Enabling SAML Authentication and Authorization for RESTful APIs using Talend IAM Service within ESB

Overview

In today's IT landscape, where cloud and on-premise systems work together in a distributed way, exposing APIs has become the norm. RESTful APIs, being light on both memory and bandwidth, have become a common way to expose key business functionality. With security in mind, this article walks through how to enable SAML-based authentication and authorization for such an API using Talend components, the IAM service, and the supporting platform tools.

Prerequisites

  • Basic knowledge of WS-Security and Apache CXF
  • A subscription version of Talend Studio, IAM, Runtime, and the ESB modules installed
  • Basic understanding of the JSON format and how to parse it to extract and write values
  • Experience calling SOAP/REST web services with SAML-based authentication

RESTFUL API Creation and Creation of Build

  1. A simple RESTful API that fetches meeting times from a CSV flat file and returns the content as XML is shown below.

    image1.png

  2. Create the build by right-clicking the Job and selecting Build Job. Select OSGI bundle for ESB as the build type.

    image2.png

Environment Setup, Deployment, and Configuration

  1. After installing Talend Data Fabric (specifically ESB, TAC, IAM, and Runtime), ensure these services are up and running.

    image3.png

    The following snapshot shows how to check whether the services are running:

    image4.png

    If they aren't, start the services using this command:

    service Talend-XXX start

  2. Create groups and users in Talend IAM. When creating the users, be sure to map them to the employee roles as shown below. You need to log in with the appropriate Admin rights to create the users.

    image5.png

    image6.png

  3. To ensure that the STS and the Authorization service are up and running in the Runtime, log in to the Karaf client with the default credentials karaf/karaf (unless they have been changed).

    image7.png

  4. Check that the services are up and running. If they are not, use the highlighted commands below to start them, then run the commands again to verify.

    image8.png

  5. Deploy the RESTful API Job, either through TAC (the recommended way) or by copying it directly to the /runtime/deploy folder. For this exercise, copy it directly to the deploy folder.

    image9.png

    Copy the flat file to the location configured in the Job. For the example Job above, use the following location:

    image10.png

    Apache Syncope is required for the authentication and authorization scenario. In a default installation, TAC contacts Syncope to pull down the roles/groups used to create authorization policies. The STS in the Runtime container, however, still authenticates against JAAS; type tesb:switch-sts-tidm in the Karaf console to switch it to Syncope for authentication.

    image11.png

Verification of users in TAC and resource access configuration

  1. With TAC running, log on to http://localhost:8080/org.talend.administrator-6.4.1.
  2. Go to Users, change Type to ESB, then grant all Roles to the user you logged in as. Click Validate, then Save.

    An ESB Infrastructure / Authorization tab will appear.

    Important: In a fresh setup you will not see an Authorization tab until the user has been given the appropriate Type and Roles, as shown below:

    image12.png

Resource configuration in TAC for RESTFUL webservice against roles/users from Talend IAM

  1. In Authorization, under Roles, click select all, then select the Role (Group) you associated with the user in Syncope. If this fails, verify that the IAM service is working and log in again to re-verify.
  2. Under Resources, click Add, then Individual Resource.

  3. For the resource, specify:

  4. Click Show in the bottom bar. Change the default action to GET and select the role you configured.

    After a short while, the authorization policy is synced to the PDP repository, and a new invocation of the REST endpoint using the token retrieved from SoapUI is authorized.

    image13.png

Testing the RESTful web service using SoapUI

Installing SoapUI

You will use SoapUI to test the RESTful service, so install it if it is not already installed. For example, you can install SoapUI on CentOS 7 by following these instructions:

https://www.linuxhelp.com/how-to-install-soapui-in-centos-7/

Creation of SOAP Request and Invocation

Create the SOAP request as shown in the snapshot, following the instructions in this blog post:

http://coheigea.blogspot.in/2016/09/invoking-on-talend-esb-sts-using-soapui.html

Before firing the SOAP request, you need it to ask the STS for a SAML token with the role information encoded in it, so in SoapUI add the following Claims element to the RequestSecurityToken part of the request:

<Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
</Claims>

The username and password are the ones you created in the Syncope portal.

image14.png

The SOAP response on successful invocation of the STS is shown below:

image15.png

Switching to RAW XML and extracting the SAML Assertion

image16.png

Once you have a successful response, click the RAW tab and copy the SOAP Body into an editor, stripping everything before <saml2:Assertion> and everything after the closing </saml2:Assertion>. It is important to copy from RAW rather than from the formatted view, because any whitespace change will break signature validation.

Deflating and Base64 encoding

To call the REST API with an authentication token, you need to deflate and base64-encode the SAML assertion before sending it.

  1. Copy the SAML Assertion extracted above and go to https://www.samltool.com/encode.php. Paste it into the first field and click Deflate and Encode the XML. Copy the resulting text from Deflated and Encoded XML.

    image17.png

    Important: Deflating is needed because OPEN UI does not directly support calling a RESTful API with a SAML token, according to their support tickets.

Invocation of the REST service using a curl command

curl -v -H "Authorization: SAML <token>" http://localhost:8088/webinar/meetingtimes

Replace <token> with the content you copied from samltool.com above. Ensure the REST URL in the curl command matches the one configured in the component of the Job flow. Press Enter to see the results.
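
The extract, deflate and encode steps above, done locally instead of through samltool.com, as an added example that is not part of this article or of Talend's code. It slices the assertion out of a constructed RAW STS response without parsing and re-serializing it (so the signature over it survives), applies raw DEFLATE plus base64 as samltool.com's encoder does, and builds the Authorization header value for the curl command; the sample response and its role value are constructed for illustration. Doing this locally also keeps a live assertion, which is a bearer credential, off a third-party site.

```python
import base64
import zlib

# Constructed sample of the RAW tab content of an STS response (not a real
# Talend STS response); the assertion carries no real signature.
SAMPLE_RSTR = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body>
<RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse><RequestedSecurityToken>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml2:Issuer>STS</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role">
      <saml2:AttributeValue>employee</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
</RequestedSecurityToken></RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>"""


def extract_assertion(raw_xml: str) -> str:
    # Slice the element out of the raw text instead of parsing and
    # re-serializing: any whitespace or attribute-order change would break
    # the XML signature over the assertion.
    start = raw_xml.find("<saml2:Assertion")
    end = raw_xml.find("</saml2:Assertion>")
    if start < 0 or end < start:
        raise ValueError("no saml2:Assertion element in the response")
    return raw_xml[start:end + len("</saml2:Assertion>")]


def deflate_and_encode(xml: str) -> str:
    # Raw DEFLATE (wbits=-15, i.e. no zlib header) then base64, the same
    # transformation as samltool.com's "Deflate and Encode the XML".
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_and_inflate(token: str) -> str:
    # Reverse step, as the receiving side performs before validating.
    return zlib.decompress(base64.b64decode(token), -15).decode("utf-8")


def authorization_header(raw_rstr: str) -> str:
    # Full header to pass to curl with -H "...".
    return "Authorization: SAML " + deflate_and_encode(extract_assertion(raw_rstr))
```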

image18.png

Note: The Postman Chrome plugin can also be used to execute the curl command.

Hurray!! You can congratulate yourself: your RESTful API is now working with SAML authentication/authorization enabled through Talend IAM.

References

http://coheigea.blogspot.in/2016/09/invoking-on-talend-esb-sts-using-soapui.html

Version history
Revision #: 6 of 6
Last update: 01-04-2018 03:31 PM