Introduction
Apigee Edge has two simple but powerful policies, Generate SAML Assertion and Validate SAML Assertion, that let Edge act as the IdP or the SP end of a SAML 2.0-enabled solution.
Their documentation, http://docs.apigee.com/api-services/reference/saml-assertion-policy, is comprehensive but terse. To understand them better, let's experiment with those policies using a simple but complete test harness.
The design of our little project requires swapping an OAuth2 access_token for a SAML assertion: Edge functions as the IdP, and the assertion it issues must be one that the target server accepts.
The key design decisions of our solution are:
Our client application
- presents its client credentials;
- exchanges them for an OAuth2 access_token;
- uses the access_token to interact with the SAML-enabled backend.
Our oauth proxy
- after validating the credentials,
- uses the Generate SAML Assertion policy to create the assertion;
- and stores it as a custom attribute of the access_token it generates.
Our business proxy
- after verifying the provided access_token, fetches the SAML assertion attribute automatically and adds it to the SOAP message;
- the backend SAML SP is then expected to verify the assertion.
The SAML test harness will have two proxies, samlidp and samlsp. Signing SAML assertions, and validating the signature on them, needs an X.509 certificate and its private key; we will use openssl to generate a self-signed certificate for our setup.
KeyStore with X.509 Certificates
Create and upload keystore
To list keystores (GET; replace dbcjd and test with your own organization and environment):
https://api.enterprise.apigee.com/v1/organizations/dbcjd/environments/test/keystores
Create self-signed SSL Certificate
WARNING: Your certificate is not working? Meet Logjam, https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/.
Check the version of your openssl package. If it is older than 1.0.2, the certificate it generates will not be accepted by a recent Node.js interpreter. Node.js ships its own copy of the OpenSSL libraries, so chances are you have a fresh node alongside a stale openssl utility.
- Generate an RSA key. In the Terminal enter
openssl genrsa -out mockserver.key 2048
The mockserver.key file will be generated. Pass the key size explicitly: the default differs between openssl releases, and older ones produce a 1024-bit key.
- Create a certificate signing request (CSR) and answer the questions. (The -days option only matters when openssl req writes a certificate itself, so it is left out of the CSR step.)
openssl req -new -key mockserver.key -out mockserver.csr
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) :Guildford
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mock Server Ltd
Organizational Unit Name (eg, section) :mockdept
Common Name (e.g. server FQDN or YOUR name) :mockserver.com
Email Address :admin@mockserver.com
A challenge password :
An optional company name :
The mockserver.csr file will be created.
- Create the certificate from the certificate request
openssl x509 -req -days 3650 -in mockserver.csr -signkey mockserver.key -out mockserver.crt
Signature ok
subject=/C=UK/ST=Surrey/L=Guildford/O=Mock Server Ltd/OU=mockdept/CN=mockserver.com/emailAddress=admin@mockserver.com
Getting Private key
To create a keystore
See also: http://docs.apigee.com/api-services/content/keystores-and-truststores
- Make a folder for the jar file, mockserverKeystore, and inside it a sub-folder META-INF.
- "Create" the .pem files in the mockserverKeystore folder (the key and certificate are already PEM-encoded; only the names change):
cp mockserver.crt mockserverKeystore/mockserverCrt.pem
cp mockserver.key mockserverKeystore/mockserverKey.pem
- In META-INF, create a descriptor.properties file with the following lines:
certFile=mockserverCrt.pem
keyFile=mockserverKey.pem
- Inside the mockserverKeystore folder run:
jar -cf mockserverKeystore.jar mockserverCrt.pem mockserverKey.pem
jar -uf mockserverKeystore.jar META-INF/descriptor.properties
The jar now contains the unencrypted private key; treat the file as a secret.
NOTE: Example ~/.netrc file for curl's -n option (keep it mode 600; it holds the management API credentials in clear text):
machine api.enterprise.apigee.com login name@gmail.com password psw2
machine 192.168.56.102 login admin@apigee.com password Apigee2016
- List the keystores
curl https://api.enterprise.apigee.com/v1/organizations/dbcjd/environments/test/keystores -nv
- Create a KeyStore object
curl -H "Content-Type: text/xml" \
https://api.enterprise.apigee.com/v1/organizations/dbcjd/environments/test/keystores \
-d '<KeyStore name="mockserverKeystore"/>' -nv
- Add the .jar into the keystore, POSTing it to the keystore's keys resource with the alias as a query parameter (see the keystores documentation linked above); the alias is what the policy will refer to later
curl -X POST -H "Content-Type: multipart/form-data" \
-F file="@mockserverKeystore.jar" \
"https://api.enterprise.apigee.com/v1/organizations/dbcjd/environments/test/keystores/mockserverKeystore/keys?alias=mockserver" -nv
- Verify using curl
curl https://api.enterprise.apigee.com/v1/organizations/dbcjd/environments/test/keystores/mockserverKeystore -nv
- Verify in the Web UI under Admin / TLS Certificates
SAML Proxies
Saml IdP Proxy
- Create a proxy with no target;
- tick the Generate Product checkbox;
- add a Generate SAML Assertion policy with these settings:
Display name: Generate SAML Assertion
KeyStore name: mockserverKeystore
Alias: mockserver
Subject: subject
Issuer: issuer
Template:
<![CDATA[
<saml:Assertion Version="2.0"
  ID="SAML-rcFM3cPB5RIi6DGbJVJeDQ44" IssueInstant="2015-04-18T11:37:23Z"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>www.oracle.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USERNAME</saml:NameID>
    <saml:SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches" />
  </saml:Subject>
  <saml:Conditions NotBefore="2014-09-17T10:47:22Z"
    NotOnOrAfter="2017-09-17T10:52:22Z" />
  <saml:AuthnStatement AuthnInstant="2014-09-17T10:47:22Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
]]>
Note that the ID, IssueInstant and the Conditions window are literals in this template, so every assertion Edge generates from it carries the same ID and the same validity window (one that ends on 2017-09-17), and sender-vouches confirmation means the SP trusts the sender rather than binding the assertion to the client. That is acceptable for a test harness; for anything else take those values from flow variables (the policy's Template element supports variable references) and use a confirmation method the SP actually enforces.
- Add an OAuthV2 GenerateAccessToken policy:
Display name: OAuthV2.GenerateAccessToken
Name: GenerateAccessTokenImplicitGrant (grant type implicit, which is why the token later arrives in the fragment of the callback URL)
The generated assertion is attached to the token as a custom attribute through the policy's Attributes element, with an Attribute whose ref points at the output variable of the Generate SAML Assertion policy; set display="false" on it unless you want the assertion echoed back to the client in the token response.
Saml SP Proxy
- Create a proxy with no target;
- tick the Generate Product checkbox;
- add a Verify OAuth v2.0 Access Token policy:
Display name: Verify OAuth v2.0 Access Token
Name: VerifyAccessToken
Developer App Configuration
1 Create a saml-app Developer App
Developer: Nikolai Tesla
Callback URL: http://localhost:2999
- Add the samlidp product and the samlsp product to the app.
- Save.
Test Request
- Use the Developer App's Consumer Key as the client_id query parameter of the request to the samlidp proxy. With the implicit grant, the token comes back in the fragment of the callback URL (visible in the browser history, which is fine for a harness but not for production):
http://localhost:2999/#scope=&expires_in=1799&access_token=uzB6lBLPcNZGUdeegE4EJEsWbkE3
- Call the samlsp proxy from Postman with an Authorization: Bearer <access_token> header.
- In the trace, the Verify Access Token policy shows the fetched attribute, i.e. the SAML assertion stored at token generation time; Edge exposes custom token attributes as accesstoken.<attribute name> flow variables.