com.ibm.websphere.wssecurity.wssapi.token

Class SAMLTokenFactory

java.lang.Object
  extended by com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory

public abstract class SAMLTokenFactory
extends java.lang.Object

This API is used to create SAML security tokens conforming to the SAML v1.1 and SAML v2.0 standards (both token versions are supported). Subject confirmation can be holder-of-key (symmetric or public key) or bearer. Users can create and validate tokens, or use them to authenticate the token holder.

The code snippets shown below demonstrate how to use this API to generate and validate SAML tokens as defined in OASIS Web Services Security: SAML Token Profile 1.1. In these samples, it is assumed that the ProviderConfig instance is created from a JVM system property, com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath, in a Java client environment. This JVM property specifies a properties file that contains the default values of the ProviderConfig object. In the Application Server runtime environment, the default values of the ProviderConfig object are defined by a SAMLIssuerConfig.properties file under the cell-level or server-level config directory.

Refer to the "Configuration of a SAML token during token creation" section in the WebSphere Application Server V7 InfoCenter for a detailed description of all the properties.

Sample code of generating SAMLToken for SAML V1.1 symmetric holder-of-key assertion from Subject
        import javax.security.auth.Subject;
        import com.ibm.websphere.security.auth.WSSubject;
        import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
        import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
        import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
        import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
        import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;

        SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);

        // 1. Create RequesterConfig object.
        RequesterConfig reqData = samlFactory.newSymmetricHolderOfKeyTokenGenerateConfig();
        // Set the recipient's key alias, so the secret key can be encrypted for the recipient.
        reqData.setKeyAliasForAppliesTo("SOAPRecipient");
        // Set the authentication method that the requester was authenticated with. This is an optional parameter.
        reqData.setAuthenticationMethod("Password");

        // 2. Create CredentialConfig object.
        // This step assumes that a SAMLToken exists in the RunAsSubject, which is obtained here with the WSSubject API.
        // This method lets SAMLTokenFactory copy the SAMLToken's NameID or NameIdentifier and Attributes to the new SAMLToken.
        // If there is no SAMLToken in the RunAsSubject, a new SAMLToken is created using the user security identity from
        // the WSPrincipal object in the RunAsSubject.
        Subject runAsSubject = WSSubject.getRunAsSubject();
        CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);

        // 3. Create ProviderConfig object, which specifies the key store for SAML signing and encryption, the expiration time, and the issuer logical name.
        // Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath is set in a Java client environment,
        // or the default SAMLIssuerConfig.properties file is updated in the Application Server runtime environment.
        ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server");

        SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);


Sample code of generating SAMLToken for SAML V2.0 bearer assertion from Subject
        import javax.security.auth.Subject;
        import org.apache.axiom.om.OMElement;
        import com.ibm.websphere.security.auth.WSSubject;
        import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
        import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
        import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
        import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
        import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
        // OMStructure is the WebSphere XMLStructure implementation backed by Axiom; its package is not listed in this reference.

        SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

        // 1. Create RequesterConfig object.
        RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();

        // 2. Create CredentialConfig object.
        // This step assumes that a SAMLToken exists in the RunAsSubject, which is obtained first with the WSSubject API.
        // This method call lets SAMLTokenFactory copy the existing SAML NameID and attributes in the RunAsSubject to the new SAMLToken.
        // If there is no SAMLToken in the RunAsSubject, a new SAMLToken is created using the user security identity from
        // the WSPrincipal object in the RunAsSubject.
        Subject runAsSubject = WSSubject.getRunAsSubject();
        CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);

        // 3. Create ProviderConfig object, which specifies the key store for SAML signing and encryption, the expiration time, and the issuer logical name.
        // Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath is set in a Java client environment,
        // or the default SAMLIssuerConfig.properties file is updated in the Application Server runtime environment.
        ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server");

        SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);

        // Get the SAML assertion in XML form.
        OMElement samlXML = ((OMStructure) samlToken.getXML()).getNode();


Sample code of generating SAMLToken for SAML V2.0 bearer assertion
        import java.util.ArrayList;
        import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
        import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
        import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
        import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
        import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
        import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
        import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;

        SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

        // 1. Create RequesterConfig object.
        RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
        // Set the authentication method that the requester was authenticated with. This is an optional parameter.
        reqData.setAuthenticationMethod("Password");

        // 2. Create CredentialConfig object, which contains the NameID and the Attribute assertion.
        CredentialConfig cred = samlFactory.newCredentialConfig();
        // Create a SAMLNameID object for SAMLTokenFactory to generate the NameID or NameIdentifier assertion.
        SAMLNameID samlNameId = new SAMLNameID("alice@websphere", "urn:oasis:names:tc:SAML:1.0:assertion#emailAddress", null, null, null);
        cred.setSAMLNameID(samlNameId);
        // Create SAMLAttribute objects for SAMLTokenFactory to generate the Attribute assertion.
        SAMLAttribute sattribute = new SAMLAttribute("Address", new String[] {"Austin, Texas"}, null,
                "IBM WebSphere namespace", null, null);
        ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
        al.add(sattribute);
        sattribute = new SAMLAttribute("Membership", new String[] {"Blue team", "Green Team"}, null, null, null, null);
        al.add(sattribute);
        cred.setSAMLAttributes(al);

        // 3. Create ProviderConfig object, which specifies the key store for SAML signing and encryption, the expiration time, and the issuer logical name.
        // Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath is set in a Java client environment,
        // or the default SAMLIssuerConfig.properties file is updated in the Application Server runtime environment.
        ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("WebSphere Self Issuer");

        SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);


Sample code of generating SAMLToken from SAML XMLStructure or InputStream
        import java.io.InputStream;
        import com.ibm.websphere.wssecurity.wssapi.XMLStructure;
        import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
        import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
        import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
        import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;

        SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
        // Create ConsumerConfig object for SAML validation and parsing.
        ConsumerConfig samlConsumerCfg = samlFactory.newConsumerConfig();
        // The following method calls are required if SAML tokens or embedded keys are encrypted.
        KeyStoreConfig tsc = SAMLTokenFactory.newKeyStoreConfig("jceks", "recipient.jceks", "storepass");
        samlConsumerCfg.setTrustStoreConfig(tsc);
        // Use one of the following statements to create the SAMLToken.
        // samlXml is the received SAML assertion in XMLStructure format; samlInputStream is the received assertion as an InputStream.
        SAMLToken samlTokenFromXML = samlFactory.newSAMLToken(samlConsumerCfg, samlXml);
        SAMLToken samlTokenFromInputStream = samlFactory.newSAMLToken(samlConsumerCfg, samlInputStream);
        // The caller is responsible for closing samlInputStream afterwards; newSAMLToken does not close it.


Field Summary

Modifier and Type                          Field and Description
static java.security.SecurityPermission    GET_NEWCREDENTIALCONFIG_PERM
static java.security.SecurityPermission    GET_NEWSAMLTOKEN_PERM
static java.security.SecurityPermission    GET_NEWSUBJECT_PERM
static java.lang.String                    WssSamlV11Token11
                                           This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory.
static java.lang.String                    WssSamlV20Token11
                                           This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory.

Constructor Summary

Constructor and Description
SAMLTokenFactory()

Method Summary

Modifier and Type    Method and Description

static SAMLTokenFactory getInstance(java.lang.String valueType)
    Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0).
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newAsymmetricHolderOfKeyTokenGenerateConfig()
    Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token.
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newBearerTokenGenerateConfig()
    Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain the bearer type of subject confirmation.
abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig newConsumerConfig()
    Create an empty ConsumerConfig to validate, decrypt, and parse a SAMLAssertion.
abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig()
    Create a CredentialConfig that encapsulates two main attributes: a SAML Name Identifier for the requester and a SAML list of attributes for the requester.
abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig(javax.security.auth.Subject subject)
    Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes.
abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig newDefaultProviderConfig(java.lang.String stsUri)
    Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer.
static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String ksRef)
    Create a KeyStoreConfig that encapsulates KeyStore configuration attributes.
static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String type, java.lang.String path, java.lang.String password)
    Create a KeyStoreConfig that encapsulates KeyStore configuration attributes.
abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, java.io.InputStream in)
    Create a SAMLToken object based on an InputStream for a SAML XML document.
abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, XMLStructure xml)
    Create a SAMLToken object based on an existing SAML XML document.
abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
    Create a SAMLToken object based on the passed-in parameters, which include the CredentialConfig, the RequesterConfig and the ProviderConfig objects (see the methods above for content details).
abstract SAMLToken newSAMLToken(javax.security.auth.Subject subject, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
    Create a SAMLToken object based on the passed-in parameters, which include a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details).
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSenderVouchesTokenGenerateConfig()
    Create a default RequesterConfig object for a SAML assertion with sender-vouches subject confirmation.
abstract javax.security.auth.Subject newSubject(SAMLToken aSAMLToken)
    Create a JAAS Subject based on the SAMLToken object's principal name, which is basically the NameId or NameIdentifier attribute in the SAML Assertion specification.
abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig()
    Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

GET_NEWCREDENTIALCONFIG_PERM

public static final java.security.SecurityPermission GET_NEWCREDENTIALCONFIG_PERM

GET_NEWSAMLTOKEN_PERM

public static final java.security.SecurityPermission GET_NEWSAMLTOKEN_PERM

GET_NEWSUBJECT_PERM

public static final java.security.SecurityPermission GET_NEWSUBJECT_PERM

WssSamlV11Token11

public static final java.lang.String WssSamlV11Token11

This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.

WssSamlV20Token11

public static final java.lang.String WssSamlV20Token11

This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.

Constructor Detail

SAMLTokenFactory

public SAMLTokenFactory()

Method Detail

getInstance

public static SAMLTokenFactory getInstance(java.lang.String valueType)
                                    throws WSSException
Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0).
Parameters:
valueType - a string that specifies the version level for the token. It can only have either of these values:
  • SAMLTokenFactory.WssSamlV11Token11 for SAML 1.1
  • SAMLTokenFactory.WssSamlV20Token11 for SAML 2.0
Returns:
a SAMLTokenFactory implementation that supports the specified token type.
Throws:
WSSException - if there is no SAMLTokenFactory class that supports the specified token type.

newBearerTokenGenerateConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newBearerTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain bearer type of subject confirmation. These attributes include:
  • subject confirmation type of bearer
  • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
Returns:
a RequesterConfig object to build Bearer confirmation SAML assertion.
See Also:
RequesterConfig

newSenderVouchesTokenGenerateConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSenderVouchesTokenGenerateConfig()
Create a default RequesterConfig object for a SAML assertion with sender-vouches subject confirmation.
Returns:
a default RequesterConfig object to build a SAML assertion that contains Sender-Vouches as a subject confirmation. The main attributes encapsulated by this object are:
  • subject confirmation type of sender-vouches
  • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
Throws:
WSSException
See Also:
RequesterConfig

newSymmetricHolderOfKeyTokenGenerateConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. This object will contain holder of key type of subject confirmation using a secret key. It mainly contains these attributes:
  • subject confirmation type of holder-of-key
  • key type of symmetric (secret)
  • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
Returns:
a RequesterConfig object to build Holder-of-Key SAML assertion with SymmetricKey KeyType.
See Also:
RequesterConfig

newAsymmetricHolderOfKeyTokenGenerateConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newAsymmetricHolderOfKeyTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. This object will contain holder of key type of subject confirmation using a public key. It mainly contains these attributes:
  • subject confirmation type of holder-of-key
  • key type of asymmetric (public)
  • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
Returns:
a RequesterConfig object to build Holder-of-Key SAML assertion with asymmetricKey KeyType.
See Also:
RequesterConfig

newCredentialConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig(javax.security.auth.Subject subject)
                                    throws WSSException
Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes. This object is created in preparation for using the SAML token creation methods (see below). This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newCredentialConfig") Java Security permission.
Parameters:
subject - containing the principal name and possibly attributes of the requester.
Returns:
a CredentialConfig object that could be used to create SAML assertion. The CredentialConfig is populated with the Name Identifier of the requester and possibly SAML attributes that may exist on the SAML token that is extracted off of the Private Credential list of the subject. If subject is null, this method will return null.
Throws:
WSSException
See Also:
CredentialConfig

newCredentialConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig()
                                    throws WSSException
Create a CredentialConfig that encapsulates two main attributes:
  • a SAML Name Identifier for the requester
  • a SAML list of attributes for the requester
Returns:
a CredentialConfig object that can be used to populate the NameID and the attributes for a requester when creating a SAML token (see below).
Throws:
WSSException
See Also:
CredentialConfig, for how to use its setter methods (for example setSAMLNameID and setSAMLAttributes) to populate the returned object.

newDefaultProviderConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig newDefaultProviderConfig(java.lang.String stsUri)
                                    throws WSSException
Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer.
Parameters:
stsUri - a String that represents the SAML issuer in a SAML Assertion. In the case of WebSphere self-issued tokens, this parameter can take any value, e.g. WebSphereSelfIssuer.
Returns:
a default embedded ProviderConfig that encapsulates the following attributes:
  • the URI for the issuer from the passed input parameter. This can default to the string WebSphere.
  • time to live for the token expiration. Defaults to 3600000 milliseconds or 2 hours.
  • a KeyStoreConfig object encapsulating the key store info for the issuer including: the location, password, and type. For example in a WebSphere installation, one can set the type to PKCS12 and point to the keyStore: $WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/WssIP.pfx
  • a trust store configuration possibly containing the public key certificate for the recipient. Both issuer keyStore and trustStore are used to protect the SAML token as well as for the generation of holder-of-key data in the SAML assertion (see token creation API below). Configuration items for the trustStore include: type, password, and location. For example in a WebSphere installation one might set the type to PKCS12 and point to the trustStore: $WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/wssipkey.p12

    In order to change the configuration parameters for the provider in the WebSphere environment you need to edit: $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/sts/SAMLIssuerConfig.properties for the cell level. At the server level: $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/nodes/$NODENAME/servers/$SERVERNAME/SAMLIssuerConfig.properties

  • a KeyInformationConfig object encapsulating key store info for the issuer that includes: the key alias, password and key name.
Throws:
WSSException

newKeyStoreConfig

public static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String type,
                                                                                  java.lang.String path,
                                                                                  java.lang.String password)
                                    throws WSSException
Create a KeyStoreConfig that encapsulates KeyStore configuration attributes. For example, in a WebSphere installation one can set the type to JKS and point to the keyStore using parameter strings like the following: "JKS", "$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender.ks", "sampleapp"
Parameters:
type - is a String that represents type of KeyStore
path - is a String that represents the KeyStore file name
password - is a String that represents the KeyStore password
Returns:
a default embedded KeyStoreConfig that encapsulates the following attributes: the type, location, and password.
Throws:
WSSException
See Also:
KeyStoreConfig

newKeyStoreConfig

public static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String ksRef)
                                    throws WSSException
Create a KeyStoreConfig that encapsulates KeyStore configuration attributes. For example in a WebSphere installation, one can use a reference to the default keystore with a parameter string like: "name=NodeDefaultKeyStore managementScope=(cell):sampleNode01Cell:(node):sampleNode01"
Parameters:
ksRef - is a String that represents KeyStore reference name
Returns:
a default embedded KeyStoreConfig that encapsulates the KeyStore reference name.
Throws:
WSSException
See Also:
KeyStoreConfig

newSAMLToken

public abstract SAMLToken newSAMLToken(javax.security.auth.Subject subject,
                                       com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request,
                                       com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
                                throws WSSException
Create a SAMLToken object based on the passed in parameters that include a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details). This method will copy the contents from the original SAML Token, if one exists in the Subject, to the new SAML token. NameId or NameIdentifier, SAML Attributes, and AuthenticationMethod are copied to the new SAML Token. The new SAML Token namespace, issuer, signing certificate, confirmation method and encryption key, timestamp, and lifetime are determined by the ProviderConfig and RequesterConfig parameters. When the Subject does not contain an existing SAMLToken object, this method will create a new SAML Token using the WSPrincipal name as the NameId or NameIdentifier. No other attribute will be copied from the Subject to the new SAMLToken when there was no SAML token in the Subject parameter. Use the newSAMLToken( CredentialConfig cred, RequesterConfig request, ProviderConfig providerConfig ) method if you need to add SAML Attributes in the new SAMLToken. This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.
Parameters:
subject - is mapped to NameIdentifier and attributes in an SAML Assertion.
request - contains data that describes what kind of assertion should be created.
providerConfig - describes issuer, like Signing KeyInfo and Encryption KeyInfo.
Returns:
a SAMLToken which can then be bound to a secure service request.
Throws:
WSSException - if required key and certificate cannot be found, or upon other configuration problems.
See Also:
ProviderConfig, RequesterConfig

newSAMLToken

public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred,
                                       com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request,
                                       com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
                                throws WSSException
Create a SAMLToken object based on the passed in parameters that include the CredentialConfig, the RequesterConfig and the ProviderConfig objects (see the methods above for content details). This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.
Parameters:
cred - contains principal and attributes that will be included in SAML Assertion.
request - contains data that describes what kind of assertion should be created.
providerConfig - describes issuer, like Signing KeyInfo and Encryption KeyInfo.
Returns:
a SAMLToken which can then be bound to a secure service request.
Throws:
WSSException - if the specified SAMLToken class cannot be found, or required key and certificate cannot be found, or upon other configuration problems.
See Also:
ProviderConfig, RequesterConfig, CredentialConfig

newSAMLToken

public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer,
                                       XMLStructure xml)
                                throws WSSException
Create a SAMLToken object based on an existing SAML XML document. This method can be used to validate the xml structure representing the SAML token.
Parameters:
consumer - contains key information associated with the recipient of the token. This info is used to verify and/or decrypt the SAML XML document.
xml - is an SAML XML document.
Returns:
a SAMLToken that can be used to initiate service requests.
Throws:
WSSException - if key and certificate information cannot be found, or upon other configuration problems.
See Also:
ConsumerConfig

newSAMLToken

public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer,
                                       java.io.InputStream in)
                                throws WSSException
Create a SAMLToken object based on an inputStream for a SAML XML document. This method may be used to validate the inputStream representing the SAML token.
Parameters:
consumer - contains key information associated with the recipient of the token. This info is used to verify and/or decrypt the SAML XML document.
in - an InputStream corresponding to a serialized SAML token. The programmer is responsible for closing the stream afterwards.
Returns:
a SAMLToken that can be used to initiate service requests.
Throws:
WSSException - if key and certificate information cannot be found, or upon other configuration problems.
See Also:
ConsumerConfig

newSubject

public abstract javax.security.auth.Subject newSubject(SAMLToken aSAMLToken)
                                    throws WSSException
Create a JAAS subject based on SAMLToken object principal name which is basically the NameId or NameIdentifier attribute in SAML Assertion Specification. This method looks up user security name and group membership data from the configured user registry using the SAMLToken principal name. The SAMLToken object will be added to the Subject PrivateCredentials. None of the individual SAMLToken attributes will be copied into the new subject. The lifetime of the new subject is determined by the LTPA timeout configuration. The subject lifetime is independent from the SAMLToken lifetime. This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSubject") Java Security permission.
Parameters:
aSAMLToken - that contains a named principal and attributes.
Returns:
a Subject containing the principal and attributes from the input SAMLToken.
Throws:
WSSException
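The two consumer-side calls documented above, newSAMLToken(ConsumerConfig, InputStream) and newSubject(SAMLToken), put together into one service-side class. This is an added example and not part of this API reference or of IBM's code: the class and method names (SamlAssertionConsumer, authenticate, samlTokenOf), the trust store type, path and password, and the package of WSSException (com.ibm.websphere.wssecurity.wssapi) are assumptions; every factory call is one listed on this page.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Set;

import javax.security.auth.Subject;

import com.ibm.websphere.wssecurity.wssapi.WSSException;          // package assumed from the WebSphere WSS API
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;

/**
 * Added example, not IBM's code: service-side acceptance of a serialized SAML 2.0
 * assertion. Signature verification, decryption and parsing happen inside
 * newSAMLToken(ConsumerConfig, InputStream); this class wires the recipient's
 * trust store in, closes the stream (the API leaves that to the caller) and
 * turns a validated token into a JAAS Subject with newSubject.
 */
public final class SamlAssertionConsumer {

    // Constructed placeholder trust store values; replace with the recipient's real store.
    private static final String TRUST_STORE_TYPE = "jceks";
    private static final String TRUST_STORE_PATH = "recipient.jceks";
    private static final String TRUST_STORE_PASSWORD = "storepass";

    private final SAMLTokenFactory factory;
    private final ConsumerConfig consumerConfig;

    public SamlAssertionConsumer() throws WSSException {
        factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
        consumerConfig = factory.newConsumerConfig();
        // Required when the assertion or its embedded key is encrypted for this recipient;
        // the same store holds the key material used to verify and decrypt the assertion.
        KeyStoreConfig trustStore = SAMLTokenFactory.newKeyStoreConfig(
                TRUST_STORE_TYPE, TRUST_STORE_PATH, TRUST_STORE_PASSWORD);
        consumerConfig.setTrustStoreConfig(trustStore);
    }

    /**
     * Validates the assertion read from {@code in} and returns a Subject for its NameID.
     * A WSSException (bad signature, unknown key, undecryptable content, configuration
     * problem) is deliberately not caught here: the caller must treat it as an
     * authentication failure, never as a reason to fall back to an unauthenticated path.
     */
    public Subject authenticate(InputStream in) throws WSSException, IOException {
        SAMLToken token;
        try {
            token = factory.newSAMLToken(consumerConfig, in);
        } finally {
            in.close(); // newSAMLToken does not close the stream for us
        }
        if (token == null) {
            throw new SecurityException("SAML assertion could not be parsed");
        }
        // newSubject looks the NameID up in the user registry and stores the SAMLToken in
        // the Subject's private credentials. The Subject lives for the LTPA timeout, not for
        // the assertion's own validity period, so keep the token if you need its expiry.
        return factory.newSubject(token);
    }

    /** Recovers the SAMLToken that newSubject placed in the Subject's private credentials. */
    public static SAMLToken samlTokenOf(Subject subject) {
        Set<SAMLToken> tokens = subject.getPrivateCredentials(SAMLToken.class);
        return tokens.isEmpty() ? null : tokens.iterator().next();
    }
}
```

Callers pass the assertion stream taken from the inbound message to authenticate and keep the returned Subject for authorization decisions; samlTokenOf is there for code that later needs the assertion itself, because the Subject's LTPA-based lifetime says nothing about whether the assertion is still within its own validity period.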

newConsumerConfig

public abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig newConsumerConfig()
                                    throws WSSException
Create an empty ConsumerConfig to validate, decrypt, and parse a SAMLAssertion.
Returns:
a ConsumerConfig object.
Throws:
WSSException
See Also:
ConsumerConfig, for how to set the consumer's keyStore as well as trustStore information (for example with setTrustStoreConfig) on the newly created ConsumerConfig object.