Sequence_diagram.png

Key distribution

  • client:
    • client private & public key
    • sts public key
    • gatekeeper public key
  • sts:
    • sts private & public key
    • client public key
    • gatekeeper public key
  • gatekeeper:
    • gatekeeper private & public key
    • client public key
    • sts public key

1. GetMetadata Request:

selected HTTP header elements

Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://schemas.xmlsoap.org/ws/2004/09/mex/GetMetadata/Request"
User-Agent: Axis2

security elements

NONE

SOAP-Payload

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <mex:GetMetadata xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex">
         <mex:Dialect>http://schemas.xmlsoap.org/ws/2004/09/policy</mex:Dialect>
      </mex:GetMetadata>
   </soapenv:Body>
</soapenv:Envelope>

2. GetMetadata Response

security elements

NONE

SOAP-Payload

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <mex:Metadata xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:tns="http://gatekeeper.service.security.n52.org">
         <mex:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:geodrm="urn:ogc:ows4:geodrm:licensing" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <wsp:ExactlyOne>
                  <wsp:All>
                     <wsp:Policy wsu:Id="IdentityPrecondition">
                        <wsse:RelatedService wsse:ServiceType="wsse:ServiceIP">
                           <wsa:EndpointReference>
                              <wsa:Address>
                              http://localhost:8080/52n-security-sts-webapp-0.1/services/STS
                           </wsa:Address>
                           </wsa:EndpointReference>
                        </wsse:RelatedService>
                        <wsse:SecurityToken wsp:Usage="wsp:Required">
                           <wsse:TokenType>

                           SAMLAssertion
                        </wsse:TokenType>
                        </wsse:SecurityToken>
                     </wsp:Policy>
                     <!--           <wsp:Policy wsu:Id="LicensePrecondition">
            <wsse:RelatedService wsse:ServiceType="wsse:ServiceSTS">
               <wsa:EndpointReference>
                  <wsa:Address>
                              ${licbro.uri}
                           </wsa:Address>
               </wsa:EndpointReference>
            </wsse:RelatedService>
            <geodrm:LicenseToken wsp:Usage="wsp:Required">
               <wsse:TokenType>
                           SAMLAssertion
                        </wsse:TokenType>
            </geodrm:LicenseToken>
         </wsp:Policy> -->
                  </wsp:All>
               </wsp:ExactlyOne>
            </wsp:Policy>
         </mex:MetadataSection>
      </mex:Metadata>
   </soapenv:Body>
</soapenv:Envelope>

3. Request Security Token

selected HTTP header elements

Content-Type: application/soap+xml; charset=UTF-8; 
action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"
User-Agent: Axis2

security elements

  • SOAP Message Timestamp
  • WS-Trust Timestamp
  • UsernameToken (Username/Password, password sent as PasswordText, i.e. in clear; the capture shows a plain http:// endpoint, so no transport protection is visible here)

SOAP-Payload

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
   <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-20038146">
            <wsu:Created>2009-07-06T17:02:42.109Z</wsu:Created>
            <wsu:Expires>2009-07-06T17:07:42.109Z</wsu:Expires>
         </wsu:Timestamp>
         <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-28856183">
            <wsse:Username>client</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">apache</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
      <wsa:To>http://localhost:9090/52n-security-sts-webapp/services/STS</wsa:To>
      <wsa:ReplyTo>
         <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
      </wsa:ReplyTo>
      <wsa:MessageID>urn:uuid:9E492719DF65B450741246899762228</wsa:MessageID>
      <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
   </soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
         <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
         <wst:Lifetime>
            <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:02:42.093Z</wsu:Created>
            <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:07:42.093Z</wsu:Expires>
         </wst:Lifetime>
         <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
         <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey</wst:KeyType>
         <wst:KeySize>256</wst:KeySize>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope>

4. Request Security Token Response

selected HTTP header elements

Content-Type: application/soap+xml; 
action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue";charset=UTF-8

security elements

  • SOAP Message Timestamp
  • WS-Trust Timestamp
  • SAMLToken 1.1
    • Timestamp
    • embedded client certificate
    • signed with sts key

SOAP-Payload

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
   <soapenv:Header xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-4964214">
            <wsu:Created>2009-07-06T17:02:42.203Z</wsu:Created>
            <wsu:Expires>2009-07-06T17:07:42.203Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
      <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
      <wsa:MessageID>urn:uuid:4F9B8B42EE96A7E7DC1246899762151</wsa:MessageID>
      <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</wsa:Action>
      <wsa:RelatesTo>urn:uuid:9E492719DF65B450741246899762228</wsa:RelatesTo>
   </soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
         <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
         <wst:RequestedAttachedReference>
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <wsse:Reference URI="#_3f08b28b502473583ff6fb87217c12fa" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
            </wsse:SecurityTokenReference>
         </wst:RequestedAttachedReference>
         <wst:RequestedUnattachedReference>
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <wsse:Reference URI="_3f08b28b502473583ff6fb87217c12fa" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"/>
            </wsse:SecurityTokenReference>
         </wst:RequestedUnattachedReference>
         <wst:Lifetime>
            <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:02:42.156Z</wsu:Created>
            <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-07-06T17:07:42.156Z</wsu:Expires>
         </wst:Lifetime>
         <wst:RequestedSecurityToken>
            <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_3f08b28b502473583ff6fb87217c12fa" IssueInstant="2009-07-06T17:02:42.187Z" Issuer="STS" MajorVersion="1" MinorVersion="1">
               <Conditions NotBefore="2009-07-06T17:02:42.156Z" NotOnOrAfter="2009-07-06T17:07:42.156Z"/>
               <AuthenticationStatement AuthenticationInstant="2009-07-06T17:02:42.156Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                  <Subject>
                     <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
                     <SubjectConfirmation>
                        <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                           <X509Data xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                              <X509Certificate>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</X509Certificate>
                           </X509Data>
                        </KeyInfo>
                     </SubjectConfirmation>
                  </Subject>
               </AuthenticationStatement>
               <AttributeStatement>
                  <Subject>
                     <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
                  </Subject>
                  <Attribute AttributeName="urn:n52:authentication:subject:principal:role" AttributeNamespace="def">
                     <AttributeValue>main</AttributeValue>
                     <AttributeValue>bob</AttributeValue>
                  </Attribute>
               </AttributeStatement>
               <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                     <ds:Reference URI="#_3f08b28b502473583ff6fb87217c12fa">
                        <ds:Transforms>
                           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/>
                           </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>wHuGZFDFfxoOFnPZcshLlkUSye0=</ds:DigestValue>
                     </ds:Reference>
                  </ds:SignedInfo>
                  <ds:SignatureValue>
IJZojCy+6BEhTkmn3OvTKpyVcVlTSe7EBWv9KHIbN450CkS30dcOcHTHx1DEmbu6fvr/os0zYMra
gQDQcTRnGNdInDZO47ZSU19gSwzgBgmyj9pihYfZ9/I4k2T50aaPfo7qCcQ7Aszdoiwje3c8rgzT
W75lJjcwCnpmH+mUwZs=
</ds:SignatureValue>
                  <ds:KeyInfo>
                     <ds:X509Data>
                        <ds:X509Certificate>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</ds:X509Certificate>
                     </ds:X509Data>
                  </ds:KeyInfo>
               </ds:Signature>
            </Assertion>
         </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
   </soapenv:Body>
</soapenv:Envelope>

5. Gatekeeper Request

security elements

  • SOAP Message Timestamp
  • WS-Trust Timestamp
  • SAMLToken 1.1
    • Timestamp
    • embedded client certificate
    • signed with sts key
  • symmetric key encrypted with the gatekeeper's key (xenc:EncryptedKey, RSA-OAEP); Timestamp and Body are signed with that key (HMAC-SHA1) — no xenc:EncryptedData appears in the capture below, i.e. the Body itself is shown in clear

selected HTTP header elements

Content-Type: multipart/related; boundary=MIMEBoundaryurn_uuid_9E492719DF65B450741246899773073;
type="application/xop+xml"; start="<0.urn:uuid:9E492719DF65B450741246899773074@apache.org>"; start-info="text/xml"
SOAPAction: "urn:method"

first part

Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: binary
Content-ID: <0.urn:uuid:9E492719DF65B450741246899773074@apache.org>

SOAP-Payload

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
   <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-23426441">
            <wsu:Created>2009-07-06T17:02:52.843Z</wsu:Created>
            <wsu:Expires>2009-07-06T17:07:52.843Z</wsu:Expires>
         </wsu:Timestamp>
         <xenc:EncryptedKey Id="EncKeyId-urn:uuid:A4E69FD63028426E9B12468997728908">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <wsse:SecurityTokenReference>
                  <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
               <xenc:CipherValue>Eo+pZunwGRyrQd865sPPt6wsLHgid4l2CY88qD2hb9FDXEDN4nBHJMQqbcWW6EqdHysYNTQ5k6IVtTb9pG90ivK8WDHdH43ZvemMLxuYTpOQE/HtvMcjw/w3KMDxssRVy7/iVA7pAvlQO5Bzt7Dm8ImoFauTRJhn+BYtdztuVIk=</xenc:CipherValue>
            </xenc:CipherData>
         </xenc:EncryptedKey>
         <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_3f08b28b502473583ff6fb87217c12fa" IssueInstant="2009-07-06T17:02:42.187Z" Issuer="STS" MajorVersion="1" MinorVersion="1">
            <Conditions NotBefore="2009-07-06T17:02:42.156Z" NotOnOrAfter="2009-07-06T17:07:42.156Z"/>
            <AuthenticationStatement AuthenticationInstant="2009-07-06T17:02:42.156Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
               <Subject>
                  <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
                  <SubjectConfirmation>
                     <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod>
                     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                           <X509Certificate>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</X509Certificate>
                        </X509Data>
                     </KeyInfo>
                  </SubjectConfirmation>
               </Subject>
            </AuthenticationStatement>
            <AttributeStatement>
               <Subject>
                  <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">client</NameIdentifier>
               </Subject>
               <Attribute AttributeName="urn:n52:authentication:subject:principal:role" AttributeNamespace="def">
                  <AttributeValue>main</AttributeValue>
                  <AttributeValue>bob</AttributeValue>
               </Attribute>
            </AttributeStatement>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <ds:SignedInfo>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <ds:Reference URI="#_3f08b28b502473583ff6fb87217c12fa">
                     <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                           <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"/>
                        </ds:Transform>
                     </ds:Transforms>
                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                     <ds:DigestValue>wHuGZFDFfxoOFnPZcshLlkUSye0=</ds:DigestValue>
                  </ds:Reference>
               </ds:SignedInfo>
               <ds:SignatureValue>
IJZojCy+6BEhTkmn3OvTKpyVcVlTSe7EBWv9KHIbN450CkS30dcOcHTHx1DEmbu6fvr/os0zYMra
gQDQcTRnGNdInDZO47ZSU19gSwzgBgmyj9pihYfZ9/I4k2T50aaPfo7qCcQ7Aszdoiwje3c8rgzT
W75lJjcwCnpmH+mUwZs=
</ds:SignatureValue>
               <ds:KeyInfo>
                  <ds:X509Data>
                     <ds:X509Certificate>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</ds:X509Certificate>
                  </ds:X509Data>
               </ds:KeyInfo>
            </ds:Signature>
         </Assertion>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-22150782">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
               <ds:Reference URI="#Id-24216257">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>+QGzBMp3ni2Sj6YPvr6EJHWzsBo=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#Timestamp-23426441">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>TrxGU+L0kL3CoOTAZ3Pxd3s5J+k=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>5bWnz5zEUIMtJJnUexJX3MZB9TQ=</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-18182194">
               <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-7926940">
                  <wsse:Reference URI="#EncKeyId-urn:uuid:A4E69FD63028426E9B12468997728908" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#EncryptedKey"/>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
      <ows6:OriginalBinding xmlns:ows6="http://gatekeeper.service.security.n52.org" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://gatekeeper.service.security.n52.org http://52north.org/schema/security/gatekeeper/KVP2XML.xsd">Get/KVP</ows6:OriginalBinding>
      <wsa:To>http://localhost:9090/52n-security-gatekeeper-webapp-0.1/services/gatekeeper</wsa:To>
      <wsa:MessageID>urn:uuid:9E492719DF65B450741246899772932</wsa:MessageID>
      <wsa:Action>urn:method</wsa:Action>
   </soapenv:Header>
   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-24216257">
      <ows6:RequestProperty xmlns:ows6="http://gatekeeper.service.security.n52.org" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://gatekeeper.service.security.n52.org http://52north.org/schema/security/gatekeeper/KVP2XML.xsd">
         <ows6:property name="Service">WMS</ows6:property>
         <ows6:property name="request">getCapabilities</ows6:property>
      </ows6:RequestProperty>
   </soapenv:Body>
</soapenv:Envelope>

6. Gatekeeper Response

security elements

  • timestamp and body are signed with the gatekeeper's key (RSA-SHA1; the KeyIdentifier carries the same SHA-1 thumbprint used for the EncryptedKey in step 5)

SOAP-Payload

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
         <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-26386186">
            <wsu:Created>2009-07-06T17:02:53.437Z</wsu:Created>
            <wsu:Expires>2009-07-06T17:07:53.437Z</wsu:Expires>
         </wsu:Timestamp>
         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-19640307">
            <ds:SignedInfo>
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <ds:Reference URI="#Id-17271278">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>XzOXMv+82CDfLA5fQ0a0OWzyrCI=</ds:DigestValue>
               </ds:Reference>
               <ds:Reference URI="#Timestamp-26386186">
                  <ds:Transforms>
                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>fafth1SJrQNWol7trKzzR40dACE=</ds:DigestValue>
               </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
cdzLGUCY3tTMVEdh8ZOPqhCLYeI7SJVdPfJEXFOq9C8o430T61sahnIt+Qclk9KTGnR6BF7+QfhF
Jha/RsIJWFUhNm8LEw3x2PEPvK2/Kyh4Yki8hqAXFD7gN1MguiFXlumH8EgZDZ0jUFi5A4aQk3iE
GDasnd6rf72lLU2Oj/k=
</ds:SignatureValue>
            <ds:KeyInfo Id="KeyId-19700984">
               <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-32871353">
                  <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
               </wsse:SecurityTokenReference>
            </ds:KeyInfo>
         </ds:Signature>
      </wsse:Security>
      <wsa:Action>urn:methodResponse</wsa:Action>
      <wsa:RelatesTo>urn:uuid:9E492719DF65B450741246899772932</wsa:RelatesTo>
   </soapenv:Header>
   <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-17271278">
      <ns:methodResponse xmlns:ns="http://gatekeeper.service.security.n52.org">
         <ns:return>
            <WMT_MS_Capabilities version="1.1.1">
               [truncated]
            </WMT_MS_Capabilities>
         </ns:return>
      </ns:methodResponse>
   </soapenv:Body>
</soapenv:Envelope>