
Implementing SAML Assertion

I have a Java Web Application and I want to serve it as a Service Provider and implement SAML. I am not sure about the workflow of how to do it.

I have read this SO question and am still not able to understand it completely. In the question they are saying they need to send a request to the IDP, called an Assertion if I am right.

How do I create an assertion? I saw the sample there. But where do I pass the login credentials with that?

Also, how do I register my application with the IDP, and do I need to install some certificate given by the IDP for that? What is the workflow?

Thanks

Typically you use some kind of third party software to provide SAML integration. Examples of this are OpenAM and Shibboleth. It is a good idea to use software like this because SAML is a complex protocol and it is easy to make mistakes, leaving your solution vulnerable.

I have a blog post on SAML and the workflow you can have a look at.
This one about SAML and this one about the SAML Web profile flow that you want.

If you insist on doing the whole integration yourself in code, OpenSAML is one library you can use. This will require you to have a good understanding of SAML. My book, A Guide to OpenSAML, gives a good introduction to SAML and the OpenSAML library.

I also have some blog posts on OpenSAML.

About your questions. The Assertion is something that is sent to you from the IDP; this is the proof of an authentication of a user. What you need to do is to send an AuthnRequest to the IDP to start an authentication.

The registration on the IDP depends completely on what software is used to implement SAML on the IDP side. Usually it involves you sending a SAML Metadata XML to the IDP. This is a configuration file containing certificates, endpoints and more. Here is a post on SAML Metadata.
In return the IDP sends you metadata that you use to communicate with it.
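The two halves of the flow the answer describes, as an added illustration that is not part of the original question or answer and is not OpenSAML code: the Service Provider builds an AuthnRequest for the IdP, and when the IdP's Response comes back the SP checks the Assertion it contains before treating the user as authenticated. It uses only the Python standard library; the entity IDs, URLs, request IDs and the sample Response are constructed placeholders. The signature check only tests that a Signature element is present on the Assertion; a real SP must verify that signature cryptographically with an XML-DSig library against the IdP certificate from the metadata exchange before trusting anything in the assertion.

```python
"""SP-side SAML 2.0 Web SSO helpers (added example, stdlib only)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _attr(value):
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issue_instant):
    """Step 1: the SP builds an AuthnRequest; for the HTTP-POST binding it is
    base64-encoded into a form field named SAMLRequest. The SP must remember
    request_id so it can match the IdP's InResponseTo later."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="{id}" '
           'Version="2.0" IssueInstant="{ts}" Destination="{dest}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           'AssertionConsumerServiceURL="{acs}"><saml:Issuer>{issuer}</saml:Issuer>'
           '</samlp:AuthnRequest>').format(
        samlp=NS["samlp"], saml=NS["saml"], id=_attr(request_id), ts=issue_instant,
        dest=_attr(idp_sso_url), acs=_attr(acs_url), issuer=escape(sp_entity_id))
    return base64.b64encode(xml.encode()).decode()


def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(response_xml, idp_entity_id, sp_entity_id, acs_url,
                      outstanding_request_ids, seen_assertion_ids, now,
                      skew=dt.timedelta(seconds=120)):
    """Step 2: checks the SP makes on the IdP's Response. Returns a list of
    failure reasons; an empty list means the assertion passed every check."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match our ACS URL")
    in_resp = root.get("InResponseTo")
    if in_resp not in outstanding_request_ids:  # unsolicited or stale response
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion (encrypted assertions not handled here)"]
    if assertion.find("ds:Signature", NS) is None:  # presence only; verify with xmlsec in practice
        problems.append("assertion is not signed")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append("unexpected Issuer %r" % issuer)
    if assertion.get("ID") in seen_assertion_ids:  # one-time use of bearer assertions
        problems.append("assertion ID already seen (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:  # assertion was issued for some other SP
            problems.append("we are not in the AudienceRestriction")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") != in_resp:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired")
    return problems


# Constructed sample Response (not from any real IdP); the Signature is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
 Destination="https://sp.example.com/saml/acs" InResponseTo="_req1">
 <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
     InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)
    print(validate_response(SAMPLE_RESPONSE, "https://idp.example.com/idp", "https://sp.example.com",
                            "https://sp.example.com/saml/acs", {"_req1"}, set(), now))
```

The checks mirror what an SP library such as OpenSAML performs for you: status, Destination, InResponseTo, Issuer, validity window with a small clock skew, AudienceRestriction, SubjectConfirmationData and a replay cache of assertion IDs. Skipping any one of them is the kind of mistake the answer warns about.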
