Sunday, March 16, 2014

SAML2.0 bearer token from OAuth2 - WSO2 API Manager 1.6

An enterprise application can exchange a SAML2.0 bearer assertion for an OAuth2 access token issued by the API Manager (the SAML2 bearer grant type).

The following steps explain, step by step, how to obtain an OAuth2 access token from a SAML2 assertion.

1. Configuring a Trusted Identity Provider
Open the Trusted Identity Provider configuration and create a new Trusted Identity Provider. The name you give it must match the Issuer of the SAML assertions you send later.

Figure 1 : Trusted Identity Provider Configuration

1.1 Create the identity provider public certificate

Create a PEM file from the keystore.
Here I have used the wso2carbon.jks file in {product_home}/repository/resources/security (keystore password wso2carbon):

keytool -exportcert -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file test-user.pem

Now you can upload the test-user.pem file as the public certificate of the Trusted Identity Provider. Only the certificate (public key) is uploaded; the private key stays in the keystore.

2. Create OAuth Application

Create an application to manage OAuth tokens: Main --> OAuth

You can untick the Code and Implicit check boxes, since those grant types are not needed for this flow.

Figure 2: OAuth Management Configuration
When you double-click the OAuth app, you can see its properties (client ID and client secret) like this:

3. SAML assertion creation

You can implement the SAML assertion creation in your own code, or you can download the sample SAML2AssertionCreator.jar from this location.

Run the jar as follows to create the SAML assertion string:

java -jar SAML2AssertionCreator.jar SAML2AssertionCreator admin wso2carbon.jks wso2carbon wso2carbon wso2carbon

NOTE: JDK 1.7 is required to run the jar.

Now copy the SAML assertion string (the base64-encoded, signed assertion) for the next step.

4. Use the following request to generate an access token

4.1. Using Curl command

curl -k --basic -u "<to-be-replaced-client-id>:<to-be-replaced-client-secret>" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer" \
     --data-urlencode "assertion=<to-be-replaced-generated-assertion>" \
     -d "scope=PRODUCTION" \
     https://localhost:8243/token

The last argument is the token endpoint, which is https://localhost:8243/token on a default API Manager installation. The assertion is passed with --data-urlencode rather than -d because the base64 string contains '+', '/' and '=' characters that must be percent-encoded in a form body; sent raw, a '+' arrives as a space and the assertion fails to decode.

4.2. Using RESTClient

Tools -->RESTClient

You can use the following parameters to create the POST request in RESTClient:
Figure 3: RESTClient request configuration

You might get a server_error response. Possible causes:

1. the assertion has expired (its NotOnOrAfter condition has passed)
2. incorrect or missing request parameters
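The two checks a practitioner wants before sending the request in step 4 are whether the assertion is still inside its validity window and whether the form body is encoded correctly. The following Python script is an added example, not code from the original post or from WSO2: it parses a constructed, unsigned sample assertion, runs the local checks that precede signature verification (issuer matches the Trusted Identity Provider name from step 1, NotBefore/NotOnOrAfter contain the current time, audience matches), and builds the exact POST body and Basic Authorization header that the curl command above sends. The token endpoint URL, the issuer name "trusted-idp" and the audience value are assumptions for the example; replace them with your own values.

```python
# Added example (not from the original post or from WSO2): offline helper for the
# SAML2 bearer grant flow. Endpoint, issuer and audience values are assumptions.
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://localhost:8243/token"  # assumed default API Manager endpoint

# Constructed, unsigned sample assertion. A real one from SAML2AssertionCreator is
# signed; the Issuer is assumed to equal the Trusted Identity Provider name (step 1).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2014-03-16T10:00:00Z">'
    "<saml:Issuer>trusted-idp</saml:Issuer>"
    "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2014-03-16T10:00:00Z" NotOnOrAfter="2014-03-16T10:05:00Z">'
    "<saml:AudienceRestriction><saml:Audience>https://localhost:8243/token</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions>"
    "</saml:Assertion>"
)


def parse_saml_instant(value: str) -> dt.datetime:
    """Parse a SAML UTC timestamp such as 2014-03-16T10:00:00Z into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {value!r}")
    return dt.datetime.fromisoformat(value[:-1] + "+00:00")


def check_assertion(assertion_xml: str, expected_issuer: str, expected_audience: str, now_iso: str) -> list:
    """Return a list of problems; an empty list means the local checks pass.

    These mirror what a token endpoint checks before (or alongside) the signature:
    trusted issuer, validity window containing 'now', matching audience, a subject.
    """
    problems = []
    ns = {"saml": SAML_NS}
    now = parse_saml_instant(now_iso)
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return ["root element is not saml:Assertion"]
    issuer = (root.findtext("saml:Issuer", default="", namespaces=ns) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    if root.find("saml:Subject/saml:NameID", ns) is None:
        problems.append("no subject NameID")
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        problems.append("no saml:Conditions element")
        return problems
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_instant(not_before):
        problems.append(f"assertion not yet valid (NotBefore={not_before})")
    if not_on_or_after and now >= parse_saml_instant(not_on_or_after):
        problems.append(f"assertion has expired (NotOnOrAfter={not_on_or_after})")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", ns) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: {audiences} does not contain {expected_audience!r}")
    return problems


def build_token_request(token_endpoint: str, assertion_xml: str, client_id: str,
                        client_secret: str, scope=None) -> dict:
    """Build the POST request of step 4: form body plus Basic client credentials.

    urlencode() percent-encodes '+', '/' and '=' inside the base64 assertion, which is
    what curl's --data-urlencode does and plain -d does not. Pass scope=None for IS 4.6.
    """
    assertion_b64 = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    params = [("grant_type", SAML2_BEARER_GRANT), ("assertion", assertion_b64)]
    if scope is not None:
        params.append(("scope", scope))
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode(params),
    }


def assertion_from_body(body: str) -> str:
    """Decode the assertion back out of a form body (what the server side does first)."""
    fields = urllib.parse.parse_qs(body, strict_parsing=True)
    return base64.b64decode(fields["assertion"][0]).decode("utf-8")


if __name__ == "__main__":
    print("problems:", check_assertion(SAMPLE_ASSERTION, "trusted-idp", TOKEN_ENDPOINT, "2014-03-16T10:02:00Z"))
    req = build_token_request(TOKEN_ENDPOINT, SAMPLE_ASSERTION, "client-id", "client-secret", scope="PRODUCTION")
    print(req["headers"]["Authorization"])
    print(req["body"][:100] + "...")
```

Run the checker against the string that SAML2AssertionCreator printed (after base64-decoding it) before troubleshooting a server_error: an expired or not-yet-valid window and a wrong issuer or audience are the causes you can rule out locally, without the server's logs.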

Tested only on API Manager 1.6.

The above flow works for IS 4.6 as well, but in step 4 the scope parameter is not required, since scope is used only by the API Manager.

Related reading: