifecycle>
            <scxml xmlns="http://www.w3.org/2005/07/scxml"
                   version="1.0"
                   initialstate="Development">
                <state id="Development">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Code Completed" forEvent="">
                                <!--<permissions>
                                    <permission roles=""/>
                                </permissions>
                                <validations>
                                    <validation forEvent="" class="">
                                        <parameter name="" value=""/>
                                    </validation>
                                </validations>-->
                            </item>
                            <item name="WSDL, Schema Created" forEvent="">
                            </item>
                            <item name="QoS Created" forEvent="">
                            </item>
                        </data>
                        <data name="transitionExecution">
                            <execution forEvent="Promote" class="org.wso2.carbon.governance.registry.extensions.executors.ServiceVersionExecutor">
                                <parameter name="currentEnvironment" value="/_system/local/repository/components/{@resourcePath}/{@resourceName}"/>
                                <parameter name="targetEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
                                <parameter name="service.mediatype" value="application/vnd.wso2-service+xml"/>
                                <parameter name="wsdl.mediatype" value="application/wsdl+xml"/>
                                <parameter name="endpoint.mediatype" value="application/vnd.wso2.endpoint"/>
                            </execution>
                        </data>
                        <data name="transitionUI">
                            <ui forEvent="Promote" href="../lifecycles/pre_invoke_aspect_ajaxprocessor.jsp?currentEnvironment=/_system/governance/trunk/"/>
                        </data>
                        <!--<data name="transitionValidation">
                            <validation forEvent="" class="">
                                <parameter name="" value=""/>
                            </validation>
                        </data>
                        <data name="transitionPermission">
                            <permission forEvent="" roles=""/>
                        </data>
                        <data name="transitionScripts">
                            <js forEvent="">
                                <console function="">
                                    <script type="text/javascript">
                                    </script>
                                </console>
                                <server function="">
                                    <script type="text/javascript"></script>
                                </server>
                            </js>
                        </data>
                        <data name="transitionApproval">
                            <approval forEvent="Promote" roles="" votes="2"/>
                        </data>-->
                        <data name="transitionScripts">
                            <js forEvent="Promote">
                                <console function="showServiceList">
                                    <script type="text/javascript">
                                        showServiceList = function() {
                                            var element = document.getElementById('hidden_media_type');
                                            var mediaType = "";
                                            if (element) { mediaType = element.value; }
                                            if (mediaType == "application/vnd.wso2-service+xml") {
                                                location.href = unescape("../generic/list.jsp?region=region3%26item=governance_list_service_menu%26key=service%26breadcrumb=Services%26singularLabel=Service%26pluralLabel=Services");
                                            }
                                        }
                                    </script>
                                </console>
                            </js>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Testing"/>
                </state>
                <state id="Testing">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Effective Inspection Completed" forEvent="">
                            </item>
                            <item name="Test Cases Passed" forEvent="">
                            </item>
                            <item name="Smoke Test Passed" forEvent="">
                            </item>
                        </data>
                        <data name="transitionExecution">
                            <execution forEvent="Promote" class="org.wso2.carbon.governance.registry.extensions.executors.ServiceVersionExecutor">
                                <parameter name="currentEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
                                <parameter name="targetEnvironment" value="/_system/governance/branches/production/{@resourcePath}/{@version}/{@resourceName}"/>
                                <parameter name="service.mediatype" value="application/vnd.wso2-service+xml"/>
                                <parameter name="wsdl.mediatype" value="application/wsdl+xml"/>
                                <parameter name="endpoint.mediatype" value="application/vnd.wso2.endpoint"/>
                            </execution>
                            <execution forEvent="Demote" class="org.wso2.carbon.governance.registry.extensions.executors.DemoteActionExecutor">
                            </execution>
                        </data>
                        <data name="transitionUI">
                            <ui forEvent="Promote" href="../lifecycles/pre_invoke_aspect_ajaxprocessor.jsp?currentEnvironment=/_system/governance/branches/testing/"/>
                        </data>
                        <data name="transitionScripts">
                            <js forEvent="Promote">
                                <console function="showServiceList">
                                    <script type="text/javascript">
                                        showServiceList = function() {
                                            var element = document.getElementById('hidden_media_type');
                                            var mediaType = "";
                                            if (element) { mediaType = element.value; }
                                            if (mediaType == "application/vnd.wso2-service+xml") {
                                                location.href = unescape("../generic/list.jsp?region=region3%26item=governance_list_service_menu%26key=service%26breadcrumb=Services%26singularLabel=Service%26pluralLabel=Services");
                                            }
                                        }
                                    </script>
                                </console>
                            </js>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Production"/>
                    <transition event="Demote" target="Development"/>
                </state>
                <state id="Production">
                    <datamodel>
                        <data name="transitionExecution">
                            <execution forEvent="Demote" class="org.wso2.carbon.governance.registry.extensions.executors.DemoteActionExecutor">
                            </execution>
                            <execution forEvent="Publish" class="org.wso2.carbon.governance.registry.extensions.executors.apistore.ApiStoreExecutor">
                            </execution>
                        </data>
                    </datamodel>
                    <transition event="Publish" target="Published.to.APIStore"/>
                    <transition event="Demote" target="Testing"/>
                </state>
                <state id="Published.to.APIStore">
                </state>
            </scxml>
        </lifecycle>
    </configuration>
</aspect>


2. Modify Artifact location

 Change the currentEnvironment and targetEnvironment directories of each state (Development, Testing, Production) in the configuration as you need, specifying locations within the /_system/governance directory.

3. Create the Service

Then go to Main --> Metadata --> Add --> Service and create the service.

4. Assign the Life cycle

After saving the service, you can see the Add Lifecycle button within the Lifecycle area. If a lifecycle you do not want is already assigned, delete it and re-assign the lifecycle from the drop-down menu.

5. Moving Artifacts

 Now you can move the artifacts from currentEnvironment to targetEnvironment by clicking the Promote button within the lifecycle.
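To catch mistakes in step 2 before a Promote moves anything, here is an added Python example (not from this post and not part of the product) that statically checks a DefaultLifeCycle configuration: every transition target must be a defined state, each currentEnvironment/targetEnvironment must sit under /_system/governance as step 2 requires, the targetEnvironment of one state's Promote must equal the currentEnvironment of the next state's Promote, and each Promote should carry a transitionPermission or transitionApproval gate (the elements left commented out in the configuration above). The embedded lifecycle is a constructed sample with deliberate faults, and the function names are this example's own.

```python
"""Static checks for a WSO2 G-Reg DefaultLifeCycle SCXML configuration.
Added example, not part of the post or the product; the function names and
the embedded sample configuration are this example's own constructions."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SCXML_NS = "{http://www.w3.org/2005/07/scxml}"
GOVERNANCE_ROOT = "/_system/governance"

# Constructed sample with three deliberate faults: Development's Promote has no
# approval/permission gate, Testing promotes to the undefined state "Prod", and
# Testing's targetEnvironment points outside /_system/governance.
SAMPLE_LIFECYCLE = """<aspect name="ServiceLifeCycleDemo"
    class="org.wso2.carbon.governance.registry.extensions.aspects.DefaultLifeCycle">
  <configuration type="literal"><lifecycle>
    <scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initialstate="Development">
      <state id="Development"><datamodel>
        <data name="transitionExecution">
          <execution forEvent="Promote" class="org.wso2.carbon.governance.registry.extensions.executors.ServiceVersionExecutor">
            <parameter name="currentEnvironment" value="/_system/governance/trunk/{@resourcePath}/{@resourceName}"/>
            <parameter name="targetEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
          </execution>
        </data>
      </datamodel><transition event="Promote" target="Testing"/></state>
      <state id="Testing"><datamodel>
        <data name="transitionExecution">
          <execution forEvent="Promote" class="org.wso2.carbon.governance.registry.extensions.executors.ServiceVersionExecutor">
            <parameter name="currentEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
            <parameter name="targetEnvironment" value="/_system/local/branches/production/{@resourcePath}/{@version}/{@resourceName}"/>
          </execution>
        </data>
        <data name="transitionApproval"><approval forEvent="Promote" roles="admin" votes="1"/></data>
      </datamodel><transition event="Promote" target="Prod"/><transition event="Demote" target="Development"/></state>
      <state id="Production"/>
    </scxml>
  </lifecycle></configuration>
</aspect>"""


def check_lifecycle(xml_text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    states = {s.get("id"): s for s in root.iter(f"{SCXML_NS}state")}
    findings: List[str] = []
    promote_params: Dict[str, Dict[str, str]] = {}

    for sid, state in states.items():
        for tr in state.findall(f"{SCXML_NS}transition"):
            event, target = tr.get("event"), tr.get("target")
            if target not in states:
                findings.append(f"{sid}: transition '{event}' targets undefined state '{target}'")
            # A gate exists when a transitionPermission or transitionApproval
            # entry names this event.
            gated = any(
                el.get("forEvent") == event
                for name in ("transitionPermission", "transitionApproval")
                for el in state.findall(f".//{SCXML_NS}data[@name='{name}']/*")
            )
            if event == "Promote" and not gated:
                findings.append(f"{sid}: Promote has no transitionPermission or transitionApproval gate")

        exec_path = f".//{SCXML_NS}data[@name='transitionExecution']/{SCXML_NS}execution"
        for ex in state.findall(exec_path):
            params = {p.get("name"): p.get("value") for p in ex.findall(f"{SCXML_NS}parameter")}
            for key in ("currentEnvironment", "targetEnvironment"):
                val = params.get(key)
                if val is not None and not val.startswith(GOVERNANCE_ROOT + "/"):
                    findings.append(f"{sid}: {key} '{val}' is outside {GOVERNANCE_ROOT}")
            if ex.get("forEvent") == "Promote":
                promote_params[sid] = params

    # Chain consistency: where this state promotes to must be where the next
    # state promotes from, otherwise the second Promote moves nothing.
    for sid, params in promote_params.items():
        tr = states[sid].find(f"{SCXML_NS}transition[@event='Promote']")
        nxt = tr.get("target") if tr is not None else None
        if nxt in promote_params:
            if promote_params[nxt].get("currentEnvironment") != params.get("targetEnvironment"):
                findings.append(f"{sid} -> {nxt}: targetEnvironment does not match {nxt}'s currentEnvironment")
    return findings


if __name__ == "__main__":
    for finding in check_lifecycle(SAMPLE_LIFECYCLE):
        print(finding)
```

Run it against the aspect XML copied from Extensions --> Lifecycles before saving; a clean configuration returns no findings, and the gate check is the one to keep an eye on when a Promote leads into Production.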