Search only in titles

---

Using SAML Token Profile for Authentication

Authentication and Session Management

Security Assertion Markup Language (SAML)

The Security Assertion Markup Language (SAML) standard defines an XML-based mechanism for exchanging messages that contain security information in the form of assertions. A SAML assertion contains one or more statements about a user. There are three different types of statements that are defined by the SAML specification:

• Authentication statements define how and when the user was authenticated.
• Attribute statements provide details about the user.
• Authorization decision statements identify what the user is permitted to do.

SAML messages follow a request and response protocol for requesting and receiving assertions in which SAML Request and Response elements are included within the body of a SOAP messages that are exchanged between SAML requesters and SAML responders. SAML messages provides a mechanism that you can use to implement SSO with P6 EPPM Web Services. Support for the SAML method of authentication is available in P6 EPPM Web Services.

For additional information about SAML, please refer to the Security Assertion Markup Language (SAML) v1.1 and 2.0 specification sets. These specification sets contain information about SAML assertions, protocol, bindings, profiles, and conformance. At the time of this writing, these specifications were available at:

http://www.oasis-open.org/specs/

Note: The following procedure demonstrates how to use SAML 1.1 with P6 EPPM Web Services. For additional information, refer to the sample code in the SAML11.java file in the P6 EPPM Web Services ws\demo\Java\JAX-WS\src\com\primavera\wsclient\demo folder. If you are using SAML 2.0 with P6 EPPM Web Services, refer to the sample code in the SAML2.java file in the P6 EPPM Web Services in this folder.

When using SAML, the P6 Authentication mode must be set to WebSSO or LDAP.

To configure the server to authenticate user credentials using SAML:

1. Launch the Primavera P6 Administrator and log in.
2. In the Primavera P6 Administrator, click the Configurations tab, and expand Web Services/Security.
3. In the Security node, click Authentication:
   1. On the Authentication page, select SAML Token - SOAP.
   2. Expand SAML Token Profile.
   3. Select the Require Signed SAML Token option.
   4. On the SAML Version list, select 1.1, 2.0. or Both.
4. In the SAML Tokens section:
   1. Set the Issuer setting to a valid issuer for the SAML token. Separate multiple valid users with a space.
   2. Set the Issue Instant Timeout setting to an appropriate value.
   3. Set the Authentication Timeout setting to an appropriate value.
5. In the Signed SAML Tokens section:
   1. On the Key Store Type list, select the key store type you are using.
   2. In File Location, enter the full path to your Java keystore.
   3. In Key Store Password, enter a password.
   4. In Certificate Alias, enter an alias.
   5. In Private Key Alias, enter an alias.
   6. In Private Key Password, enter a password.
6. On the Authentication tab, set the Login Mode to WebSSO or LDAP.

Step one: Create the SAML Token

Note: This step only applies to SAML 1.1. For information on creating SAML tokens for SAML 2.0, see .

For example, the following code snippet was extracted from the DemoOutInterceptor.java file that is included with the P6 EPPM Web Services demo application:

private Element addSAMLAssertion(WSSecurity sec, WSSOAPEnvelope wsEnvelope)

throws Exception

{

SAMLInitializer.initialize(1, 1);

Document aDoc = wsEnvelope.getOwnerDocument();

// Create all the information that we need for our own SAML assertion

// And since we're acting as the identity provider, we also specify how the user authenticated

AuthenticationStatement statement = new AuthenticationStatement(aDoc);

statement.setAuthenticationMethod(SAMLURI.authentication_method_password);

statement.setAuthenticationInstant(new Date());

statement.setSubject(createSAMLSubject(aDoc, m_demoInfo.username));

String assertionId = XMLUtils.randomName();

Date notBefore = new Date();

Date notOnOrAfter = Utils.minutesFrom(notBefore, 5);

// Create the assertion element we need based on all the information above

Assertion assertion = createAssertion(aDoc, assertionId, SAML_ISSUER, notBefore, notOnOrAfter, SAML_ISSUER, statement);

SAMLAssertionToken samlToken = new SAMLAssertionToken(assertion);

sec.addSAMLAssertionToken(samlToken);

// Finally, to prove that the assertion that we're sending out is actually from the identity provider (us),

// we can sign the message with our private key.

if (m_demoInfo.samlSigned)

{

// We just need to load the digital certificate and private key from the keystore specified

KeyStore keyStore = KeyStore.getInstance(m_demoInfo.samlKeystoreType);

keyStore.load(new FileInputStream(m_demoInfo.samlKeystore), m_demoInfo.samlKeystorepass.toCharArray());

String privateKeyPassword = m_demoInfo.samlKeypass;

PrivateKey privateKey = (PrivateKey)keyStore.getKey(m_demoInfo.samlAlias, privateKeyPassword.toCharArray());

// And we can use the private key to sign our assertion,

// verifying that the message comes from us

assertion.sign(privateKey, null);

}

return assertion.getElement();

}

Step two: Configure the CXF outgoing properties for including SAML Information

For example, the following code snippet was extracted from the WSDemo.java file that is included with the P6 EPPM Web Services demo application:

if (m_demoInfo.authMode == USERNAME_TOKEN_MODE || m_demoInfo.authMode == SAML_MODE)

{

client.getEndpoint().getOutInterceptors().add(new SAAJOutInterceptor());

client.getEndpoint().getInInterceptors().add(new SAAJInInterceptor());

// To do UsernameToken or SAML, we use our own Interceptor

// This will also handle encryption, if enabled

client.getEndpoint().getOutInterceptors().add(new DemoOutInterceptor(m_demoInfo));

// However, we only need a custom inbound Interceptor if we know that the server

// is sending back encrypted messages.

if (m_demoInfo.encEnabled && m_demoInfo.encInbound)

{

client.getEndpoint().getInInterceptors().add(new DemoInInterceptor());

}

}

Refer to the demo source to view the code snippets above within their context.

Including SAML 2.0 Tokens in SOAP Requests

The SAML token that was downloaded in the above step should be included in SOAP WS-Security header.

Sample Reference Code is given below:-

public static Element addSAMLAssertion(WSSecurity sec, WSSOAPEnvelope wsEnvelope)

      throws Exception

    {

      

        Document aDoc = wsEnvelope.getOwnerDocument();

        Document samlxml = getSAMLXML();

        NodeList assrtList =

            samlxml.getElementsByTagNameNS(SAML2URI.ns_saml, "Assertion");

       

        Element element = (Element)assrtList.item(0);

        Node importedNode = aDoc.importNode(element, true);

        sec.appendChild(importedNode);

        return samlxml.getDocumentElement();

    }

   

   

    private static Document getSAMLXML() throws Exception

    {

        return parseDomContent(new FileInputStream(new File("c:\\samlassertion.xml")));

    }

   

    public static Document parseDomContent(InputStream is) throws ParserConfigurationException, SAXException, IOException

    {

        DocumentBuilderFactory docbf = DocumentBuilderFactory.newInstance();

        docbf.setNamespaceAware(true);

        DocumentBuilder docBuilder = docbf.newDocumentBuilder();

        return docBuilder.parse(is);

    }

Related Topics

Creating a SAML 2.0 Token

---

Last Published Tuesday, April 1, 2025