0

I have an application using Netty 4.x framework that functions as some kind of server. The authentication must be federated, so now I need to convert it to a SAML2.0 Service Provider.

I did some research, and my concern is that in order to use existing SAML2.0 solutions, i.e. OpenAM, PingFederate, the Service Provider has to be a web application running in some kind of web container, which, is not the case in my project. Is this true?

I am very new to the Single-sign On and Federation world, I'd truly appreciate any information and tip offered.

user3466814
  • 15
  • 1
  • 3

1 Answers1

0

SAML in general uses the browser to keep a common "session" between two sites.

This is done as follows:

  • One site A.org starts a session A in the browser.
  • It sees there is no SAML authentication, and posts to the SAML identity provider. Via the browser with automatic form submission (JavaScript),
  • The identity provider sees there is no SSO session, does a login form
  • After login form it posts back to the site A.org with an SSO session ID (so to say).
  • If the same browser now on Site B.net starts a new session B, it again posts to the SAML identity provider, which now has an existing SSO session ID to return.

The form posted to the SAML identity provider is automatically posted back, and the returned authentification is also an automatically posted form.A kinde of cross-site scripting.

A SAML servlet filter could accept this result and put a UserPrinciepal in the application request.

The configuration is not too difficult. You need your own unique key pair for your "server",

All-in-all it was rather time consuming. It helped to set up ones own Identity Provider too. Apache Shiro, a security solution outside the Java EE server world, did not have a SAML solution at the time I worked on SAML.

If you got a demo IdP and SP running, it should not be too difficult to short-cut everything. Maybe using FireFox with the TamperData add-on to inspect the communication.

Arjan Tijms
  • 37,782
  • 12
  • 108
  • 140
Joop Eggen
  • 107,315
  • 7
  • 83
  • 138
  • Thanks for your excellent explanation, Joop. My questions: 1. I assume that this "SAML servlet filter" working on the SP side, but my Netty application cannot be a servlet, so it seems that I have to have a separate module for this purpose. Do you know what would be the common practice to do this? 2. I do have access to the IdP, the problem I am trying to solve is how to get my application functioning as a SP. – user3466814 Jun 24 '14 at 15:20
  • If you indeed to do it yourself, having a working IdP / SP1 / SP2 helps. The data exchange is probably simple, copying it as template and using apache HttpClient to post a filled in text should be simple. _(It still does need developing perseverance.)_ – Joop Eggen Jun 24 '14 at 15:54