In a single sign-on system there are two roles: Service Providers (SP) and Identity Providers (IdP). The important characteristic of a single sign-on system is the pre-defined trust relationship between the service providers and the identity providers. Service providers trust the assertions issued by the identity providers, and the identity providers issue assertions based on the results of authentication and authorization of the principals who access services on the service provider's side.
The following are some of the advantages you can have with SSO:
...
The message MUST contain an element which uniquely identifies the service provider who created the message. Optionally the message may contain elements such as , etc. More information regarding the message can be found in the SAML Core Specification. The message MUST contain , , , , elements. The message MUST be integrity protected. More information regarding the message can be found in the SAML Core Specification.
The following diagram illustrates the scenario:
...
The complete source code can be checked out here.
<AuthnRequest> Message
To create an <AuthnRequest> message using the OpenSAML library:
...
To initiate IdP Initiated SSO you need to perform an HTTP GET/POST to the following URL (assume the registered service provider's Issuer ID is travelocityfoo.com):
https://localhost:9443/samlsso?spEntityID=travelocityfoo.com
This request will authenticate and redirect the user to the registered Assertion Consumer URL. Optionally you can send in a RelayState parameter as follows:
https://localhost:9443/samlsso?spEntityID=travelocityfoo.com&RelayState=http://localhost:8080/travelocityfoo.com/my-home.jsp
This request will authenticate the user and then redirect them to the URL given in the RelayState parameter.
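As an added example (not code from the original article), the following Python builds the IdP-initiated SSO URL shown above with RelayState properly URL-encoded, and shows the check a service provider should apply before honouring RelayState as a post-login redirect target, since the IdP sends the browser wherever that parameter points. The SSO endpoint and issuer are the article's sample values; the registered Assertion Consumer URL is an assumed value.

```python
# Added example, not from the original article: build the IdP-initiated SSO
# URL and validate a RelayState before the SP forwards the user to it.
from urllib.parse import urlencode, urlparse, parse_qs

SSO_ENDPOINT = "https://localhost:9443/samlsso"      # from the article
SP_ENTITY_ID = "travelocityfoo.com"                  # from the article
# Registered Assertion Consumer URL for this SP (assumed value for the example).
ACS_URL = "http://localhost:8080/travelocityfoo.com/home.jsp"


def build_idp_initiated_url(sp_entity_id, relay_state=None):
    """Return the IdP-initiated SSO URL; RelayState is URL-encoded when present."""
    params = {"spEntityID": sp_entity_id}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return SSO_ENDPOINT + "?" + urlencode(params)


def is_safe_relay_state(relay_state, acs_url=ACS_URL):
    """Accept a RelayState only if it stays on the SP's own origin.

    An SP that redirects to an unchecked RelayState becomes an open
    redirector. Only absolute http(s) URLs whose scheme, host and port match
    the registered ACS URL pass; scheme-relative ("//host/...") and non-http
    schemes ("javascript:") are rejected because urlparse yields an empty or
    unexpected scheme for them.
    """
    # SAML 2.0 Bindings limit RelayState to 80 bytes.
    if not relay_state or len(relay_state.encode()) > 80:
        return False
    target = urlparse(relay_state)
    acs = urlparse(acs_url)
    if target.scheme not in ("http", "https"):
        return False
    # netloc comparison covers both host and port.
    return target.scheme == acs.scheme and target.netloc == acs.netloc


def relay_state_from_url(url):
    """Extract the decoded RelayState from an SSO URL (None if absent)."""
    values = parse_qs(urlparse(url).query).get("RelayState")
    return values[0] if values else None
```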
...