Connect2id server 3.7 enables SAML 2.0 integration

Web API access token

SAML 2.0 integration

The latest release of the Connect2id server enables enterprises with applications utilising existing SAML IdP and SSO infrastructure to obtain OAuth access tokens for protected resources, typically web APIs.

How does this work?

  1. A user initiates login to an application;
  2. The application as a SAML 2.0 Service Provider (SP) redirects the user to the SAML 2.0 Identity Provider (IdP) and receives a SAML 2.0 assertion on success;
  3. If access to an OAuth 2.0 protected resource (e.g. a web API) is required, the application, acting as OAuth 2.0 client, exchanges the SAML 2.0 assertion for an access token at the token endpoint of the Connect2id server.

Use of SAML 2.0 assertions as OAuth grants is governed by RFC 7522. We ventured a step beyond the spec and added one potentially useful feature not present there -- the ability to use the SAML assertion to request an OpenID identity token.

For more complex requirements, the Connect2id server provides plenty of freedom and flexibility in defining how SAML 2.0 assertions are to be converted to OAuth 2.0 access tokens:

  • Support for arbitrary credential sources and logic for validation of the SAML 2.0 assertions;
  • Logic to determine the scope of the issued OAuth tokens and its encoding, lifetime and other properties;
  • Mapping of client identifiers between the SAML IdP and the OAuth authorisation server.
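The assertion exchange described in the steps above and the validation logic the SPI leaves to the deployment, as an added example that is not code from the Connect2id server or its SDK: the client side builds the RFC 7522 token request body, and the server side applies the RFC 7522 section 3 checks (trusted issuer, audience equal to the token endpoint, validity window, bearer subject confirmation). The assertion, issuer and token endpoint URL are constructed placeholders; XML signature verification, which must precede these checks, is assumed to have been done by the credential source the SPI plugs in.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://c2id.example.com/token"  # assumed placeholder, not a real deployment

# Constructed, unsigned sample assertion; a real SPI must verify the IdP's XML signature first.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" IssueInstant="2016-01-15T10:00:00Z">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Subject><saml:NameID>alice</saml:NameID>
  <saml:SubjectConfirmation Method="{BEARER}">
   <saml:SubjectConfirmationData NotOnOrAfter="2016-01-15T10:05:00Z" Recipient="{TOKEN_ENDPOINT}"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2016-01-15T09:59:00Z" NotOnOrAfter="2016-01-15T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
</saml:Assertion>"""

def build_token_request(assertion_xml):
    """Form body of the RFC 7522 token request: grant_type plus the base64url-encoded assertion."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urlencode({"grant_type": GRANT_TYPE, "assertion": b64})

def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def validate_assertion(assertion_xml, trusted_issuers, token_endpoint, now_utc):
    """RFC 7522 section 3 checks; returns (True, subject) or (False, reason)."""
    q = lambda tag: f"{{{SAML_NS}}}{tag}"
    root, now = ET.fromstring(assertion_xml), _ts(now_utc)
    if root.findtext(q("Issuer")) not in trusted_issuers:
        return False, "untrusted issuer"
    cond = root.find(q("Conditions"))
    if cond is None or token_endpoint not in [a.text for a in cond.iter(q("Audience"))]:
        return False, "audience mismatch"  # assertion was not issued for this token endpoint
    if (cond.get("NotBefore") and now < _ts(cond.get("NotBefore"))) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired or not yet valid"
    bearer = [c for c in root.iter(q("SubjectConfirmation")) if c.get("Method") == BEARER]
    if not bearer:
        return False, "no bearer subject confirmation"
    data = bearer[0].find(q("SubjectConfirmationData"))
    if data is not None and data.get("Recipient") not in (None, token_endpoint):
        return False, "recipient mismatch"
    if data is not None and data.get("NotOnOrAfter") and now >= _ts(data.get("NotOnOrAfter")):
        return False, "subject confirmation expired"
    return True, root.findtext(f"{q('Subject')}/{q('NameID')}")
```

The scope, lifetime and encoding of the access token issued after a successful validation are what the SPI's own logic decides; they are outside this example.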

Check out the SAML 2.0 assertion grant SPI docs for more information, or get in touch with our support team.

The Connect2id SDK for developing OAuth 2.0 and OpenID Connect apps was also upgraded and now includes comprehensive support for handling SAML 2.0 assertions.

Extended LDAP metrics

The monitoring API was extended to gather measurements and stats on the time it takes to complete LDAP requests to the directory backend:

  • LDAP get, search, modify and delete operations for the client registrations;
  • LDAP get, search, modify and delete operations for the long-lived authorisations.

Download

To download a ZIP package of Connect2id server 3.7:

https://connect2id.com/assets/products/server/download/3.7/Connect2id-server.zip

As WAR package only:

https://connect2id.com/assets/products/server/download/3.7/c2id.war

https://connect2id.com/assets/products/server/download/3.7/c2id-3.7.war

Questions?

Please contact Connect2id support.

Connect2id Server 3.7 release notes

Configuration

  • No changes

Web API

  • Discovery endpoint .well-known/openid-configuration:

    • Renames OpenID Provider metadata parameter for token introspection endpoint from "token_introspection_endpoint" to "introspection_endpoint" to match upcoming OAuth 2.0 specification (see draft-jones-oauth-discovery-00).

    • Renames OpenID Provider metadata parameter for token revocation endpoint from "token_revocation_endpoint" to "revocation_endpoint" to match upcoming OAuth 2.0 specification (see draft-jones-oauth-discovery-00).

  • Monitoring API monitor/v1/metrics:

    • Adds clientStore.ldapConnector.getTimer

    • Adds clientStore.ldapConnector.searchTimer

    • Adds clientStore.ldapConnector.addTimer

    • Adds clientStore.ldapConnector.modifyTimer

    • Adds clientStore.ldapConnector.deleteTimer

    • Adds authzStore.ldapConnector.getTimer

    • Adds authzStore.ldapConnector.searchTimer

    • Adds authzStore.ldapConnector.addTimer

    • Adds authzStore.ldapConnector.modifyTimer

    • Adds authzStore.ldapConnector.deleteTimer

Bug fixes

  • Ensures proper signature validation of self-issued OAuth 2.0 JWT bearer assertion grants (issue server/177).

  • Ensures proper shutdown of SPI implementations for handling OAuth 2.0 JWT bearer assertion grants issued by a third-party (issue server/178).

  • Logs asynchronous authorisation store LDAP results with codes 68 (entry already exists) and 32 (no such object) at info instead of error level.

  • Fixes AS00030 log message code (issue authz-store/107).

Dependencies

  • Upgrades to com.nimbusds:c2id-server-sdk:3.7.1

  • Upgrades to com.nimbusds:oauth2-authz-store:3.2

  • Upgrades to com.nimbusds:oidc-session-store:3.2.1

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.11

  • Upgrades to com.unboundid:unboundid-ldapsdk:3.1.0

  • Upgrades to org.apache.commons:commons-collections4:4.1

  • Upgrades to org.apache.logging.log4j:log4j-web:2.5

  • Upgrades to org.apache.logging.log4j:log4j-slf4j-impl:2.5

Other

  • Adds Java Service Provider Interface (SPI) for handling SAML 2.0 bearer assertion grants which are self-issued (created by the requesting client).

  • Adds Java Service Provider Interface (SPI) for handling SAML 2.0 bearer assertion grants which are issued by a third-party Security Token Service (STS).