One Star

Talend STS setup

Hi,
I'm trying to configure the Talend Security Token Service (STS) for ESB. I'm following the STS User Guide document.
I'm not using Tomcat. Instead I'm just activating the STS feature in Karaf. So I've installed feature tesb-sts, but the STS SOAP services don't seem to be created. The bundle state just stays at Installed, rather than Resolved.
Do I need to do something else first? Is there another dependency?
Thanks
Tom
3 REPLIES
One Star

Re: Talend STS setup

Hi Tom,
The bundle is Resolved because it is a "fragment" bundle of the Apache CXF STS Core (which is Active and has started the Spring blueprint... hopefully). You should see the service among the exposed services (http://localhost:8040/services) as the STS service. We planned to use the UT service, but the clients were unable to comply, so we ended up using the default WS-Security with the username/password.
To run it out of the box, follow the documentation to create a new keypair, or download/install the JCE Unlimited Strength Policy (to enable support for the strong keys used in the examples).
URL: http://localhost:8040/services/SecurityTokenService/UT
Request:

POST http://localhost:8040/services/SecurityTokenService/UT HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
Content-Length: 1177
Host: localhost:8040
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-19C5E83727A253C48D14503860476433"><wsse:Username>tesb</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">tesb</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityToken Context="?">
         <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
         <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
         <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">http://my.service.external/service/tst1</wsp:AppliesTo>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>

Have fun
Gabriel
One Star

Re: Talend STS setup

However, trying it out manually (SoapUI):
POST http://localhost:8040/services/SecurityTokenService/UT HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
Content-Length: 1192
Host: localhost:8040
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-19C5E83727A253C48D14503867654994">
            <wsse:Username>tesb</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">tesb</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityToken Context="jaas">
         <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
         <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
         <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">http://my.service.external/service/tst1</wsp:AppliesTo>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>


Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <ns4:RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200802" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns5="http://www.w3.org/2005/08/addressing">
         <ns4:RequestSecurityTokenResponse Context="jaas">
            <ns4:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns4:TokenType>
            <ns4:RequestedSecurityToken>
               <saml2:Assertion ID="_7DDDB5CE692BC34F3614503931791732" IssueInstant="2015-12-17T22:59:39.173Z" Version="2.0" xsi:type="saml2:AssertionType" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <saml2:Issuer>TalendESB_STSIssuer</saml2:Issuer>
... long text of SAML Assertion details ....
               </saml2:Assertion>
            </ns4:RequestedSecurityToken>
            <ns4:RequestedAttachedReference>
               <ns3:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                  <ns3:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_7DDDB5CE692BC34F3614503931791732</ns3:KeyIdentifier>
               </ns3:SecurityTokenReference>
            </ns4:RequestedAttachedReference>
            <ns4:RequestedUnattachedReference>
               <ns3:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                  <ns3:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_7DDDB5CE692BC34F3614503931791732</ns3:KeyIdentifier>
               </ns3:SecurityTokenReference>
            </ns4:RequestedUnattachedReference>
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://my.service.external/service/tst1</wsp:AppliesTo>
            <ns4:Lifetime>
               <ns2:Created>2015-12-17T22:59:39.173Z</ns2:Created>
               <ns2:Expires>2015-12-17T23:29:39.173Z</ns2:Expires>
            </ns4:Lifetime>
         </ns4:RequestSecurityTokenResponse>
      </ns4:RequestSecurityTokenResponseCollection>
   </soap:Body>
</soap:Envelope>


Validating:
POST http://localhost:8040/services/SecurityTokenService/UT HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"
Content-Length: 5367
Host: localhost:8040
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-19C5E83727A253C48D145039319990241"><wsse:Username>tesb</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">tesb</wsse:Password></wsse:UsernameToken></wsse:Security>
  
   </soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityToken Context="?">
         <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status</wst:TokenType>
         <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate</wst:RequestType>
         <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">http://my.service.external/service/tst1</wsp:AppliesTo>
         <wst:ValidateTarget>
<saml2:Assertion ID="_5AC9088C659ADB458414503906174301" IssueInstant="2015-12-17T22:16:57.430Z" Version="2.0" xsi:type="saml2:AssertionType" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <saml2:Issuer>TalendESB_STSIssuer</saml2:Issuer>
... copy / paste of the assertion ...
               </saml2:Assertion></wst:ValidateTarget>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>

and the validation fails, claiming the signature did not validate against the credential's key:
2015-12-17 23:58:08,686 | WARN  | tp1252807592-116 | XMLSignature | .security.signature.XMLSignature  738 | 446 - org.apache.santuario.xmlsec - 1.5.8 | Signature verification failed.
2015-12-17 23:58:08,686 | WARN  | tp1252807592-116 | SAMLTokenValidator | ken.validator.SAMLTokenValidator  255 | 502 - org.apache.cxf.services.sts.core - 2.7.15 |
org.apache.ws.security.WSSecurityException: SAML signature validation failed
        at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(Asse
...
Caused by: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
        at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:632)
        ... 61 more

but the example services run ok, so you have to rely on CXF to do that properly itself
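The Issue exchange captured in the two replies above, as an added example that is not part of the thread and not Talend's or CXF's own code. It builds the same RST/Issue envelope with a plain-text UsernameToken, parses a RequestSecurityTokenResponseCollection of the shape the STS returned, and runs the checks a client should make before handing the assertion to a service (signed, attached reference matches the assertion ID, scoped to the expected AppliesTo, not expired). The reply it parses is constructed to mirror the one above; namespaces and the endpoint shape are taken from the thread, everything else is an assumption.

```python
"""Build the WS-Trust Issue request from this thread and check the STS reply.

Added example: not code from the thread or from Talend/CXF.  Assumes the UT
endpoint accepts a plain-text WS-Security UsernameToken as in the capture above.
SAMPLE_REPLY below is constructed (placeholder signature and assertion ID).
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape, quoteattr

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"


def build_issue_request(username, password, applies_to, context="example"):
    """Return the RST/Issue envelope (bytes) in the same shape as the thread's capture."""
    token_id = "UsernameToken-" + uuid.uuid4().hex.upper()
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wst="{WST}">'
        f'<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken wsu:Id="{token_id}"><wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body><wst:RequestSecurityToken Context={quoteattr(context)}>'
        f'<wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType><wst:RequestType>{ISSUE}</wst:RequestType>'
        f'<wsp:AppliesTo xmlns:wsp="{WSP}">{escape(applies_to)}</wsp:AppliesTo>'
        f'</wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>'
    ).encode("utf-8")


def describe_request(request):
    """Read back the security-relevant fields of a built request (self-check before sending)."""
    root = ET.fromstring(request)
    return {
        "username": root.findtext(f".//{{{WSSE}}}Username"),
        "request_type": root.findtext(f".//{{{WST}}}RequestType"),
        "applies_to": root.findtext(f".//{{{WSP}}}AppliesTo"),
    }


def _ts(value):
    """Parse a wsu timestamp such as 2015-12-17T22:59:39.173Z into an aware UTC datetime."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_rstr(reply):
    """Pull what a client needs out of a RequestSecurityTokenResponseCollection."""
    root = ET.fromstring(reply)
    rstr = root.find(f".//{{{WST}}}RequestSecurityTokenResponse")
    if rstr is None:
        raise ValueError("reply carries no RequestSecurityTokenResponse")
    assertion = rstr.find(f"{{{WST}}}RequestedSecurityToken/{{{SAML2}}}Assertion")
    if assertion is None:
        raise ValueError("reply carries no SAML 2.0 Assertion")
    attached = rstr.find(f"{{{WST}}}RequestedAttachedReference")
    lifetime = rstr.find(f"{{{WST}}}Lifetime")
    return {
        "context": rstr.get("Context"),
        "token_type": rstr.findtext(f"{{{WST}}}TokenType"),
        "assertion_id": assertion.get("ID"),
        "issuer": assertion.findtext(f"{{{SAML2}}}Issuer"),
        # an unsigned assertion is worthless to the relying service
        "signed": assertion.find(f"{{{DS}}}Signature") is not None,
        "key_identifier": attached.findtext(f".//{{{WSSE}}}KeyIdentifier") if attached is not None else None,
        "applies_to": rstr.findtext(f"{{{WSP}}}AppliesTo"),
        "created": _ts(lifetime.findtext(f"{{{WSU}}}Created")) if lifetime is not None else None,
        "expires": _ts(lifetime.findtext(f"{{{WSU}}}Expires")) if lifetime is not None else None,
    }


def check_issued_token(info, expected_applies_to, now, min_remaining=timedelta(minutes=1)):
    """Return reasons not to use this reply; an empty list means it looks usable."""
    if isinstance(now, str):
        now = _ts(now)
    problems = []
    if info["token_type"] != SAML2_TOKEN_TYPE:
        problems.append(f"unexpected token type {info['token_type']}")
    if not info["signed"]:
        problems.append("assertion is not signed")
    if info["key_identifier"] != info["assertion_id"]:
        problems.append("attached reference does not point at the issued assertion")
    if info["applies_to"] != expected_applies_to:
        problems.append(f"token is scoped to {info['applies_to']}, not {expected_applies_to}")
    if info["expires"] is None:
        problems.append("no Lifetime/Expires in reply")
    elif info["expires"] - now < min_remaining:
        problems.append("token expired or about to expire")
    return problems


# Constructed reply, same element layout and namespaces as the STS response in the thread.
SAMPLE_REPLY = (
    f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
    f'<ns4:RequestSecurityTokenResponseCollection xmlns:ns2="{WSU}" xmlns:ns3="{WSSE}" xmlns:ns4="{WST}">'
    f'<ns4:RequestSecurityTokenResponse Context="jaas"><ns4:TokenType>{SAML2_TOKEN_TYPE}</ns4:TokenType>'
    f'<ns4:RequestedSecurityToken><saml2:Assertion ID="_CONSTRUCTED_ASSERTION_1" '
    f'IssueInstant="2015-12-17T22:59:39.173Z" Version="2.0" xmlns:saml2="{SAML2}">'
    f'<saml2:Issuer>TalendESB_STSIssuer</saml2:Issuer>'
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>CONSTRUCTED-PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    f'</saml2:Assertion></ns4:RequestedSecurityToken>'
    f'<ns4:RequestedAttachedReference><ns3:SecurityTokenReference>'
    f'<ns3:KeyIdentifier>_CONSTRUCTED_ASSERTION_1</ns3:KeyIdentifier></ns3:SecurityTokenReference>'
    f'</ns4:RequestedAttachedReference>'
    f'<wsp:AppliesTo xmlns:wsp="{WSP}">http://my.service.external/service/tst1</wsp:AppliesTo>'
    f'<ns4:Lifetime><ns2:Created>2015-12-17T22:59:39.173Z</ns2:Created>'
    f'<ns2:Expires>2015-12-17T23:29:39.173Z</ns2:Expires></ns4:Lifetime>'
    f'</ns4:RequestSecurityTokenResponse></ns4:RequestSecurityTokenResponseCollection>'
    f'</soap:Body></soap:Envelope>'
).encode("utf-8")

if __name__ == "__main__":
    info = parse_rstr(SAMPLE_REPLY)
    print(info["assertion_id"], info["expires"].isoformat())
    print(check_issued_token(info, "http://my.service.external/service/tst1", "2015-12-17T23:00:00Z"))
```

To run it against a live STS, POST the bytes from build_issue_request to http://localhost:8040/services/SecurityTokenService/UT with the Content-Type and SOAPAction headers shown in the capture above, then feed the response body to parse_rstr and check_issued_token with the current time.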
Five Stars

Re: Talend STS setup

Thank you so much for your examples. I had been searching high and low for days for something like this. There aren't any examples of the SOAP bodies in the Talend documentation.
If anyone is interested, here is how to pass a SAML token to a REST API:

Take the SAML assertion portion of the XML response, deflate it and base64-encode it.
Set the HTTP header "Authorization" to the value "SAML xxxx", where xxxx is the deflated/base64-encoded assertion XML.

reference material: http://cxf.apache.org/docs/jax-rs-saml.html
NOTE: make sure that there aren't any special characters in the XML, or you will get the error "Signature cryptographic validation not successful" (see the runtime log -/log/tesb.tx). Reference: https://www.talendforge.org/forum/viewtopic.php?pid=164104
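The Authorization-header recipe in the reply above, and the signature failure from the earlier Validate attempt, as one added example that is not part of the thread and not Talend's or CXF's code. It slices the Assertion element out of the raw STS reply without re-parsing it, shows that merely round-tripping those bytes through a generic XML parser changes them (so a signature computed over the original no longer verifies, which is the same class of problem as pasting the assertion into SoapUI or altering its characters), then builds and decodes the `SAML xxxx` header. The deflate is assumed to be raw DEFLATE without a zlib header; that detail about the CXF JAX-RS SAML handler is an assumption, and the reply below is constructed.

```python
"""Carry an issued SAML assertion to a JAX-RS service as an Authorization header.

Added example: not code from the thread or from Talend/CXF.  Header form follows
the reply above (Authorization: SAML <base64 of deflated assertion>); raw DEFLATE
(no zlib header) is an assumption.  SAMPLE_REPLY is constructed.
"""
import base64
import hashlib
import re
import zlib
import xml.etree.ElementTree as ET

# Matches the opening tag of an Assertion element with any (or no) namespace prefix.
ASSERTION_OPEN = re.compile(rb"<(?:([A-Za-z0-9_.-]+):)?Assertion[\s>]")


def extract_assertion_bytes(reply):
    """Slice the Assertion element out of the raw reply, byte for byte.

    The STS signed exactly this element; re-serialising it or editing its
    characters is what turns into "Signature cryptographic validation not successful".
    """
    m = ASSERTION_OPEN.search(reply)
    if not m:
        raise ValueError("no Assertion element in reply")
    prefix = m.group(1)
    close = b"</" + (prefix + b":" if prefix else b"") + b"Assertion>"
    end = reply.find(close, m.start())
    if end < 0:
        raise ValueError("Assertion element is not terminated")
    return reply[m.start():end + len(close)]


def reserialize(assertion):
    """What a generic parse-then-serialize does to the assertion: prefixes are
    rewritten (saml2 -> ns0), so the bytes, and any digest over them, change.
    Note that xsi:type="saml2:AssertionType" keeps the old prefix in its value."""
    return ET.tostring(ET.fromstring(assertion), encoding="utf-8")


def fingerprint(data):
    """SHA-256 of the bytes, used here only to show that two serialisations differ."""
    return hashlib.sha256(data).hexdigest()


def to_saml_authorization(assertion):
    """Deflate + base64 the assertion and wrap it in the SAML scheme."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE (assumption)
    packed = comp.compress(assertion) + comp.flush()
    return "SAML " + base64.b64encode(packed).decode("ascii")


def from_saml_authorization(header):
    """Inverse of to_saml_authorization, as the receiving service would do it."""
    scheme, _, token = header.partition(" ")
    if scheme != "SAML" or not token:
        raise ValueError("not a SAML Authorization header")
    return zlib.decompress(base64.b64decode(token, validate=True), -15)


# Constructed reply with the same layout as the STS response shown in the thread.
SAMPLE_REPLY = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<ns4:RequestSecurityTokenResponseCollection xmlns:ns4="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
    b'<ns4:RequestSecurityTokenResponse Context="jaas"><ns4:RequestedSecurityToken>'
    b'<saml2:Assertion ID="_CONSTRUCTED_ASSERTION_2" IssueInstant="2015-12-17T22:59:39.173Z" Version="2.0" '
    b'xsi:type="saml2:AssertionType" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    b'<saml2:Issuer>TalendESB_STSIssuer</saml2:Issuer>'
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    b'<ds:SignatureValue>CONSTRUCTED-PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    b'</saml2:Assertion></ns4:RequestedSecurityToken>'
    b'</ns4:RequestSecurityTokenResponse></ns4:RequestSecurityTokenResponseCollection>'
    b'</soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    original = extract_assertion_bytes(SAMPLE_REPLY)
    print("original   ", fingerprint(original))
    print("reserialized", fingerprint(reserialize(original)))
    header = to_saml_authorization(original)
    print(header[:60] + "...")
    print("round trip ok:", from_saml_authorization(header) == original)
```

The receiving side in the CXF JAX-RS SAML setup undoes the base64 and deflate and then verifies the XML signature over the assertion, so the bytes that reach it must be the ones the STS signed; pretty-printing, copying through a tool that rewrites prefixes, or touching any character inside the element is enough to make that verification fail.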