...

See Configuring SAML2 SSO for a sample on how this can be set up.

Single Sign On In Reality

Single Sign On is widely used in web technologies. Google is one of the best examples.

...

Single Sign On (SSO) allows you to sign in only once but provides access to multiple resources without having to re-enter your username and password.

SAML 2.0 Web Browser Based SSO Profile

SAML 2.0 Web Browser based SSO profile is defined under the SAML 2.0 Profiles specification. SAML 2.0 provides five main specifications:

...

The <AuthnRequest> message MUST contain an <Issuer> element, which uniquely identifies the service provider that created the message. Optionally the message may contain further elements. More information regarding the <AuthnRequest> message can be found in the SAML Core Specification.

The <Response> message MUST contain , , , , elements. The message MUST be integrity protected (signed), so that the service provider can verify that it was issued by the identity provider and was not altered in transit. More information regarding the <Response> message can be found in the SAML Core Specification. The following diagram illustrates the scenario:


SAML 2.0 SSO Assertion Consumers

Service providers act as SAML assertion consumers. They have two basic functions:

...

The complete source code can be checked out here.

<AuthnRequest> Message

To create an <AuthnRequest> message using the OpenSAML library:

  1. Add the OpenSAML library to the build path of the project. You can download the OpenSAML JAR file from here.
  2. A sample <AuthnRequest> message can be found here.
  3. According to the SAML 2.0 specification, the <AuthnRequest> message must contain an <Issuer> element. Create the Issuer element first.

    Code Block
    // Initialise OpenSAML once before using any builder or marshaller
    // (registers the object providers; throws ConfigurationException on failure)
    DefaultBootstrap.bootstrap();

    // the issuerUrl is the URL of the service provider that generates the <AuthnRequest> message
    String issuerUrl = "http://localhost:8080/saml2.demo/consumer";
    IssuerBuilder issuerBuilder = new IssuerBuilder();
    // <Issuer> belongs to the assertion namespace, so its conventional prefix is "saml", not "samlp"
    Issuer issuer = issuerBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "saml");
    issuer.setValue(issuerUrl);
  4. Create the <AuthnRequest> next.

    Code Block
    DateTime issueInstant = new DateTime();
    AuthnRequestBuilder authnRequestBuilder = new AuthnRequestBuilder();
    AuthnRequest authnRequest = authnRequestBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
    authnRequest.setForceAuthn(Boolean.FALSE);
    authnRequest.setIsPassive(Boolean.FALSE);
    authnRequest.setIssueInstant(issueInstant);
    authnRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
    // the identity provider will POST the <Response> back to this URL
    authnRequest.setAssertionConsumerServiceURL(issuerUrl);
    authnRequest.setIssuer(issuer);
    // the ID must be unique and unguessable; keep it so the InResponseTo of the <Response> can be checked against it
    String requestId = new SecureRandomIdentifierGenerator().generateIdentifier();
    authnRequest.setID(requestId);
    authnRequest.setVersion(SAMLVersion.VERSION_20);


    The <AuthnRequest> message may contain many other optional elements; they can be created and added to the message in the same way.

  5. Next encode the message.

    Code Block
    // Serialise the <AuthnRequest> to DOM and then to a string
    Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(authnRequest);
    Element authDOM = marshaller.marshall(authnRequest);

    StringWriter rspWrt = new StringWriter();
    XMLHelper.writeNode(authDOM, rspWrt);
    String requestMessage = rspWrt.toString();

    // HTTP-Redirect binding: raw DEFLATE (nowrap = true, i.e. no zlib header), then Base64, then URL-encode
    Deflater deflater = new Deflater(Deflater.DEFLATED, true);
    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
    DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(byteArrayOutputStream, deflater);
    deflaterOutputStream.write(requestMessage.getBytes("UTF-8"));
    deflaterOutputStream.close();

    /* Base64-encode the compressed message on a single line */
    String encodedRequestMessage = Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);
    /* URL-encode it so it survives as a query-string parameter ('+', '/' and '=' are not safe there) */
    String encodedAuthnRequest = URLEncoder.encode(encodedRequestMessage, "UTF-8").trim();
  6. Construct the redirection URL.

    Panel

    // use the URL-encoded form, not the plain Base64 string
    redirectionUrl = identityProviderUrl + "?SAMLRequest=" + encodedAuthnRequest;

  7. Redirect the user to the identity provider.

    Panel

    response.sendRedirect(redirectionUrl);
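The whole procedure above (build the <AuthnRequest>, encode it for the HTTP-Redirect binding, assemble the redirect URL), together with the inverse that an identity provider or a tester performs on a captured SAMLRequest parameter, as an added Python example. It is not the page's OpenSAML code and not part of the WSO2 sample project; the identity provider URL and the set of registered assertion consumer service URLs are assumptions of the example. The check at the end applies the message requirements stated earlier (ID, Version, IssueInstant and <Issuer> present) and one check the identity provider must make beyond them: the AssertionConsumerServiceURL has to be one registered for that issuer, otherwise the <Response> would be delivered to an attacker-chosen endpoint.

```python
"""Build, redirect-encode, decode and sanity-check a SAML 2.0 <AuthnRequest>.

Added example; not the page's OpenSAML code. All URLs are hypothetical.
"""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_authn_request(issuer_url, acs_url, request_id=None, issue_instant=None):
    """Return a minimal <samlp:AuthnRequest> (same fields the OpenSAML steps set) as an XML string."""
    # ID must be unique and unguessable: the SP stores it and later matches InResponseTo in the <Response>
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "ForceAuthn": "false",
        "IsPassive": "false",
        "ProtocolBinding": HTTP_POST_BINDING,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer_url  # REQUIRED: identifies the SP
    return ET.tostring(req, encoding="unicode")


def encode_redirect_param(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header) -> Base64 -> URL-encode."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw deflate, like Deflater(..., nowrap=true)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return quote(b64, safe="")  # '+', '/' and '=' must be escaped inside a query string


def build_redirect_url(idp_sso_url, xml_text):
    """Equivalent of step 6 above: the URL the browser is redirected to."""
    return idp_sso_url + "?SAMLRequest=" + encode_redirect_param(xml_text)


def decode_redirect_url(redirect_url):
    """Inverse: pull SAMLRequest out of a redirect URL and inflate it back to XML."""
    param = parse_qs(urlsplit(redirect_url).query)["SAMLRequest"][0]  # parse_qs already URL-decodes
    return zlib.decompress(base64.b64decode(param), wbits=-15).decode("utf-8")


def check_authn_request(xml_text, allowed_acs_urls):
    """Checks an IdP applies: required fields present, and the ACS URL is one registered for this SP.

    allowed_acs_urls models the IdP's SP registration (an assumption of this example). Production code
    should parse untrusted XML with a hardened parser (e.g. defusedxml) rather than plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            raise ValueError(f"missing required attribute {attr}")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version " + root.get("Version"))
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("missing <Issuer>")
    acs = root.get("AssertionConsumerServiceURL")
    # An unregistered ACS URL would make the IdP hand the user's assertion to an attacker-chosen endpoint
    if acs is not None and acs not in allowed_acs_urls:
        raise ValueError("AssertionConsumerServiceURL is not registered for this issuer")
    return {"ID": root.get("ID"), "Issuer": issuer.text.strip(),
            "IssueInstant": root.get("IssueInstant"), "AssertionConsumerServiceURL": acs}


if __name__ == "__main__":
    sp = "http://localhost:8080/saml2.demo/consumer"   # the consumer URL used on this page
    idp = "https://idp.example.test/samlsso"            # hypothetical IdP SSO endpoint
    url = build_redirect_url(idp, build_authn_request(sp, sp))
    print(url)
    print(check_authn_request(decode_redirect_url(url), {sp}))
```

Like the Java on this page, the request produced here is unsigned. If the identity provider is configured to require signed requests, note that with the HTTP-Redirect binding the signature is not embedded in the XML but carried in separate SigAlg and Signature query parameters computed over the encoded SAMLRequest, so it must be added after the encoding step, not before it.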

<Response> Message

To read the <Response> message issued by the WSO2 Identity Server:

...