Wednesday, June 10, 2009

Extending WSO2 Identity Server 2.0 to handle custom SAML assertions

WSO2 Identity Server 2.0 is a free and open source identity and entitlement management server, available to download from here...

Before reading this, you need to go through my previous blog post on 'WSO2 Identity Server + Claim aware proxy services with ESB' - available here.

Once you have that running, every client request for attributes is served by the Identity Server's default implementation.

What if you need to filter the attributes being sent?

What if you need to invoke an EJB to obtain custom attributes and insert them into the SAML assertion of the returned security token?

In other words, you need to execute some custom logic inside Identity Server 2.0 to manipulate the attributes added to the returned security token. How do you do that?

This blog post explains everything you need to make that happen.

First make sure the first scenario works: you should be getting a security token whose SAML assertion carries the attribute statements inserted by the Identity Server.

Now let's move to the second scenario, where we override that default behaviour.

Step 1

We need to write a Carbon component to hold our custom logic.

Download the ready-made sample from here.

Extract sample.aar and run

mvn clean install

from the sample folder. [I have tested this with a clean Maven repository.]

Now you can find the bundle at sample\org.wso2.carbon.identity.samples.attributeservice\target\org.wso2.carbon.identity.samples.attributeservice-2.0.0.SNAPSHOT.jar.

Step 2

Stop the Identity Server [IS] if it is already running.

Copy org.wso2.carbon.identity.samples.attributeservice-2.0.0.SNAPSHOT.jar to [IS_HOME]\webapps\ROOT\WEB-INF\plugins\server.

Open [IS_HOME]\webapps\ROOT\WEB-INF\eclipse\configuration\org.eclipse.equinox.simpleconfigurator\ and add the following entry at the end, as a single line.


Start the IS with the following.

> wso2server.bat -DosgiConsole -cleanCache

Once it has started, press <ENTER> on the console and you will get the OSGi prompt.

Type the following there to list the available bundles.

osgi> ss

Check the status of the org.wso2.carbon.identity.samples.attributeservice bundle and note its bundle ID [say 164]. If the status is RESOLVED rather than ACTIVE, type:

osgi> start 164

Check the status again with ss; it should now be ACTIVE.

Step 3

Run the same client you used before.

You will see the 'First Name' attribute being overridden as well as a new attribute being added.

You will also see the following line on the console.

INFO - SampleAttributeService being called
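To make the shape of that custom logic concrete, here is an added example of the kind of component Step 3 exercises. It is not the sample bundle linked above and not a WSO2 API: the AttributeService and ExternalAttributeSource interfaces, the package name and the example.org claim URIs are assumptions standing in for whatever attribute callback the IS 2.0 sample actually implements, so substitute that interface when you write your own. Only the OSGi BundleActivator and BundleContext.registerService calls are standard. What it shows is the three operations the post describes (filter, override 'First Name', add a new attribute from an external lookup) and the check a practitioner wants in front of them: whatever this component returns is signed into the token, so the external lookup is keyed by the authenticated subject only, and claims coming back from it are allow-listed rather than copied blindly.

```java
// Added example, not the post's sample bundle. Package, the two interfaces and the
// example.org claim URIs are assumptions; http://wso2.org/claims/* are real WSO2 claim URIs.
package org.example.identity.attributeservice;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;

public class CustomAttributeActivator implements BundleActivator {

    private static final Logger LOG = Logger.getLogger(CustomAttributeActivator.class.getName());

    /** Assumed contract: (authenticated subject, attributes IS resolved by default) -> attributes to assert. */
    public interface AttributeService {
        Map<String, String> getAttributes(String subject, Map<String, String> defaults);
    }

    /** Stand-in for the EJB the post mentions: claim URI -> value for a subject. */
    public interface ExternalAttributeSource {
        Map<String, String> attributesFor(String subject);
    }

    public static class SampleAttributeService implements AttributeService {
        static final String FIRST_NAME = "http://wso2.org/claims/givenname";
        static final String ROLE = "http://wso2.org/claims/role";
        static final String DEPARTMENT = "http://example.org/claims/department";   // assumed URI
        static final String INTERNAL_ID = "http://example.org/claims/internal-id"; // assumed URI

        /** Claims that must never leave the server inside a token, even if the default resolver found them. */
        private static final Set<String> BLOCKED = new HashSet<String>(Arrays.asList(INTERNAL_ID));
        /** Claims the external source is allowed to set. Anything else it returns (e.g. role) is dropped. */
        private static final Set<String> EXTERNAL_ALLOWED =
                new HashSet<String>(Arrays.asList(FIRST_NAME, DEPARTMENT));

        private final ExternalAttributeSource source;

        public SampleAttributeService(ExternalAttributeSource source) {
            this.source = source;
        }

        public Map<String, String> getAttributes(String subject, Map<String, String> defaults) {
            LOG.info("SampleAttributeService being called for " + subject);
            Map<String, String> out = new LinkedHashMap<String, String>();
            // 1. Filter: keep IS's own resolution minus the block list.
            for (Map.Entry<String, String> e : defaults.entrySet()) {
                if (!BLOCKED.contains(e.getKey())) {
                    out.put(e.getKey(), e.getValue());
                }
            }
            // 2. Override and add: merge what the external source knows about this subject.
            //    The lookup is keyed by the authenticated subject, never by anything the client sent.
            Map<String, String> external = source.attributesFor(subject);
            if (external != null) {
                for (Map.Entry<String, String> e : external.entrySet()) {
                    if (EXTERNAL_ALLOWED.contains(e.getKey())) {
                        out.put(e.getKey(), e.getValue()); // overrides First Name, adds Department
                    } else {
                        LOG.warning("Ignoring claim " + e.getKey() + " returned by external source");
                    }
                }
            }
            return Collections.unmodifiableMap(out);
        }
    }

    private ServiceRegistration registration;

    public void start(BundleContext context) {
        // Constructed in-memory source standing in for the EJB call; values are made up.
        ExternalAttributeSource source = new ExternalAttributeSource() {
            public Map<String, String> attributesFor(String subject) {
                Map<String, String> m = new HashMap<String, String>();
                m.put(SampleAttributeService.FIRST_NAME, "Alice (from external source)");
                m.put(SampleAttributeService.DEPARTMENT, "Engineering");
                m.put(SampleAttributeService.ROLE, "admin"); // not allow-listed, will be ignored
                return m;
            }
        };
        registration = context.registerService(AttributeService.class.getName(),
                new SampleAttributeService(source), null);
        LOG.info("SampleAttributeService registered");
    }

    public void stop(BundleContext context) {
        if (registration != null) {
            registration.unregister();
        }
    }
}
```

With the constructed source above, a default map containing givenname and the assumed internal-id claim comes back with internal-id removed, givenname replaced, department added and role silently dropped. Keep the allow-list deliberately narrow: the STS has already authenticated the subject, but an EJB or other back end is one more place where a wrong or stale record can turn into a signed claim.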