Before you can deploy the sample, you must have created the security profiles, as detailed in Setting up the Security Policy Enforcement Point (PEP) sample. When the security profiles have been created, you can deploy and run the sample.
You can run the sample by using the following input messages:
The Security Policy Enforcement Point (PEP) sample demonstrates how a user name and password identity in the input message can be authenticated and authorized at a SecurityPEP node.
<?xml version="1.0" encoding="UTF-8"?>
<Envelope>
  <Body>
    <MessageIdentity>
      <Username>broker01</Username>
      <Password>password01</Password>
      <IssuedBy>Issuer1</IssuedBy>
      <DemonstrateTokenType>UP</DemonstrateTokenType>
      <Status>UPA1A2_Successful</Status>
    </MessageIdentity>
  </Body>
</Envelope>
The Security Policy Enforcement Point (PEP) sample demonstrates how a user name and password identity in the input message can be authenticated at an HTTPInput node and mapped to SAML 2.0 in a message. The mapped SAML 2.0 content is forwarded to a service that is implemented in another message flow, which contains a SecurityPEP node that invokes validation of the SAML content.
<SAML>
  <Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             ID="Assertion-uuidfb27f9fa-0127-1712-b05a-9d8ed95980ec"
             IssueInstant="2010-04-14T07:10:53Z"
             Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">UsernamePasswordToSAML2.0</saml:Issuer>
    <saml:Subject>
      <saml:NameID>NewPwd1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2010-04-14T07:00:53Z" NotOnOrAfter="2010-04-15T07:10:53Z">
      <saml:AudienceRestriction>
        <saml:Audience>PEP_UP2SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-04-14T07:10:53Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName">
        <saml:AttributeValue xsi:type="xs:string">FirstNameHere</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Surname">
        <saml:AttributeValue xsi:type="xs:string">SurnameHere</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </Assertion>
  <Status>SAMLA1 Successful</Status>
</SAML>
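As an added example that is not part of the sample or of the product's own code, the following Python performs the checks a policy enforcement point must apply to the SAML 2.0 assertion above before trusting it: the validity window given by NotBefore and NotOnOrAfter, the AudienceRestriction (assumed here to be checked against the service name PEP_UP2SAML2), and then extraction of the subject and attributes. The function names and the reduced copy of the assertion are assumptions for this example; it checks only the Conditions element and does not verify a digital signature, and the sample assertion carries none.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed input: the assertion from the sample message above, reduced to the
# parts the checks below read. As in the sample, it carries no Signature element.
SAMPLE_SAML = """<SAML>
<Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xs="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 ID="Assertion-uuidfb27f9fa-0127-1712-b05a-9d8ed95980ec"
 IssueInstant="2010-04-14T07:10:53Z" Version="2.0">
 <saml:Issuer>UsernamePasswordToSAML2.0</saml:Issuer>
 <saml:Subject><saml:NameID>NewPwd1</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2010-04-14T07:00:53Z" NotOnOrAfter="2010-04-15T07:10:53Z">
  <saml:AudienceRestriction><saml:Audience>PEP_UP2SAML2</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="FirstName"><saml:AttributeValue xsi:type="xs:string">FirstNameHere</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Surname"><saml:AttributeValue xsi:type="xs:string">SurnameHere</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</Assertion>
</SAML>"""

def _ts(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_saml(xml_text, expected_audience, now):
    """Check the Conditions of a SAML 2.0 assertion; return (ok, reason, subject, attrs)."""
    assertion = ET.fromstring(xml_text).find("Assertion")
    if assertion is None or assertion.get("Version") != "2.0":
        return False, "no SAML 2.0 Assertion", None, {}
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "missing Conditions", None, {}
    # NotOnOrAfter is exclusive: the assertion is already invalid at that instant
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < _ts(not_before)) or (not_after and now >= _ts(not_after)):
        return False, "assertion outside its validity window", None, {}
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if expected_audience not in audiences:
        return False, "audience mismatch", None, {}
    subject = assertion.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID", "").strip()
    attrs = {a.get("Name"): a.findtext(f"{{{SAML_NS}}}AttributeValue", "").strip()
             for a in assertion.iter(f"{{{SAML_NS}}}Attribute")}
    return True, "ok", subject, attrs
```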
The Security Policy Enforcement Point (PEP) sample demonstrates how a security failure, caused by the input message containing an unknown identity, is handled.
<?xml version="1.0" encoding="UTF-8"?>
<Envelope>
  <Body>
    <MessageIdentity>
      <Username>dummy_usr</Username>
      <Password>password01</Password>
      <IssuedBy>Issuer1</IssuedBy>
      <DemonstrateTokenType>UP</DemonstrateTokenType>
      <Status>A1_Failed</Status>
      <Response>[{http://docs.oasis-open.org/ws-sx/ws-trust/200512} FailedAuthentication]--Dummy_STS: An unknown user name was presented.</Response>
    </MessageIdentity>
  </Body>
</Envelope>
If you want to extend the sample to interact with your security trust server, for example a TFIM server, you must first configure the sample to use the server. To configure the sample to use an external system, see Extending the Security Policy Enforcement Point (PEP) sample.