
I am trying a SAML Bearer flow between WebSphere Liberty and Salesforce. Here is what I have so far:

  1. A trust relationship set up between ADFS (IdP) and WebSphere Liberty.
  2. A trust relationship between Salesforce and the same ADFS (IdP) as above. I have Salesforce configured so that when the user goes directly to the site URL, it redirects the user to the same ADFS to authenticate if not authenticated already.
  3. The servlet running on WebSphere Liberty has a security constraint so that when the user tries to access it, the SAML TAI intercepts and sends the user to the ADFS login if not already authenticated.
  4. Using the WebSphere API, I am able to extract details of the SAML Token as well as the assertion that was generated by the ADFS and was sent to the servlet.

Here is the question that I am pondering: If my servlet is already authenticated and now wants to access some SFDC API, since the servlet has a SAML Token given to it by the same ADFS (IdP) that the SFDC trusts, it should be able to send that to the SFDC OAuth2 URL and get an OAuth token. The federated id for both SFDC and the servlet is the username@domain.com attribute that is in the AD attributes of the user and is a part of the assertion. I tried sending the assertion using POSTMAN and got back an "invalid assertion" from the SFDC OAuth endpoint. On further validation of the assertion through the SAML Validation tool in SFDC, it states that the assertion does not start with "Response". That made me realize that what the SFDC OAuth endpoint is looking for is the SAMLResponse rather than the assertion I extracted out of the SAMLToken. So the question I have that is relevant to this forum: The SAMLResponse is sent by the ADFS (IdP) to the ACS (assertion consumer service URL). How can I get access to that SAMLResponse? Per my understanding, the SAMLResponse is consumed by the SAML TAI, which intercepts the POST that ADFS sends to the ACS and uses it to build the JAAS subject. Now, I believe I can substitute the ACS application with my own servlet and supply that as the ACS URL to the IdP, which would then let me capture the SAMLResponse from the POST in that servlet, but isn't the SAMLResponse available without having to substitute the ACS with my own? If it is, what is the API I need to use to get that SAMLResponse? Thanks for your help, thoughts and ideas on this.

vman

1 Answer


It has been a while since I looked that closely, but it does not surprise me if the SAMLResponse is not available in the Subject's privateCredential. That said, it makes sense that only the assertion data is available:

  1. The SAMLResponse is time limited. Typical lifetime is minutes, to allow for time skew.
  2. The SAMLResponse frequently includes an AudienceRestriction - the request should only be acceptable to a very limited list of Service Providers (possibly a single one).
  3. The SAMLResponse is frequently encrypted using the SP's public key. If resent to SP#2, this second SP would not be able to read it.

I know of one large US retailer which calls SOAP web services and authenticates using SAML. Each hop uses a new SAML Token. The caller (typically a servlet, but also the code implementing the SOAP web service) makes a WS-Trust call back to ADFS to get a new SAML token.

BTW, WebSphere Support is now actively recommending against customers, and even IBM stack products, implementing their own ACS application. WAS Support has seen too many PMRs because of the write-your-own-ACS approach.

mrl
  • Totally forgot about this question. Albeit pretty late but I wanted to thank you for your response. We ended up taking a completely different approach on the project. – vman Mar 27 '18 at 01:29
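To make the answer's first two points concrete, here is an added example (not code from the question, the answer, or any IBM or Salesforce product) of the condition checks a service provider applies to an assertion: the validity window with a clock-skew allowance, and the AudienceRestriction that stops the same assertion from being accepted by a second SP. The assertion text, entity IDs and issuer URL are constructed placeholders; signature verification and decryption are out of scope here.

```python
# Added example: relying-party check of SAML 2.0 Conditions (time window and
# AudienceRestriction). Sample data below is constructed, not a real assertion.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion with placeholder issuer and audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2018-03-01T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-03-01T10:00:00Z" NotOnOrAfter="2018-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://liberty.example.com/samlsps/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, my_entity_id, now, skew=timedelta(minutes=2)):
    """Return (ok, reason). Rejects an assertion outside its validity window
    (allowing `skew` either side) or whose AudienceRestriction names another SP."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    if not_before is not None and now < _parse_time(not_before) - skew:
        return False, "assertion not yet valid"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and now >= _parse_time(not_on_or_after) + skew:
        return False, "assertion expired"
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and my_entity_id not in audiences:
        return False, "audience mismatch: issued for " + ", ".join(audiences)
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2018, 3, 1, 10, 2, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE_ASSERTION, "https://liberty.example.com/samlsps/acs", now))
    print(check_conditions(SAMPLE_ASSERTION, "https://sp2.example.com", now))
```

The second call mirrors the answer's scenario: the same assertion presented to a different SP fails on audience alone, before any signature or encryption question arises.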