Search only in titles

---

Authentication Using SAML Token Profile

Authentication and Session Management

Security Assertion Markup Language (SAML)

The Security Assertion Markup Language (SAML) standard defines an XML-based mechanism for exchanging messages that contain security information in the form of assertions. A SAML assertion contains one or more statements about a user. There are three different types of statements that are defined by the SAML specification:

• Authentication statements define how and when the user was authenticated
• Attribute statements provide details about the user
• Authorization decision statements identify what the user is permitted to do

SAML messages follow a request and response protocol for requesting and receiving assertions in which SAML Request and Response elements are included within the body of a SOAP messages that are exchanged between SAML requesters and SAML responders. SAML messages provides a mechanism that you can use to implement SSO with P6 EPPM Web Services. Support for the SAML method of authentication is available in P6 EPPM Web Services.

For additional information about SAML, please refer to the Security Assertion Markup Language (SAML) v1.1 and 2.0 specification sets. These specification sets contain information about SAML assertions, protocol, bindings, profiles, and conformance. At the time of this writing, these specifications were available at:

http://www.oasis-open.org/specs/

Note: The following procedure demonstrates how to use SAML 1.1 with P6 EPPM Web Services. For additional information, refer to the sample code in the SAML11.java file in the P6 EPPM Web Services ws\demo\Java\JAX-WS\src\com\primavera\wsclient\demo folder. If you are using SAML 2.0 with P6 EPPM Web Services, refer to the sample code in the SAML2.java file in the P6 EPPM Web Services in this folder.

When using SAML, the P6 Authentication mode must be set to WebSSO or LDAP.

To configure the server to authenticate user credentials using SAML:

1. Launch the Administration Application.
2. On the Configurations tab:
   1. Set the Web Services/Security/Authentication/Mode setting to SAML Token Profile.
   2. Set the Web Services/Security/Authentication/SAML Token Profile/SAML Version setting to 1.1 or 2.0.
   3. Set the Web Services/Security/Require Signed SAML Token to true.
   4. Set the Web Services/Security/Authentication/SAML Token Profile/SAML Tokens/Issuer setting to a valid issuer for the SAML token. Separate multiple valid users with a space.
   5. Set the Web Services/Security/Authentication/SAML Token Profile/SAML Tokens/IssueInstant Timeout setting to an appropriate value in seconds.
   6. Set the SAML Tokens information to the appropriate values for your environment.
   7. Set the Signed SAML Tokens information to the appropriate values for your environment.
3. On the Authentication tab, set the Authentication/Login Mode to WebSSO or LDAP.

Step one: Create the SAML Token

Note: This step only applies to SAML 1.1. For information on creating SAML tokens for SAML 2.0, see .

For example, the following code snippet was extracted from the DemoOutInterceptor.java file that is included with the P6 EPPM Web Services demo application:

private Element addSAMLAssertion(WSSecurity sec, WSSOAPEnvelope wsEnvelope)

throws Exception

{

SAMLInitializer.initialize(1, 1);

Document aDoc = wsEnvelope.getOwnerDocument();

// Create all the information that we need for our own SAML assertion

// And since we're acting as the identity provider, we also specify how the user authenticated

AuthenticationStatement statement = new AuthenticationStatement(aDoc);

statement.setAuthenticationMethod(SAMLURI.authentication_method_password);

statement.setAuthenticationInstant(new Date());

statement.setSubject(createSAMLSubject(aDoc, m_demoInfo.username));

String assertionId = XMLUtils.randomName();

Date notBefore = new Date();

Date notOnOrAfter = Utils.minutesFrom(notBefore, 5);

// Create the assertion element we need based on all the information above

Assertion assertion = createAssertion(aDoc, assertionId, SAML_ISSUER, notBefore, notOnOrAfter, SAML_ISSUER, statement);

SAMLAssertionToken samlToken = new SAMLAssertionToken(assertion);

sec.addSAMLAssertionToken(samlToken);

// Finally, to prove that the assertion that we're sending out is actually from the identity provider (us),

// we can sign the message with our private key.

if (m_demoInfo.samlSigned)

{

// We just need to load the digital certificate and private key from the keystore specified

KeyStore keyStore = KeyStore.getInstance(m_demoInfo.samlKeystoreType);

keyStore.load(new FileInputStream(m_demoInfo.samlKeystore), m_demoInfo.samlKeystorepass.toCharArray());

String privateKeyPassword = m_demoInfo.samlKeypass;

PrivateKey privateKey = (PrivateKey)keyStore.getKey(m_demoInfo.samlAlias, privateKeyPassword.toCharArray());

// And we can use the private key to sign our assertion,

// verifying that the message comes from us

assertion.sign(privateKey, null);

}

return assertion.getElement();

}

Step two: Configure the CXF outgoing properties for including SAML Information

For example, the following code snippet was extracted from the WSDemo.java file that is included with the P6 EPPM Web Services demo application:

if (m_demoInfo.authMode == USERNAME_TOKEN_MODE || m_demoInfo.authMode == SAML_MODE)

{

client.getEndpoint().getOutInterceptors().add(new SAAJOutInterceptor());

client.getEndpoint().getInInterceptors().add(new SAAJInInterceptor());

// To do UsernameToken or SAML, we use our own Interceptor

// This will also handle encryption, if enabled

client.getEndpoint().getOutInterceptors().add(new DemoOutInterceptor(m_demoInfo));

// However, we only need a custom inbound Interceptor if we know that the server

// is sending back encrypted messages.

if (m_demoInfo.encEnabled && m_demoInfo.encInbound)

{

client.getEndpoint().getInInterceptors().add(new DemoInInterceptor());

}

}

Refer to the demo source to view the code snippets above within their context.

Including SAML 2.0 Tokens in SOAP Requests

The SAML token that was downloaded in the above step should be included in SOAP WS-Security header.

Sample Reference Code is given below:-

public static Element addSAMLAssertion(WSSecurity sec, WSSOAPEnvelope wsEnvelope)

      throws Exception

    {

      

        Document aDoc = wsEnvelope.getOwnerDocument();

        Document samlxml = getSAMLXML();

        NodeList assrtList =

            samlxml.getElementsByTagNameNS(SAML2URI.ns_saml, "Assertion");

       

        Element element = (Element)assrtList.item(0);

        Node importedNode = aDoc.importNode(element, true);

        sec.appendChild(importedNode);

        return samlxml.getDocumentElement();

    }

   

   

    private static Document getSAMLXML() throws Exception

    {

        return parseDomContent(new FileInputStream(new File("c:\\samlassertion.xml")));

    }

   

    public static Document parseDomContent(InputStream is) throws ParserConfigurationException, SAXException, IOException

    {

        DocumentBuilderFactory docbf = DocumentBuilderFactory.newInstance();

        docbf.setNamespaceAware(true);

        DocumentBuilder docBuilder = docbf.newDocumentBuilder();

        return docBuilder.parse(is);

    }

---

Last Published Thursday, May 2, 2024