Converting STS Token: OpenAM -> SAML2

This topic has 2 replies, 2 voices, and was last updated 6 years ago by Fernando A. Barbeiro Campos.

    #12801

    Hi guys, I need to convert an OpenAM token into a SAML2 and the appropriate subject confirmation for my case is HOLDER_OF_KEY. Given that, I read the documentation and it’s well defined there that:

    When generating an assertion with a holder-of-key subject confirmation method, the proof_token_state property is required. The value for this property is an object that contains the base64EncodedCertificate property.

    {
        "input_token_state":{
            "token_type": "OPENAM",
            "session_id": "AQIC5wM2XXXXXXXXXXX.*AAJTSQACMDEAAlNLABQtNzQXXXXXXXXXXNjMyMgACUzEAAA..*" 
        },
        "output_token_state": {
            "token_type": "SAML2",
            "subject_confirmation": "HOLDER_OF_KEY",
            "proof_token_state": "MIMbFAAOBjQAwgYkCgYEArSQ...c/U75GB2AtKhbGS5pimrW0Y0Q=="
        }
    }

    My question is: what certificate is that? I mean, should I generate a keystore cert and do something or is it issued by OpenAM? (As you realized, I’m confused here).

    Could anyone give me a clue?

    Thanks in advance, regards.

    #12857
     Peter Major
    Moderator

    See http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key.html section 2.2.
    The proof_token_state is going to hold the X.509 certificate of the attesting entity (based on my reading of the above spec).

    #12878

    Hi Peter, very useful clue. I could generate my SAML assertion. Thank you so much.

    A useful link is this one (https://idmdude.com/2014/02/09/how-to-configure-openam-signing-keys/); after I had fully understood the certificate question, I was able to generate the SAML.

    By the way, there is a small mistake in my JSON above… instead of:

    "proof_token_state": "MIMbFAAOBjQAwgYkCgYEArSQ...c/U75GB2AtKhbGS5pimrW0Y0Q=="

    We need to do:

    "proof_token_state": {
                    "base64EncodedCertificate": "MIMbFAAOBjQAwgYkCgYEArSQ...c/U75GB2AtKhbGS5pimrW0Y0Q=="
    }

    Thanks.
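As an added example (not code from the thread or from OpenAM), the request body assembled from the attesting entity's PEM certificate, with a check that catches the string-valued proof_token_state from the first post before the request is sent. The PEM content and session id are constructed placeholders, and the keytool command in the comment is an assumption about how the certificate is exported.

```python
import base64
import json
import re

# Constructed stand-in for a DER-encoded X.509 certificate (not a real cert).
# In practice export the attesting entity's certificate from the keystore, e.g.
# keytool -exportcert -rfc -alias <alias> -keystore <keystore>  (assumed command)
FAKE_DER = b"constructed-der-bytes-for-illustration-only"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(FAKE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

def pem_to_base64_der(pem: str) -> str:
    """Strip the PEM armour and line breaks, returning the single-line base64
    DER that goes into base64EncodedCertificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    b64 = "".join(m.group(1).split())
    base64.b64decode(b64, validate=True)  # fail early on corrupt input
    return b64

def build_hok_translate_request(session_id: str, cert_pem: str) -> dict:
    """Build the OpenAM -> SAML2 holder-of-key translation body with
    proof_token_state as an object, the shape the thread settles on."""
    return {
        "input_token_state": {"token_type": "OPENAM", "session_id": session_id},
        "output_token_state": {
            "token_type": "SAML2",
            "subject_confirmation": "HOLDER_OF_KEY",
            "proof_token_state": {"base64EncodedCertificate": pem_to_base64_der(cert_pem)},
        },
    }

def validate_hok_request(body: dict) -> list:
    """Return a list of problems; catches the string-valued proof_token_state
    mistake from the first post."""
    problems = []
    out = body.get("output_token_state", {})
    if out.get("subject_confirmation") != "HOLDER_OF_KEY":
        return problems
    pts = out.get("proof_token_state")
    if not isinstance(pts, dict):
        problems.append("proof_token_state must be an object, not %s" % type(pts).__name__)
    elif not isinstance(pts.get("base64EncodedCertificate"), str):
        problems.append("proof_token_state.base64EncodedCertificate missing or not a string")
    return problems

if __name__ == "__main__":
    req = build_hok_translate_request("<session-id-placeholder>", SAMPLE_PEM)
    print(json.dumps(req, indent=2))
```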
