Authentication solution using SAML, OAuth2 Token

Many well-known websites and applications use SAML, OAuth2 or social authentication solutions to provide secure access to their products and services.
Here is a simple but effective solution that provides a token-based, authenticated file upload service.

We will use OpenAM, the access management platform from ForgeRock, as the example.

Before going through this solution, please read some basics about OpenAM, SAML, OAuth2 and social authentication.
There is a lot of material available on the internet about these topics.
Wikipedia also has an overview of OpenAM.

Let us see how these solutions work.
We share two approaches to authentication below. Choose whichever suits your requirement best.

List of Tools and Technologies required

1. Apache Tomcat 8
2. OpenAM 12
3. Java 8

How to Deploy OpenAM in Tomcat –

1. Download Apache Tomcat 8 (zip) and unzip it.

2. Download OpenAM war file.

3. Copy openam.war into Apache Tomcat’s webapps folder.

4. Start Apache Tomcat.

Configuring OpenAM –

1. Once the Tomcat server has started successfully, use the following link to access the OpenAM console:
http://<host>:<port>/openam
note – the host must be a proper FQDN with at least two dots (.)
e.g. – example.openam.com

2. The configuration options screen appears. Click on New or Custom configuration.
3. For a custom configuration, follow the wizard screens.
4. Once configuration has completed successfully, log in with the admin ID (amadmin).

User Authentication Approaches –

Approach 1 – SP Initiated:

i. The IdP calls the getToken REST service hosted by the SP. The request to this service carries a JSON string containing the username and password.
ii. The getToken service on the SP reads the username and password and sends them to OpenAM. OpenAM hosts RESTful APIs that the SP uses for this.
e.g. – the authenticate service hosted by OpenAM authenticates the given user:
http://openam.example.com/openam/identity/authenticate?username=<username>&password=<password>
iii. OpenAM authenticates the given username and password against its configured LDAP store and returns a token. If authentication fails, an error message is sent back instead.
iv. The SP reads the response from OpenAM and forwards it to the IdP as the response to the getToken call.
v. The IdP reads this response and extracts the token from it.
e.g. – token.id=AQIC5wM2LY4SfcxP8EOZAuJGO-g1lm–jnDWpBppZ1gDMaU.*AAJTSQACMDEAAlNLABQtMzk4MTc3OTk3MjgxMDgzMDcyNA..*
vi. The IdP can now call the upload document service with this token. To do so, the IdP builds a JSON request containing the token and the data.
e.g. – {"tokenId": "AQIC5wM2LY4SfcxP8EOZAuJGO-g1lm–jnDWpBppZ1gDMaU.*AAJTSQACMDEAAlNLABQtMzk4MTc3OTk3MjgxMDgzMDcyNA..*", "data": ""}
vii. The IdP calls the uploadDocument service on the SP with this request. On the SP side, the token and the data to be processed are read from the request.
viii. The SP calls the isTokenValid REST API of OpenAM to validate the token sent by the IdP.
e.g. – http://openam.example.com/openam/identity/isTokenValid?tokenid=<token>
OpenAM validates the token and sends back a response in the following format:
Boolean=true (if valid)
Boolean=false (if invalid)
ix. If the token is valid, the SP reads the data (file content) to be uploaded from the IdP’s request and pushes it on into the main file upload flow (an HTTP/S listener or directly onto a queue).
If the token is not valid, an error message is sent back to the IdP.

Approach 2 – IdP Initiated:

i. The IdP calls the authenticate REST API of OpenAM directly, providing the username and password to authenticate.
e.g. – the authenticate service hosted by OpenAM authenticates the given user:
http://openam.example.com/openam/identity/authenticate?username=<username>&password=<password>
ii. OpenAM authenticates the given username and password against its configured LDAP store and returns a token. If authentication fails, an error message is sent back instead.
iii. The IdP reads this response and extracts the token from it.
e.g. – token.id=AQIC5wM2LY4SfcxP8EOZAuJGO-g1lm–jnDWpBppZ1gDMaU.*AAJTSQACMDEAAlNLABQtMzk4MTc3OTk3MjgxMDgzMDcyNA..*
iv. The IdP can now call the upload document service with this token. To do so, the IdP builds a JSON request containing the token and the data.
e.g. – {"tokenId": "AQIC5wM2LY4SfcxP8EOZAuJGO-g1lm–jnDWpBppZ1gDMaU.*AAJTSQACMDEAAlNLABQtMzk4MTc3OTk3MjgxMDgzMDcyNA..*", "data": ""}
v. The IdP calls the uploadDocument service on the SP with this request. On the SP side, the token and the data to be processed are read from the request.
vi. The SP calls the isTokenValid REST API of OpenAM to validate the token sent by the IdP.
e.g. – http://openam.example.com/openam/identity/isTokenValid?tokenid=<token>
OpenAM validates the token and sends back a response in the following format:
Boolean=true (if valid)
Boolean=false (if invalid)
vii. If the token is valid, the SP reads the data (file content) to be uploaded from the IdP’s request and pushes it on into the main file upload flow (an HTTP/S listener or directly onto a queue).
If the token is not valid, an error message is sent back to the IdP.
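The SP-side handling that both approaches share (authenticate to obtain a token, then validate the token before accepting an upload), as an added Python example that is not part of the original post. It assumes the OpenAM base URL and a demo/changeit user, sends the fields as POST form data (which the legacy identity endpoints also accept) rather than in the query string, and includes a constructed stand-in for OpenAM so it runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

OPENAM_BASE = "https://openam.example.com/openam"  # assumed; use HTTPS, the password and token travel in these calls

def http_post(url, fields):
    """Default transport: POST form fields so the password and token stay out of URLs and access logs."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:  # a failed login comes back as an error status with a text body
        return err.read().decode()

def parse_legacy_response(body):
    """OpenAM's legacy identity services answer with key=value lines such as 'token.id=AQIC...' or 'boolean=true'."""
    return {k.strip().lower(): v.strip() for k, v in (l.split("=", 1) for l in body.splitlines() if "=" in l)}

def get_token(username, password, transport=http_post):
    """getToken on the SP (steps ii and iii): authenticate against OpenAM and return the session token."""
    body = transport(OPENAM_BASE + "/identity/authenticate", {"username": username, "password": password})
    token = parse_legacy_response(body).get("token.id")
    if not token:
        raise PermissionError("authentication failed: " + body.strip())
    return token

def is_token_valid(token, transport=http_post):  # step viii: is the presented token still a live session?
    body = transport(OPENAM_BASE + "/identity/isTokenValid", {"tokenid": token})
    return parse_legacy_response(body).get("boolean") == "true"

def handle_upload_document(raw_json, transport=http_post):
    """SP side of uploadDocument: read tokenId and data from the JSON body, validate the token, accept or reject."""
    try:
        request = json.loads(raw_json)
        token, data = request["tokenId"], request["data"]
    except (ValueError, KeyError, TypeError):
        return {"status": "error", "message": "malformed request"}
    if not isinstance(token, str) or not is_token_valid(token, transport):
        return {"status": "error", "message": "invalid token"}
    return {"status": "ok", "bytes": len(data)}  # a real SP hands `data` to the upload flow (listener or queue) here

VALID_TOKEN = "AQIC-constructed-sample-token"  # made-up value, not a real OpenAM session id
def fake_openam(url, fields):
    """Constructed stand-in for OpenAM so the whole flow can run offline (user demo / password changeit)."""
    if url.endswith("/identity/authenticate"):
        ok = fields == {"username": "demo", "password": "changeit"}
        return "token.id=%s\n" % VALID_TOKEN if ok else "Authentication Failed!!\n"
    return "boolean=true\n" if fields.get("tokenid") == VALID_TOKEN else "boolean=false\n"
```

Pass `fake_openam` as the `transport` argument to exercise the flow without a server; the default `http_post` talks to the real endpoints.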

Hope these details of token-based authentication solutions help someone, somewhere.
If they helped you, please share your thoughts in the comments.
