SAML Assertion

A SAML assertion is the XML document that the IdP sends to the service provider (here, webMethods API Gateway). It informs webMethods API Gateway that a user has logged in, provides the information the gateway needs to confirm the user's identity, and lists the groups to which the logged-in user belongs.

In webMethods API Gateway, a user is created and assigned to a group based on the SAML assertion.

User Creation

To create a user, you map the following attributes from the SAML assertion:

  • Login ID
  • First name
  • Last name
  • Email address

The SAML assertion attributes that carry the first name, last name, and email address are configurable, and the values of those attributes are used when the user is created.

In the SAML assertion, the NameID element carries the login ID of the user.

For example, in the following sample, alice is the login ID.

<Subject>
    <NameID>alice</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="a57d9j2i936ae5de2icdedg73jce390"
                                 NotOnOrAfter="2021-02-19T12:51:28.106Z"
                                 Recipient="https://localhost:9073/apigatewayui/saml/SSO"
                                 />
    </SubjectConfirmation>
</Subject>

The first name, last name, and email address attributes in the SAML assertion can be configured and their corresponding values are used in user creation.
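The following is an added example, not webMethods API Gateway code, showing how the four user-creation values are read from a SAML 2.0 assertion: the login ID from NameID, and the other three from whichever attributes the gateway has been configured to use. The claim names in ATTRIBUTE_MAP, the attribute values in the sample, and the helper names are assumptions for the example; the Subject mirrors the sample above. The code assumes the assertion's XML signature was verified by the SAML layer before this parsing runs, so it only reads an already trusted document.

```python
# Added example (not webMethods API Gateway code): extract the values used for
# user creation from a SAML 2.0 assertion. Assumes signature verification has
# already happened upstream; this code only reads the resulting XML.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed gateway-side configuration: which attribute carries which field.
# These claim names are an assumption for this example, not taken from the page.
ATTRIBUTE_MAP = {
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Constructed sample assertion: the Subject mirrors the sample on this page,
# the attribute values are made up for the example.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="a57d9j2i936ae5de2icdedg73jce390"
                                     NotOnOrAfter="2021-02-19T12:51:28.106Z"
                                     Recipient="https://localhost:9073/apigatewayui/saml/SSO"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml2:AttributeValue>Alice</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml2:AttributeValue>Example</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def attribute_values(root, claim_name):
    """Return every non-empty AttributeValue text of the Attribute named claim_name."""
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def extract_user(assertion_xml, attribute_map):
    """Build the user record: login ID from NameID, other fields from the mapped attributes.

    A missing NameID is an error because nothing else can serve as the login ID;
    a missing optional attribute simply yields None for that field.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    login_id = (name_id.text or "").strip() if name_id is not None else ""
    if not login_id:
        raise ValueError("assertion carries no NameID; cannot derive a login ID")
    user = {"login_id": login_id}
    for field, claim_name in attribute_map.items():
        values = attribute_values(root, claim_name)
        user[field] = values[0] if values else None
    return user


if __name__ == "__main__":
    print(extract_user(SAMPLE_ASSERTION, ATTRIBUTE_MAP))
```

The namespace-aware lookups matter: the page's sample shows `<NameID>` without a prefix for readability, but a real assertion qualifies every element with the SAML 2.0 assertion namespace, and a lookup on the bare tag name would find nothing.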

Group Association

Once the user is created, the user needs to be assigned to a group in webMethods API Gateway.

In the SAML assertion, under the AttributeStatement element, if the Name attribute of an Attribute element has either of the following values, the AttributeValue elements carry the names of the groups with which the login ID is associated in the IdP. webMethods API Gateway uses these values to map the user to the corresponding groups.
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/role
  • http://schemas.xmlsoap.org/claims/Group

Example 1:

<AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>group1</AttributeValue>
    </Attribute>
</AttributeStatement>

In Example 1, the SAML assertion states that the user is associated with the group called group1 in the IdP. webMethods API Gateway then uses the value group1 to map the user to the corresponding group.

Example 2:

<AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>group2</AttributeValue>
    </Attribute>
</AttributeStatement>

In Example 2, the SAML assertion states that the user is associated with the group called group2 in the IdP. webMethods API Gateway then uses the value group2 to map the user to the corresponding group.

Example 3:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Everyone</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">group1</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">group2</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

In Example 3, the SAML assertion states that the user is associated with the groups called Everyone, group1, and group2 in the IdP. webMethods API Gateway then uses the values Everyone, group1, and group2 to map the user to the corresponding groups.

The SAML assertion is populated dynamically each time the user logs into webMethods API Gateway using SSO. If the user has been mapped to a different group in the IdP, or removed from a group in the IdP, by the time of a subsequent login, webMethods API Gateway maps the user to groups based on the SAML assertion of that subsequent session. This keeps the mapping synchronized between the IdP and webMethods API Gateway.
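The following is an added example, not webMethods API Gateway code, covering the group association described above: it collects group names from every Attribute whose Name is one of the two values listed on this page (handling the multi-valued form of Example 3), and then re-derives the user's membership from the assertion of the current login, reporting what was added and removed so the change can be audit-logged. The sample assertions are constructed from Examples 1 and 3 with an extra, unrelated attribute added to show it is ignored; the rule that group names unknown to the gateway are dropped is an assumption for this example, as is the helper naming. As before, signature verification is assumed to have happened upstream.

```python
# Added example (not webMethods API Gateway code): derive group membership from
# the assertion of the current SSO login. Assumes the assertion's signature was
# verified upstream; this code only reads the trusted XML.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The two attribute names this page lists as carrying group names.
GROUP_ATTRIBUTE_NAMES = (
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "http://schemas.xmlsoap.org/claims/Group",
)


def _assertion(body):
    """Wrap a constructed AttributeStatement in an Assertion so it parses as a document."""
    return ('<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
            + body + "</saml2:Assertion>")


# Constructed sample modelled on Example 1: a single role value.
ROLE_GROUP1 = _assertion(
    '<saml2:AttributeStatement>'
    '<saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">'
    '<saml2:AttributeValue>group1</saml2:AttributeValue>'
    '</saml2:Attribute>'
    '</saml2:AttributeStatement>'
)

# Constructed sample modelled on Example 3: a multi-valued Group attribute plus
# an unrelated attribute (made up for the example) that must be ignored.
GROUP_MULTI = _assertion(
    '<saml2:AttributeStatement>'
    '<saml2:Attribute Name="urn:example:department">'
    '<saml2:AttributeValue>engineering</saml2:AttributeValue>'
    '</saml2:Attribute>'
    '<saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group"'
    ' NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
    '<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Everyone</saml2:AttributeValue>'
    '<saml2:AttributeValue>group1</saml2:AttributeValue>'
    '<saml2:AttributeValue>group2</saml2:AttributeValue>'
    '</saml2:Attribute>'
    '</saml2:AttributeStatement>'
)

# Constructed sample with no group attribute at all (user removed from every group).
NO_GROUPS = _assertion("<saml2:AttributeStatement/>")


def groups_from_assertion(assertion_xml):
    """Ordered, de-duplicated group names from every recognised group attribute."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") not in GROUP_ATTRIBUTE_NAMES:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            text = (value.text or "").strip()
            if text and text not in groups:
                groups.append(text)
    return groups


def resync_membership(current_groups, assertion_xml, gateway_groups):
    """Membership after this login is exactly what the assertion says, nothing older.

    Returns the new membership plus the additions and removals, so a caller can
    audit-log what each SSO login changed.
    """
    asserted = groups_from_assertion(assertion_xml)
    # Assumption for this example: names the gateway does not know are dropped.
    new = [g for g in asserted if g in gateway_groups]
    return {
        "groups": new,
        "added": [g for g in new if g not in current_groups],
        "removed": [g for g in current_groups if g not in new],
    }


if __name__ == "__main__":
    known = {"Everyone", "group1", "group2"}
    first = resync_membership([], GROUP_MULTI, known)      # first login
    second = resync_membership(first["groups"], ROLE_GROUP1, known)  # IdP changed the user
    print(first)
    print(second)
```

The point of `resync_membership` replacing rather than merging is the behaviour the paragraph above describes: membership is whatever the latest assertion says, so a group the IdP no longer asserts disappears from the gateway at the next login instead of lingering.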