Create SAML claim and sign response
I have a Java web application and I want to implement SAML Single Sign-On login for it. I have this onelogin GitHub program to submit a request and receive a response, but it was not working properly. I created one account there, but I don't have a business account. When I run the application, it goes to the onelogin login page. I tried to log in, but it doesn't return anything in the response, showing that I don't have permission. If I provide incorrect credentials as well, it does not give a SAML response.
So I decided to create a statement and sign it.
- Do I need to send a SAML request to the identity provider first?
- How do I create a SAML assertion example instead of going to the IdP? (How good is that?)
- Once I receive a SAML response, how can I sign it in the application and continue?
Thanks.
UPDATE 1
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="123" InResponseTo="abc" IssueInstant="2014-11-21T17:13:42.872Z"
                Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        user@example.com
      </saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2014-11-21T17:13:42.899Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
The first thing you need to do is read the SAML protocol. I have two blogs that I can recommend.
Then you can choose to integrate SAML in your application yourself or use a third-party application for the integration. Typical third-party applications are Shibboleth and OpenAM.
If you decide to build it into your application, you can use OpenSAML, for example. OpenSAML is a library that helps you work with SAML messages. I have several blogs on this subject and one book that is good to start with.
About your questions.
- You don't need to send a request. The IdP can start the process without being asked.
- OK, you can create it just by editing the one you found. You can also use OpenSAML to create an assertion.
- You don't sign the response in your application; the IdP signs the response. Signature verification is software-dependent. This is how you do it in OpenSAML.
You can also use java-saml from OneLogin to sign the response using its utility class (com.onelogin.saml2.util.Util). Note that loadCert and loadPrivateKey take the PEM text as a String, not raw bytes:
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.w3c.dom.Document;
import com.onelogin.saml2.util.Util;

// loads the XML string into a namespace-aware Document
Document document = Util.loadXML(saml);
// loads the certificate and private key from their PEM strings
X509Certificate cert = Util.loadCert(certPem);
PrivateKey privateKey = Util.loadPrivateKey(privateKeyPem);
// signs the Response element with an enveloped XML signature and returns the signed XML;
// a null algorithm falls back to the library default (RSA-SHA1 in 2.0.0), so pass Constants.RSA_SHA256 instead
String signedResponse = Util.addSign(document, privateKey, cert, null);
There is also an overload of addSign that takes a Node as its first parameter, which you can use to sign the Assertion inside the response rather than the whole Response.
Their Maven dependency:
<dependency>
<groupId>com.onelogin</groupId>
<artifactId>java-saml</artifactId>
<version>2.0.0</version>
</dependency>
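The two answers above describe the split that matters: the IdP signs the assertion, and your SP only verifies. The following is an added example (not from either answer, and not java-saml's or OpenSAML's code) that shows both halves using nothing but the JDK's built-in XMLDSig API (javax.xml.crypto.dsig), so you can see what Util.addSign does under the hood and, more importantly, what a correct verification has to check. The response is the one from the question with a constructed assertion ID, a hypothetical Issuer (https://idp.example.com) and a freshly generated RSA key standing in for the IdP's signing key; none of those come from the original post.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlSignDemo {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample: the response from the question plus the ID and Issuer an
    // assertion must carry for a signature Reference to point at it (IDs and issuer are made up).
    static final String RESPONSE =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"" + SAML + "\""
        + " ID=\"_r123\" InResponseTo=\"abc\" IssueInstant=\"2014-11-21T17:13:42.872Z\" Version=\"2.0\">"
        + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
        + "<saml:Assertion ID=\"_a456\" IssueInstant=\"2014-11-21T17:13:42.872Z\" Version=\"2.0\">"
        + "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        + "<saml:Subject><saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">"
        + "user@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // XMLDSig needs a namespace-aware DOM
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTDs, no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element assertionOf(Document doc) {
        Element a = (Element) doc.getElementsByTagNameNS(SAML, "Assertion").item(0);
        a.setIdAttribute("ID", true);  // lets URI="#_a456" resolve to this element
        return a;
    }

    // IdP side: enveloped RSA-SHA256 signature over the Assertion, inserted right after saml:Issuer.
    static String sign(Document doc, KeyPair idpKey) throws Exception {
        Element assertion = assertionOf(doc);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        List<Transform> transforms = List.of(
            fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
            fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        Reference ref = fac.newReference("#" + assertion.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null), transforms, null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        DOMSignContext ctx = new DOMSignContext(idpKey.getPrivate(), assertion,
            assertion.getElementsByTagNameNS(SAML, "Issuer").item(0).getNextSibling());
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, null).sign(ctx);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // SP side: exactly one Signature, a direct child of the Assertion, valid under the IdP key we
    // already trust (any KeyInfo in the message is ignored), whose single Reference is this Assertion's ID.
    static boolean verify(String signedXml, PublicKey idpKey) throws Exception {
        Document doc = parse(signedXml);
        Element assertion = assertionOf(doc);
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion) return false;
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;  // SignatureValue and every digest must check out
        List<?> refs = sig.getSignedInfo().getReferences();
        return refs.size() == 1 && ("#" + assertion.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair();  // stands in for the IdP's signing key
        String signed = sign(parse(RESPONSE), idpKey);
        System.out.println(signed);
        System.out.println("untouched response verifies: " + verify(signed, idpKey));
        // A relaying attacker cannot change the subject without breaking the digest over the Assertion.
        String tampered = signed.replace("user@example.com", "admin@example.com");
        System.out.println("tampered response verifies:  " + verify(tampered, idpKey));
    }
}
```

The checks in verify are the ones that matter for an SP: the signature must be validated against a key you already trust from the IdP's metadata rather than whatever KeyInfo the message carries, and the Reference URI must resolve to the very assertion you are about to log the user in with (and that Signature must sit directly under it), otherwise a second, unsigned assertion can be smuggled in next to a validly signed one. The tampered copy fails because the NameID is inside the signed Assertion, so its digest no longer matches. A production SP additionally checks Issuer, InResponseTo, Conditions (NotBefore/NotOnOrAfter, AudienceRestriction) and replays, which this example leaves out.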