Create SAML claim and sign response

I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have this onelogin GitHub program to submit a request and receive a response. But it was not working properly. I created one account there. But I don't have a business account. When I run the application, it goes to the onelogin login page. I tried to log in, but it doesn't return anything in the response, showing that I don't have permission. If I provide incorrect credentials as well, it does not give a SAML response.

So I decided to create a statement and sign it.

  • Do I need to send a SAML request to the identity provider first?
  • How to create a SAML assertion example instead of going to the IdP (how good is that?)
  • Once I receive a SAML response, how can I sign it in the application and continue?

Thanks.

UPDATE 1

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="123" InResponseTo="abc" IssueInstant="2014-11-21T17:13:42.872Z" 
  Version="2.0">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                user@example.com
            </saml:NameID>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2014-11-21T17:13:42.899Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>


+3




2 answers


The first thing you need to do is read the SAML protocol. I have two blogs that I can recommend.

Then you can choose to integrate SAML in your application or use a third-party application for integration. Typical 3rd-party applications: Shibboleth and OpenAM.



If you decide to create it in your application, you can use OpenSAML, for example. OpenSAML is a library that helps you work with SAML messages. I have several blogs on this subject and one book that is good to start with.

About your questions.

  • You don't need to submit a request. The IdP can start the process without being asked.
  • OK, you can create it just by editing the one you found. You can also use OpenSAML to create an assertion.
  • You don't sign the response in your application; the IdP signs the response. Signature verification is software-dependent. This is how you do it in OpenSAML.
+5




You can also use java-saml from OneLogin to sign the response using its utility class (com.onelogin.saml2.util.Util):

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.w3c.dom.Document;
import com.onelogin.saml2.util.Util;

// loads the XML string into a DOM Document
Document document = Util.loadXML(saml);

// loads the certificate and private key; both are PEM-encoded strings
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);

// signs the response; a null algorithm selects the library's default signature algorithm
String signedResponse = Util.addSign(document, privateKey, cert, null);


You can also use another .addSign method that takes a Node as the first parameter to sign the SAML response assertion.



Their Maven dependency:

<dependency>
    <groupId>com.onelogin</groupId>
    <artifactId>java-saml</artifactId>
    <version>2.0.0</version>
</dependency>


+1

