How to Validate a SAML Assertion and Then Insert the NameIdentifier Value into a HTTP Header
It is a common scenario that once you have validated a SAML Assertion at a Gateway layer, you then insert the name identifier from the SAML Assertion into a HTTP Header. Here is how you configure that in the Axway API Server:
Firstly, I have created a policy which performs SAML Validation (using the "SAML Authentication" filter) and then inserts a header (using the "Add HTTP Header" filter). Let's look at the steps in action.
Firstly, let's look at the SAML Authentication filter. I am choosing that I want to validate a SAML 2.0 assertion.
In the "Trusted Issuers" tab, I am setting that I trust "Acme" as an issuer of SAML tokens:
I could also follow this filter with a Signature Validation filter, if I also wanted to validate a digital signature over the SAML Assertion (and perhaps follow that with a Certificate Chain check filter to check the trust of the signing cert).
Once this filter has run, it will populate the SAML NameIdentifier (NameID) into the authentication.subject.id attribute. We can then insert this as a HTTP Header, using the "Add HTTP Header" filter configured as below:
Finally I am using a "Reflect" filter to simply return the message to the client, where we can see the new header added. Of course, we could use a "Connect to URL" filter to send our message, with its new header, to another destination (such as to an API or Web Service).
Finally I wire up my policy to a path called /ValidateSAML , as shown below:
I am using the free API Tester tool to test send a SOAP message containing a SAML Assertion.
I am inserting the SAML Assertion using the "Security" -> "Insert SAML Token" menu option, configured as below:
Notice below that I am putting "Joe" in as the name identifier in the SAML Assertion.
When I send it to the /SAMLValidate path on the API Server, and click on the "Headers" sub-tab on the bottom right of API Tester, I see the new HTTP header has been added, and the value is "Joe". I can also see this information by looking at the "Traffic" view through the API Server Manager (port 8090 over SSL) of the API Server.
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)