
I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin program to send the request and get the response. But it was not working properly. I created one account there. But I don't have an enterprise account. When I run the application, it goes to the onelogin login page. I tried to log in, but it is not returning anything in the response, showing I don't have permission. If I provide wrong credentials also, it is not giving any SAML response.

So I decided to create an assertion and sign it.

  1. Do I need to send a SAML request to any identity provider first?
  2. How to create a sample SAML assertion instead of going to the IdP (like this is fine?)
  3. Once I get the SAML response, how do I sign it in my application and proceed?

Thanks

UPDATE 1

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="123" InResponseTo="abc" IssueInstant="2014-11-21T17:13:42.872Z" 
  Version="2.0">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                user@example.com
            </saml:NameID>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2014-11-21T17:13:42.899Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

2 Answers


You can also use Java Saml from Onelogin to sign the response using their utility class (com.onelogin.saml2.util.Util):

import org.w3c.dom.Document;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import com.onelogin.saml2.util.Util;

// loads xml string into Document
Document document = Util.loadXML(saml);

// loads certificate and private key from string (PEM text)
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);

// signs the response (last argument is the signature algorithm; null selects the default)
String signedResponse = Util.addSign(document, privateKey, cert, null);

You can also use another .addSign method that takes Node as first parameter to sign the assertion of the SAML response.

Their Maven dependency is:

<dependency>
    <groupId>com.onelogin</groupId>
    <artifactId>java-saml</artifactId>
    <version>2.0.0</version>
</dependency>
shimon001

The first thing you need to do is to read up on the SAML protocol. I have two blogs I can recommend.

Next you can choose to build the SAML integration in your app or you can use a third party application to do the integration. Typical third party applications are Shibboleth and OpenAM.

If you decide to build it into your application, you can for example use OpenSAML. OpenSAML is a library that helps to work with SAML messages. I have several blogs on the subject and one book that is good to start with.

About your questions.

  1. You don't need to send a request. The IDP can start the process without a request.
  2. Well, you can create one just by editing the one that you found. You can also use OpenSAML to create the assertion.
  3. You do not sign the response in your application; the IDP signs the response. The signature verification depends on the software. Here is how you do it in OpenSAML.
so-random-dude
Stefan Rasmusson
  • OK. So I can hard code the XML String as in the other example as the SAML assertion. That I don't need to sign. Then how can I validate it? I haven't stored any certificate in the keystore. –  Oct 21 '14 at 10:24
  • I don't know what the XML string is. You validate using a certificate. This you can get from a file or from the SAML metadata. – Stefan Rasmusson Oct 21 '14 at 11:30
  • Please see the **Update 1**. The assertion I copied from another SO question. How to validate? Do I need to install a certificate before validating? –  Oct 21 '14 at 11:39
  • Well, the Assertion you posted is not signed, so you do not need to validate. You will need the certificate. How it is used or if you need to install it depends on the software you use. – Stefan Rasmusson Oct 21 '14 at 11:42
  • Sorry, don't get it. I am not using any software. –  Oct 21 '14 at 11:47
  • You need some code or software to do validation. If you start using OpenSAML you can use the link I provided in my answer. – Stefan Rasmusson Oct 21 '14 at 12:21
  • Ok. But first I need to install the certificate, right? I have a sample certificate I downloaded with extension **.cer**. Is there any link or sample code on how to store that in the keystore and update the public key so that I can validate it against the SAML assertion and then get attributes like user-id and email? –  Oct 21 '14 at 12:25
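The two halves of this thread, signing an Assertion (what shimon001's answer does with java-saml's Util.addSign) and verifying it on the SP side with the IdP's certificate (what Stefan Rasmusson's answer and the comments about the .cer file are getting at), as one added example. It is not code from the question, either answer, java-saml or OpenSAML: it uses only the JDK's own XML-DSig API (javax.xml.crypto.dsig, Java 11 or later). It takes the sample Response from Update 1 with one assumed addition, an ID="_a1" attribute on the Assertion, because a signature Reference needs an ID to point at and the posted snippet has none. A freshly generated RSA key pair stands in for the IdP's key; publicKeyFromCer shows how the SP would instead load the downloaded .cer. The verification side does two things the comments did not cover: it takes the trusted key from configuration rather than from the message's KeyInfo, and it checks that the signature's single Reference covers the very Assertion whose NameID is about to be trusted.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlSignDemo {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Constructed sample: the Response from Update 1, with an assumed ID="_a1" on the Assertion
    // (a signature Reference needs an ID to point at; the posted snippet has none).
    static final String SAMPLE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<samlp:Response xmlns:samlp=\"" + SAMLP_NS + "\" ID=\"123\" InResponseTo=\"abc\""
        + " IssueInstant=\"2014-11-21T17:13:42.872Z\" Version=\"2.0\">"
        + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
        + "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_a1\" Version=\"2.0\">"
        + "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        + "</saml:Assertion></samlp:Response>";

    // Namespace-aware parser that refuses DOCTYPEs, so a received response cannot pull in external entities
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // First Assertion in the document, with its ID attribute registered so "#_a1" references resolve
    static Element assertion(Document doc) {
        Element a = (Element) doc.getElementsByTagNameNS(SAML_NS, "Assertion").item(0);
        a.setIdAttribute("ID", true);
        return a;
    }

    // IdP side: enveloped RSA-SHA256 signature over the Assertion, inserted before saml:Subject
    static void signAssertion(Document doc, KeyPair idpKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element a = assertion(doc);
        Reference ref = fac.newReference("#" + a.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                    fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        XMLSignature sig = fac.newXMLSignature(si, kif.newKeyInfo(List.of(kif.newKeyValue(idpKey.getPublic()))));
        sig.sign(new DOMSignContext(idpKey.getPrivate(), a, a.getFirstChild()));
    }

    // SP configuration: the trusted IdP key comes from the downloaded .cer (DER or PEM), never from the message
    static PublicKey publicKeyFromCer(InputStream cer) throws Exception {
        return ((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(cer)).getPublicKey();
    }

    // SP side: validate with the trusted key, and insist that the single Reference covers this very Assertion,
    // so an unsigned Assertion placed elsewhere in the document cannot be mistaken for the signed one
    static boolean verifyAssertion(Document doc, PublicKey trustedIdpKey) throws Exception {
        Element a = assertion(doc);
        NodeList sigs = a.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != a) return false;
        DOMValidateContext ctx = new DOMValidateContext(trustedIdpKey, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;
        List<?> refs = sig.getSignedInfo().getReferences();
        return refs.size() == 1 && ((Reference) refs.get(0)).getURI().equals("#" + a.getAttribute("ID"));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair();    // stand-in for the IdP's signing key
        KeyPair other = kpg.generateKeyPair();  // some unrelated key

        Document doc = parse(SAMPLE);
        signAssertion(doc, idp);
        System.out.println("IdP key, untouched: " + verifyAssertion(doc, idp.getPublic()));
        System.out.println("wrong key:          " + verifyAssertion(doc, other.getPublic()));
        doc.getElementsByTagNameNS(SAML_NS, "NameID").item(0).setTextContent("someone.else@example.com");
        System.out.println("IdP key, tampered:  " + verifyAssertion(doc, idp.getPublic()));
    }
}
```

In a deployment the keystore question from the last comment goes away: the SP does not need to import the IdP certificate into a keystore, it only needs the public key out of it (publicKeyFromCer, or the certificate from the IdP's SAML metadata), kept in its own configuration and passed to DOMValidateContext. Reading the key out of the message's own KeyInfo would let anyone who can produce a self-signed response pass verification, which is why the example never looks at KeyInfo on the verifying side.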