2

I have a customer who wants to implement SSO using SAML2 assertion based approach. The customer will be the Identity Provider (IDP) and my application will effectively be the Service Provider (SP).

In the past I've implemented SSO solutions where the IDP was Oracle Access Manager and therefore we were provided with the idp.xml file which allowed us to configure our SP environment using the supplied Fedlet. This conveniently created a relevant WAR file which, when deployed, allowed me to distribute the sp.xml file to the customer who imported it into their IDP. This all worked fine and I understand the concepts i.e. We receive the initial request, the fedlet handles this and takes the user to the IDP where they authenticate, then they're passed back to our SP with a SAML response which the Fedlet allows us to parse and extract some data identifying the user. I then do what's required to sign them into our application.

However the current requirement is not using any backend framework to provide the IDP, they've stated that it's custom built one. They've given me the IDP URL and a cert file and are asking for our "AssertionConsumerServiceURL" and "AudienceURI".

The application which I'm enabling SSO for is largely Java based. My investigation so far has led me to Forgerock's OpenAM solution as well as Shibboleth's OpenSAML. However I'm struggling with the first step, essentially where do what I start building a custom SP application connecting to a third party IDP using OpenAM/Shibboleth/AnotherFramework.

Any pointers would be very useful.

Thanks, Lee

lee_mcmullen
  • 2,801
  • 32
  • 39

4 Answers4

1

Depends on what what you requirements are. OpenAM feldlet or Shibboleth i probably the best approach since you don't have to do so much coding on your own.

OpenSAML is a very low level toolkit for handling SAML messages. I would not recommend it if, not really needed.

As for the things they are asking for, the AssertionConsumerServiceURL is the service endpoint where you recieve your SSO SAML messages.

Defenition of AudienceURI is quite gray. Basically you send them an identifier, they include this in their messages and you validate that identifier is the same you gave them. I my self do not understand the difference between this and Destination...

I'm a bit surprised that they ask you for this. The standard way to do this first exchange of information is by SAML metadata documents.

Stefan Rasmusson
  • 5,445
  • 3
  • 21
  • 48
  • Hi Stefan, yes I too was surprised that they've asked to go about it this way. It seems to me that they've rolled their own IDP solution rather than use a readily available one (e.g. OpenAM etc) and their solution doesn't have the IDP metadata. So I've extracted the X509 certificate from the cert they sent and attempted to build the IDP metadata on their behalf. Then I've imported this into an OpenAM fedlet and deployed to Tomcat. They're attempting to run IDP initiated SSO but I'm getting "Issuer in Response is Invalid" which I'm now trying to troubleshoot. – lee_mcmullen Feb 20 '13 at 12:04
  • 1
    IPD initiated SSO? Not SP initiated? The problem with Issuer, is that the issuer in the SAML response must be the same as the entityID of you IDP. – Stefan Rasmusson Feb 20 '13 at 13:19
  • Thanks. I'd updated the entityID within the IDP metadata to what they advised the Issuer was going to be but they had since changed it (without letting me know!). So I updated the config to match again and now I'm getting "This service provider is not the intended audience". The SAMLResponse contains the saml:Audience element, presumably this needs to match something in my config somewhere, just going through everything to find out what. – lee_mcmullen Feb 20 '13 at 14:12
  • Just found this article (http://fusionsecurity.blogspot.co.uk/2011/08/5-minutes-or-less-on-saml-audiences.html) which suggests the element should match the "entityID" of my SP. So I'll get them to update that and give it a try. – lee_mcmullen Feb 20 '13 at 14:17
  • Yep, I don't thing it has to be the entity ID but its a normal way to do it. If you have any more questions i think its better to start a new question. Do you consider the question answered? – Stefan Rasmusson Feb 20 '13 at 14:23
  • Yep, updating the audience to match my SP entity ID sorted it. All working now. Thanks for your help. Marked as answered. – lee_mcmullen Feb 20 '13 at 15:07
0

As you may know OpenAM also provides the FedLet, which is a lightweight SAML2.0 SP implementation. If you want to do it all yourself you have to build an SAML2.0 SP yourself.

If you want to mess around with Spring you could also use Spring Security SAML2 extension ..'http://static.springsource.org/spring-security/site/extensions/saml/index.html'

Bernhard Thalmayr
  • 2,674
  • 1
  • 11
  • 7
  • Hi, yes I've gone down the OpenAM fedlet route but had to manually create the IDP metadata based on their cert which was a pain (see my comment on Stefan's answer above). Now trying to troubleshoot the fallout! In response to your other point about Spring, unfortunately this isn't on a Spring project. – lee_mcmullen Feb 20 '13 at 12:06
0

Why roll out those heavy SAML solutions? Have you taken a look at PingOne APS (Application Provider Services) or PingFederate from Ping Identity? You can implement APS in less than a day and you first customer config is free. Includes dashboard reporting, IDP self service functionality for config and a dead simple REST API integration for your application. [Note: I work for Ping.]

Ian
  • 4,227
  • 18
  • 19
  • Thanks Ian. I've never used your products so what benefit would using PingFederate give me over using the OpenAM fedlet? – lee_mcmullen Feb 20 '13 at 12:08
0

You can setup the Spring Security SAML Extension. The extension creates an AssertionConsumerServiceURL and if they want to access your metadata just as you are accessing theirs, they would just need to go to www.yourwebsite.com/saml/metadata and your SP metadata will be downloaded by them.

Calvin Raveenthran
  • 311
  • 2
  • 10