In today's IT landscape, where cloud and on-premise systems work together in a distributed way, exposing APIs has become the norm. RESTful APIs, being light on both memory and bandwidth, are now the usual way to expose key business functionality. With security in mind, this article walks through how to enable SAML-based authentication and authorization using Talend components, the IAM service, and other supporting platform tools.
A simple RESTful API that fetches meeting times from a CSV flat file and returns the content as XML is shown below.
Create the build by right-clicking the Job and selecting Build Job. Select the build type OSGi Bundle For ESB.
After installing Talend Data Fabric (specifically ESB, TAC, IAM, and Runtime), ensure these services are up and running.
The following snapshot shows checking if the services are running:
If they aren't, start the services using this command:
service Talend-XXX start
To ensure that the STS and Authorization services are up and running in the Runtime, log in to the Karaf client with the default credentials karaf/karaf (unless they have been changed).
Check that the services are up and running. If they are not, use the highlighted commands below to start them, then verify again with the same commands.
Deploy the RESTful API Job, either through TAC (the recommended way) or by copying it directly to the /runtime/deploy folder. For this exercise, copy it directly to the deploy folder.
Copy the flat file to the location configured in the Job. For the example Job above, use the following location:
Apache Syncope is required for the authentication and authorization scenario. In a default installation, TAC contacts Syncope to pull down the roles/groups used to create authorization policies. To make the STS authenticate against Syncope instead of JAAS, type tesb:switch-sts-tidm in the Karaf container.
Go to Users and change Type to ESB, then grant all Roles to the user you logged in as. Click Validate, then Save.
An ESB Infrastructure / Authorization tab will appear.
Important: If the setup is new, then you will not see an Authorization tab. Set up the user with the appropriate Type and Roles as shown below:
Under Resources, click Add and Individual Resource.
For the resource, specify:
Click Show in the bottom bar. Change the default action to GET and click the role you have configured.
After some time, the authorization policy should be synced to the PDP repo, and the new invocation on the REST endpoint using the token retrieved from SoapUI should be authorized.
You are going to use SoapUI to test the RESTful service, so install it if it is not already installed. For example, on CentOS 7 you can install SoapUI using the following instructions:
You can create the SOAP Request as shown in this snapshot, following the instructions given in this blog:
Before firing the SOAP request, you need to ask the STS for a SAML Token with the role information encoded in it. So in SoapUI, add the following to the RequestSecurityToken part of the request:
<Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
</Claims>
The username and password are the ones you created in the Syncope portal.
The SOAP Response on successful invocation of STS is shown below:
Once you have a successful response, click the RAW tab and copy the SOAP Body into an editor, stripping everything before <saml2:Assertion> and everything after </saml2:Assertion>. It is important to copy from RAW: the assertion is signed, so any whitespace change will break signature validation.
To call the REST API with the token, you need to deflate and base64-encode the SAML assertion before sending it.
Copy the SAML Assertion extracted above and go to: https://www.samltool.com/encode.php. Paste it into the first field and click Deflate and Encode the XML. Copy the resulting text from the Deflated and Encoded XML field.
Important: Deflating is needed because OPEN UI does not directly support calling a RESTful API with a SAML token, as per their support tickets.
curl -v -H "Authorization: SAML <token>" http://localhost:8088/webinar/meetingtimes
Replace <token> with the text you copied from samltool.com. Make sure the RESTful URL in the curl command matches the one configured in the component of the Job flow. Press Enter to see the results.
Note: The Postman Chrome plugin can also be used to send the same request.
Hurray!! You can congratulate yourself: your RESTful API is now working with SAML authentication and authorization enabled using Talend IAM.
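As an added example (not code from the original post or from Talend), the following Python script performs the extraction and deflate-plus-base64 step locally, so the signed assertion never has to be pasted into an external website; it assumes the endpoint accepts raw DEFLATE (no zlib header) followed by base64, which is the form samltool.com produces, and it works on a constructed stand-in STS response rather than a real one.

```python
import base64
import re
import zlib

# Constructed stand-in for a raw STS RequestSecurityTokenResponse (not a real
# signed assertion); it only needs to carry an exact <saml2:Assertion> element.
SAMPLE_STS_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body>'
    '<RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
    '<RequestSecurityTokenResponse><RequestedSecurityToken>'
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" Version="2.0">\n'
    '  <saml2:Issuer>STS</saml2:Issuer>\n'
    '  <saml2:AttributeStatement><saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role">'
    '<saml2:AttributeValue>esb-role</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>\n'
    '</saml2:Assertion>'
    '</RequestedSecurityToken></RequestSecurityTokenResponse>'
    '</RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>'
)

# Substring match on purpose: re-parsing and re-serialising the XML could change
# whitespace or namespace declarations and break the assertion's signature.
ASSERTION_RE = re.compile(r"<saml2:Assertion\b.*?</saml2:Assertion>", re.DOTALL)


def extract_assertion(raw_response: str) -> str:
    """Return the <saml2:Assertion> element byte-for-byte as the STS sent it."""
    match = ASSERTION_RE.search(raw_response)
    if match is None:
        raise ValueError("no <saml2:Assertion> element found in the STS response")
    return match.group(0)


def deflate_encode(assertion_xml: str) -> str:
    """Raw DEFLATE (wbits=-15, no zlib header) followed by base64, as samltool.com does."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    compressed = compressor.compress(assertion_xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(compressed).decode("ascii")


def inflate_decode(token: str) -> str:
    """Reverse of deflate_encode, used to check the token round-trips exactly."""
    return zlib.decompress(base64.b64decode(token), -15).decode("utf-8")


def authorization_header(raw_response: str) -> str:
    """Build the value for the Authorization header: 'SAML <token>'."""
    return "SAML " + deflate_encode(extract_assertion(raw_response))


if __name__ == "__main__":
    header = authorization_header(SAMPLE_STS_RESPONSE)
    assert inflate_decode(header[len("SAML "):]) == extract_assertion(SAMPLE_STS_RESPONSE)
    print(f'curl -v -H "Authorization: {header}" http://localhost:8088/webinar/meetingtimes')
```

Pipe the RAW response from SoapUI into the script in place of the constructed sample; the round-trip assertion catches any copy or encoding damage before the token reaches the endpoint.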