| By Mark O'Neill | Article Rating: |
|
| November 9, 2011 11:28 AM EST | Reads: |
1,144 |
Looking up user information from an LDAP directory is a common usage of the Vordel Gateway. Sometimes it's used for Message Enrichment in front of an applications server. This saves the applications server developer the hassle of looking up the attributes from the directory, since the attributes are handed to them on a plate, in the message, by the Gateway. So here is a quick tutorial on how to do this:
1) Authenticating the client against an LDAP directory (in this case Microsoft Active Directory) using WS-Security UsernameTokens.
2) Looking up attributes for the user (in this case, their telephone number)
3) "Injecting" a SAML 2.0 assertion into the message, including the SAML Attribute Statement
4) Passing the message back, with the SAML assertion now in it (so that we can see it). Here I could have used a "Connect to URL" filter to send the message to a URL, the "Messaging" filter to put it onto a queue, etc.

Let's look at each of these filters. Firstly, the filter which does WS-Security authentication against LDAP. This is shown below:

See that "Sample Active Directory Repository" under the "Repository Name" field above? That is a pointer to the connection I have configured to an LDAP directory. Actually, with the Vordel Gateway, you get a pre-configured sample LDAP connection which you can adapt to your own directory. This is what I did. The configuration for the LDAP connection can be found under "External Connections", as shown below:
You can see above that there are two things to configure: (a) The Authentication Repository Profile, and (b) The LDAP Connection itself. The LDAP Connection is how the Gateway binds to the LDAP server. The Authentication Repository Profile is how it finds the users which are being authenticated. So it is "bind then find". The Authentication Repository Profile (the "find") makes use of the LDAP connection (the "bind"). Note that if you only configure the LDAP connection, you won't see your LDAP authentication connection come up in the drop-down box on your authentication filters. If I click on "Add/Edit", I can edit (and test) my LDAP connection. In the screenshot below, you can see that the test was successful, meaning I could connect from Policy Studio to the LDAP directory:

OK - so now let's look at the next filter in our circuit. This is a "Retrieve Attributes from Directory Server" filter, which you can find in the "Attributes" group in Policy Studio. I have configured it to retrieve the "telephoneNumber" filter from Active Directory:
If I look into Active Directory, I can see the phone number is in place for a sample user ("Joe Developer"). This is the phone number I am looking up:
Next, I am using an "Insert SAML Authentication Assertion" filter, and I have checked the box to place the SAML Attributes into it, as shown below:

So.... Now when I send a request to the Gateway on a path which is mapped to that policy (e.g. /MyAPI), I see that in the response I now have the SAML Assertion containing the user's phone number. Note that the WS-Security UsernameToken has been removed after use by the Vordel Gateway (you might have noticed the checkbox for this in the WS-Security configuration screenshot above).
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="Id-0001320855457809-800be35d4ebaa7a1120b3266-2"
IssueInstant="2011-11-09T16:17:37Z" Version="2.0">
<saml:Issuer
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
Example
</saml:Issuer>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=Joe Developer,CN=Users,DC=Vordel,DC=com
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches" />
</saml:Subject>
<saml:Conditions NotBefore="2011-11-09T16:17:36Z"
NotOnOrAfter="2011-11-09T16:22:36Z" />
<saml:AuthnStatement AuthnInstant="2011-11-09T16:17:37Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="telephoneNumber"
NameFormat="urn:vordel:attribute:1.0">
<saml:AttributeValue>123456</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
<Add xmlns="http://startvbdotnet.com/web/">
<a>1</a>
<b>2</b>
</Add>
</soap:Body>
</soap:Envelope>
So that's it! That's all you need to do to authenticate a user against an LDAP directory, look up attributes, and insert attributes into an Attribute Statement in a SAML Assertion. You can find out more about the Vordel Gateway here, or email us at info@vordel.com to get a copy.
Read the original blog entry...
Published November 9, 2011 Reads 1,144
Copyright © 2011 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Mark O'Neill
Mark O'Neill is Chief Technology Office of Vordel. Vordel connects applications to applications, businesses to other businesses, and SOA to Cloud Computing. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.
- Service Design Patterns: Fundamental Design Solutions for SOAP/WSDL
- SharePoint 2010 Development with Silverlight Book Review
- The New ROI: A Return on Innovation, and Using Data to Do It
- How MRP and Production Planning and Scheduling Software Differ
- Book Review: Decision Management Systems
- Bluegiga Enables the Development of Bluetooth® 4.0 Accessories for iPhone 4S
- XML Security Gateway plugging holes for Public Clouds
- Planning, Scoping and Recon Techniques
- Bluegiga facilite le développement d'accessoires Bluetooth® 4.0 pour iPhone 4S
- Bluegiga ermöglicht die Entwicklung von Bluetooth® 4.0 Zubehör für das iPhone 4S
- Software Architecture: A Comprehensive Framework and Guide for Practitioners Book Review
- Are You Your Own Worst Enemy?
- Service Design Patterns: Fundamental Design Solutions for SOAP/WSDL
- SharePoint 2010 Development with Silverlight Book Review
- The New ROI: A Return on Innovation, and Using Data to Do It
- Reading an Attribute from an LDAP Directory
- How MRP and Production Planning and Scheduling Software Differ
- Book Review: Decision Management Systems
- Bluegiga Enables the Development of Bluetooth® 4.0 Accessories for iPhone 4S
- XML Security Gateway plugging holes for Public Clouds
- Monitis-Top… Adding Support for FullPage Monitors and Code Optimizations
- Planning, Scoping and Recon Techniques
- Bluegiga facilite le développement d'accessoires Bluetooth® 4.0 pour iPhone 4S
- Where Are RIA Technologies Headed in 2008?
- Processing XML with C# and .NET
- AJAX World RIA Conference & Expo Kicks Off in New York City
- JSON vs XML - A Jason vs Freddie Sequel
- Has the Technology Bounceback Begun?
- i-Technology Viewpoint: The Very Confused World of 3D and XML
- BPEL Processes and Human Workflow
- The Top 250 Players in the Cloud Computing Ecosystem
- The Top 250 Players in the Cloud Computing Ecosystem
- Generating XML from Relational Database Tables
- Open Source Database Special Feature: An Introduction to Berkeley DB XML
- "HP's Problem Ain't the SAP Install," Says Sun's Schwartz





































