Using SAML based authentication
LiveCycle ES supports several web service authentication modes when invoking services. One authentication mode is specifying a user name and password using a basic authorization header in the web service call. LiveCycle ES also supports SAML assertion based authentication. This section describes how SAML authentication works and demonstrates it in .NET and Java based clients.
When a client application invokes a LiveCycle ES service using a web service, the client application can provide authentication information in one of the following ways:
LiveCycle ES does not support standard certificate based authentication, but it does support certificate based authentication in a different form.
Note: The web service quick starts in Programming with LiveCycle ES specify user name and password values to perform authorization.
The identity of LiveCycle ES users can be represented through a SAML assertion signed using a secret key. The following XML code shows an example of a SAML assertion.
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
	xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
	xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
	AssertionID="fd4bd0c87302780e0d9bbfa8726d5bc0" IssueInstant="2008-04-17T13:47:00.720Z" Issuer="LiveCycle"
	MajorVersion="1" MinorVersion="1">
	<Conditions NotBefore="2008-04-17T13:47:00.720Z" NotOnOrAfter="2008-04-17T15:47:00.720Z">
	</Conditions>
	<AuthenticationStatement
		AuthenticationInstant="2008-04-17T13:47:00.720Z"
		AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
		<Subject>
			<NameIdentifier NameQualifier="DefaultDom">administrator</NameIdentifier>
			<SubjectConfirmation>
				<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
			</SubjectConfirmation>
		</Subject>
	</AuthenticationStatement>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></ds:SignatureMethod>
			<ds:Reference URI="#fd4bd0c87302780e0d9bbfa8726d5bc0">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
							PrefixList="code ds kind rw saml samlp typens #default">
						</ec:InclusiveNamespaces>
					</ds:Transform>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
				<ds:DigestValue>hVrtqjWr+VzaVUIpQx0YI9lIjaY=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>UMbBb+cUcPtcWDCIhXes4n4FxfU=</ds:SignatureValue>
	</ds:Signature>
</Assertion>
This example assertion is issued for an administrator user. This assertion contains the following notable items:
A client application can retrieve the assertion from any LiveCycle ES AuthenticationManager API method that returns an AuthResult object. You can obtain an AuthResult instance in one of the following two ways:
Authenticating the user using any of the authenticate methods exposed by the AuthenticationManager API. Typically you would use a user name and password; however, you can also use certificate authentication.
Using the AuthenticationManager.getAuthResultOnBehalfOfUser method. This method lets a client application get an AuthResult object for any LiveCycle ES user.
A LiveCycle ES user can be authenticated using a SAML token obtained in this way. The SAML assertion (an XML fragment) is sent as part of the WS-Security header of the web service call for user authentication. Typically, a client application has authenticated a user but has not stored the user's credentials (or the user has logged on to that client through a mechanism other than a user name and password). In this situation, the client application has to invoke LiveCycle ES while impersonating a specific user that is allowed to invoke LiveCycle ES.
To impersonate a specific user, invoke the AuthenticationManager.getAuthResultOnBehalfOfUser method using a web service. This method returns an AuthResult instance that contains the SAML assertion for that user.
Next, use that SAML assertion to invoke any LiveCycle ES service that requires authentication. This involves sending the assertion as part of the SOAP header. When a web service call is made with this assertion, LiveCycle ES identifies the invoking user as the one represented by that assertion. That is, the user specified in the assertion is the user who is invoking the service.
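The client side of the flow just described (take the assertion text returned in the AuthResult, confirm it is still inside its Conditions window, and place it verbatim in a wsse:Security header of the SOAP call), as an added Python example. This is not Adobe's code and not part of the original page: the accessor that yields the assertion string (getAssertion) and the service body element are assumptions, and the sample assertion is an abridged copy of the one shown above.

```python
"""Wrap a LiveCycle ES SAML 1.1 assertion in a WS-Security SOAP header.

Added example, not Adobe's code. Assumptions: the assertion text comes from
the AuthResult returned by getAuthResultOnBehalfOfUser (accessor name assumed
to be getAssertion), and the target service accepts a wsse:Security header in
a SOAP 1.1 envelope. The body element used below is a placeholder.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Abridged copy of the page's sample assertion (Transforms elided); the
# digest and signature values are the page's own and are not recomputed here.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
 AssertionID="fd4bd0c87302780e0d9bbfa8726d5bc0" IssueInstant="2008-04-17T13:47:00.720Z"
 Issuer="LiveCycle" MajorVersion="1" MinorVersion="1">
 <Conditions NotBefore="2008-04-17T13:47:00.720Z" NotOnOrAfter="2008-04-17T15:47:00.720Z"/>
 <AuthenticationStatement AuthenticationInstant="2008-04-17T13:47:00.720Z"
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
  <Subject>
   <NameIdentifier NameQualifier="DefaultDom">administrator</NameIdentifier>
   <SubjectConfirmation>
    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
   </SubjectConfirmation>
  </Subject>
 </AuthenticationStatement>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
   <ds:Reference URI="#fd4bd0c87302780e0d9bbfa8726d5bc0">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>hVrtqjWr+VzaVUIpQx0YI9lIjaY=</ds:DigestValue>
   </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>UMbBb+cUcPtcWDCIhXes4n4FxfU=</ds:SignatureValue>
 </ds:Signature>
</Assertion>"""


def _parse_instant(value):
    """Parse the xsd:dateTime form used in the assertion (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validity_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    return _parse_instant(cond.get("NotBefore")), _parse_instant(cond.get("NotOnOrAfter"))


def is_usable_at(assertion_xml, instant):
    """True if `instant` (same dateTime format) lies in [NotBefore, NotOnOrAfter).

    A client should refuse to send an expired assertion and fetch a fresh
    AuthResult instead; the server rejects it anyway, so this only saves a call.
    """
    not_before, not_on_or_after = validity_window(assertion_xml)
    return not_before <= _parse_instant(instant) < not_on_or_after


def subject_of(assertion_xml):
    """Return (NameQualifier, user name), i.e. the user the call will run as."""
    ident = ET.fromstring(assertion_xml).find(f".//{{{SAML_NS}}}NameIdentifier")
    return ident.get("NameQualifier"), ident.text


def build_envelope(assertion_xml, body_xml):
    """Build a SOAP 1.1 envelope carrying the assertion in a wsse:Security header.

    The assertion is spliced in as the original text on purpose: re-serialising
    it through an XML library may rename namespace prefixes, and the exclusive
    c14n signature over the assertion would then no longer verify.
    """
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE_NS}" soapenv:mustUnderstand="1">'
        f"{assertion_xml}"
        "</wsse:Security></soapenv:Header>"
        f"<soapenv:Body>{body_xml}</soapenv:Body>"
        "</soapenv:Envelope>"
    )


if __name__ == "__main__":
    # Placeholder body; a real call would use the target service's operation.
    env = build_envelope(SAMPLE_ASSERTION, '<ns:invoke xmlns:ns="urn:example:placeholder"/>')
    print(subject_of(SAMPLE_ASSERTION), is_usable_at(SAMPLE_ASSERTION, "2008-04-17T14:00:00.000Z"))
    print(env[:120], "...")
```

The window check uses the assertion's own Conditions, which is the same freshness rule the server applies; the envelope builder deliberately treats the assertion as opaque text so the HMAC-SHA1 signature computed over the canonicalized assertion survives transport unchanged.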


Programming with LiveCycle ES (LiveDocs)
Adobe LiveCycle ES Update 1


Current page: http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/help/001503.html