Forum Discussion

socaltester's avatar
socaltester
Contributor
5 years ago

No Community Help with SAML 2 Config Posts. Can some provide an example of SAML(XML) 2 in SoapUI?

I'm having difficulty configuring SAML authentication using SoapUI Pro and I've read many similar posts in Open Source community; however, they go unanswered. For example, "Could some give a sample example of SAML(XML) in SoapUI WS configuration" and "Enveloped Signature for SAML (XML) WSS Entry".

 

SmartBear's page doesn't provide an example SAML(XML) Assertion.

Collaborator has a page that goes into some depth to help the customer, but not SoapUI OS or Pro.

 

We use ForgeRock's OpenAM to setup SAML and I think I’ve gleaned as much as I can from it. For instance, XML Canonicalization algorithm, XML digest algorithm, XML signature algorithm, ID Token Signing Algorithms supported, ID Token Encryption Algorithms supported, Circle of Trust, etc.; however, there’s no 1-for-1 match between what OpenAM provides that SoapUI Pro asks for. I've asked our DevOps/Integration teams for a SAML(XML) Assertion, but they haven't been able to accommodate, yet.

 

Could someone give a sample example of SAML(XML) in SoapUI WS configuration?

 

Regards,

 

 

 

 

 

 

 

 

Assertions
Authentication
SAML
Security
X.509
  • richie's avatar
    richie
    Community Hero
    5 years ago

    Hi socaltester 

     

    I can't help per se (as I've never had to configure a SAML Auth connection) but perhaps the following idea might help you find a way.

     

    SAML authentication is quite similar to OAuth2 inasmuch that they have the same (equivalent) basic concepts in regards to the back and forth between the client/AuthServer/ResourceServer to obtain the required access/bearer tokens(OAuth) / SAML assertions (SAML Auth).

     

    It's likely a bit of trial and error - but in the absence of any other ideas and a default SAML auth connection profile within ReadyAPI!, perhaps you could tailor one of the default OAuth v2 auth profiles considering they have equivalent concepts?

     

    ta,

     

    rich

      • socaltester's avatar
        socaltester
        Contributor
        5 years ago

        I will have to clean up the SAML payloads of AuthnRequest and Response before I could provide them. I may be able to do this in a few days. I'm NOT just looking for an example SAML assertion, as I can find those online, I'm looking for those examples in combintation with configuring SoapUI with them. For instance, I can't tell what format a "Timestamp" entry will add to the assertion. Does it equate to "IssueInstant"? Does it equate to "<saml:Conditions"? or none of them? There isn't a "Timestamp" section specifically called out in my saml:Response.(see below)

         

                <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                         NameQualifier="/abc2"
                         >12XHAx357FyJW5AC53tjEO77Z567</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_a34353d4e52fca721fc23f2160bab2fdqqq"
                                              NotOnOrAfter="2019-12-31T21:07:03Z"
                                              Recipient="https://aws-example-proxy.sd.bugbunny.looney.com/console/samlLogin"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2019-12-31T20:47:03Z"
                         NotOnOrAfter="2019-12-31T21:07:03Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>xyz</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>

         

        To add, the above is just an simple example that I'm dealing with. Our saml:Resonse also has a "saml:AttributeStatement" that has multiple "Attribute Names", each with it's own "Attribute Value", but SoapUI only has one "Attribute Name" field with multiple "Attribute Values" that can be added. How do I deal with that? (see below for multiple attributes with values)

               <saml:AuthnStatement AuthnInstant="2019-12-31T20:57:01Z"
                             SessionIndex="2qqef6c4ef4e2cfe3b87d3037cd3bcb7b27c07c1ee"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="uid">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >COOK.TIMOTHY.HESTER.123456789</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="isMemberOf">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >cn=ComputerManagers,ou=groups,o=ABC2,c=US</saml:AttributeValue>
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >cn=KiteManagers,ou=groups,o=ABC2,c=US</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="cn">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >COOK.TIMOTHY.HESTER.123456789</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sn">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >COOK.TIMOTHY.HESTER.123456789</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="givenName">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >COOK.TIMOTHY.HESTER.123456789</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>

        Also, also...there's a AuthnRequest payload and a seperate Response payload. The logic I have wants to categorize AuthnRequest with "WS-S Outgoing" and Response with "WS-S Incoming", but that doesn't match with what SoapUI requests in its GUI.

         

        Any help is greatly appreciated. I'll clean up the entire AuthnRequest and Response payloads and post them early next week. Say Monday or Tuesday.

  • socaltester's avatar
    socaltester
    Contributor
    5 years ago

    Okay. The SAML configuration tools presented in "Outgoing WS-Security Configurations" seems to have sent me into the wrong direction when dealing with an environment using PKI certificates and SAML in its authentication. I abandoned the use of the SAML recreation tools and effort after being informed that it shouldn't be necessary to get and utilize a tokenID for our environment. My tests are able to authenticate now, so I'm off and running.

     

    This begs the question, and maybe I just didn't key in on it when I read about it, but what is the purpose of the SAML assertion recreation tools within "Outgoing WS-Security Configurations"? Is their purpose to create a test tokenID on the fly just like an authentication service would do?

    • Nastya_Khovrina's avatar
      Nastya_Khovrina
      SmartBear Alumni (Retired)
      5 years ago

      As far as I know, you're working on this in the case with our Support Team. Please continue working there and share the solution with Community once you get some.