New post
Question
· May 24, 2023

Unveiling the Mystery: Sending SAML Assertion in SOAP Header - Need Your Expertise!

#Code Snippet #Interoperability #Security #SOAP #InterSystems IRIS

Hello,

We currently have the following scenario: We have a bussiness SOAP Operation, where we get a SAML String and we convert it into a %SAML.Assertion object correctly.

👩‍💻👨‍💻 We would need to send the SAML Assertion inside the SOAP Header to the Target System.

First of all thanks for reading, and thanks for answering.

We currently have opened Log Soap and we do not observe it being added to the SOAP Header, as you would observe in the following Log Soap:

05/24/2023 08:53:37 *********************
Output from Web client with SOAP action = urn:ihe:iti:2007:CrossGatewayQuery
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://www.w3.org/2003/05/soap-envelope' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:s='http://www.w3.org/2001/XMLSchema' xmlns:wsa='http://www.w3.org/2005/08/addressing'>
	<SOAP-ENV:Header>
		<wsa:Action>urn:ihe:iti:2007:CrossGatewayQuery</wsa:Action>
		<wsa:MessageID>urn:uuid:1753BD54-FA08-11ED-B9D9-005056AAA48E</wsa:MessageID>
		<wsa:ReplyTo>
			<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
		</wsa:ReplyTo>
		<wsa:To>...</wsa:To>
	</SOAP-ENV:Header>
	<SOAP-ENV:Body>
		<RespondingGatewayCrossGatewayQuery xmlns="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0">
[...]
		</RespondingGatewayCrossGatewayQuery>
	</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

 

In fact in the Web Service Client used by our SOAP Operation, we do insert the SAML as you could read here:

Include Ensemble

Class WSCLIENTE.RESNS.ConsultaRecetas Extends %SOAP.WebClient [ ProcedureBlock ]
{

/// This is the URL used to access the web service.
/// This is the namespace used by the Service
Parameter NAMESPACE = "urn:ihe:iti:xds-b:2007";
/// Use xsi:type attribute for literal types.
Parameter OUTPUTTYPEATTRIBUTE = 0;
/// Determines handling of Security header.
Parameter SECURITYIN = "ALLOW";
/// This is the name of the Service
Parameter SERVICENAME = "RespondingGateway_Service";
/// This is the SOAP version supported by the service.
Parameter SOAPVERSION = 1.2;
Method RespondingGatewayCrossGatewayQuery(RequestSlotList As EsquemasDatos.RESNS.rim.SlotListType, ResponseOption As EsquemasDatos.RESNS.query.ResponseOptionType, AdhocQuery As EsquemasDatos.RESNS.rim.AdhocQueryType(REFELEMENTQUALIFIED=1,REFNAMESPACE="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0",XMLREF=1), federation As %xsd.anyURI(XMLPROJECTION="attribute"), ByRef startIndex As %Integer(XMLPROJECTION="attribute"), maxResults As %Integer(XMLPROJECTION="attribute"), id As %xsd.anyURI(XMLPROJECTION="attribute"), comment As %String(XMLPROJECTION="attribute"), federated As %Boolean(XMLPROJECTION="attribute"), Output ResponseSlotList As EsquemasDatos.RESNS.rim.SlotListType, Output RegistryErrorList As EsquemasDatos.RESNS.rs.RegistryErrorList(REFELEMENTQUALIFIED=1,REFNAMESPACE="urn:oasis:names:tc:ebxml-regrep:xsd:rs:3.0",XMLREF=1), Output RegistryObjectList As EsquemasDatos.RESNS.rim.RegistryObjectListType(REFELEMENTQUALIFIED=1,REFNAMESPACE="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0",XMLREF=1), Output requestId As %xsd.anyURI(XMLPROJECTION="attribute"), Output totalResultCount As %Integer(XMLPROJECTION="attribute"), Output status As %xsd.anyURI(XMLPROJECTION="attribute"), CabeceraSAML As %String(MAXLEN="")) [ Final, ProcedureBlock = 1, SoapBindingStyle = document, SoapBodyUse = literal, SoapTypeNameSpace = "urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0", WebMethod ]
{
 $$$LOGALERT("Dentro de WSCLIENTE.RESNS.ConsultaRecetas la CabeceraSAML: "_CabeceraSAML)
 do ##class(Ens.Util.XML.Reader).ObjectFromString(.objetoSAML,CabeceraSAML,"%SAML.Assertion",)
 $$$LOGALERT("Dentro de WSCLIENTE.RESNS.ConsultaRecetas el objetoSAML: "_objetoSAML)
 
 #dim objetoSAML As %SAML.Assertion
 set NameID = objetoSAML.Issuer.NameID
 $$$LOGASSERT("objetoSAML.Issuer.NameID: "_objetoSAML.Issuer.NameID)
 
 set x509alias = ##class(Util.TablasMaestras).getValorMaestra("PARAMETROS","aliasCertMSSSI")
 set password = ##class(Util.TablasMaestras).getValorMaestra("PARAMETROS","pwdCertMSSSI")
 Set credset = ##class(%SYS.X509Credentials).GetByAlias(x509alias,password)
 $$$LOGWARNING("credset.%ClassName(): "_credset.%ClassName())
 
 set ref=$$$KeyInfoX509Certificate
 set assertion=##class(%SAML.Assertion).CreateX509(credset,ref)
 $$$LOGINFO("assertion.%ClassName(): "_assertion.%ClassName())
 ;do ..SecurityOut.AddElement(assertion)
  // 23 05 2023 We do not see this SAML object being added to the SOAP Header
 do ..SecurityOut.AddElement(objetoSAML) 
 
 /*
    24 05 2023 We debug
 */
 set SecurityOut = ..GetSecurityOut()
 $$$LOGALERT("SecurityOut: "_SecurityOut)
 
 set writer=##class(%XML.Writer).%New()
 set status=writer.OutputToString()
 If $$$ISERR(status)

 Do $system.OBJ.DisplayError(status)
 set status=writer.RootObject(SecurityOut)
 If $$$ISERR(status) Do $system.OBJ.DisplayError(status)

 set stringSecurityOut = writer.GetXMLString()
 $$$LOGASSERT("stringSecurityOut: "_stringSecurityOut) 

 Do (..WebMethod("RespondingGatewayCrossGatewayQuery")).Invoke($this,"urn:ihe:iti:2007:CrossGatewayQuery",.RequestSlotList,.ResponseOption,.AdhocQuery,.federation,.startIndex,.maxResults,.id,.comment,.federated,.ResponseSlotList,.RegistryErrorList,.RegistryObjectList,.requestId,.totalResultCount,.status)
}


XData parameters
{
<parameters xmlns="http://www.intersystems.com/configuration" xmlns:cfg="http://www.intersystems.com/configuration">
  <method name="RespondingGatewayCrossGatewayQuery">
    <request>
      <Action>urn:ihe:iti:2007:CrossGatewayQuery</Action>
    </request>
    <response>
      <Action>urn:ihe:iti:2007:CrossGatewayQueryResponse</Action>
    </response>
  </method>
  <method name="RespondingGatewayCrossGatewayRetrieve">
    <request>
      <Action>urn:ihe:iti:2007:CrossGatewayRetrieve</Action>
    </request>
    <response>
      <Action>urn:ihe:iti:2007:CrossGatewayRetrieveResponse</Action>
    </response>
  </method>
</parameters>
}

}

Where the flow chart in the Visual Trace shows:

And currently we observe the following logs being outputted in the Visual Trace:

[3]

Tipo: Alerta
Texto: Dentro de WSCLIENTE.RESNS.ConsultaRecetas la CabeceraSAML: <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="89D4A260-F88E-11ED-AE60-005056AAA48E" ...

[4]

Tipo: Alerta
Texto: Dentro de WSCLIENTE.RESNS.ConsultaRecetas el objetoSAML: 1322@%SAML.Assertion

[5]

Tipo: Afirmar
Texto: objetoSAML.Issuer.NameID: urn:initgw:countryB

[6]

Tipo: Advertencia
Texto: credset.%ClassName(): X509Credentials

[7]

Tipo: Info
Texto: assertion.%ClassName(): Assertion

[8]

Tipo: Alerta
Texto: SecurityOut: 1594@%SOAP.Security.Header

[9]

Tipo: Afirmar
Texto: stringSecurityOut: <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secex..."><saml:Assertion xmlns="" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="89D4A260-F88E-11ED-AE60-005056AAA48E" ...

 

We have also read:

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

https://docs.intersystems.com/healthconnectlatest/csp/docbook/DocBook.UI...

https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...

https://community.intersystems.com/post/help-soap-security-and-ws-policy

 

 

👩‍💻👨‍💻 How could we send the SAML Assertion inside the SOAP Header to the Target System?


 

 

 

Thanks again for reading and answering this question.

Thanks.

Greetings.

Product version: IRIS 2020.1
$ZV: IRIS for UNIX (Red Hat Enterprise Linux for x86-64) 2020.1.1 (Build 408U) Sun Mar 21 2021 22:21:14 EDT
Discussion (1)1
Log in or sign up to continue