
I referred to the link below to generate a SAML token from SOAP UI, but there is no service exposed in IS to validate a SAML token. http://charithaka.blogspot.ae/2013/07/broker-trust-relationships-with-wso2.html

SAML sample request in SOAP UI (RST request):

{Service.url}/services/wso2carbon-sts

{Service.url}/services/wso2carbon-sts.wso2carbon-stsHttpsSoap12Endpoint/

<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
   <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
            <wsu:Created>2014-12-17T11:59:30.226Z</wsu:Created>
            <!-- Expires must be later than Created; an Expires equal to Created is rejected as already expired -->
            <wsu:Expires>2014-12-17T12:04:30.226Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2">
            <wsse:Username>admin</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
      <wsa:To>https://localhost:9443/services/wso2carbon-sts</wsa:To>
      <wsa:ReplyTo>
         <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
      </wsa:ReplyTo>
      <wsa:MessageID>urn:uuid:258de3bc-c053-4b41-93d5-5d292a896b3a</wsa:MessageID>
      <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
   </soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
         <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
         <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
         <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/Bearer</wst:KeyType>
         <wst:Claims xmlns:wsp="http://schemas.xmlsoap.org/ws/2005/02/trust" wsp:Dialect="http://wso2.org/claims">
            <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/emailaddress"></wsid:ClaimType>
            <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://wso2.org/claims/givenname"></wsid:ClaimType>
         </wst:Claims>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>

I also used the STS client from https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/sts/sts-client

The Validate Token tool under WSO2 IS -> Tools -> Validate SAML Request does not seem to work for the use case in hand when I provide the generated RSTR (Response for Security Token Request).

Is there any difference between the STS client and the link provided above? I am looking for a way to validate the SAML token via a SOAP service (SOAP UI).
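As an added example (not code from the post above or from WSO2), here is a Python builder for the same WS-Trust 1.2 RST that the SOAP UI envelope sends, with the one defect a hand-written request tends to carry fixed: wsu:Expires is computed from wsu:Created plus a positive lifetime instead of being copied from it. The STS URL, the admin/admin placeholders and the two claim URIs are taken from the post; the 300-second lifetime and the summarize_rst helper are assumptions of this example.

```python
"""Build a WS-Trust 1.2 RequestSecurityToken for the WSO2 IS STS.

Added example, not code from the original post or from WSO2.
Assumed: the STS endpoint, the admin/admin placeholder credentials and
the claim URIs are taken from the post; replace them for a real system.
"""
import datetime
import uuid
import xml.etree.ElementTree as ET  # fine for XML we build ourselves

NS = {
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsid": "http://schemas.xmlsoap.org/ws/2005/05/identity",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
BEARER_KEY = NS["wst"] + "/Bearer"


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def iso_utc(dt):
    """xsd:dateTime with millisecond precision, as the post's sample uses."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def build_rst(sts_url, username, password, claim_uris, ttl_seconds=300):
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive: Expires must be later than Created")
    now = datetime.datetime.now(datetime.timezone.utc)
    env = ET.Element(q("soapenv", "Envelope"))
    hdr = ET.SubElement(env, q("soapenv", "Header"))
    sec = ET.SubElement(hdr, q("wsse", "Security"), {q("soapenv", "mustUnderstand"): "true"})
    ts = ET.SubElement(sec, q("wsu", "Timestamp"), {q("wsu", "Id"): "Timestamp-1"})
    ET.SubElement(ts, q("wsu", "Created")).text = iso_utc(now)
    ET.SubElement(ts, q("wsu", "Expires")).text = iso_utc(now + datetime.timedelta(seconds=ttl_seconds))
    ut = ET.SubElement(sec, q("wsse", "UsernameToken"), {q("wsu", "Id"): "UsernameToken-2"})
    ET.SubElement(ut, q("wsse", "Username")).text = username
    # PasswordText sends the cleartext password: only ever over TLS (the https://...:9443 endpoint)
    ET.SubElement(ut, q("wsse", "Password"), {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(hdr, q("wsa", "To")).text = sts_url
    ET.SubElement(ET.SubElement(hdr, q("wsa", "ReplyTo")), q("wsa", "Address")).text = NS["wsa"] + "/role/anonymous"
    ET.SubElement(hdr, q("wsa", "MessageID")).text = "urn:uuid:" + str(uuid.uuid4())
    ET.SubElement(hdr, q("wsa", "Action")).text = NS["wst"] + "/RST/Issue"
    rst = ET.SubElement(ET.SubElement(env, q("soapenv", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML2_TOKEN
    ET.SubElement(rst, q("wst", "KeyType")).text = BEARER_KEY
    # The post qualifies Dialect with the wst namespace; reproduce that rather than guess
    claims = ET.SubElement(rst, q("wst", "Claims"), {q("wst", "Dialect"): "http://wso2.org/claims"})
    for uri in claim_uris:
        ET.SubElement(claims, q("wsid", "ClaimType"), {"Uri": uri})
    return ET.tostring(env, encoding="unicode")


def summarize_rst(xml_text):
    """Pull the security-relevant fields back out so a request can be checked before sending."""
    env = ET.fromstring(xml_text)
    ts = env.find("soapenv:Header/wsse:Security/wsu:Timestamp", NS)
    rst = env.find("soapenv:Body/wst:RequestSecurityToken", NS)
    return {
        "created": ts.findtext("wsu:Created", namespaces=NS),
        "expires": ts.findtext("wsu:Expires", namespaces=NS),
        "token_type": rst.findtext("wst:TokenType", namespaces=NS),
        "key_type": rst.findtext("wst:KeyType", namespaces=NS),
        "claims": [c.get("Uri") for c in rst.findall("wst:Claims/wsid:ClaimType", NS)],
    }


if __name__ == "__main__":
    print(build_rst("https://localhost:9443/services/wso2carbon-sts", "admin", "admin",
                    ["http://wso2.org/claims/emailaddress", "http://wso2.org/claims/givenname"]))
```

Paste the printed envelope into the SOAP UI request for the wso2carbon-sts endpoint. Because UsernameToken with PasswordText carries the password in clear, the request must only go to the HTTPS endpoint, and a lifetime of a few minutes keeps a captured request from being replayable for long.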

1 Answer


The sample client provided with WSO2 IS 5.0.0 calls a service (echo) secured with the STS. So it validates the STS token internally before accessing the service, but it does not provide a separate API to validate the token.

And WSO2 IS -> Tools -> Validate SAML Request only validates SAML logout requests and login requests, not a SAML assertion on its own.

But in IS 5.1.0 (from the next release onwards) the wso2carbon-sts API will provide a validation service.
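Since, as the answer says, IS 5.0.0 exposes no service that validates an issued assertion, the relying party has to do that itself. The following is an added example (not code from the answer, the question or WSO2) of the non-cryptographic part of that check run over an RSTR: it locates the saml2:Assertion, checks Version, Issuer, an enveloped ds:Signature being present, the Conditions window with a clock-skew allowance, the AudienceRestriction and the bearer SubjectConfirmation, and returns every failure it finds. The RSTR, its issuer name, audience URL and times are constructed for the example. It deliberately does not verify the XML signature; that needs an xmldsig library such as python-xmlsec and the STS signing certificate, and an assertion that passes here is still untrusted until that verification succeeds.

```python
"""Local sanity checks on a WS-Trust RSTR carrying a SAML 2.0 bearer assertion.

Added example, not from the original post or WSO2. SAMPLE_RSTR is constructed
for the example (issuer, audience, times and IDs are made up). These checks do
NOT replace XML-Signature verification against the STS certificate.
"""
import datetime
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample response; the signature value is a placeholder, not a real signature.
SAMPLE_RSTR = """<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
<wst:RequestedSecurityToken>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01"
    IssueInstant="2014-12-17T12:00:00.000Z" Version="2.0">
<saml2:Issuer>localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml2:Subject><saml2:NameID>admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject>
<saml2:Conditions NotBefore="2014-12-17T12:00:00.000Z" NotOnOrAfter="2014-12-17T12:05:00.000Z">
<saml2:AudienceRestriction><saml2:Audience>https://localhost:8280/services/echo</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>
</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
</soapenv:Body></soapenv:Envelope>"""


def parse_time(s):
    """xsd:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.datetime.strptime(s, fmt).replace(tzinfo=datetime.timezone.utc)


def check_assertion(rstr_xml, expected_issuer, expected_audience, now, skew_seconds=60):
    """Return a list of failure strings; an empty list means the local checks passed."""
    if isinstance(now, str):
        now = parse_time(now)
    failures = []
    root = ET.fromstring(rstr_xml)
    assertions = root.findall(".//saml2:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one saml2:Assertion, found %d" % len(assertions)]
    a = assertions[0]
    if a.get("Version") != "2.0":
        failures.append("unexpected Version %r" % a.get("Version"))
    issuer = a.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        failures.append("issuer %r != expected %r" % (issuer, expected_issuer))
    # The signature must be a direct child of the Assertion (enveloped), not merely
    # somewhere in the RSTR; whether it verifies is a separate xmldsig step.
    if a.find("ds:Signature", NS) is None:
        failures.append("assertion is not signed")
    cond = a.find("saml2:Conditions", NS)
    if cond is None:
        failures.append("no Conditions element")
    else:
        skew = datetime.timedelta(seconds=skew_seconds)
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_time(nb):
            failures.append("assertion not yet valid (NotBefore=%s)" % nb)
        if noa is None:
            failures.append("no NotOnOrAfter: assertion would never expire")
        elif now - skew >= parse_time(noa):
            failures.append("assertion expired (NotOnOrAfter=%s)" % noa)
        audiences = [e.text.strip() for e in
                     cond.findall("saml2:AudienceRestriction/saml2:Audience", NS) if e.text]
        if expected_audience not in audiences:
            failures.append("audience %r not in %r" % (expected_audience, audiences))
    methods = [sc.get("Method") for sc in a.findall("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if BEARER_CM not in methods:
        failures.append("no bearer SubjectConfirmation (methods=%r)" % methods)
    return failures


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RSTR, "localhost", "https://localhost:8280/services/echo",
                          "2014-12-17T12:02:00Z"))
```

The audience and issuer are compared against values the relying party configures, never against values read from the assertion itself, and the expiry check fails closed when NotOnOrAfter is missing, since an assertion without an end of validity is a bearer credential that never dies.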