Enterprise Integration Zone is brought to you in partnership with:

Mark O'Neill is VP Innovation at Axway. Previously, he was CTO and co-founder at Vordel, acquired by Axway in 2012. He is the author of the McGraw-Hill book "Web Services Security" and is frequent speaker at conferences including Java One, the RSA Security Conference, and Oracle Open World. Mark is based on Boston, Massachusetts. Mark is a DZone MVB and is not an employee of DZone and has posted 65 posts at DZone. You can read more from them at their website. View Full User Profile

How to Validate a SAML Assertion and Then Insert the NameIdentifier Value into a HTTP Header

  • submit to reddit

It is a common scenario that once you have validated a SAML Assertion at a Gateway layer, you then insert the name identifier from the SAML Assertion into a HTTP Header. Here is how you configure that in the Axway API Server:

Firstly, I have created a policy which performs SAML Validation (using the "SAML Authentication" filter) and then inserts a header (using the "Add HTTP Header" filter). Let's look at the steps in action.

Firstly, let's look at the SAML Authentication filter. I am choosing that I want to validate a SAML 2.0 assertion.

In the "Trusted Issuers" tab, I am setting that I trust "Acme" as an issuer of SAML tokens:

I could also follow this filter with a Signature Validation filter, if I also wanted to validate a digital signature over the SAML Assertion (and perhaps follow that with a Certificate Chain check filter to check the trust of the signing cert).

Once this filter has run, it will populate the SAML NameIdentifier (NameID) into the authentication.subject.id attribute. We can then insert this as a HTTP Header, using the "Add HTTP Header" filter configured as below:

Finally I am using a "Reflect" filter to simply return the message to the client, where we can see the new header added. Of course, we could use a "Connect to URL" filter to send our message, with its new header, to another destination (such as to an API or Web Service).

Finally I wire up my policy to a path called /ValidateSAML , as shown below:

I am using the free API Tester tool to test send a SOAP message containing a SAML Assertion.

I am inserting the SAML Assertion using the "Security" -> "Insert SAML Token" menu option, configured as below:

Notice below that I am putting "Joe" in as the name identifier in the SAML Assertion.

When I send it to the /SAMLValidate path on the API Server, and click on the "Headers" sub-tab on the bottom right of API Tester, I see the new HTTP header has been added, and the value is "Joe". I can also see this information by looking at the "Traffic" view through the API Server Manager (port 8090 over SSL) of the API Server.
Published at DZone with permission of Mark O'neill, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)