It is a common use case: enterprise applications that already have a SAML2-based SSO infrastructure sometimes need to consume OAuth-protected resources through APIs, but they prefer to reuse the existing trust relationship with their IdP, even when the OAuth authorization server is entirely separate from that IdP. The API Cloud leverages this trust relationship by exchanging the SAML 2.0 token for an OAuth token at the authorization server.
WSO2 API Cloud has a Token API [2] which is exposed to users in order to create and renew user and application access tokens. The response of the Token API is a JSON message; you extract the token from the JSON and pass it in an HTTP Authorization header to access the API. In this example we will be using the SAML extension grant type [6] to generate the tokens.
In this blog I will explain the steps for carrying out the SAML to OAuth2 token exchange with the API Cloud. Let's take a look at how this can be achieved.
Prerequisites
1. You need to make sure you have an account with the WSO2 Cloud. If you do not have an account, you first need to create one. You can find the steps here under 'How to create an Account with WSO2 Cloud' [1].
2. You also need to create a keystore and the public certificate used to sign the SAML tokens.
You need a JKS file, which we will use to sign the SAML tokens. If you do not have one, the command to create a JKS file and to export its public certificate is shown below.
keytool -genkeypair -alias <alias> -keypass <keypass> -keysize 1024 -keystore <filename>.jks -storepass <storepass> -keyalg RSA
Now you have a JKS file you can use to sign the SAML tokens. Next you need to export a public certificate, which you will add to the API Cloud so that it trusts tokens signed with this key. To get this file, enter the command below. You can replace the word "shenavi" with anything you wish for your files.
keytool -exportcert -keystore shenavi.jks -alias shenavi -file shenavi.cert
Now that you have registered with the WSO2 Cloud and have a certificate, we can start the required configurations on the API Cloud.
1. First, log into the API Cloud's management console using the tenant-aware user name. You can follow the link to find the steps for logging into the management console.
2. After you log in, in the Configure menu section you will see a menu item named 'Identity Providers'. Click on the 'Add' option, and a configuration page will appear.
4. For the 'Identity Provider Public Certificate' field, I will upload the public cert of the JKS file I am using to sign the tokens (shenavi.cert).
5. Give the alias as "https://keymanager.api.cloud.wso2.com/oauth2/token"
6. Enable SAML2 Web SSO.
7. For the Service Provider Entity Id and the Identity Provider Entity Id I have specified 'myDemo'. When generating the SAML token you need to use this as the entity id; therefore this value changes depending on your entity id and service provider.
8. We need to specify the SSO URL since it is a required field, but we won't be needing this value, so I will specify it as https://test.
9. Register the identity provider.
1. You can follow this blog [3] and create a sample API with the API Cloud. After it is created you will be prompted with a message box where you need to select the 'go to the API store' option. Once you are in the API store, go to the 'My Subscriptions' menu item.
2. Click on the generate keys button, where you will get the client id and secret [4].
3. Use a base64 encoder to encode the value in the format <consumer key:consumer secret>. Let's refer to this as the Authorization value.
4. In order to generate a SAML token you need to download this archive [5] and extract it. Navigate into the extracted folder and enter the command below in this format. You need to enter the same values you used when creating the JKS file. This will create a signed SAML token for you.
java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <user_name> <recipient> <requested_audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias> <private_key_password>
e.g.: java -jar SAML2AssertionCreator.jar myDemo shenavidemel.gmail.com@mydemo https://keymanager.api.cloud.wso2.com/oauth2/token https://keymanager.api.cloud.wso2.com/oauth2/token shenavi.jks test sample test
5. After you have received a SAML token, pass that value when calling the token endpoint in order to get the OAuth2 token in exchange. You can use the command format below.
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type: application/x-www-form-urlencoded" "https://gateway.api.cloud.wso2.com/token?tenantDomain=<your_tenant_domain>"
6. After executing this command you will get an access token similar to the one below.
{"scope":"default","token_type":"Bearer","expires_in":3600,"refresh_token":"99ffd146c6c76971bf012fc7","access_token":"70a2bfa0e3dc13b99d1a9fbab2"}
7. Now go back to the store's API console and invoke the API using this access token value for the Authorization header.
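The following script is an added example, not code from the original post or from WSO2: it wraps steps 3 and 5 to 7 above as shell functions. It differs from the one-line curl in two ways a practitioner cares about: the assertion is percent-encoded (the generator's base64 output contains '+', '/' and '=', and in a raw -d body the server reads '+' as a space), and Authorization and Content-Type are sent as two separate headers. The names CONSUMER_KEY, CONSUMER_SECRET, TENANT_DOMAIN and the assertion file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or WSO2): helpers for the SAML2
# bearer exchange. No -k is used: the public token endpoint presents a valid
# certificate, and -k would silently disable TLS verification for a request
# that carries client credentials and a signed assertion.
# Assumed (constructed) names: CONSUMER_KEY, CONSUMER_SECRET, TENANT_DOMAIN
# and the assertion file passed to request_token.

TOKEN_URL="https://gateway.api.cloud.wso2.com/token"

# Authorization header value built from the consumer key and secret,
# i.e. step 3 done locally instead of with an online base64 encoder.
build_basic_auth() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Extract one string field from the flat JSON the token endpoint returns
# (sufficient for that response; this is not a general JSON parser).
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Extract a numeric field such as expires_in so a refresh can be scheduled.
json_number() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Exchange the signed assertion stored in file $1 for an OAuth2 token and
# print the JSON response. --data-urlencode makes curl percent-encode each
# value; newlines from the generator's output are stripped first.
request_token() {
  curl -sS \
    -H "Authorization: $(build_basic_auth "$CONSUMER_KEY" "$CONSUMER_SECRET")" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer" \
    --data-urlencode "assertion=$(tr -d '\n' < "$1")" \
    --data-urlencode "scope=PRODUCTION" \
    "$TOKEN_URL?tenantDomain=$TENANT_DOMAIN"
}

# Typical use (step 7): call the API with the token as a Bearer credential.
# RESP=$(request_token assertion.txt)
# TOKEN=$(json_field "$RESP" access_token)
# curl -H "Authorization: Bearer $TOKEN" "https://<your_api_endpoint>"
```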
You have successfully completed the token exchange from SAML to OAuth2. If you need any help or have any further questions, please drop us an email at cloud@wso2.com, where our Cloud team will be able to help you get it resolved.
References:
[1] http://shenavid.blogspot.com/2015/10/wso2-cloud-wso2-cloud-consists-of-two.html
[2] https://docs.wso2.com/display/APICloud/Token+API
[3] http://shenavid.blogspot.com/2015/10/creating-api-using-swagger.html
[4] https://docs.wso2.com/display/APICloud/Subscribe+to+and+Invoke+an+API
[5] https://docs.wso2.com/download/attachments/45944343/SAML2AssertionCreator.zip?version=1&modificationDate=1431389473000&api=v2
[6] https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type