问题
I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin program to send request and get response. But it was not working properly. I created one account there. But I don't have an enterprise account. When I run the application, it is going to onelogin login page. I tried to login, but it is not returning anyuthing in the response, showing I don't have permission. If I provide wrong credentials also, it is not giving any SAML response.
So I decided to create an assertion and sign it.
- Do I need to send a SAML request to any identity provider first?
- How to create a sample SAML assertion instead of going to IdP(Like this is fine?)
- Once I get the SAML response, how do I sign it in my application and proceed?
Thanks
UPDATE 1
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="123" InResponseTo="abc" IssueInstant="2014-11-21T17:13:42.872Z"
Version="2.0">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
user@example.com
</saml:NameID>
</saml:Subject>
<saml:AuthnStatement AuthnInstant="2014-11-21T17:13:42.899Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
回答1:
You can also use Java Saml from Onelogin to sign the response using their utility class (com.onelogin.saml2.util.Util):
// loads xml string into Document
Document document = Util.loadXML(saml);
// loads certificate and private key from string
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);
// signs the response
String signedResponse = Util.addSign(document, privateKey, cert, null);
You can also use another .addSign method that takes Node as first parameter to sign the assertion of the SAML response.
Their Maven dependency is:
<dependency>
<groupId>com.onelogin</groupId>
<artifactId>java-saml</artifactId>
<version>2.0.0</version>
</dependency>
回答2:
The first thing you need to do is to read up on the SAML protocol. I have two blogs I can recommend.
Intro to SAML
Intro to the Web Profile
Next you can choose to build the SAML integration in your app or you can use a third party application to do the integration. Typical third party applications are Shibboleth and OpenAM.
If you decide to build it in to your application, you can for example use OpenSAML. OpenSAML is a library that helps to work with SAML messages. I have several blogs on the subject and one book that is good to start with
About your questions.
- You dont need to send a request. The IDP can start the process without a request.
- Well you can create one just by editing the one that you found. You can also use OpenSAML to create the assertion
- You do not sign the response in your application, the IDP signs the response. he signature verification depends on the software. Here is how you do it in OpenSAML
来源:https://stackoverflow.com/questions/26482902/create-saml-assertion-and-sign-the-response