Web Authentication Service as a Security Token Service

The following section describes a mechanism by which a SAML ticket for a particular user can be obtained from a WAS without knowing that user's password. This is useful when a user has already logged in, a SAML ticket is needed to delegate the user's identity to an external system, and the delegating system knows only the user's name, not the password. The mechanism is also useful wherever a trusted client application needs the user's information, such as name, address data or roles.

The following method is available to users who are authenticated via de.conterra.suite.policy.common.usermanagement.adapter.UserManagementLoginModule, which usually means all users except the 'super user'.

For querying SAML tickets, the password authentication method (urn:opengeospatial:authNMethod:OWS:1.0:password) is used, but the password part of the CREDENTIALS parameter is filled with a special value. Normally the CREDENTIALS parameter consists of the Base64-encoded username and the Base64-encoded user password, separated by a comma. Because the password is unknown, it is filled in as follows:

Password = <issuer-id>|<encrypted-data>
encrypted-data = <issuedate>|<username>

The issuer-id is the ID of the party issuing the query; in a standard security.manager installation this is the alias of the public certificate, which is also used for signing SAML tickets. Further IDs can be added to the keystore by importing certificates.

The issuer ID is separated from the encrypted-data component by a pipe symbol (|).

The encrypted-data component consists of the issue date of the query, formatted in accordance with ISO 8601 (for example 2016-11-17T13:28:17.235Z), and the username, with the two parts separated by a pipe symbol. This component must be encrypted with the private key that belongs to the issuer ID. The bytes produced by the encryption are Base64-encoded and appended after the pipe symbol that follows the issuer ID.

During the login procedure, the system decrypts the encrypted-data portion and checks that the values it contains are correct. If both the decryption and the checks succeed, a SAML ticket is issued. Because the mechanism relies on a private/public key pair rather than a shared password, it is more secure than regular password authentication.
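As an added example (not code from this page or from the security.manager product), the following Go program builds the special password value on the trusted client side and performs the login-side checks described above. It assumes RSA keys, that "encrypting with the private key" means the PKCS#1 v1.5 private-key operation, a freshness window for the issue date, and the function names NewIssuerKey, BuildPassword and ValidatePassword, none of which come from the page.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"math/big"
	"strings"
	"time"
)

// NewIssuerKey makes a throwaway issuer key pair for the demo; a real WAS uses the keystore entry.
func NewIssuerKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// BuildPassword forms <issuer-id>|base64(privkey_encrypt("<issuedate>|<username>")). "Encrypting with the private
// key" is taken to be the raw RSA private operation on a PKCS#1 v1.5 block-type-1 padded message (SignPKCS1v15, hash 0).
func BuildPassword(issuerID string, priv *rsa.PrivateKey, issued time.Time, user string) (string, error) {
	plain := []byte(issued.UTC().Format("2006-01-02T15:04:05.000Z07:00") + "|" + user) // ISO 8601 as on the page
	enc, err := rsa.SignPKCS1v15(rand.Reader, priv, 0, plain)
	return issuerID + "|" + base64.StdEncoding.EncodeToString(enc), err // err only when plain exceeds the key size
}

// ValidatePassword is the login-side check. keystore maps issuer IDs (certificate aliases) to public keys.
// The freshness window maxAge and the one-minute clock-skew allowance are assumptions, not from the page.
func ValidatePassword(password, expectedUser string, keystore map[string]*rsa.PublicKey, now time.Time, maxAge time.Duration) error {
	id, b64, _ := strings.Cut(password, "|")
	pub, trusted := keystore[id]
	enc, err := base64.StdEncoding.DecodeString(b64)
	if !trusted || err != nil {
		return errors.New("unknown issuer id or malformed encrypted-data")
	}
	// Public-key operation enc^e mod n, then strip the 00 01 FF..FF 00 padding (at least 8 FF bytes).
	em := new(big.Int).Exp(new(big.Int).SetBytes(enc), big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, pub.Size()))
	sep := bytes.IndexByte(em[2:], 0x00)
	if em[0] != 0x00 || em[1] != 0x01 || sep < 8 {
		return errors.New("encrypted-data was not produced with the issuer's private key")
	}
	dateStr, user, _ := strings.Cut(string(em[3+sep:]), "|")
	issued, err := time.Parse(time.RFC3339Nano, dateStr)
	if err != nil || user != expectedUser || issued.After(now.Add(time.Minute)) || now.Sub(issued) > maxAge {
		return errors.New("username mismatch or issue date outside the accepted window")
	}
	return nil
}
```

The username check compares against the username carried in the other half of CREDENTIALS, and the date check is what stops an old value from being reused indefinitely.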