Parsing SAML Assertion with Metro SAML API

Originally, Metro/XWSS only provided an API to create SAML assertions, with no API to parse them. That is why all the SAML-related samples had to use the primitive DOM API to parse SAML assertions and obtain user information. Since Metro 1.4, the SAML API has been enhanced to support parsing SAML assertions.

Here is some sample code showing how to get the user identity and attributes from a SAML assertion using the new API.


import java.util.List;
import org.w3c.dom.Element;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.AssertionUtil;
import com.sun.xml.wss.saml.*;

1. Create an Assertion from a DOM element:


Element samlEle;   // the DOM element holding the SAML assertion
Assertion assertion = AssertionUtil.fromElement(samlEle);

2. Get the user attributes and Subject:


Subject subject = null;
NameID nameID = null;

// SAML 2.0: the Subject is a direct child of the assertion
try {
     subject = assertion.getSubject();
} catch (Exception ex) {
     subject = null;
}

if (subject != null) {
     nameID = subject.getNameId();
}

List<Object> statements = assertion.getStatements();

for (Object s : statements) {
     if (s instanceof AttributeStatement) {
         List<Attribute> attrs = ((AttributeStatement) s).getAttributes();
         for (Attribute attr : attrs) {
                 String attrName = attr.getName();
                 List<Object> attrValues = attr.getAttributes();
                 // reads only the first value of the attribute
                 String attrValue = ((Element) attrValues.get(0)).getFirstChild().getNodeValue();
                 ...
         }

         // for SAML 1.0, 1.1: the Subject is carried inside the statement
         if (subject == null) {
                 subject = ((AttributeStatement) s).getSubject();
         }
     } else if (s instanceof AuthenticationStatement) {
         subject = ((AuthenticationStatement) s).getSubject();
     }

}

3. Get the user identifier in the Subject:


if (nameID != null) {
     // SAML 2.0 case
     String id = nameID.getValue();
     String nameQualifier = nameID.getNameQualifier();
     String format = nameID.getFormat();
} else if (subject != null) {
     // SAML 1.0, 1.1 case
     NameIdentifier nameIdentifier = subject.getNameIdentifier();
     if (nameIdentifier != null) {
         String id = nameIdentifier.getValue();
         String nameQualifier = nameIdentifier.getNameQualifier();
         String format = nameIdentifier.getFormat();
     }
}
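Step 1 starts from a samlEle that already exists. The following added example (not part of the original post or of Metro) shows one way to obtain that element when the assertion arrives as XML text, using only the JDK DOM parser with DTDs disabled. The class name, the helper loadAssertionElement and the sample assertion are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SamlElementLoader {   // hypothetical helper class
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample, not taken from a real identity provider.
    static final String SAMPLE =
        "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\" ID=\"_constructed1\" Version=\"2.0\""
      + " IssueInstant=\"2009-01-01T00:00:00Z\">"
      + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
      + "<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
      + "<saml:AttributeStatement><saml:Attribute Name=\"role\">"
      + "<saml:AttributeValue>admin</saml:AttributeValue>"
      + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>";

    /** Parses untrusted XML with DTDs disabled and returns the single SAML 2.0 Assertion element. */
    static Element loadAssertionElement(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // SAML elements are identified by namespace, not prefix
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE so external entities and entity expansion cannot be used.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        NodeList found = doc.getElementsByTagNameNS(SAML2_NS, "Assertion");
        if (found.getLength() != 1) {
            // Zero or several assertions: refuse rather than pick one arbitrarily.
            throw new IllegalArgumentException("expected exactly one Assertion, found " + found.getLength());
        }
        return (Element) found.item(0);
    }

    public static void main(String[] args) throws Exception {
        Element samlEle = loadAssertionElement(SAMPLE);
        System.out.println(samlEle.getLocalName() + " ID=" + samlEle.getAttribute("ID"));
        try {
            loadAssertionElement("<!DOCTYPE a []>" + SAMPLE);
            throw new IllegalStateException("DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected by the parser");
        }
    }
}
```

The returned element can be passed to AssertionUtil.fromElement(samlEle) as in step 1. Parsing only extracts the claims; it does not check the assertion's signature or validity period.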

Comments:

Is this API available yet? I tried to find it on the XWSS page but couldn't. The latest version I could find is XWSS 3.0 FCS and there is no method getStatements in the API documentation...

Currently I'm using XPath to parse the assertions, but that is rather cumbersome.

Thanks.

Posted by Fred Wan on January 01, 2009 at 10:37 PM PST #

Hi Fred,

Yes, it is available:

https://xwss.dev.java.net/source/browse/xwss/xwss-ri/src/com/sun/xml/wss/saml/Assertion.java?rev=1.13&view=markup

You should have it with Metro 1.4 or above:

https://metro.dev.java.net/1.4/

The API doc may not be updated. I will check back.

Thanks!

Jiandong

Posted by Jiandong Guo on January 02, 2009 at 02:55 AM PST #

About

Jiandong Guo
