Setting up a SAML2 Bearer Assertion Profile for OAuth 2.0 using WSO2 IS (The HARD WAY)

For an introduction to the process, refer to the WSO2 documentation page Setting up a SAML2 Bearer Assertion Profile for OAuth 2.0. At the time of writing, the latest WSO2 Identity Server release is 5.10.0 M1, and the SAML2 Bearer Assertion Profile for OAuth 2.0 does not work inside Travelocity as expected. The purpose of this post is to guide you through the steps you can follow to configure and exercise it manually.

Prerequisites

Steps

  1. Deploy Travelocity inside TOMCAT_HOME -> webapps.
  2. Create a service provider by configuring SAML2 Web SSO Configuration and OAuth/OpenID Connect Configuration.
  3. Configure Travelocity properties.
  4. Test SAML2 Bearer Assertion Profile for OAuth 2.0.

Guide Through

Deploy Travelocity inside TOMCAT_HOME -> webapps

  • Copy travelocity.com.war from the downloaded product-is by navigating to product-is -> modules -> samples -> sso -> sso-agent-sample -> target. The application must deploy under the travelocity.com context path, which the Assertion Consumer URL and Callback URL configured below depend on.
  • Navigate to TOMCAT_HOME -> webapps and paste the war there.
  • Navigate to TOMCAT_HOME -> bin and start Tomcat with the command
sh catalina.sh run
  • You might face an error while deploying the web app. If you do, refer to the document fixing bcprov-issue.doc.

Create a service provider by configuring SAML2 Web SSO Configuration and OAuth/OpenID Connect Configuration

Configuring SAML SSO

  • Log in to the Identity Server management console at https://localhost:9443/carbon, using admin as both the username and the password. For more information on how to build and start the Identity Server, refer to the sections “Download and Extract” and “Setup Servers” of Configuring Federated Authentication with SAML SSO using two WSO2 Identity Servers.
  • Click on the Main tab at the left corner of the screen. Then, under the Identity section, navigate to Service Providers -> Add, enter a Service Provider Name (enter the name as Travelocity) and click Register.
  • After the redirection to the Service Providers window, expand Inbound Authentication Configuration, then expand SAML2 Web SSO Configuration and click Configure.

After the redirection to the Register New Service Provider window,

  1. Provide the Issuer (enter the issuer as travelocity.com).
  2. Provide the Assertion Consumer URL (http://localhost:8080/travelocity.com/home.jsp) and click Add to add it.
  3. Tick Enable Response Signing and Enable Signature Validation in Authentication Requests and Logout Requests.
  4. Select the Enable Audience Restriction and Enable Recipient Validation fields and enter the following values (the token endpoint only accepts an assertion whose Audience and Recipient name it, so these must match the endpoint the assertion will later be posted to):

Keep the other fields at their defaults and click the Register button at the bottom.

Configuring OAuth/OpenID Connect service provider

  • Click on the Main tab at the left corner of the screen. Then, under the Identity section, navigate to Service Providers -> List, find the Service Provider Name (Travelocity) and click Edit.
  • After the redirection to the Service Providers window, expand Inbound Authentication Configuration, then expand OAuth/OpenID Connect Configuration and click Configure.

After the redirection to the Register New Application window,

  1. Provide the Callback URL as http://localhost:8080/travelocity.com/home.jsp.

Keep the other fields at their defaults and click the Add button at the bottom.

Configure Travelocity properties

  • Locate and open the file travelocity.properties under TOMCAT_HOME -> webapps -> travelocity.com -> WEB-INF -> classes.
  • In the management console, click on the Main tab at the left corner of the screen. Then, under the Identity section, navigate to Service Providers -> List, find the Service Provider Name (Travelocity) and click Edit.
  • After the redirection to the Service Providers window, expand Inbound Authentication Configuration, then expand OAuth/OpenID Connect Configuration. You will see a Client Key (the OAuth client ID) and a Client Secret. You need to set these in the travelocity.properties file. Treat the Client Secret as a credential: it is what authenticates Travelocity to the token endpoint.

Set the following values:

  • Set EnableOAuth2SAML2Grant to true.
  • Set the Client ID to the Client Key shown in the management console.
  • Set the Client Secret to the Client Secret shown in the management console.
  • Save the file and restart the Tomcat server.

Test SAML2 Bearer Assertion Profile for OAuth 2.0

  • On the Travelocity home page (http://localhost:8080/travelocity.com), click “Click here to log in with SAML from Identity Server” (Post binding or Redirect binding). You are redirected to the Identity Server for authentication.
  • Enter admin as the username and password and click SIGN IN.

You’ll be redirected back to Travelocity, to a page as follows:

  • Open the imported Postman collection, move to the Authorization tab, choose Basic Auth and enter the Client Key as the username and the Client Secret as the password. This is how the token endpoint authenticates the client.
  • Open the SAML-tracer extension in the browser window and click Request OAuth2 Access Token on the Travelocity page.
  • In SAML-tracer you will see a POST request marked SAML. Click on it, move to the Parameters tab and copy the SAMLResponse value.
  • Paste the SAMLResponse into the Base64 Decode + Inflate web page and click DECODE AND INFLATE XML. The POST binding only base64-encodes the response; the Redirect binding also DEFLATEs it, which is why the tool inflates as well. Note that a bearer assertion is a credential: decoding it locally (for example with base64 -d) avoids handing it to a third-party site.
  • Copy the decoded XML into a text editor and copy the complete saml2:Assertion element, from its start tag to its end tag, without altering it. The assertion is signed, and any change to its content, including namespace prefixes or whitespace, will make the Identity Server reject it.
  • Base64-encode the Assertion and paste the result into the assertion field on the Body tab in Postman (the grant_type for this profile is urn:ietf:params:oauth:grant-type:saml2-bearer).
  • Copy the cURL command from Postman by clicking Code, just next to Cookies.
  • Open a terminal, paste the cURL command and append -kv after a space. -k skips certificate verification, which is acceptable only because the local Identity Server uses a self-signed certificate; -v shows the request and response headers.
  • You will receive an OAuth2 Access Token as follows:
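The Postman and cURL steps above, reproduced as an added Python script (this is not code from the original post or from WSO2): it takes the base64 SAMLResponse copied from SAML-tracer, handles both the POST (base64) and Redirect (DEFLATE + base64) encodings, slices the Assertion out byte-for-byte, runs the Audience, Recipient and expiry checks the token endpoint will run, and builds the saml2-bearer token request with the Client Key and Client Secret as HTTP Basic credentials. The token endpoint URL https://localhost:9443/oauth2/token (the WSO2 IS default) and the embedded SAML Response are assumptions; the response is a constructed, unsigned sample, so the Identity Server would not accept it, but the request it produces has the shape the walkthrough sends.

```python
# Added example (not from the original post): the manual Postman/cURL steps as a script.
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"  # WSO2 IS default, assumed
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def decode_saml_response(encoded: str) -> bytes:
    """Undo the binding encoding: POST binding is plain base64, the Redirect
    binding DEFLATEs the XML first (the "Base64 Decode + Inflate" step)."""
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -zlib.MAX_WBITS)  # raw DEFLATE, no zlib header

def extract_assertion(response_xml: bytes) -> bytes:
    """Slice the Assertion out as raw bytes. It is signed: re-serialising it with
    an XML library can rename namespace prefixes, and the Identity Server would
    then reject the signature."""
    start = re.search(rb"<(\w+:)?Assertion[\s>]", response_xml)
    if not start:
        raise ValueError("no Assertion element in the SAML Response")
    close = b"</" + (start.group(1) or b"") + b"Assertion>"
    end = response_xml.find(close, start.start())
    if end == -1:
        raise ValueError("unterminated Assertion element")
    return response_xml[start.start():end + len(close)]

def parse_saml_time(value: str) -> datetime:
    """SAML dateTime is UTC with a trailing Z, with or without fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML timestamp {value!r}")

def check_assertion(assertion_xml: bytes, token_endpoint: str,
                    now: Optional[datetime] = None) -> dict:
    """What the token endpoint checks (RFC 7522 section 3 plus the Audience and
    Recipient restrictions enabled on the service provider), done locally first
    so a rejected request is explained before it is sent."""
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError as exc:  # xmlns:saml2 declared on Response, not on Assertion
        raise ValueError("Assertion is not standalone XML; copy the xmlns:saml2 "
                         "declaration from the Response onto the Assertion tag") from exc
    now = now or datetime.now(timezone.utc)
    audiences = [a.text for a in root.iter(NS + "Audience")]
    recipients = [c.get("Recipient") for c in root.iter(NS + "SubjectConfirmationData")]
    if token_endpoint not in audiences:
        raise ValueError(f"Audience {audiences} does not name {token_endpoint}")
    if token_endpoint not in recipients:
        raise ValueError(f"Recipient {recipients} does not name {token_endpoint}")
    conditions = root.find(NS + "Conditions")
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry and parse_saml_time(expiry) <= now:
        raise ValueError(f"assertion expired at {expiry}")
    name_id = root.find(NS + "Subject/" + NS + "NameID")
    return {"subject": getattr(name_id, "text", None), "audiences": audiences,
            "recipients": recipients, "expires": expiry}

def build_token_request(saml_response_b64: str, client_id: str, client_secret: str,
                        token_endpoint: str = TOKEN_ENDPOINT) -> dict:
    """The request Postman sends: Client Key/Secret as HTTP Basic auth, the
    assertion base64-encoded in the form body (WSO2 accepts standard base64;
    RFC 7522 specifies base64url, which differs in '+', '/' and padding)."""
    assertion = extract_assertion(decode_saml_response(saml_response_b64))
    check_assertion(assertion, token_endpoint)
    form = {"grant_type": SAML2_BEARER_GRANT,
            "assertion": base64.b64encode(assertion).decode("ascii")}
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    return {"url": token_endpoint, "form": form, "body": urlencode(form),
            "headers": {"Authorization": "Basic " + creds,
                        "Content-Type": "application/x-www-form-urlencoded"}}

# Constructed, unsigned stand-in for what the Identity Server posts to the ACS;
# a real Response carries a ds:Signature that the token endpoint verifies.
SAMPLE_RESPONSE = b"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00.000Z" Destination="http://localhost:8080/travelocity.com/home.jsp">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00.000Z">
<saml2:Issuer>localhost</saml2:Issuer><saml2:Subject><saml2:NameID>admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00.000Z" Recipient="https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2020-01-01T00:00:00.000Z" NotOnOrAfter="2099-01-01T00:00:00.000Z"><saml2:AudienceRestriction><saml2:Audience>https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion></saml2p:Response>"""

if __name__ == "__main__":  # CLIENT_KEY / CLIENT_SECRET stand in for the console values
    req = build_token_request(base64.b64encode(SAMPLE_RESPONSE).decode(), "CLIENT_KEY", "CLIENT_SECRET")
    print("curl -kv -H 'Authorization: %s' --data '%s' %s" % (req["headers"]["Authorization"], req["body"], req["url"]))
```

Run it with the real SAMLResponse in place of SAMPLE_RESPONSE and the real Client Key and Client Secret, and it prints the cURL line the walkthrough pastes into the terminal; -k is there only for the local self-signed certificate and should be dropped against any server with a proper certificate. The check step explains the two most common rejections (wrong Audience or Recipient, expired assertion) before the request leaves the machine.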

Furthermore, you can perform the actions in the Running the Samples section, from point 6 onwards, of the WSO2 documentation. I hope that you will have no problem trying the process manually while the web application does not work properly.
