Support for Google Search Appliance Batch Authorizations (multiple children of SOAP body)



jcraw62

 

I’m trying to support SAML authorization requests from a Google Search Appliance. The appliance sends a non-standard SOAP message (multiple children in the body of the request and the response).

 

Axis2 on the request side handles this – I can simply do the following to get all the <AuthzDecisionQuery> children of the SOAP Body.

 

 

import java.util.Iterator;
import org.apache.axiom.om.OMElement;

public OMElement authorize(OMElement authzElement) {
    // The service method receives the first child of the SOAP Body; its
    // parent is the Body itself, so iterating the parent's children reaches
    // every sibling <AuthzDecisionQuery>. The parameter is left untouched
    // (the original loop reassigned it on every iteration).
    Iterator<?> iter = authzElement.getParent().getChildren();
    try {
        while (iter.hasNext()) {
            Object o = iter.next();
            if (o instanceof OMElement) {
                OMElement query = (OMElement) o;
                if (query.getLocalName().equals("AuthzDecisionQuery")) {
                    // provide an authorization decision
                }
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return authzElement;
}

 

My problem is that I need to respond with a corresponding number of <Response> nodes (1 for each AuthzDecisionQuery node).

 

I cannot find any way to accomplish this?

 

I have not tried data binding as:

 

1.  I haven’t been able to get any data binding framework to handle the SAML 2.0 schema successfully

2.  Being that this interface doesn’t use SAML 2.0 but a non-standard SAML (requiring multiple SOAP body children) I’m pretty sure that the binding frameworks will choke even if I were to develop some custom schema representing this Google interface.

 

Below are sample request/response.

 

I would be most appreciative of help.

 

 

Regards,

 

Jack

 

 

 

 

POST /authz HTTP/1.1
Host: ac.example.com
Content-Type: text/xml
SOAPAction: http://www.oasis-open.org/committees/security
Content-length: nnn


<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <samlp:AuthzDecisionQuery
      ID="kmigpcackfenaibdninipcnmkmajfplommhfapbk"
      IssueInstant="2009-10-20T17:52:29Z"
      Version="2.0"
      Resource="http://www.example.com/document1.html"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Subject>
        <saml:NameID>Polly Hedra</saml:NameID>
      </saml:Subject>
      <saml:Action
        Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">
        GET
      </saml:Action>
    </samlp:AuthzDecisionQuery>
    <samlp:AuthzDecisionQuery
      ID="laskdjklgjgueiuhsdkjhsfkjshfksjhgoiuoiwd"
      IssueInstant="2009-10-20T17:52:29Z"
      Version="2.0"
      Resource="http://www.example.com/document2.html"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Subject>
        <saml:NameID>Polly Hedra</saml:NameID>
      </saml:Subject>
      <saml:Action
        Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">
        GET
      </saml:Action>
    </samlp:AuthzDecisionQuery>
  </soapenv:Body>
</soapenv:Envelope>

 

 

 

HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: nnn


<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <samlp:Response
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="blahblah"
      Version="2.0"
      IssueInstant="2009-10-08T14:38:05Z">
      <samlp:Status>
        <samlp:StatusCode
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion
        Version="2.0"
        ID="kmigpcackfenaibdninipcnmkmajfplommhfapbk"
        IssueInstant="2004-10-08T14:38:05Z">
        <saml:Issuer>example.com</saml:Issuer>
        <saml:Subject>
          <saml:NameID>Polly Hedra</saml:NameID>
        </saml:Subject>
        <saml:AuthzDecisionStatement
          Resource="http://www.example.com/document1.html"
          Decision="Permit">
          <saml:Action
            Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">
            GET
          </saml:Action>
        </saml:AuthzDecisionStatement>
      </saml:Assertion>
    </samlp:Response>

    <samlp:Response
      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="blahblah"
      Version="2.0"
      IssueInstant="2009-10-08T14:38:05Z">
      <samlp:Status>
        <samlp:StatusCode
          Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion
        Version="2.0"
        ID="laskdjklgjgueiuhsdkjhsfkjshfksjhgoiuoiwd"
        IssueInstant="2004-10-08T14:38:05Z">
        <saml:Issuer>example.com</saml:Issuer>
        <saml:Subject>
          <saml:NameID>Polly Hedra</saml:NameID>
        </saml:Subject>
        <saml:AuthzDecisionStatement
          Resource="http://www.example.com/document2.html"
          Decision="Permit">
          <saml:Action
            Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">
            GET
          </saml:Action>
        </saml:AuthzDecisionStatement>
      </saml:Assertion>
    </samlp:Response>
  </soapenv:Body>
</soapenv:Envelope>
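The loop in the post finds every AuthzDecisionQuery in the Body but stops short of the part the post asks about: producing one samlp:Response per query. The block below is an added example, not code from the post, from Axis2 or from the Google Search Appliance, written in Python (stand-alone, no Axis2 dependency) rather than the poster's Java. It parses a constructed two-query batch in the shape of the request above and builds a Body with one Response per query, mirroring the sample response where the Assertion ID echoes the query ID. The names parse_queries, build_response, decide, decisions and the ACL table are this example's own assumptions; the ACL stands in for the "provide an authorization decision" step.

```python
"""Added example: one samlp:Response per AuthzDecisionQuery in a GSA batch.
Not code from the post, Axis2 or the GSA; names below are this example's own."""
import datetime
import secrets
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
GHPP = "urn:oasis:names:tc:SAML:1.0:action:ghpp"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for _prefix, _uri in (("soapenv", SOAP), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(_prefix, _uri)

# Hypothetical policy table (assumption): (subject, resource) -> allowed actions.
ACL = {("Polly Hedra", "http://www.example.com/document1.html"): {"GET"}}


def _query(qid, resource):
    """Constructed sample query in the shape of the post's request (IDs shortened)."""
    return (f'<samlp:AuthzDecisionQuery ID="{qid}" Version="2.0" '
            f'IssueInstant="2009-10-20T17:52:29Z" Resource="{resource}" '
            f'xmlns:saml="{SAML}" xmlns:samlp="{SAMLP}">'
            '<saml:Subject><saml:NameID>Polly Hedra</saml:NameID></saml:Subject>'
            f'<saml:Action Namespace="{GHPP}">GET</saml:Action>'
            '</samlp:AuthzDecisionQuery>')


# Constructed two-query batch: several Body children, as the GSA sends it.
REQUEST = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
           + _query("q1", "http://www.example.com/document1.html")
           + _query("q2", "http://www.example.com/document2.html")
           + '</soapenv:Body></soapenv:Envelope>')


def decide(subject, resource, action):
    """Deny by default; Permit only on an exact ACL hit."""
    return "Permit" if action in ACL.get((subject, resource), set()) else "Deny"


def parse_queries(soap_xml):
    """Return every AuthzDecisionQuery child of the Body, matched by namespace
    and local name (a local-name-only check accepts a query in any namespace)."""
    # stdlib ElementTree does not fetch external entities; for untrusted input
    # in production, parse with defusedxml or an equivalent hardened parser.
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    queries = []
    for q in body.findall(f"{{{SAMLP}}}AuthzDecisionQuery"):
        action = q.find(f"{{{SAML}}}Action")
        queries.append({
            "id": q.get("ID") or "",
            "resource": q.get("Resource") or "",
            "subject": (q.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") or "").strip(),
            "action": (action.text or "").strip() if action is not None else "",
            "action_ns": action.get("Namespace") if action is not None else None,
        })
    return queries


def build_response(queries, issuer="example.com"):
    """Envelope whose Body holds one samlp:Response per query, in query order.
    Each Response gets a fresh unique ID; the Assertion ID echoes the query ID
    as in the post's sample response."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    for q in queries:
        resp = ET.SubElement(body, f"{{{SAMLP}}}Response",
                             ID="_" + secrets.token_hex(16), Version="2.0", IssueInstant=now)
        status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
        assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                                  ID=q["id"], Version="2.0", IssueInstant=now)
        ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
        subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID").text = q["subject"]
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthzDecisionStatement",
                             Resource=q["resource"],
                             Decision=decide(q["subject"], q["resource"], q["action"]))
        ET.SubElement(stmt, f"{{{SAML}}}Action",
                      Namespace=q["action_ns"] or GHPP).text = q["action"]
    return ET.tostring(env, encoding="unicode")


def handle(soap_xml):
    """Full request-to-response path for one batch."""
    return build_response(parse_queries(soap_xml))


def decisions(response_xml):
    """Inspection helper: [(assertion ID, resource, decision), ...] per Response."""
    out = []
    for resp in ET.fromstring(response_xml).iter(f"{{{SAMLP}}}Response"):
        a = resp.find(f"{{{SAML}}}Assertion")
        s = a.find(f"{{{SAML}}}AuthzDecisionStatement")
        out.append((a.get("ID"), s.get("Resource"), s.get("Decision")))
    return out
```

Three choices here matter for an authorization endpoint. Queries are matched on namespace plus local name, where the post's loop checks the local name only, so an element named AuthzDecisionQuery in some other namespace would be treated as a real query. The decision defaults to Deny, so a query for a subject or resource the policy does not know is never answered Permit. And each Response carries its own generated ID; the sample response in the post reuses "blahblah" for both, which any consumer that enforces XML ID uniqueness will reject.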