An enterprise application can exchange a SAML 2.0 bearer assertion for an OAuth2 access token issued by the API Manager.
The following steps explain, one by one, how to obtain an OAuth2 token from a SAML2 assertion.
1. Configuring Trusted Identity Provider
Go to the Trusted Identity Provider configuration and create a new Trusted Identity Provider.
Figure 1: Trusted Identity Provider Configuration
1.1 Create the identity provider's public certificate
Create pem file from keystore:
Here, I have used the wso2carbon.jks file in {product_home}/repository/resources/security
keytool -exportcert -alias wso2carbon -storepass wso2carbon -keystore wso2carbon.jks -rfc -file test-user.pem
Now you can upload test-user.pem as the identity provider's public certificate.
2. Create OAuth Application
Create an application to manage OAuth tokens: Main --> OAuth
You can untick the Code and Implicit check boxes, since those grant types are not required for this flow.
Figure 2: OAuth Management Configuration
When you double-click the OAuth application, you can see its properties (client ID and client secret) like this:
3. SAML assertion creation
You can implement the SAML assertion creation in your own code, or download the sample SAMLAssertionCreator.jar from this location:
https://svn.wso2.org/repos/wso2/people/johann/SAML2-OAuth/
Run the jar as follows to create the SAML assertion string (the arguments are the user name, the issuer/audience URL, the recipient URL, the keystore, its password, the signing key alias and the key password):
java -jar SAML2AssertionCreator.jar SAML2AssertionCreator admin https://10.100.4.28:9443/oauth2/token https://10.100.4.28:9443/oauth2/token wso2carbon.jks wso2carbon wso2carbon wso2carbon
NOTE: JDK 1.7 is required to run the jar.
Now copy the SAML assertion string; you need it in the next step.
4. Generate an access token
4.1. Using the cURL command
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<generated-assertion>&scope=PRODUCTION" --basic -u "<client-id>:<client-secret>" -H "Content-Type: application/x-www-form-urlencoded" https://10.100.4.28:8243/oauth2/token
Note that -d sends the value as-is, so the Base64 assertion (which contains +, / and = characters) must be URL-encoded first, or passed with --data-urlencode as a separate parameter.
4.2. Using RESTClient
Tools --> RESTClient
Use the following parameters to create the POST request in RESTClient:
Figure 3: RESTClient request configuration
If you get a server_error response, the possible causes are:
1. the assertion has expired
2. incorrect or missing parameters
Tested only with API Manager 1.6.
The flow above works for IS 4.6 as well, but in step 4 the scope parameter is not required, since scope is used only by the API Manager.
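As an added example (not code from this post or from WSO2), the following shows the checks a token endpoint applies to a saml2-bearer assertion before issuing a token, which is what lies behind the server_error causes above, together with the properly URL-encoded request body for step 4. The sample assertion and the issuer name localhost are constructed; signature presence is checked, but cryptographic verification against the uploaded IdP certificate is left out.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DSIG_NS}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://10.100.4.28:9443/oauth2/token"  # endpoint used in the post
_t = lambda s: dt.datetime.fromisoformat(s.replace("Z", "+00:00"))  # ISO-8601 UTC -> aware datetime

def check_assertion(xml_text, trusted_issuer, token_endpoint, now_iso):
    """Return the reasons the token endpoint would reject this assertion
    (an empty list means it passes the issuer, subject, audience, time and signature checks)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["root element is not a SAML 2.0 Assertion"]
    problems = []
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_issuer:
        problems.append("issuer is not the configured trusted identity provider")
    if root.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("missing Subject/NameID")
    audiences = [a.text.strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if token_endpoint not in audiences:
        problems.append("token endpoint is not in AudienceRestriction")
    cond = root.find("saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after is None or _t(now_iso) >= _t(not_after):
        problems.append("assertion expired (NotOnOrAfter reached) or has no NotOnOrAfter")
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    return problems

def build_token_request(assertion_xml, scope="PRODUCTION"):
    """Form body for the grant: Base64 first, then URL-encoding so '+', '/' and '=' survive the POST."""
    b64 = base64.b64encode(assertion_xml.encode()).decode()
    return urlencode({"grant_type": GRANT_TYPE, "assertion": b64, "scope": scope})

# Constructed sample assertion (not from the post); the issuer name "localhost" is assumed.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" IssueInstant="2014-03-01T10:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <ds:Signature xmlns:ds="{DSIG_NS}"/>
  <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-03-01T10:00:00Z" NotOnOrAfter="2014-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Calling check_assertion(SAMPLE, "localhost", TOKEN_ENDPOINT, "2014-03-01T10:02:00Z") returns an empty list, while a time after NotOnOrAfter, a different issuer or the gateway URL (port 8243) as audience each return the corresponding rejection reason.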
Related reading:
http://shafreenanfar.blogspot.com/2014/02/exchanging-sml2-token-to-oauth2-token.html
https://docs.wso2.org/display/AM160/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2SAMLextensiongranttype
http://nallaa.wordpress.com/2013/04/04/saml2-bearer-assertion-profile-for-oauth-2-0-with-wso2-identity-server/