August 8, 2016

Using SAML SSO to Authorize Carbon Admin Services from a Jaggery App

To give some background on the scenario, please refer to the following diagram.



A Jaggery App is deployed on WSO2 Application Server (AS) and we have enabled SAML 2.0 based SSO for the Jaggery app using WSO2 Identity Server (IS). You can find more details on enabling SSO with IS at [1]. The ESB also shares the same IDP.

What we are doing here is authenticating the Jaggery App with the IDP by sending a SAML request, and then using the same SAML response to authenticate to the ESB and get a session cookie. This cookie can then be used to invoke the admin services of the ESB.

The [JAGGERY_APP]/jagg/jaggery_acs file acts as the assertion consumer service (ACS). This is the same ACS that is configured for the service provider in the IDP. Once the request comes to jaggery_acs.jag we validate the SAML response and then get the cookie from the ESB.

Once we have the validated SAML response, use the following code to authenticate to the ESB.

// authenticate to the ESB with the (already validated) SAML response
var ws = require("ws");
var requestESB = new ws.WSRequest();
var options = {};
options.useSOAP = 1.2;
options.action = "urn:login";
// SAML2SSOAuthenticationService admin service of the ESB
var endPoint = "https://localhost:9453/services/SAML2SSOAuthenticationService";
// samlResponse holds the base64-encoded SAMLResponse that was posted to the ACS
var payload = '<sso:login xmlns:sso="http://sso.saml2.authenticator.identity.carbon.wso2.org">'
            + '<sso:authDto>'
            + '<xsd:response xmlns:xsd="http://dto.sso.saml2.authenticator.identity.carbon.wso2.org/xsd">'
            + samlResponse
            + '</xsd:response></sso:authDto></sso:login>';
requestESB.open(options, endPoint, false);
requestESB.send(payload);
// check that responseESB reports a successful login before storing the cookie
var responseESB = requestESB.responseE4X;
var setCookie = requestESB.getResponseHeader("Set-Cookie");
// keep only name=value; the cookie attributes (Path, Secure, ...) must not be echoed back in a Cookie header
var adminSession = setCookie ? setCookie.split(";")[0] : null;
// the ESB admin session stays in the server-side Jaggery session, never in the browser
session.put("esb-auth-cookie", adminSession);


Use the following code segment to invoke ESB admin services with the above cookie. Note that this cookie represents an administrative session on the ESB, so it should only ever be read from the server-side session as shown here.

// site.esb.serverBaseURL, tenantDomain and REST_API_ADMIN_SERVICE come from the app's own configuration
var restApiAdminUrl = site.esb.serverBaseURL + "t/" + tenantDomain + "/services/" + REST_API_ADMIN_SERVICE + "/";
var requestPayload = "<xsd:getAPIsForListing xmlns:xsd=\"http://org.apache.axis2/xsd\">"
                      + "  <xsd:pageNumber>0</xsd:pageNumber>"
                      + "  <xsd:itemsPerPage>100</xsd:itemsPerPage>"
                      + "</xsd:getAPIsForListing>";

var ws = require("ws");
var request = new ws.WSRequest();
var options = {};
options.useSOAP = 1.2;
options.action = "urn:getAPIsForListing";
// present the ESB admin session cookie obtained at login
options["HTTPHeaders"] = [{name: "cookie", value: session.get("esb-auth-cookie")}];
request.open(options, restApiAdminUrl, false);
request.send(requestPayload);
var response = request.responseE4X;
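The following is an added example, not code from the original post or from WSO2: plain JavaScript helpers for the login and cookie handling used by the two snippets above, runnable outside Jaggery. They assume the ESB answers the login operation with an Axis2 style <ns:return>true</ns:return> element and that the Carbon admin session cookie is named JSESSIONID; the WSRequest calls themselves are left as shown above.

```javascript
// Added helpers for the ESB login step (assumptions: Axis2 boolean response shape, JSESSIONID cookie name).

// The SAMLResponse arrives base64-encoded, so it may only contain base64 characters.
// Checking that before string-concatenating it into the SOAP body prevents a crafted
// request parameter from injecting extra XML into the login request.
var BASE64_RE = /^[A-Za-z0-9+\/=\r\n]+$/;

function buildLoginPayload(samlResponseB64) {
  if (typeof samlResponseB64 !== "string" || !BASE64_RE.test(samlResponseB64)) {
    throw new Error("SAMLResponse is not base64 text; refusing to embed it in the SOAP payload");
  }
  return '<sso:login xmlns:sso="http://sso.saml2.authenticator.identity.carbon.wso2.org">' +
    '<sso:authDto>' +
    '<xsd:response xmlns:xsd="http://dto.sso.saml2.authenticator.identity.carbon.wso2.org/xsd">' +
    samlResponseB64 +
    '</xsd:response></sso:authDto></sso:login>';
}

// Assumed response shape: <ns:loginResponse><ns:return>true</ns:return></ns:loginResponse>.
// A SOAP fault, an empty body or "false" all mean the ESB did not accept the assertion,
// so no cookie may be stored in that case.
function loginSucceeded(responseXml) {
  var m = /<(?:\w+:)?return>\s*(true|false)\s*<\/(?:\w+:)?return>/.exec(String(responseXml));
  return m !== null && m[1] === "true";
}

// Set-Cookie carries attributes (Path, Secure, HttpOnly, Expires) that belong to a
// browser cookie jar, not to a Cookie request header. Keep only name=value of the
// Carbon session cookie (assumed to be JSESSIONID). Several folded Set-Cookie values are
// split on commas that start a new name=value pair, so Expires dates stay intact.
function sessionCookieFromSetCookie(setCookieHeader) {
  if (!setCookieHeader) return null;
  var values = String(setCookieHeader).split(/,(?=\s*[^=;,\s]+=)/);
  for (var i = 0; i < values.length; i++) {
    var nameValue = values[i].split(";")[0].trim();
    if (nameValue.indexOf("JSESSIONID=") === 0) return nameValue;
  }
  return null;
}

// Glue for the ACS page: the cookie to put in the Jaggery session, or null when login failed.
function adminCookieFromLogin(responseXml, setCookieHeader) {
  return loginSucceeded(responseXml) ? sessionCookieFromSetCookie(setCookieHeader) : null;
}
```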



References

[1] https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
[2] http://wso2.com/library/articles/2016/02/article-how-to-setup-a-wso2-api-manager-store-login-with-google/
