Hi,
I am trying to implement the SAML assertion policy use case in my Edge. To do that I have referred to this link: https://community.apigee.com/articles/37587/saml-assertion-policies-study.html. I have followed this and implemented the steps below.
1) I have created a certificate 'mockserverKeyrstore' using OpenSSL.
2) Created a keystore 'mockserverKeystore' and added the above certificate.
3) Created proxies 'SAMLsampleIdPproxy' (generate SAML assertions and prepare key) and 'SAMLsampleSPproxy' (validate access token) as API products.
4) Created app 'SAMLAPP' and added the above API products. I got the consumer key and secret code.
5) Tested the proxy with url 'http://apitechbasics-prod.apigee.net/samlsampleidpproxy/GenerateIdPToken?response_type=token&redirection_uri=http://localhost:2999&client_id=4hCaENG9MyJL08T3aOQaLImj8TnlxCKA'
I am getting error 401. Attaching code and certificates for your reference. Could you please help me in running this sample?
Also I need some more clarification on the article: how are SAML assertions being validated against the key store?
Attachments: samlsampleidpproxy-rev1-2017-06-07.zip, samlsamplespproxy-rev1-2017-06-07.zip
Hi,
Could you please look into this scenario and help me understand the concept? If you have code already available for the use case https://community.apigee.com/articles/37587/saml-assertion-policies-study.html, please provide me the link.
Do you get an error at the Verify Access token policy in your preflow? You can see this from the trace in the UI.
Hi @veeraraghavendra
The reason you receive a 401 unauthorized is because your samlsampleidpproxy-rev1-2017-06-07 has the VerifyAccessToken policy in the preflow, which means that your request must include an access token in the Authorization: Bearer token header. The request that you posted does not have that header included in it.
In order for your request to succeed, you have two options:
1) Disable/remove the VerifyAccessToken policy in the preflow.
2) Obtain an access token by sending a client credentials request to your OAuth proxy to generate an access token first. Then include that access token in the Authorization: Bearer token header on the request. So the updated request is shown below. Make sure to include the access_token.
curl -H 'Authorization: Bearer access_token' 'http://apitechbasics-prod.apigee.net/samlsampleidpproxy/GenerateIdPToken?response_type=token&redirection_uri=http://localhost:2999&client_id=4hCaENG9MyJL08T3aOQaLImj8TnlxCKA'
I recommend the first option because the purpose of the SAML IDP proxy is to generate a SAML assertion and an access token, given that the OAuth v2 (generate access token) policy is able to verify the client ID and the redirect URI.
All the other steps that you completed seem to be correct.
I'll quickly summarize this community article and explain how it works.
1) The SAML IDP proxy has two policies, a) Generate SAML, b) OAuth v2 - Generate Access Token (implicit grant).
2) The SAML SP proxy is for you to verify the access token generated by the SAML IDP proxy. When the Verify Access Token policy executes, you can see in the trace that the SAML assertion is associated to the access token.
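As an added illustration (not the article's code and not the poster's attached proxy bundle), this is what option 1 looks like in the IdP proxy's ProxyEndpoint XML: the PreFlow carries no VerifyAccessToken step, and the GenerateIdPToken flow runs the SAML policy followed by the OAuthV2 implicit-grant policy, whose ClientId and RedirectUri checks are what authenticate the caller. The policy names, the query parameter names and the SAML output variable are assumptions.

```xml
<!-- Added example: IdP proxy endpoint after removing VerifyAccessToken from the PreFlow (option 1).
     Policy names (Generate-SAML-Assertion, OAuthV2-ImplicitGrant) and the variable names are assumed. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <!-- No VerifyAccessToken here: the caller has no token yet, this proxy is what issues one. -->
    <Request/>
    <Response/>
  </PreFlow>
  <Flows>
    <Flow name="GenerateIdPToken">
      <Condition>(proxy.pathsuffix MatchesPath "/GenerateIdPToken") and (request.verb = "GET")</Condition>
      <Request>
        <!-- Build the assertion first so the OAuthV2 policy can attach it to the token. -->
        <Step><Name>Generate-SAML-Assertion</Name></Step>
        <Step><Name>OAuthV2-ImplicitGrant</Name></Step>
      </Request>
      <Response/>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/samlsampleidpproxy</BasePath>
  </HTTPProxyConnection>
  <!-- No target: the proxy answers from the policies alone. -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- OAuthV2-ImplicitGrant.xml: the client_id must belong to an app (SAMLAPP) whose product
     covers this proxy, and redirect_uri must match the app's registered callback URL;
     either check failing is rejected by this policy, not by VerifyAccessToken. -->
<OAuthV2 name="OAuthV2-ImplicitGrant">
  <Operation>GenerateAccessTokenImplicitGrant</Operation>
  <ExpiresIn>3600000</ExpiresIn>
  <!-- The request must use exactly these query parameter names (response_type=token). -->
  <ResponseType>request.queryparam.response_type</ResponseType>
  <ClientId>request.queryparam.client_id</ClientId>
  <RedirectUri>request.queryparam.redirect_uri</RedirectUri>
  <!-- Assumed: store the assertion as a custom token attribute so the SP proxy's
       VerifyAccessToken shows it in the trace; saml.assertion is an assumed variable name. -->
  <Attributes>
    <Attribute name="saml_assertion" ref="saml.assertion" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

If the policy reads request.queryparam.redirect_uri, a request that sends redirection_uri instead (as in the original test URL) fails the redirect check even with a valid client_id.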