4 replies Latest Post - ‏2013-01-09T04:49:13Z by SystemAdmin
SystemAdmin
Pinned topic DataPower AAA Policy Resolve SAML Artifact Request

‏2012-11-28T17:15:37Z |
Hi,

Does anyone know how to change the Issuer value in the following SAML Artifact Resolve request, which is sent by the DataPower AAA policy to retrieve the SAML assertion identified by the SAML Artifact received as an identity in the request URL? By default DataPower is using 'XS' as the issuer. I would like to override this value with the service provider identity URL that is created in the OpenSSO circle of trust as a remote service provider. I am using the SAML 2.0 Web Browser SSO Profile with HTTP-REDIRECT. I can achieve this using custom XSLT files, but I would like to use the built-in feature of the AAA policy. This is for an IdP-initiated single sign-on request.

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dp="http://www.datapower.com/schemas/management">
  <SOAP:Body>
    <samlp2:ArtifactResolve xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="IDdfac88d3-bed9-431a-b8aa-2993c167c95c" IssueInstant="2012-11-28T13:54:39Z">
      <saml2:Issuer>XS</saml2:Issuer> <!-- this is the value I want to change -->
      <samlp2:Artifact>AAQAAEHxTvWUy1n1Jn8LnvdZijhGdF/Wok+v64sy9yR8fW9tBeU2j2qQMDE=</samlp2:Artifact>
    </samlp2:ArtifactResolve>
  </SOAP:Body>
</SOAP:Envelope>

Any help would be greatly appreciated.

Thanks in advance
Venky
Updated on 2013-01-09T04:49:13Z by SystemAdmin
  • swlinn
    Re: DataPower AAA Policy Resolve SAML Artifact Request

    ‏2012-11-28T19:03:20Z  in response to SystemAdmin
    I've seen some DataPower actions where you can specify a context variable in the configuration and the variable is evaluated, but in this case the field is not evaluated. To have that capability in the AAA PP step would be an enhancement. In the meantime, you're going to need a separate transformation action where your stylesheet changes the value of this element to what you want.

    Regards,
    Steve
    • SystemAdmin
      Re: DataPower AAA Policy Resolve SAML Artifact Request

      ‏2012-11-29T17:37:52Z  in response to swlinn
      Thank you Steve!

      Regards,
      Venky
    • swlinn
      Re: DataPower AAA Policy Resolve SAML Artifact Request

      ‏2012-12-05T11:14:42Z  in response to swlinn
      Another approach here in lieu of a stylesheet that has the stylesheet parameters that place values into context would be to specify your stylesheet parameters on the service itself. Your custom xsl in the AAA action can then reference the stylesheet param directly instead of writing a separate stylesheet.

      Regards,
      Steve
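      Both of Steve's replies come down to the same mechanism: a stylesheet that rewrites the saml2:Issuer of the outgoing ArtifactResolve, with the service provider's entity ID supplied as a stylesheet parameter (set on the Transform action, or on the service itself so the AAA step's custom XSL can read it directly). The stylesheet below is an added example, not code from this thread or from IBM. It assumes the DataPower convention of declaring configured stylesheet parameters in the http://www.datapower.com/param/config namespace, assumes the parameter name spEntityId (any name works as long as the configured parameter matches), and assumes the stylesheet runs over the ArtifactResolve SOAP message before it is sent to the IdP. The default value is a placeholder, not a real entity ID; if the parameter is left empty the original Issuer is kept rather than sending an empty element, which is the likelier cause of an "invalid request" fault than a wrong issuer.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): replace the Issuer of an outgoing
     SAML 2.0 ArtifactResolve with the SP entity ID passed in as a parameter. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dpconfig="http://www.datapower.com/param/config"
    xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    exclude-result-prefixes="dpconfig samlp2 saml2">

  <!-- Assumed parameter name; set it on the Transform action or on the service.
       The default is a placeholder, not a real SP entity ID. -->
  <xsl:param name="dpconfig:spEntityId" select="'https://sp.example.invalid/PLACEHOLDER'"/>

  <xsl:output method="xml" omit-xml-declaration="yes"/>

  <!-- Identity template: everything else in the SOAP envelope is copied as-is. -->
  <xsl:template match="@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- Only the Issuer that is a direct child of ArtifactResolve is rewritten;
       an Issuer inside an Assertion elsewhere in the message is not touched. -->
  <xsl:template match="samlp2:ArtifactResolve/saml2:Issuer">
    <xsl:copy>
      <xsl:copy-of select="@*"/>
      <xsl:choose>
        <!-- Empty parameter: keep the original value instead of emitting
             an empty Issuer, which the IdP would reject. -->
        <xsl:when test="normalize-space($dpconfig:spEntityId) = ''">
          <xsl:value-of select="."/>
        </xsl:when>
        <xsl:otherwise>
          <xsl:value-of select="normalize-space($dpconfig:spEntityId)"/>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:copy>
  </xsl:template>
</xsl:stylesheet>
```

      Applied to the request in the original post, the output is identical except that the Issuer text changes from XS to the configured entity ID. The value must match the SP entity ID registered in the OpenSSO/OpenAM circle of trust character for character; the IdP uses it to look up which SP is allowed to resolve the artifact.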
  • SystemAdmin
    Re: DataPower AAA Policy Resolve SAML Artifact Request

    ‏2013-01-09T04:49:13Z  in response to SystemAdmin
    Hi Venky,
    I am working with Web Browser SSO using DataPower and OpenAM. I am facing a similar issue in the AAA policy attached to the Web App Firewall. I am using a custom template to create an ArtifactResolve (to replace the issuer) and to retrieve the SAML Assertions corresponding to a SAML Browser Artifact received from the IdP-originated SSO request. However, OpenAM is returning a SOAP fault. The ArtifactResolve from DataPower is along the same lines as yours, but the following is the response from OpenAM. The DP side looks OK to me; I am currently investigating on the OpenAM side. Meanwhile, any leads/suggestions would be much appreciated.
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Header />
      <SOAP-ENV:Body>
        <SOAP-ENV:Fault>
          <faultcode>SOAP-ENV:Client</faultcode>
          <faultstring>The SAML Request is invalid.</faultstring>
        </SOAP-ENV:Fault>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    Thank You