Testing SAML2 Bearer Grant Flow for a Federated User with WSO2 Identity Server 5.10.0

Shanika Wickramasinghe
3 min read · Feb 25, 2020


  1. Start one Identity Server (IS), reachable at https://localhost:9443/carbon/, as the Primary IS.
  2. Start a second IS and set its port offset to 1 in deployment.toml as below:

[server]
offset = "1"

3. In the Secondary IS created in step 2, register a service provider (SP) with the OAuth/OpenID Connect inbound authenticator.

4. In the Primary IS created in step 1, register travelocity as an SP.

5. In the Primary IS, register the IS created in step 2 as an identity provider (IdP) with the OAuth2/OpenID Connect federated authenticator.

Note

The client ID and client secret used here are the values of the SP registered in the Secondary IS (the IS created in step 2).

6. Register playground as an SP in the Primary IS with the OAuth/OpenID Connect inbound authenticator.

Now, in the travelocity SP, add the IdP created in step 5 as a federated authenticator under Local & Outbound Authentication Configuration.

7. Deploy travelocity.war and playground.war in Tomcat.

8. Add the following settings to the travelocity.properties file:

EnableOAuth2SAML2Grant=true

#OAuth2 Client ID
OAuth2.ClientId=<client id of the playground app registered as an SP in the Primary IS>

#OAuth2 Client Secret
OAuth2.ClientSecret=<client secret of the playground app registered as an SP in the Primary IS>

9. In the Primary IS deployment.toml, add the following config so that the SAML2 bearer grant is resolved against federated users:

[oauth.grant_type.saml_bearer]
user_type = "FEDERATED"

10. Now access http://localhost:8080/travelocity.com

Keep the SAML tracer browser extension open while accessing it.

Log in to the application with the federated user credentials shanika:shanika.

Copy the SAML response and decode it with https://www.base64decode.net/

Copy the decoded saml2 assertion, that is, the whole <saml2:Assertion> element:

<saml2:Assertion ID="_1078c8c4315ea080e0662cac6c7b908f" ...> ... </saml2:Assertion>

Base64-encode the copied assertion, then URL-encode the result.

Now send a cURL or Postman request to the token endpoint to obtain the access token. (You can also obtain the access token through the Travelocity app's UI as described in doc [1].)

In the request, the assertion parameter value is the Base64-encoded and then URL-encoded saml2 assertion from the previous step.

Authorization

Build the value clientid:clientsecret and Base64-encode it for the HTTP Basic Authorization header. Take these two values from the Playground app registered as an SP in the Primary IS.
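The token request that the steps above describe, written out as an added shell example; it is not code from the original post or from WSO2. It assumes the Primary IS token endpoint is https://localhost:9443/oauth2/token (the default for an IS without a port offset) and takes the Playground SP's client ID and secret from the CLIENT_ID and CLIENT_SECRET environment variables (placeholders otherwise). It also decodes the SAMLResponse locally with base64 instead of a web decoder, so the signed assertion stays on the test machine.

```shell
#!/bin/sh
# Added example, not part of the original post: encode the SAML2 assertion
# exactly as the token request needs it and send the saml2-bearer grant to
# the Primary IS. Assumptions (not stated in the post): the token endpoint
# is https://localhost:9443/oauth2/token and the Playground SP's client
# credentials come from CLIENT_ID / CLIENT_SECRET (placeholders below).

TOKEN_ENDPOINT="${TOKEN_ENDPOINT:-https://localhost:9443/oauth2/token}"
CLIENT_ID="${CLIENT_ID:-<playground-client-id>}"
CLIENT_SECRET="${CLIENT_SECRET:-<playground-client-secret>}"

# Decode a base64 SAMLResponse (the value captured in SAML tracer) locally
# into XML, so the signed assertion never has to be pasted into a web site.
decode_response() {
  # $1: base64 SAMLResponse text, $2: output file for the XML
  printf '%s' "$1" | base64 -d > "$2"
}

# Base64 output only contains A-Z a-z 0-9 + / = ; of those, '+', '/' and '='
# are the characters that must be percent-encoded in a form body.
urlencode_b64() {
  printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# Base64-encode the <saml2:Assertion> element saved in file $1 (one line,
# no wrapping), then URL-encode it: this is the "assertion" parameter value.
encode_assertion() {
  urlencode_b64 "$(base64 < "$1" | tr -d '\n')"
}

# base64(client_id:client_secret) for the HTTP Basic Authorization header.
basic_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# POST the SAML2 bearer grant (RFC 7522 grant type) to the token endpoint.
# -k skips certificate verification only because the test IS uses its
# default self-signed certificate on localhost; drop it against a real host.
request_token() {
  # $1: file holding the assertion XML, $2: client id, $3: client secret
  curl -k -s -X POST "$TOKEN_ENDPOINT" \
    -H "Authorization: Basic $(basic_auth "$2" "$3")" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer" \
    --data "assertion=$(encode_assertion "$1")"
}

# Usage: CLIENT_ID=... CLIENT_SECRET=... sh saml2_bearer.sh assertion.xml
if [ $# -gt 0 ]; then
  request_token "$1" "$CLIENT_ID" "$CLIENT_SECRET"
fi
```

Save the copied <saml2:Assertion> element to assertion.xml and run the script with the Playground credentials exported; the response is the token JSON from the Primary IS. Passing the two form fields as separate --data arguments lets curl join them with `&` while the assertion keeps its percent-encoding intact.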

[1]. https://is.docs.wso2.com/en/next/learn/setting-up-a-saml2-bearer-assertion-profile-for-oauth-2.0/


Written by Shanika Wickramasinghe

Senior Software Engineer and Freelance Technical Writer. I write about any Computer Science related topic. https://www.linkedin.com/in/shanikawickramasinghe
