
How to Validate a SAML Assertion and Then Insert the NameIdentifier Value into an HTTP Header


A common scenario is that, once you have validated a SAML Assertion at a Gateway layer, you then insert the name identifier from the SAML Assertion into an HTTP header. Here is how you configure that in the Axway API Server:

Firstly, I have created a policy which performs SAML Validation (using the "SAML Authentication" filter) and then inserts a header (using the "Add HTTP Header" filter). Let's look at the steps in action.

Let's start with the SAML Authentication filter. I am choosing to validate a SAML 2.0 assertion.

In the "Trusted Issuers" tab, I am setting that I trust "Acme" as an issuer of SAML tokens:

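I could also follow this filter with a Signature Validation filter to validate the digital signature over the SAML Assertion, and perhaps follow that with a Certificate Chain check filter to check the trust of the signing certificate. The issuer name and NameID in an unsigned assertion are whatever the sender wrote, so a policy whose downstream services rely on the resulting header should include those signature checks.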

Once this filter has run, it will populate the SAML NameIdentifier (NameID) into the authentication.subject.id attribute. We can then insert this as an HTTP header, using the "Add HTTP Header" filter configured as below:

Next, I am using a "Reflect" filter to simply return the message to the client, where we can see the new header added. Of course, we could use a "Connect to URL" filter to send our message, with its new header, to another destination (such as an API or Web Service).

Finally, I wire up my policy to a path called /ValidateSAML, as shown below:

I am using the free API Tester tool to send a test SOAP message containing a SAML Assertion.

I am inserting the SAML Assertion using the "Security" -> "Insert SAML Token" menu option, configured as below:

Notice below that I am putting "Joe" in as the name identifier in the SAML Assertion.

When I send it to the /SAMLValidate path on the API Server, and click on the "Headers" sub-tab on the bottom right of API Tester, I see the new HTTP header has been added, and the value is "Joe". I can also see this information by looking at the "Traffic" view through the API Server Manager (port 8090 over SSL) of the API Server.
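The same policy logic in plain Python, as an added example that is not Axway's code or part of the original article: it checks the issuer against the trusted list, extracts the NameID, and sets it as a header after discarding any copy of that header the client sent. It goes beyond the walkthrough by also enforcing the assertion's Conditions validity window. The header name X-Authenticated-User is a hypothetical choice, timestamps are assumed to be whole-second UTC, and signature validation (the separate filter mentioned above) is not performed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUERS = {"Acme"}            # the issuer trusted in the article
HEADER = "X-Authenticated-User"       # hypothetical header name (assumption)

# Constructed sample: SOAP message carrying an unsigned SAML 2.0 assertion.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
   <saml:Issuer>Acme</saml:Issuer>
   <saml:Subject><saml:NameID>Joe</saml:NameID></saml:Subject>
   <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  </saml:Assertion></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

def _ts(value):
    # A missing attribute becomes "" and fails parsing with ValueError.
    return datetime.strptime(value or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def subject_from_assertion(xml_text, now):
    """Return the NameID; raise ValueError when a check fails. No signature check."""
    if "<!DOCTYPE" in xml_text:       # SOAP forbids DTDs; also blocks entity expansion
        raise ValueError("DTD not allowed")
    assertions = ET.fromstring(xml_text).findall(".//saml:Assertion", NS)
    if len(assertions) != 1:          # zero or several assertions is ambiguous: reject
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", "", NS).strip()
    if a.get("Version") != "2.0" or issuer not in TRUSTED_ISSUERS:
        raise ValueError("wrong version or untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id or "\r" in name_id or "\n" in name_id:   # keep NameID header-safe
        raise ValueError("missing or unsafe NameID")
    return name_id

def outbound_headers(inbound, xml_text, now):
    """Drop any client-supplied copy of HEADER, then set it from the assertion."""
    headers = {k: v for k, v in inbound.items() if k.lower() != HEADER.lower()}
    headers[HEADER] = subject_from_assertion(xml_text, now)
    return headers
```

Dropping the inbound copy of the header matters because a backend that trusts it cannot otherwise tell a gateway-set value from one the client supplied.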



Published at DZone with permission of Mark O'Neill, DZone MVB. See the original article here.
