Can IS validate a SAML token on an incoming request?

Hi,

I’m kind of new to webMethods, having only worked on it for the last 12 months.
I’m currently working on a requirement to validate SAML tokens on some incoming requests.

Those requests could be REST or SOAP.
I noticed that we can set up the SAML issuer in IS, and I have done that.

Now I need to test it.
I was just wondering how the token should be attached in a REST or SOAP request?
How do I specify that a service requires SAML token validation?

In a SOAP request, I usually attach the token to the SOAP header, surrounded by a WSSE tag.

Thanks

Kenny

Hi,

Integration Server supports including SAML2 tokens in the HTTP header, making it possible to use SAML2 tokens with all types of services.

To use this functionality, you must do the following on Integration Server:

  1. Configure the Integration Server “<SAG_HOME>\IntegrationServer\instances\<inst_name>\config\is_jaas.cnf” as shown below by adding the SamlAssertLoginModule as the first login module to the IS_Transport login context:

     com.wm.app.b2b.server.auth.jaas.SamlAssertLoginModule requisite
         mode="transport"
         defaultUserName="Default";

  2. Add the issuer of the SAML assertion to the list of trusted SAML issuers. Since you have already added the SAML issuer in IS, this step can be skipped.

To validate the SAML token:

The client sending the request must include the custom HTTP header named “wmIS-SAML2-Assertion” and send the Base64 encoded SAML2 assertion as the header value.

  • When Integration Server receives an HTTP request with the custom header “wmIS-SAML2-Assertion” and finds a Base64 encoded SAML2 assertion in the header, Integration Server decodes it from Base64 and validates the assertion.
  • If validation of the assertion succeeds, Integration Server searches for an Integration Server user that matches the NameID from the SAML2 assertion.
  • Integration Server first checks for a local user defined on Integration Server and then searches Central Users or LDAP.
  • If Integration Server finds a username that matches the NameID, Integration Server uses that username for the session.
  • Otherwise, Integration Server uses the user defined in the “defaultUserName” option of the SamlAssertLoginModule shown above.
  • If the “defaultUserName” option is set to “Default”, Integration Server uses the Default user account, which allows access to resources that have the Anonymous ACL.

Thanks
Vasanth

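As an added example (not from this thread or from Software AG), a small Python helper that Base64-encodes a SAML2 assertion into the wmIS-SAML2-Assertion header as described above, plus a stand-in for the user-resolution order (local user, then Central Users/LDAP, then defaultUserName) so you can predict which IS user a given NameID will land on before testing against a real server. The assertion XML, issuer URL and user lists are constructed sample data; signature and validity-window checks are Integration Server's job and are deliberately not modelled.

```python
import base64
import xml.etree.ElementTree as ET

HEADER_NAME = "wmIS-SAML2-Assertion"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>kenny</saml:NameID></saml:Subject>
</saml:Assertion>"""


def build_saml_header(assertion_xml: str) -> dict:
    """Return the HTTP header a REST or SOAP client adds to its request."""
    encoded = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return {HEADER_NAME: encoded}


def resolve_session_user(header_value, trusted_issuers, local_users,
                         central_users, default_user="Default"):
    """Model the issuer check and NameID-to-user mapping the answer describes.

    Raises ValueError for an untrusted issuer. XML signature verification and
    the assertion's Conditions (validity window) are checked by Integration
    Server itself and are not modelled here (hypothetical helper).
    """
    root = ET.fromstring(base64.b64decode(header_value))
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted SAML issuer: {issuer!r}")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if name_id in local_users:          # local IS user wins
        return name_id
    if name_id in central_users:        # then Central Users / LDAP
        return name_id
    # No match: the session silently falls back to defaultUserName, which for
    # "Default" means Anonymous-ACL access only. Worth checking in your tests.
    return default_user


if __name__ == "__main__":
    headers = build_saml_header(SAMPLE_ASSERTION)
    # e.g. requests.post(url, json=payload, headers=headers) for REST,
    # or the same headers on a SOAP POST alongside the WSSE header.
    print(resolve_session_user(headers[HEADER_NAME],
                               {"https://idp.example.test/saml"},
                               {"Administrator"}, {"kenny"}))
```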

Thanks Vasanth,

I will give it a try shortly once I have finished what I’m doing here.

Cheers

Hi Vasanth, thanks for your solution here.
Is there any way we could have SAML validation apply only to certain folders? Just like OAuth in IS.

It seems like the solution here applies to all packages in IS. We currently have packages that require no authentication and some that use OAuth. SAML validation is a new requirement for certain packages.

Thanks

Hi Kenny,

SAML authentication applies to all packages in IS. We can't enable SAML authentication only for specific packages/folders.

Integration Server also supports SAML tokens in policies attached to provider web service descriptors for inbound requests. If the package contains only provider web services, then SAML authentication can be enabled for those web services using WS-Security policies.

Regards
Vasanth