Pushpalanka

About Pushpalanka

Pushpalanka is an undergraduate in Computer Science and Engineering working on a variety of middleware solutions. She is an open-source enthusiast with interests in the fields of Big Data, Distributed Systems and Web Security.

Implementing SAML to XACML

Before Implementing SAML



This is how a XACML request looks when it arrives at the PDP (Policy Decision Point) to be evaluated.

<Request xmlns='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
<Subject>
    <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id'
    DataType='http://www.w3.org/2001/XMLSchema#string'>
    <AttributeValue>admin</AttributeValue>
    </Attribute>
</Subject>
<Resource>
    <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id'
    DataType='http://www.w3.org/2001/XMLSchema#string'>
    <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
    </Attribute>
</Resource>
<Action>
    <Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id'
    DataType='http://www.w3.org/2001/XMLSchema#string'>
    <AttributeValue>read</AttributeValue>
    </Attribute>
</Action>
<Environment/>
</Request>

Basically it states who (the Subject) wants to access which Resource and what Action it wants to perform on it. The PDP trusts that the request has not been altered in transit, evaluates it against the enabled policies and replies with a decision, which looks as follows.

<Response>
<Result ResourceId='http://localhost:8280/services/echo/echoString'>
<Decision>Permit</Decision>
<Status>
    <StatusCode Value='urn:oasis:names:tc:xacml:1.0:status:ok'/>
</Status>
</Result>
</Response>

Again, the party consuming this response has no guarantee that the decision was not altered between leaving the PDP and being received. To secure XACML requests and responses in server-to-server communication, OASIS defines the SAML profile for XACML. This takes the system's security a level higher by allowing the fine-grained authorization messages of XACML to be signed.


After Implementing SAML

Following is how the previous XACML request looks after being wrapped into a XACMLAuthzDecisionQueryType, generated with the OpenSAML 2.0.0 library, which supports the SAML profile of XACML as declared in 2004. The diagram shows the basic structure of a XACMLAuthzDecisionQueryType.

Following is a sample XACMLAuthzDecisionQuery.

<xacml-samlp:XACMLAuthzDecisionQueryType InputContextOnly='true' IssueInstant='2011-10-31T06:44:57.766Z' ReturnContext='false' Version='2.0' xmlns:xacml-samlp='urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol'>
<saml:Issuer SPProvidedID='SPPProvierId' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'> https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
   <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
   <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
   <ds:Reference URI=''>
      <ds:Transforms>
      <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
      <ec:InclusiveNamespaces PrefixList='ds saml xacml-context xacml-samlp' xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <ds:DigestValue>7T1ScatC2Xg7pSpjB2X9HB3EH8M=</ds:DigestValue>
   </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>XQBUVH3j16HVm3aTFSFh5EYFyiYjn0IU4PJfXelzK6BfXp
GGTBGouVJEe2Kk26sa3Yj0nEgh51pKsNWxk8xQFWdXg6/UlMkq+CaKrYj7laYlM9yGuIlEBT6t
yzjIQBa8wskHeITL6tHE+G0aMa5YnTqtb+9IaJKGPIrl/K5Zn2A=</ds:SignatureValue>
   <ds:KeyInfo>
   <ds:X509Data>
   <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BA...</ds:X509Certificate>
   </ds:X509Data>
   </ds:KeyInfo>
</ds:Signature>
<xacml-context:Request xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
   <xacml-context:Subject SubjectCategory='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject' xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
      <xacml-context:Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:subject:subject-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
         <xacml-context:AttributeValue>admin</xacml-context:AttributeValue>
      </xacml-context:Attribute>
   </xacml-context:Subject>
   <xacml-context:Resource xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
      <xacml-context:Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:resource:resource-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
         <xacml-context:AttributeValue>http://localhost:8280/services/echo/echoString</xacml-context:AttributeValue>
      </xacml-context:Attribute>
   </xacml-context:Resource>
   <xacml-context:Action xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
      <xacml-context:Attribute AttributeId='urn:oasis:names:tc:xacml:1.0:action:action-id' DataType='http://www.w3.org/2001/XMLSchema#string'>
         <xacml-context:AttributeValue>read</xacml-context:AttributeValue>
      </xacml-context:Attribute>
   </xacml-context:Action>
   <xacml-context:Environment xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'/>
</xacml-context:Request>
</xacml-samlp:XACMLAuthzDecisionQueryType>

As you can see, it carries a lot of information about the request: who issued it, when, the signature together with the X509Certificate, and the XACML request itself. Data integrity is preserved in this way.
After executing the request and obtaining the response from the PDP, the response is likewise sent secured with a signature. The diagram shows the structure of a basic SAML Response.

Following is a sample SAML response that carries XACML response.

<samlp:Response IssueInstant='2011-10-31T06:49:51.013Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
<saml:Issuer SPProvidedID='SPPProvierId' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
   <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
   <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
   <ds:Reference URI=''>
   <ds:Transforms>
   <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
   <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
   <ec:InclusiveNamespaces PrefixList='ds saml samlp xacml-context xacml-saml' xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/>
   </ds:Transform>
   </ds:Transforms>
   <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
   <ds:DigestValue>uct4nBcdqAV4FIO50WMmFjSy9sE=</ds:DigestValue>
   </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>dLaXFl6+HHqtaQoE8l22bCCM8byxblyBOYUTdUdG/LeYIR+
NUTn6nTRe9MJqWqrXT4qLtQ2Jvb3Cjrw66YZTdVrBXNjD1t6oWAg3YFXtZcO4s1+z5y4BeN6Mq
spLLKIUnovCADNbHvhhVDwtMkCOcUs0x35R0zENiU1PYVMLQMM=</ds:SignatureValue>
   <ds:KeyInfo>
   <ds:X509Data>
   <ds:X509Certificate>...</ds:X509Certificate>
   </ds:X509Data>
   </ds:KeyInfo>
</ds:Signature>
<saml:Assertion IssueInstant='2011-10-31T06:49:51.008Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>
<saml:Issuer SPProvidedID='SPPProvierId'>https://identity.carbon.wso2.org</saml:Issuer>
<saml:Statement xmlns:xacml-saml='urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:type='xacml-saml:XACMLAuthzDecisionStatementType'>
<xacml-context:Response xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
<xacml-context:Result ResourceId='http://localhost:8280/services/echo/echoString'
xmlns:xacml-context='urn:oasis:names:tc:xacml:2.0:context:schema:os'>
<xacml-context:Decision>Permit</xacml-context:Decision>
<xacml-context:Status><xacml-context:StatusCode Value='urn:oasis:names:tc:xacml:1.0:status:ok'/>
</xacml-context:Status>
</xacml-context:Result>
</xacml-context:Response>
</saml:Statement>
</saml:Assertion>
</samlp:Response>

The XACML response is wrapped into a SAML statement, which is included in a SAML assertion, which is in turn wrapped by a SAML response. I have only signed the response, according to the context, and included only one assertion. According to the spec we can sign both the assertion and the response separately and include more than one assertion in a response. It is also possible to send the relevant XACML request back inside the response, and the spec allows many more options. With OpenSAML we can get most of them into action.
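As an added consumer-side example (written for this page, not code from the original post or from OpenSAML), the following Python unwraps both envelopes shown above, the XACMLAuthzDecisionQuery and the samlp:Response, and lists the structural checks a receiver should make before acting on the payload: expected Issuer, a ds:Signature present, Reference URI='' with the enveloped-signature transform, and the algorithm policy. Assumptions: the SignatureValue is not cryptographically verified here (that needs an exc-c14n capable XML-DSig library such as OpenSAML), the sample query is constructed from the one above with placeholder signature values, and the SHA-1 based identifiers the samples use are treated as deprecated.

```python
import xml.etree.ElementTree as ET
# Namespaces of the SAML-wrapped XACML messages shown above (prefixes are only for lookups here).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
WEAK = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}

def signature_findings(root, expected_issuer):
    """Structural checks to make before acting on the wrapped payload; [] means the envelope is shaped
    as the profile expects. The SignatureValue itself is NOT verified (needs an exc-c14n capable library)."""
    findings = []
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != expected_issuer:
        findings.append("issuer missing or not the expected peer")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return findings + ["no ds:Signature: payload is unauthenticated, do not act on it"]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "":
        findings.append("Reference URI must be '' so the whole message is covered by the signature")
    elif ENVELOPED not in [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]:
        findings.append("enveloped-signature transform missing")
    for path in ("ds:SignedInfo/ds:SignatureMethod", "ds:SignedInfo/ds:Reference/ds:DigestMethod"):
        if (el := sig.find(path, NS)) is None or el.get("Algorithm") in WEAK:
            findings.append(f"{path.rsplit('/', 1)[1]}: missing or SHA-1 based (deprecated for signatures)")
    return findings

def unwrap(xml_text, expected_issuer):
    """Findings plus payload: subject/resource/action of a XACMLAuthzDecisionQuery, or the Decision of a Response."""
    root = ET.fromstring(xml_text)
    out = {"findings": signature_findings(root, expected_issuer)}
    req = root.find("xacml-context:Request", NS)
    if req is not None:
        for part in ("Subject", "Resource", "Action"):
            out[part.lower()] = req.find(f"xacml-context:{part}/xacml-context:Attribute/xacml-context:AttributeValue", NS).text
    dec = root.find("saml:Assertion/saml:Statement/xacml-context:Response/xacml-context:Result/xacml-context:Decision", NS)
    if dec is not None:
        out["decision"] = dec.text
    return out

# Constructed sample: the query above with the signature reduced to its structural parts (no real values).
SAMPLE_QUERY = """<q:XACMLAuthzDecisionQueryType Version='2.0' xmlns:q='urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol'
 xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
 xmlns:xc='urn:oasis:names:tc:xacml:2.0:context:schema:os'><saml:Issuer>https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/><ds:Reference URI=''>
<ds:Transforms><ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/></ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/></ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<xc:Request><xc:Subject><xc:Attribute><xc:AttributeValue>admin</xc:AttributeValue></xc:Attribute></xc:Subject>
<xc:Resource><xc:Attribute><xc:AttributeValue>http://localhost:8280/services/echo/echoString</xc:AttributeValue></xc:Attribute></xc:Resource>
<xc:Action><xc:Attribute><xc:AttributeValue>read</xc:AttributeValue></xc:Attribute></xc:Action></xc:Request></q:XACMLAuthzDecisionQueryType>"""
```

Running `unwrap(SAMPLE_QUERY, "https://identity.carbon.wso2.org")` returns the subject, resource and action together with two findings flagging the SHA-1 based SignatureMethod and DigestMethod; a message with no ds:Signature at all is reported as unauthenticated.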

Reference: Implementing SAML to XACML from our JCG partner Pushpalanka at Pushpalanka's Blog.

Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd