如何通过有效的SAML 2.0断言登录？

Question

I'm working on an Android project which has to strongly interact with a SSO Shibboleth authentication protected website. I have, therefore, to create a Java class in order to make a valid SAML assertion and to login into the website.

I googled a lot, and I find this piece of code: http://blog.keksrolle.de/2010/07/27/how-to-create-a-valid-saml-2-0-assertion-with-opensaml-for-java.html In fact I discovered that it was not needed, since that I was able to get the SAML response through some HttpConnection requests.

The code I wrote was able to perform steps 1-5 of this list: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#The_SAML_Use_Case The last thing it does is getting the value of the SAMLResponse parameter, which is the base64 encoding of a element. Then it issues a POST request to the assertion consumer service. Here the pseudo-code :

/* discover the IdP */
connect to the link (/idp/login/) which redirects to the form page (/Authn/UserPassword)
get cookies from the link in order to gain access to the form page
/* end */
/* get SAML response climbing the redirects */
set goTo var to the link of the form page
do {
    send POST data (+ cookies) to the goTo page
    get cookies of the new page and saves them with the others
    set goTo to connection.getHeaderField("Location");
} while (!(responseCode==200));
read the source of the last redirect 
get the specific SAMLResponse
/* end */
send it to website.com/Shibboleth.sso/SAML2/POST
get cookies, session data

But afterward the response of the server is a 500 error code, or an on page error code ("Something went wrong. Retry."). In fact, I'm not able to gain the access to the session, even if I have a valid SAML assertion which I send (encoded) to the server. Is it a problem of session? Once I issued the POST request, I supposed that the server reconized me via cookies (JSESSIONID) and via querystring (/home.do;jsessionid=XXXFAEC60AXXX7A7B9XXXAA9EXXXE71X.jvm2c), but I think that maybe something went totally wrong.

How can I login into a SAML authenticated website via Java?

Another (marginal) problem: I performed all the request without encryption (https). Can this be a problem from the point of view of security (packets sniffing etc)?

Answer 1

Unfortunately I can't picture what is your exact problem. I can only redirect you to Shibboleth Web page , which can enlighten you in terms of shibboleth workflow. There is also documentation of SAML profiles (page 14 WB-SSO). I found it helpfull during extending my application with Single Logout Profile

As for lack of https... it's a major security leak. The purpose of using Shibbolethh or WBSSO at all is to grant maximum protection to both resources and confident user information. First of all you need secure login credential exchange with IdP. Secondly, if someone sniff signed (and maybe even encrypted) assertion, which idp sends back to your application, he may not be able to obtain user information from it (due to encryption) but he can access your secured service for as long as assertion is valid (5 min, 15 min or even sevral hours - depends on IdP configuration)

Edit 1: As for sample codes, check out Guanxi (Shibboleth implementation in Java), maybe you it will help you