Create SAML Assertion and Sign the response

Question

I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin program to send request and get response. But it

Answer 1

The first thing you need to do is to read up on the SAML protocol. I have two blogs I can recommend.

• Intro to SAML

• Intro to the Web Profile

Next you can choose to build the SAML integration in your app or you can use a third party application to do the integration. Typical third party applications are Shibboleth and OpenAM.

If you decide to build it in to your application, you can for example use OpenSAML. OpenSAML is a library that helps to work with SAML messages. I have several blogs on the subject and one book that is good to start with

About your questions.

1. You dont need to send a request. The IDP can start the process without a request.
2. Well you can create one just by editing the one that you found. You can also use OpenSAML to create the assertion
3. You do not sign the response in your application, the IDP signs the response. he signature verification depends on the software. Here is how you do it in OpenSAML

Answer 2

You can also use Java Saml from Onelogin to sign the response using their utility class (com.onelogin.saml2.util.Util):

// loads xml string into Document
Document document = Util.loadXML(saml);

// loads certificate and private key from string
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);

// signs the response
String signedResponse = Util.addSign(document, privateKey, cert, null);

You can also use another .addSign method that takes Node as first parameter to sign the assertion of the SAML response.

Their Maven dependency is:

<dependency>
    <groupId>com.onelogin</groupId>
    <artifactId>java-saml</artifactId>
    <version>2.0.0</version>
</dependency>