9 replies. Latest post 2013-10-25T17:20:59Z by KrithikaPrakash
npwagner1

SAML 2.0 post to client web application

2011-02-03T22:37:12Z
An external app needs a SAML 2.0 token posted in the name/value pairs of the web application to authenticate. Is there any way for DataPower to act as a SAML creator, where you send a request to it and it returns a valid SAML 2.0 token to post to the external application? Kind of a weird use case, but I wanted to get input from the community on this.
Updated on 2012-11-01T17:05:31Z by BrunoD
  • SystemAdmin

    Re: SAML 2.0 post to client web application

    2011-02-21T22:04:51Z in response to npwagner1
    Hi,
    I guess when you authenticate and authorize the incoming request using the AAA object, you can choose the Process Metadata object; after the AAA policy is done, you can enable SAML assertion ON in the Post Processing policy.
  • SystemAdmin

    Re: SAML 2.0 post to client web application

    2011-02-22T16:43:06Z in response to npwagner1
    In releases prior to 3.8.1 we were able to generate the SAML within the AAA policy's post-processing step, but we were not able to include a SAML AttributeStatement.

    The SAML feature was implemented before parts of the SAML specification were finalized, hence it is outdated. The SAML assertion that the old releases supported has only a limited format of SAML authentication assertion; DP cannot generate other types of assertion or a SAML response by default. Many SAML optional settings defined by the standard, especially the SAML attributes for SSO, are very critical for some use cases, but DataPower lacks support for many optional features. With the previous releases, the customer has to program with XSL stylesheets, which is neither easy nor efficient; it is very inflexible too, as the customized SAML message could not be signed freely on the DP device. When DP works as a SAML message consumer, if the token issuer's system clock is slower than the standard, DataPower does not process the SAML 2.0 attributes correctly; neither does it enforce the SAML 2.0 message validation completely. This presentation contains the features to correctly handle all the listed limitations.

    Regards,

    Kumar
  • PacoGomez

    Re: SAML 2.0 post to client web application

    2012-04-05T12:44:00Z in response to npwagner1
    Nicholas,
    Did you achieve your goal?

    We want to use our XI50 DataPower to issue an SSO SAML 2.0 token to Google Apps, after validating the request with our LDAP. I think it is a situation similar to yours, and I am interested in knowing if it worked for you.

    Thanks a lot for any information about viability.

    Regards.
    • SystemAdmin

      Re: SAML 2.0 post to client web application

      2012-10-16T03:29:53Z in response to PacoGomez
      Have any of you been able to achieve the goal of POSTing SAML to an external application provider? We're looking to do this, but so far with no luck.

      Thanks
      Srini
  • BrunoD

    Re: SAML 2.0 post to client web application

    2012-11-01T17:05:31Z in response to npwagner1
    Anybody achieved this? I'm trying to integrate Google Apps with DataPower too.
  • belenkiy

    Re: SAML 2.0 post to client web application

    2013-10-25T05:34:32Z in response to npwagner1

    We are trying to implement the same scenario with JIVE, using XI52 v6.0.0.2, but it seems that this SAML feature is missing.

    Anybody?

    • HermannSW

      Re: SAML 2.0 post to client web application

      2013-10-25T07:59:23Z in response to belenkiy

      In the v6.0.0.0 release notes
      http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m0/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2FrelnotesXI.html

      you will find that SAML 2.0 is supported under "Supported standards and protocols"->"Security policy enforcement".

      Hermann

      • belenkiy

        Re: SAML 2.0 post to client web application

        2013-10-25T08:58:39Z in response to HermannSW

        Hi Hermann,

        Thanks for your answer!

        SAML 2.0 specifies a Web Browser SSO Profile involving an identity provider (IdP) and a service provider (SP).

        The login scenario looks like this:

        1. The user (browser) accesses the customer's personal JIVE web app.
        2. In case authentication is needed, the web app responds with an HTTP redirect to the Identity Provider (IdP). In our case this should be the DataPower.
        3. The user fills in username and password in the form received from the IdP and submits it.
        4. The IdP authenticates the credentials and, in case of success, generates a SAML v2 SSO Response and sends it back to the browser.
        5. The browser redirects back to the customer's JIVE web app.

        A pretty good description of this scenario is located in Google Developers or in Wikipedia under the SP POST Request; IdP POST Response section.

        How can this scenario be implemented by DataPower acting as IdP?

        Thanks in advance,

        Gosha

        • KrithikaPrakash

          Re: SAML 2.0 post to client web application

          2013-10-25T17:20:59Z in response to belenkiy

          It should be doable. You can configure the DataPower AAA action to do "HTML forms-based authentication" in the EI step, configure AU and AZ as required for your environment, and in AAA PP enable "Generate SAML assertion or response" and choose "SAML response with assertion" for the parameter "SAML protocol or profile". For the "Wrap up result" parameter, I believe you can configure it to "output directly".

          This should generate the SAML response with an assertion.