opensaml

I implement a SAML 2.0 SP. I have a login servlet with endpoint https://my.domain.com/mng/samlLogin , so in the SP metadata file I define: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.domain.com/mng/samlLogin" index="0" isDefault="true"/> And send this endpoint in the AuthenRequest under the AssertionConsumerServiceURL. Now, I have another servlet with a different functionality, and it needs to validate the user against SAML as part of its flow. So I need to define the new servlet's URL as an additional endpoint, let's say https:/

We have a website running on Caucho Resin. The great majority of the site is JSP/Java. We have our own custom authentication on the site, meaning we aren't using any third party authentication frameworks. We host the website, not our clients. Our large clients want to have their users log into our site with their active directory credentials. For this I'm assuming I will be talking to ADFS with SAML, please correct me if that is wrong. So my question is how do I go about doing that with Java? from what I can tell there is OpenSAML which sounds like it doesn't do everything, and if I want more

SAML sp-based authentication has following short workflow. User wants to access application at sp. sp sends SAMLRequest token to idp. idp consume it and generate SAMLResponse token. idp sends this SAMLResponse token to AC-URL given by sp. My Question is how sp consume this SAMLResponse token. What is the logic? If I can get some JAVA code help it will be beneficial. Gaucho The next recipe is working for me: Get the SAMLResponse token and decode it and inflate: // Base64 decode Base64 base64Decoder = new Base64(); byte[] xmlBytes = encodedXmlString.getBytes("UTF-8"); byte[]

In SAML metadata file there are several NameID format defined, for example: <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> Can anybody explain what are these used for? What are the differences? mavis Refer to Section 8.3 of this SAML core pdf of oasis SAML specification. SP and IdP usually communicate each other about a subject. That subject should be identified through a NAME-IDentifier , which should be in

I am running this code at opensaml2.6 Element metadataRoot = document.getDocumentElement(); // Unmarshall UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(metadataRoot); if (unmarshaller == null) { System.out.println("Error receiving unmarshaller for this document."); return; } For the document <?xml version="1.0" encoding="UTF-8"?><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> Unmarshaller return a null , Can you help me to undertand how are the criterias to lookup

I have a problem while trying to decrypt encrypted assertion using SAML 2.0. The library I am using is OpenSAML Java libraries 2.5.2. The encrypted assertion looks like this: <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <enc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:enc="http://www.w3.org/2001/04/xmlenc#"> <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"> <e:EncryptionMethod Algorithm="http://www.w3.org

I've seen a bunch of flow chart on how it is passed around between Identity Provider (IdP), Service Provider (SP), and Browser via Redirects. However it seems unnecessary to me right now, so i know i'm missing something. Can someone provide me a use case where a SAML Artifact is required (or very useful) compared to not using one? Thank you. Typically, the intent of the artifact binding is to reduce the flow of SAML messages through the browser itself. This could be due to browser restrictions (browsers that have limits on query string / POST payload size) or no support for JavaScript (for