Skip to main content

Setting up the security management system in Security Token Service

The Security Token Service is provided with all versions of Talend ESB. For Talend ESB, the security service is, by default, managed by the Talend Identity and Access Management, based on Apache Syncope. The use of the JAAS is also possible, within Talend ESB, by switching the module used from Talend Identity and Access Management to JAAS.

You are able to either use the Talend Identity and Access Management or the JAAS security management systems. To switch between those two systems, you have to change the loginModule value in the <TalendRuntimePath>/container/etc/org.talend.esb.sts.server.cfg configuration file:

  • To use Talend Identity and Access Management, set the parameter as follows: loginModule=TIDM. You also need to set the tidmServiceUrl, tidmUsername, and tidmPassword properties in the configuration file. For more information about how to install the Talend Identity and Access Management, see Installing and configuring Talend Identity and Access Management.
  • To use JAAS, set the parameter as follows: loginModule=JAAS.

This way, when executing the tesb:start-sts command, Talend Runtime Container checks which module is used and then installs either the tesb-sts or the tesb-sts-tidm feature. If the loginModule property does not exist, by default, tesb-sts-tidm will be installed.

To switch from one security management system to the other, simply use the following commands:

  • tesb:switch-sts-jaas

    If the Security Token Service is not started yet, this command only changes the configuration file property to loginModule=JAAS.

    If the Security Token Service using the Talend Identity and Access Management is started, this command stops it and starts the JAAS module instead.

  • tesb:switch-sts-tidm

    If the Security Token Service is not started yet, this command only changes the configuration file property to loginModule=TIDM.

    If the Security Token Service using the JAAS module is started, this command stops it and starts the Talend Identity and Access Management instead.

After setting up STS with JAAS, Talend Runtime STS exposes the following SOAP and REST endpoints. All REST endpoints are protected with Basic authentication except for the JWKS.
  • GET
    • http://localhost:8040/services/SecurityTokenService/openid-connect/jwks: JSON Web Key Set endpoint. It's a read-only endpoint that exposes the STS public key for invocation by JWT token consumers.
    • http://localhost:8040/services/SecurityTokenService/token/jwt: Endpoint to obtain JWT tokens. You can add optional query parameters appliesTo=http://dummy-service.com/dummy or claim=roles to this endpoint.
    • http://localhost:8040/services/SecurityTokenService/token/saml: Endpoint to obtain SAML2 tokens. You can add optional query parameters appliesTo=http://dummy-service.com/dummy or claim=roles to this endpoint.
  • POST
    • http://localhost:8040/services/SecurityTokenService/token: Endpoint to obtain JWT or SAML2 tokens by sending a request body.
      Information noteNote: When issuing tokens by sending POST with XML body in the request, to include roles in the tokens, the attribute Optional="true" needs to be included in the element ClaimValue.
    Simple token request body:
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <!-- for saml2, send 'urn:oasis:names:tc:SAML:2.0:assertion' -->
            <wst:TokenType>urn:ietf:params:oauth:token-type:jwt</wst:TokenType>
            <!-- optional -->
            <SecondaryParameters xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
                    <ClaimValue Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity">
                        <!-- if emptry, all roles will be included -->
                        <Value>dev, qa</Value>
                    </ClaimValue>
                </Claims>
            </SecondaryParameters>
            <!-- optional -->
            <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
                <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                    <wsa:Address>http://dummy-service.com/dummy</wsa:Address>
                </wsa:EndpointReference>
            </wsp:AppliesTo>
    </wst:RequestSecurityToken>
    OnBehalfOf token request body:
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
        <wst:TokenType>urn:ietf:params:oauth:token-type:jwt</wst:TokenType>
        <!-- for saml2, send '<wst:OnBehalfOf><saml2:Assertion>...</saml2:Assertion></wst:OnBehalfOf>' -->
        <wst:OnBehalfOf>
            <TokenWrapper xmlns:ns6="http://docs.oasis-open.org/ws-sx/ws-trust/200802">eyJhbGciOiJSUzI1NiIsImtpZCI6Im15c3Rza2V5In0.eyJzdWIiOiJib2IiLCJqdGkiOiI4MzUxMDM0Ni0zYmVlLTQ1MjYtYThlZS1lMjliOWUxMWI4MGQiLCJpc3MiOiJUYWxlbmRFU0JfU1RTSXNzdWVyIiwicm9sZXMiOiJxYSIsImlhdCI6MTcyMDQzNjI2OCwibmJmIjoxNzIwNDM2MjY4LCJleHAiOjE3MjA0MzgwNjgsImF1ZCI6WyJodHRwOi8vZHVtbXktc2VydmljZS5jb20vZHVtbXkiXX0.efk7RpIwOPF4zljF112KYrmg3usGe9Pt44rdosxFZmaulU2sEqYSIhQ0Qq_jJtUBtpkVcrxVCWfUuA4S_-PG3XwtCfIGl_FqEtuTHyDorJ2s3TQQ7KavNGPRCJqv89hBwg2_YcwRa7HY04dyCazTOrdBZl-g4pDIgAyFPORd8yTlZHguVvdws6rTarN2vaOILMARwBMlznkp_x83LUv3qJc2uzkoDzAYVEQSJr2SMioUXXq6GUHtqkzJ5W9_6_1WUgenFrqbJsXuUugnsxJbFXCYbsCBTzkCHj-8nLHQ39CVA7aeBuSd4slnoxWo_et1GknTSB5McvZxxReev9942g</TokenWrapper>
        </wst:OnBehalfOf>
        <!-- optional -->
        <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>http://dummy-service.com/dummy</wsa:Address>
            </wsa:EndpointReference>
        </wsp:AppliesTo>
        <!-- optional -->
        <SecondaryParameters xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
                <ClaimValue Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" xmlns="http://schemas.xmlsoap.org/ws/2005/05/identity">
                    <Value>developer,qa</Value>
                </ClaimValue>
            </Claims>
        </SecondaryParameters>
    </wst:RequestSecurityToken>
STS JAAS SOAP endpoint: http://localhost:8040/services/SecurityTokenService/UT.
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <soapenv:Header>
      <wsse:Security>
         <wsse:UsernameToken>
            <wsse:Username>tadmin</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">tadmin</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <wst:RequestType><a href="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" class="external free" title="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" rel="nofollow">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</a>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
        <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
        <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                <wsa:Address>http://dummy-service.com/dummy</wsa:Address>
            </wsa:EndpointReference>
        </wsp:AppliesTo>
      </wst:RequestSecurityToken>
   </soapenv:Body>
</soapenv:Envelope> 

You can also request JWT tokens, include roles inside the tokens and use the OnBehalfOf feature for JWT tokens from STS JAAS SOAP endpoint.

With the OnBehalfOf feature, the following token exchanges are possible:

  • JWT -> JWT
  • JWT -> SAML
  • SAML -> SAML
  • SAML -> JWT

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!