Create SAML Assertion and Sign the response
Question
I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin program to send request and get response. But it was not working properly. I created one account there. But I don't have an enterprise account. When I run the application, it is going to onelogin login page. I tried to login, but it is not returning anyuthing in the response, showing I don't have permission. If I provide wrong credentials also, it is not giving any SAML response.
So I decided to create an assertion and sign it.
- Do I need to send a SAML request to any identity provider first?
- How to create a sample SAML assertion instead of going to IdP( Like this is fine? )
- Once I get the SAML response, how do I sign it in my application and proceed?
Thanks
UPDATE 1
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="123" InResponseTo="abc" IssueInstant="2014-11-21T17:13:42.872Z"
Version="2.0">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
user@example.com
</saml:NameID>
</saml:Subject>
<saml:AuthnStatement AuthnInstant="2014-11-21T17:13:42.899Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
2 answers
solution1
5 2014-10-21 10:11:38
The first thing you need to do is to read up on the SAML protocol. I have two blogs I can recommend.
Next you can choose to build the SAML integration in your app or you can use a third party application to do the integration. Typical third party applications are Shibboleth and OpenAM .
If you decide to build it in to your application, you can for example use OpenSAML. OpenSAML is a library that helps to work with SAML messages. I have several blogs on the subject and one book that is good to start with
About your questions.
- You dont need to send a request. The IDP can start the process without a request.
- Well you can create one just by editing the one that you found. You can also use OpenSAML to create the assertion
- You do not sign the response in your application, the IDP signs the response. he signature verification depends on the software. Here is how you do it in OpenSAML
solution2
5 2017-09-01 12:42:49
You can also use Java Saml from Onelogin to sign the response using their utility class (com.onelogin.saml2.util.Util):
// loads xml string into Document
Document document = Util.loadXML(saml);
// loads certificate and private key from string
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);
// signs the response
String signedResponse = Util.addSign(document, privateKey, cert, null);
You can also use another .addSign method that takes Node as first parameter to sign the assertion of the SAML response.
Their Maven dependency is:
<dependency>
<groupId>com.onelogin</groupId>
<artifactId>java-saml</artifactId>
<version>2.0.0</version>
</dependency>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.