Creating a SAML holder-of-key token using the API
The SAML holder-of-key token extends the security token public interface in WebSphere® Application Server, and can be used as a protection token. WebSphere Application Server provides a SAML library API for SAML holder-of-key token creation.
About this task
SAML token creation requires three parameters:
- com.ibm.wsspi.wssecurity.saml.config.RequesterConfig
- com.ibm.wsspi.wssecurity.saml.config.ProviderConfig
- com.ibm.wsspi.wssecurity.saml.config.CredentialConfig
Procedure
Example
Use this sample code to create a SAML version 1.1 holder-of-key token using a secret key
(symmetric key) from the
subject.
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfoig ;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
RequesterConfig reqData = samlFactory.newSymmetricHolderOfKeyTokenGenerateConfig();
//Map "AppliesTo" to key alias, so library knows how to encrypt the Symmetric Key
reqData.setKeyAliasForAppliesTo("SOAPRecipient");
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig(IsserUri);
Subject subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
SAMLToken samlToken = samlFactory.newSAMLToken(subject, reqData, samlIssuerCfg);
Use this sample code to create a SAML version 2.0 holder-of-key token using a public key from the
subject:
//User expression on how SAML should be created, default provided
RequesterConfig reqData = samlFactory.newAsymmetricHolderOfKeyTokenGenerateConfig();
//Choose a public key to be included in SAML
reqData.setKeyAliasForRequester("SOAPInitiator");
//Get issuer key store so can sign or encrypt assertion, issuer name
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("any_issuer");
//Get JAAS Subject so the factory can populate principal and attributes to SAML
Subject subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
SAMLToken samlToken = samlFactory.newSAMLToken(subject, reqData, samlIssuerCfg);
Use this sample code to create a SAML version 2.0 holder-of-key token using a secret key
(symmetric
key):
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance (SAMLTokenFactory.WssSamlV20Token11);
RequesterConfig reqData = samlFactory. newSymmetricHolderOfKeyTokenGenerateConfig ();
//Map "AppliesTo" to key alias so library knows how to encrypt the Symmetric Key
reqData.setKeyAliasForAppliesTo("SOAPRecipient");
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig(null);
CredentialConfig cred = samlFactory.newCredentialConfig ();
cred.setRequesterNameID("any_name");
SAMLToken samlToken = samlFactory.newSAMLToken(subject, reqData, samlIssuerCfg);