How to use SAML assertion response to authenticate to WSO2 admin services

The SOAP web services used within WSO2 products are termed admin services. We typically use HTTP basic authentication or a session cookie as the authentication mechanism when invoking these admin services. In this blog post, I will show you how the SAML assertion response issued by the identity provider can be used as the authentication mechanism to access the functionality offered via these admin services in the WSO2 Identity Server.
Pre-requisites:
Download the latest WSO2 Identity Server from here. For details on running the Identity Server, see Running the Product.
Step 01 - Deploying sample webapp and configuring it as a SAML service provider in WSO2 IS.
For this example, I will be using the Travelocity sample webapp. Refer here to set up the webapp and configure the webapp as a SAML service provider in WSO2 IS.
When creating the service provider, in addition to the steps provided at Configuring the service provider, it is required to add ‘carbonServer’ as an allowed audience, since the authentication service checks the audience restriction of the assertion it receives.
Please refer to the below-provided screenshot for the complete SAML2 Web Single-Sign-On configuration.

Step 02 - Expose admin services in WSO2 IS.
Refer to Calling Admin Services to expose the hidden WSDLs (Web Services Description Language) of the admin services.
Step 03 - Obtain the SAML assertion.
SAML tracer, a web browser extension for tracing the details of SAML requests and responses, will be used to capture the SAML assertion.
Activate the SAML tracer extension and access the configured sample webapp via the URL: http://wso2is.local:8080/travelocity.com/index.jsp

Log in to the Travelocity webapp with the default admin user residing in the WSO2 Identity Server.

You will be successfully logged into the webapp.

View the SAML traffic captured by the extension. You will see the SAML assertion returned from the WSO2 Identity Server. Copy the SAML response value. This will be needed in the next step.

Step 04 - Obtain JSESSIONID cookie by passing the SAML assertion.
Execute the cURL command provided below, inserting the copied SAML assertion response inside the <xsd:response> element.
curl --location --request POST 'https://localhost:9443/services/SAML2SSOAuthenticationService.SAML2SSOAuthenticationServiceHttpsSoap11Endpoint/' \
  --header 'Content-Type: text/plain' \
  --data-raw '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sso="http://sso.saml2.authenticator.identity.carbon.wso2.org" xmlns:xsd="http://dto.sso.saml2.authenticator.identity.carbon.wso2.org/xsd"><soapenv:Header/><soapenv:Body><sso:login><!--Optional:--><sso:authDto><!--Optional:--><xsd:response>add the copied saml assertion response here</xsd:response></sso:authDto></sso:login></soapenv:Body></soapenv:Envelope>' \
  -k -v
You will get a response similar to the one provided below.
< HTTP/1.1 200
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< Set-Cookie: JSESSIONID=C6388653B085F970458E6B579AA84588; Path=/; Secure; HttpOnly
< Content-Type: text/xml;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Sat, 02 Jan 2021 04:51:34 GMT
< Server: WSO2 Carbon Server
<
* Connection #0 to host localhost left intact
<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns:loginResponse xmlns:ns="http://sso.saml2.authenticator.identity.carbon.wso2.org"><ns:return>true</ns:return></ns:loginResponse></soapenv:Body></soapenv:Envelope>
* Closing connection 0
Copy the JSESSIONID value from the obtained response.
Step 05 - Invoking an admin service.
For this example, I will be using the admin service that returns the list of available roles. Pass the JSESSIONID obtained in Step 04 in the Cookie header as the authentication mechanism.
curl --location --request POST 'https://localhost:9443/services/UserAdmin.UserAdminHttpsSoap11Endpoint/' \
  --header 'SOAPAction: getAllRolesNames' \
  --header 'Cookie: JSESSIONID=C6388653B085F970458E6B579AA84588' \
  --header 'Content-Type: text/plain' \
  --data-raw '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd"><soapenv:Header/><soapenv:Body><xsd:getAllRolesNames><xsd:filter>*</xsd:filter><xsd:limit>100</xsd:limit></xsd:getAllRolesNames></soapenv:Body></soapenv:Envelope>' \
  -k -v
You will be able to successfully retrieve the list of roles residing in the WSO2 Identity Server. Similarly, you can use the JSESSIONID obtained by passing the SAML assertion, to invoke other available admin services.
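The two cURL calls from Steps 04 and 05 can be scripted end to end. The following is an added example written for this post, not code from WSO2 or from the original article, and it uses only the Python standard library. It assumes that the value copied from SAML tracer is the base64-encoded SAMLResponse exactly as it was posted to the webapp, that the UserAdmin reply lists each role as a FlaggedName item whose name is in an itemName element, and that the host, port and CA bundle are supplied by the caller; the sample responses embedded for the parsers are constructed from the shape of the output shown above. Unlike the cURL commands, it verifies the server certificate instead of passing -k, so a self-signed development certificate has to be handed in via ca_bundle.

```python
"""Authenticate to WSO2 admin services with a SAML response (added example).

Flow: POST the SAML response to SAML2SSOAuthenticationService.login, read the
JSESSIONID from Set-Cookie, then call UserAdmin.getAllRolesNames with that
cookie.  Only the transport helpers touch the network; everything else is a
pure function so it can be tested offline.
"""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Tuple
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SSO_NS = "http://sso.saml2.authenticator.identity.carbon.wso2.org"
SSO_XSD_NS = "http://dto.sso.saml2.authenticator.identity.carbon.wso2.org/xsd"
AXIS_XSD_NS = "http://org.apache.axis2/xsd"
LOGIN_PATH = "/services/SAML2SSOAuthenticationService.SAML2SSOAuthenticationServiceHttpsSoap11Endpoint/"
USERADMIN_PATH = "/services/UserAdmin.UserAdminHttpsSoap11Endpoint/"


def build_login_envelope(saml_response_b64: str) -> str:
    """SOAP body for SAML2SSOAuthenticationService.login (Step 04).

    The value is XML-escaped so a malformed paste cannot break out of the
    <xsd:response> element and alter the envelope."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:sso="{SSO_NS}" '
        f'xmlns:xsd="{SSO_XSD_NS}"><soapenv:Header/><soapenv:Body>'
        f'<sso:login><sso:authDto><xsd:response>{escape(saml_response_b64)}'
        '</xsd:response></sso:authDto></sso:login>'
        '</soapenv:Body></soapenv:Envelope>'
    )


def build_roles_envelope(name_filter: str = "*", limit: int = 100) -> str:
    """SOAP body for UserAdmin.getAllRolesNames (Step 05)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{AXIS_XSD_NS}">'
        '<soapenv:Header/><soapenv:Body><xsd:getAllRolesNames>'
        f'<xsd:filter>{escape(name_filter)}</xsd:filter>'
        f'<xsd:limit>{int(limit)}</xsd:limit>'
        '</xsd:getAllRolesNames></soapenv:Body></soapenv:Envelope>'
    )


def login_succeeded(body: str) -> bool:
    """True only when loginResponse carries <return>true</return>; a 200 with
    'false' is still a failed login and must not be treated as a session."""
    root = ET.fromstring(body)
    ret = root.find(f".//{{{SSO_NS}}}return")
    return ret is not None and (ret.text or "").strip() == "true"


def extract_jsessionid(set_cookie_headers: Iterable[str]) -> Optional[str]:
    """Pull the JSESSIONID value out of the Set-Cookie header values."""
    for value in set_cookie_headers:
        m = re.match(r"\s*JSESSIONID=([^;]+)", value)
        if m:
            return m.group(1)
    return None


def parse_role_names(body: str) -> List[str]:
    """Collect role names from the getAllRolesNames reply, ignoring the
    Axis2-generated namespace prefix (assumed element: itemName)."""
    root = ET.fromstring(body)
    return [el.text for el in root.iter() if el.tag.endswith("}itemName") and el.text]


def _post(url: str, envelope: str, soap_action: Optional[str] = None,
          jsessionid: Optional[str] = None, ca_bundle: Optional[str] = None) -> Tuple[List[str], str]:
    headers = {"Content-Type": "text/xml;charset=UTF-8"}
    if soap_action:
        headers["SOAPAction"] = soap_action
    if jsessionid:
        headers["Cookie"] = f"JSESSIONID={jsessionid}"
    ctx = ssl.create_default_context(cafile=ca_bundle)  # certificate IS verified (no curl -k)
    req = urllib.request.Request(url, data=envelope.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers.get_all("Set-Cookie") or [], resp.read().decode("utf-8")


def roles_via_saml(base_url: str, saml_response_b64: str, ca_bundle: Optional[str] = None) -> List[str]:
    """Steps 04 and 05 in one call; raises instead of silently returning nothing."""
    cookies, body = _post(base_url + LOGIN_PATH, build_login_envelope(saml_response_b64), ca_bundle=ca_bundle)
    if not login_succeeded(body):
        raise PermissionError("SAML login rejected by the Identity Server")
    session = extract_jsessionid(cookies)
    if session is None:
        raise RuntimeError("login succeeded but no JSESSIONID cookie was issued")
    _, roles_body = _post(base_url + USERADMIN_PATH, build_roles_envelope(),
                          soap_action="getAllRolesNames", jsessionid=session, ca_bundle=ca_bundle)
    return parse_role_names(roles_body)


# Constructed sample replies (shaped after the output above; the role list is invented).
SAMPLE_LOGIN_OK = ("<?xml version='1.0' encoding='UTF-8'?>"
                   f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
                   f'<ns:loginResponse xmlns:ns="{SSO_NS}"><ns:return>true</ns:return>'
                   '</ns:loginResponse></soapenv:Body></soapenv:Envelope>')
SAMPLE_LOGIN_FAIL = SAMPLE_LOGIN_OK.replace("<ns:return>true", "<ns:return>false")
SAMPLE_ROLES = (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
                f'<ns:getAllRolesNamesResponse xmlns:ns="{AXIS_XSD_NS}" '
                'xmlns:ax="http://example.invalid/flaggedname">'
                '<ns:return><ax:itemName>admin</ax:itemName><ax:selected>false</ax:selected></ns:return>'
                '<ns:return><ax:itemName>Internal/everyone</ax:itemName></ns:return>'
                '</ns:getAllRolesNamesResponse></soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    import sys
    # usage: python saml_admin.py https://localhost:9443 <base64 SAMLResponse> [ca_bundle.pem]
    print(roles_via_saml(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
```

The session cookie returned by the login service carries the same privileges as the user named in the assertion (here the admin user), so treat it as you would that user's password: keep it out of shell history and logs, and note that the response flags it Secure and HttpOnly for a reason.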
I hope you got a basic idea about how we can use the SAML assertion response to authenticate to WSO2 admin services. If you need further clarification in this regard, please leave a comment below.