
I am testing SSO with SP (Spring-SAML) and IDP (WSO2IS). They are working fine in the browser.

Now I want to bring it to a Java standalone application. Providing user credentials and the SP URL, a user can then log in to the application and access the SP. To implement this, basically I need to use HTTPClient (for handling cookies, POST, redirects, auto-POST) and follow the SAML message flow as it happens in the browser.

I would like to know the most efficient way to do it. Is there any library or example?

Your help is highly appreciated.

Rocherlee
  • This seems like a clumsy way to use SAML. Why do you want to do this, what is the purpose of the application? – Stefan Rasmusson Nov 25 '14 at 11:24
  • Actually the standalone application does not require SSO feature. Because IDP has user data store, the application wants to validate users via IDP and let them use SP to which they can perform some REST requests. Is there a better approach? – Rocherlee Nov 25 '14 at 15:14
  • Ok, the best would be if the IDP implemented some other protocol to use, because this is not really optimal. But in the absence of better solutions you could try to search for some headless browser to use in your code – Stefan Rasmusson Nov 25 '14 at 21:56
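As an added example (not part of the question, the answer or either project's code), here is the "Auto-POST" hop of the flow described above, done with the JDK's own java.net.http.HttpClient (JDK 11 or later) rather than a headless browser. After the IdP accepts the credentials it returns an HTML page whose form a browser submits on load; a headless client has to pull the form action and hidden fields out of that page and POST them to the SP's Assertion Consumer Service (ACS) itself. The example also adds the check a practitioner would want before relaying: both the form action and the Destination attribute inside the decoded SAMLResponse must equal the ACS URL the client was configured with, so a tampered login page cannot make the client hand the assertion to another host. The class name, method names, the host sp.example.com, the ACS path and the sample response built in main() are all constructed for this example; a real WSO2IS response is signed and much larger, but the form has the same shape. Signature validation is deliberately left where it belongs, at the SP.

```java
import java.net.CookieManager;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class SamlAutoPostRelay {

    /** Parsed auto-POST page: the form action (should be the SP's ACS) plus its hidden fields. */
    static final class AutoPostForm {
        final URI action;
        final Map<String, String> fields;
        AutoPostForm(URI action, Map<String, String> fields) { this.action = action; this.fields = fields; }
    }

    // Narrow regexes: enough for the single-form page an IdP emits, not a general HTML parser.
    static final Pattern FORM_ACTION = Pattern.compile("<form[^>]*\\saction=[\"']([^\"']+)[\"']", Pattern.CASE_INSENSITIVE);
    static final Pattern HIDDEN_INPUT = Pattern.compile("<input[^>]*\\stype=[\"']hidden[\"'][^>]*>", Pattern.CASE_INSENSITIVE);
    static final Pattern ATTR_NAME = Pattern.compile("\\sname=[\"']([^\"']*)[\"']", Pattern.CASE_INSENSITIVE);
    static final Pattern ATTR_VALUE = Pattern.compile("\\svalue=[\"']([^\"']*)[\"']", Pattern.CASE_INSENSITIVE);
    static final Pattern DESTINATION = Pattern.compile("\\sDestination=\"([^\"]+)\"");

    static String htmlUnescape(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"").replace("&amp;", "&");
    }

    /** Extracts what the browser would submit automatically: the ACS URL and every hidden field. */
    static AutoPostForm parseAutoPostForm(String html) {
        Matcher action = FORM_ACTION.matcher(html);
        if (!action.find()) throw new IllegalStateException("no <form action=...> in IdP response; login probably failed");
        Map<String, String> fields = new LinkedHashMap<>();
        Matcher input = HIDDEN_INPUT.matcher(html);
        while (input.find()) {
            Matcher name = ATTR_NAME.matcher(input.group());
            Matcher value = ATTR_VALUE.matcher(input.group());
            if (name.find() && value.find()) fields.put(name.group(1), htmlUnescape(value.group(1)));
        }
        if (!fields.containsKey("SAMLResponse")) throw new IllegalStateException("form carries no SAMLResponse field");
        return new AutoPostForm(URI.create(htmlUnescape(action.group(1))), fields);
    }

    /**
     * Form action and the response's Destination must both be the ACS this client was configured
     * with; otherwise a tampered login page could redirect the assertion elsewhere. The XML
     * signature is still verified by the SP, never by this client.
     */
    static void checkDestination(AutoPostForm form, URI expectedAcs) {
        if (!form.action.equals(expectedAcs)) throw new SecurityException("form posts to " + form.action + ", expected " + expectedAcs);
        // HTTP-POST binding carries the response as plain base64 (no deflate); some IdPs wrap the lines.
        String xml = new String(Base64.getMimeDecoder().decode(form.fields.get("SAMLResponse")), StandardCharsets.UTF_8);
        Matcher dest = DESTINATION.matcher(xml);
        if (!dest.find() || !URI.create(dest.group(1)).equals(expectedAcs)) throw new SecurityException("SAMLResponse Destination does not match " + expectedAcs);
    }

    /** Re-posts the fields to the ACS as a browser would; the client's CookieManager keeps the SP session cookie. */
    static HttpResponse<String> relay(HttpClient client, AutoPostForm form) throws Exception {
        String body = form.fields.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
        HttpRequest post = HttpRequest.newBuilder(form.action)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        return client.send(post, HttpResponse.BodyHandlers.ofString());
    }

    static HttpClient newClient() {
        return HttpClient.newBuilder()
                .cookieHandler(new CookieManager())           // keep IdP and SP session cookies across hops
                .followRedirects(HttpClient.Redirect.NORMAL)  // follow the SP -> IdP -> SP redirects
                .build();
    }

    public static void main(String[] args) {
        // Constructed stand-in for the page the IdP returns after a successful login (not real WSO2IS output).
        URI acs = URI.create("https://sp.example.com/saml/SSO");
        String response = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
                + "ID=\"_ex1\" Version=\"2.0\" Destination=\"" + acs + "\"/>";
        String encoded = Base64.getEncoder().encodeToString(response.getBytes(StandardCharsets.UTF_8));
        String html = "<html><body onload=\"document.forms[0].submit()\">"
                + "<form method=\"post\" action=\"" + acs + "\">"
                + "<input type=\"hidden\" name=\"SAMLResponse\" value=\"" + encoded + "\"/>"
                + "<input type=\"hidden\" name=\"RelayState\" value=\"/app?x=1&amp;y=2\"/>"
                + "</form></body></html>";
        AutoPostForm form = parseAutoPostForm(html);
        checkDestination(form, acs);
        System.out.println("would POST " + form.fields.keySet() + " to " + form.action);
        // Against a live setup: HttpResponse<String> r = relay(newClient(), form); then reuse that client for the REST calls.
    }
}
```

The steps before this hop (GET the SP URL, follow the redirect to the IdP, POST the credentials to the login form) use the same client so the IdP's session cookie is sent along; the code above only covers the part that a plain HTTP client does not get for free, the form a browser would have submitted by itself. Scripting the flow this way still binds the client to username/password login at the IdP, which is the limitation raised in the comments below.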

1 Answer


I managed to create a relatively simple solution using the HtmlUnit headless browser. In my case I had to download a PDF file from a website which required SAML authentication.

import com.gargoylesoftware.htmlunit.UnexpectedPage;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.*;
import java.io.InputStream;
import org.apache.commons.io.IOUtils;

...

private static byte[] samlAuthenticateAndDownloadFile(String url, String username, String password) throws Exception {
    byte[] fileBytes;
    // WebClient keeps cookies, follows redirects and runs page JavaScript, so the
    // SP -> IdP redirect and the IdP's auto-submitting SAMLResponse form behave as in a browser.
    try (final WebClient webClient = new WebClient()) {
        // Requesting the protected URL ends up on the IdP login page after the redirect.
        final HtmlPage loginPage = webClient.getPage(url);

        // Assumes the login page has a single form with these field names.
        final HtmlForm loginForm = loginPage.getForms().get(0);

        final HtmlSubmitInput button = loginForm.getInputByName("login");
        final HtmlTextInput usernameField = loginForm.getInputByName("username");
        final HtmlPasswordInput passwordField = loginForm.getInputByName("password");

        usernameField.setValueAttribute(username);
        passwordField.setValueAttribute(password);

        // Submitting logs in at the IdP; the SAMLResponse form is auto-posted to the SP and the
        // final response is the PDF. Non-HTML content arrives as UnexpectedPage; if the SP
        // returned an HTML error page instead, this assignment would fail with a ClassCastException.
        final UnexpectedPage pdfPage = button.click();

        InputStream inputStream = pdfPage.getInputStream();

        fileBytes = IOUtils.toByteArray(inputStream);
    }

    return fileBytes;
}
jgosar
  • that's an anti-pattern that locks the authentication down to username/password only and defeats one of the primary purposes of SAML; it is also very brittle since it may work with your current SAML provider software but may break on upgrades or changes, which is beside the point of implementing/using a standard – Hans Z. Aug 26 '16 at 06:00