SAML Calculator

This adapter signs, validates, encrypts and decrypts SAML assertions and requests.

Properties

Operation

Defines the operation executed by the function adapter.

Possible values:

Encrypt Assertion: Encrypt SAML assertion
Required parameters: cryptAlias, cryptPassword
Decrypt Assertion: Decrypt SAML assertion
Required parameters: cryptAlias, cryptPassword
Sign Assertion: Sign SAML assertion with a certificate
Required parameters: signatureAlias, signaturePassword, algorithm
Validate Assertion: Validate SAML assertion
Required parameters: cryptAlias, cryptPassword, signatureRequired, skipValidation
Sign Request: Sign SAML request with a certificate
Required parameters: signatureAlias, signaturePassword, algorithm
Validate Request: Validate SAML request
Required parameters: signatureRequired, skipValidations

Parameters

`Adapter`	Main adapter class (Do not change!) Possible values: de.softproject.x4.adapter.saml.SamlAdapter: Main class (default)
`keystoreUrl`	URL of the keystore that is used to encrypt and decrypt SAML assertions. Possible values: String (URL)
`keystorePassword`	Password of the keystore that is used to encrypt and decrypt SAML assertions. Possible values: String
`keystoreType`	Type of the keystore that is used to encrypt and decrypt SAML assertions. Possible values: Type of the keystores, e.g. `JKS`, `PKCS12`, ...
`signatureRequired`	Defines if a signature is required to decrypt a file. Possible values: `true` / `false`
`skipValidations`	Defines if the signature and validity verifications are skipped during decrypting. Possible values: `true` / `false`
`cryptAlias`	Alias of the key pair or certificate that is used to decrypt and encrypt SAML assertions.
`cryptPassword`	Passwort of the key pair that is used to decrypt SAML assertions.
`signatureAlias`	Alias of the key pair that is used to sign SAML assertions.
`signaturePassword`	Passwort of the key pair that is used to sign SAML assertions.
`algorithm`	Algorithm that is to be used to sign SAML assertions. Possible values: `SHA1`: `SHA256`: `SHA512`:

Status values

1	The adapter outputs a result.
-1	An error occurred during the adapter's execution (for details see server log).

Input

The adapter expects a SAML assertion or a SAML request depending on the operation to be executed.

SAML Assertion:

Example Input SAML Assertion

XML

<saml:Assertion 	
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 	
	xmlns:xs="http://www.w3.org/2001/XMLSchema"
	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 	
	ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" 	IssueInstant="2014-07-17T01:01:48Z">
	<saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
	<saml:Subject>
		<saml:NameID 			SPNameQualifier="http://sp.example.com/demo1/metadata.php" 			Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"> 			_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7 		</saml:NameID>
		<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
			<saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" 				Recipient="http://sp.example.com/demo1/index.php?acs" 				InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
		</saml:SubjectConfirmation>
	</saml:Subject>
	<saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
		<saml:AudienceRestriction>
			<saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
		</saml:AudienceRestriction>
	</saml:Conditions>
	<saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" 		SessionNotOnOrAfter="2024-07-17T09:01:48Z" 		SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
		<saml:AuthnContext>
			<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
		</saml:AuthnContext>
	</saml:AuthnStatement>
	<saml:AttributeStatement>
		<saml:Attribute Name="uid" 			NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
		</saml:Attribute>
		<saml:Attribute Name="mail" 			NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
		</saml:Attribute>
		<saml:Attribute Name="eduPersonAffiliation" 			NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
			<saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
		</saml:Attribute>
	</saml:AttributeStatement>
</saml:Assertion>

SAML Request:

Example Input SAML Request

XML

<samlp:AuthnRequest ID="123456789" Version="2.0" 	IssueInstant="2019-01-01T12:00:00" 	Destination="https://www.example.org/saml/login" 	ForceAuthn="false" IsPassive="false" 	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
	<saml:Issuer 		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">BPMX4</saml:Issuer>
	<samlp:NameIDPolicy AllowCreate="true" 		Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>

Output

The Adapter outputs different files depending on the operation executed:

Encrypt Assertion: The adapter outputs a decrypted SAML assertion.
Sign Assertion: The adapter outputs a signed SAML assertion.
Sign Request: The adapter outputs a signed SAML request.