I have a Java Web Application and I want to serve it as a Service Provider and implement SAML. I am not sure about the workflow of how to do it.
I have read this SO question and am still not able to understand it completely.
In the question they are saying they need to send a request to the IDP, called an Assertion if I am right.
How do I create an assertion? I saw the sample there. But where do I pass the login credentials with that?
Also, how do I register my application with the IDP, and do I need to install some certificate given by the IDP for that? What is the workflow?
Thanks
Typically you use some kind of third party software to provide SAML integration. Examples of this are OpenAM and Shibboleth. It is a good idea to use software like this because SAML is a complex protocol and it is easy to make mistakes, leaving your solution vulnerable.
I have a blog post on SAML and the workflow that you can have a look at.
This one about SAML and this one about the SAML Web profile flow that you want.
If you insist on doing the whole integration yourself in code, OpenSAML is one library you can use. This will require you to have a good understanding of SAML.
My book, A Guide to OpenSAML, gives a good introduction to SAML and the OpenSAML library.
I also have some blog posts on OpenSAML.
About your questions. The Assertion is something that is sent to you from the IDP; this is the proof of an authentication of a user. What you need to do is to send an AuthnRequest to the IDP to start an authentication.
The registration on the IDP depends completely on what software is used to implement SAML on the IDP side. Usually it involves you sending a SAML Metadata XML to the IDP. This is a configuration file containing certificates, endpoints and more. Here is a post on SAML Metadata.
In return the IDP sends you metadata that you use to communicate with it.
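The SAML Metadata XML the answer above says an SP usually sends to the IDP can be generated with OpenSAML instead of written by hand. The following is an added example (not code from the answer's author, book or blog) written against the OpenSAML 2.x API, which is the API the `Configuration.getBuilderFactory()` style of code on this page uses. The entity ID and the Assertion Consumer Service URL are hypothetical placeholders; the entity ID is the value the IDP will later put in the assertion's Audience, and the ACS URL is where the IDP will POST the SAML Response.

```java
import javax.xml.namespace.QName;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

/**
 * Builds the SP metadata document an IDP administrator typically asks for.
 * Assumes OpenSAML 2.x on the classpath; all URLs below are hypothetical.
 */
public class SpMetadataExample {

    // Hypothetical: the SP's entityID (the value the IDP will use as Audience)
    // and the endpoint that receives the SAML Response (AssertionConsumerService).
    static final String SP_ENTITY_ID = "https://sp.example.com/saml/metadata";
    static final String ACS_URL = "https://sp.example.com/saml/SSO";

    // Small helper around the builder factory so each element is one line.
    @SuppressWarnings("unchecked")
    static <T> T build(QName name) {
        XMLObjectBuilderFactory factory = Configuration.getBuilderFactory();
        return (T) factory.getBuilder(name).buildObject(name);
    }

    static EntityDescriptor buildSpMetadata() {
        EntityDescriptor entity = build(EntityDescriptor.DEFAULT_ELEMENT_NAME);
        entity.setEntityID(SP_ENTITY_ID);

        SPSSODescriptor sp = build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        sp.addSupportedProtocol(SAMLConstants.SAML20P_NS);
        // Ask the IDP to sign assertions so the SP can verify who issued them.
        sp.setWantAssertionsSigned(true);
        sp.setAuthnRequestsSigned(false);

        NameIDFormat format = build(NameIDFormat.DEFAULT_ELEMENT_NAME);
        format.setFormat(NameIDType.PERSISTENT);
        sp.getNameIDFormats().add(format);

        AssertionConsumerService acs = build(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        acs.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        acs.setLocation(ACS_URL);
        acs.setIndex(0);
        acs.setIsDefault(true);
        sp.getAssertionConsumerServices().add(acs);

        entity.getRoleDescriptors().add(sp);
        return entity;
    }

    // Serialise the object tree to the XML document that is handed to the IDP.
    static String toXml(EntityDescriptor entity) throws MarshallingException {
        Element element = Configuration.getMarshallerFactory().getMarshaller(entity).marshall(entity);
        return XMLHelper.prettyPrintXML(element);
    }

    public static void main(String[] args) throws ConfigurationException, MarshallingException {
        DefaultBootstrap.bootstrap(); // registers builders and marshallers; run once per JVM
        System.out.println(toXml(buildSpMetadata()));
    }
}
```

A production metadata document would also carry a KeyDescriptor with the SP's signing and encryption certificates, and should itself be signed when it is published on a web server rather than exchanged out of band; both are left out here to keep the structure visible.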
I have a Java Application running on a Tomcat server. I am storing the user information in a MySQL table and using a Java REST service for authentication.
Now when I land on customer.myapp.com I want to check if there is an active session in the browser for customer.com, and if so, log in to my app using that session internally. If there is no session, then redirect the user to the customer.com login portal and after login land on the customer.myapp.com home page.
How can I implement this using SAML? I have gone through the theory parts and got an idea about the SP (in this case customer.myapp.com) and the IdP (I assume it will be the customer's login portal customer.com). I even downloaded the OpenSAML jar. I have no idea how the configuration is to be done. In my case I don't have any access to the IDP.
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.XMLObjectBuilderFactory;

public class EMSAMLObjectBuilder {
    // Get the builder factory (OpenSAML 2.x; DefaultBootstrap.bootstrap() must have run first)
    XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();

    @SuppressWarnings("unchecked")
    public Assertion buildAssertion() {
        // Get the assertion builder based on the assertion element name
        SAMLObjectBuilder<Assertion> builder = (SAMLObjectBuilder<Assertion>) builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
        // Create the (empty) assertion object
        return builder.buildObject();
    }
}
This is the only piece of code I could find. Any help?
Sounds like a standard use case for the SAML Web Browser Profile. I would suggest reading up on it. There is a lot of information on the Internet.
Basically the process goes like this.
The SP and the IDP exchange metadata XML. This can be done by any means, for example email or by publishing the XML on a web server. This is only done once between an SP and IDP.
When the SP wants to authenticate the user, it sends the user to the IDP (for example using a redirect) together with a SAML Authentication Request.
The IDP authenticates the user.
The IDP sends the user back to the SP together with a SAML Authentication Response.
SAML is a very flexible protocol so the flow above can vary. How the communication is done is generally specified more closely in the metadata.
There are several ways this could be implemented, OpenSAML is one of them. The OpenSAML official website has some helpful examples.
I write a blog on OpenSAML with lots of helpful posts on the subject. I have also written a book, A Guide to OpenSAML, that details step by step the implementation of a SAML Web Browser Profile service provider.
Coincidentally the sample application in the book runs on embedded Tomcat.
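The second step of the flow described above, the SP sending the user to the IDP with a SAML Authentication Request, as an added example (not code from the answer's author, book or blog). It builds an AuthnRequest with the OpenSAML 2.x API and encodes it for the HTTP-Redirect binding (DEFLATE, Base64, URL-encode), which is the form the IDP's redirect endpoint expects in the SAMLRequest query parameter. The SP entity ID, ACS URL and IDP single-sign-on URL are hypothetical; in practice the IDP URL comes from the IDP's metadata.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLEncoder;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.xml.namespace.QName;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

/** SP-initiated SSO: build an AuthnRequest and redirect the browser to the IDP. Hypothetical URLs. */
public class AuthnRequestExample {
    static final String SP_ENTITY_ID = "https://sp.example.com/saml/metadata";  // hypothetical
    static final String ACS_URL = "https://sp.example.com/saml/SSO";            // hypothetical
    static final String IDP_SSO_URL = "https://idp.example.org/sso/redirect";   // hypothetical, from IDP metadata

    @SuppressWarnings("unchecked")
    static <T> T build(QName name) {
        return (T) Configuration.getBuilderFactory().getBuilder(name).buildObject(name);
    }

    static AuthnRequest buildAuthnRequest(String requestId) {
        AuthnRequest request = build(AuthnRequest.DEFAULT_ELEMENT_NAME);
        request.setID(requestId);                 // echoed back by the IDP in InResponseTo
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssueInstant(new DateTime());
        request.setDestination(IDP_SSO_URL);      // the endpoint this message is addressed to
        request.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        request.setAssertionConsumerServiceURL(ACS_URL); // where the IDP should POST the Response

        Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(SP_ENTITY_ID);
        request.setIssuer(issuer);

        NameIDPolicy policy = build(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        policy.setFormat(NameIDType.PERSISTENT);
        policy.setAllowCreate(true);
        request.setNameIDPolicy(policy);
        return request;
    }

    // HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64, then URL-encode.
    static String toRedirectUrl(AuthnRequest request, String relayState) throws Exception {
        Element element = Configuration.getMarshallerFactory().getMarshaller(request).marshall(request);
        String xml = XMLHelper.nodeToString(element);

        ByteArrayOutputStream compressed = new ByteArrayOutputStream();
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // true = no zlib wrapper
        try (DeflaterOutputStream out = new DeflaterOutputStream(compressed, deflater)) {
            out.write(xml.getBytes("UTF-8"));
        }
        String encoded = Base64.encodeBytes(compressed.toByteArray(), Base64.DONT_BREAK_LINES);
        return IDP_SSO_URL + "?SAMLRequest=" + URLEncoder.encode(encoded, "UTF-8")
                + "&RelayState=" + URLEncoder.encode(relayState, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        String requestId = new SecureRandomIdentifierGenerator().generateIdentifier();
        // Keep requestId in the user's HTTP session: the Response's InResponseTo must match it,
        // otherwise an unsolicited or replayed Response could be accepted.
        System.out.println(toRedirectUrl(buildAuthnRequest(requestId), "/home"));
    }
}
```

If the IDP's metadata declares WantAuthnRequestsSigned, the redirect must also carry SigAlg and Signature query parameters; OpenSAML's HTTPRedirectDeflateEncoder does that encoding and signing for you, and is the better choice than the hand-rolled encoding shown here once signing is needed.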
My feeling is that you should never directly use libraries like OpenSAML which are really low-level and complicated to master.
If you want to secure your web application with a SAML login process, you should certainly use a security library for that.
Disclaimer: I'm the creator of pac4j, so I can recommend using one of the pac4j implementations: http://www.pac4j.org/implementations.html for SAML: http://www.pac4j.org/docs/clients/saml.html
I'm struggling to design a SAML 2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using a Java Servlet filter and Spring.
I see two possibilities:
Adding the SAML tokens into the header each time.
Authenticate once with SAML, then use a session or similar (secure conversation) between the client and the gateway.
Case 1: It's a good solution because we are still RESTful but:
SAML tokens are quite big. This may generate problems due to the big header size.
Replaying tokens is not the best way from a security point of view.
Case 2: It's no longer stateless and I have to manage a link with the client. Since I use a gateway, the underlying services can still be RESTful.
Case 2 looks like the better choice, despite the fact that it does not follow the REST constraints.
Has someone already had to do this and can give me some pointers (for design or implementation)?
Is there a better way to do it with SAML?
Any help or advice is welcome.
It is still a draft, but the OAuth2 SAML bearer profile may be a possible solution.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17
Use SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.
Also, you could generate a JWT token and put it inside of a SAML attribute: from this moment on you could pass the JWT inside of an HTTP header.
It is sort of mixing OAuth with SAML, but if you still need the latter for authentication it could be the way to go.
I've tested the Spring Security SAML Extension for integration in my project and it looks good for me.
But I have one problem with this implementation:
How can I change the authentication to a form based login?
I have an application with a login form. And the requirement is that the authentication goes against Active Directory Federation Services.
But up to now I have found no way to do this in the SAML Extension.
Sorry about this question, but my experience with Spring Security is not very good. I hope that someone here can help me in a simple way.
Best Regards
Thomas
The main point of federation protocols (like SAML) is that the user's credentials are only used at the Identity Provider (= ADFS), and are not revealed to the Service Providers. In other words, when using SAML you can't have a form login on your SP page.
If you want to combine multiple authentication methods, e.g. SAML + form login against a local database, it is of course possible.
I have a customer who wants to implement SSO using SAML2 assertion based approach. The customer will be the Identity Provider (IDP) and my application will effectively be the Service Provider (SP).
In the past I've implemented SSO solutions where the IDP was Oracle Access Manager and therefore we were provided with the idp.xml file which allowed us to configure our SP environment using the supplied Fedlet. This conveniently created a relevant WAR file which, when deployed, allowed me to distribute the sp.xml file to the customer who imported it into their IDP. This all worked fine and I understand the concepts, i.e. we receive the initial request, the Fedlet handles this and takes the user to the IDP where they authenticate, then they're passed back to our SP with a SAML response which the Fedlet allows us to parse and extract some data identifying the user. I then do what's required to sign them into our application.
However the current requirement is not using any backend framework to provide the IDP; they've stated that it's a custom built one. They've given me the IDP URL and a cert file and are asking for our "AssertionConsumerServiceURL" and "AudienceURI".
The application which I'm enabling SSO for is largely Java based. My investigation so far has led me to Forgerock's OpenAM solution as well as Shibboleth's OpenSAML. However I'm struggling with the first step, essentially where do I start building a custom SP application connecting to a third party IDP using OpenAM/Shibboleth/AnotherFramework.
Any pointers would be very useful.
Thanks,
Lee
Depends on what your requirements are. OpenAM Fedlet or Shibboleth is probably the best approach since you don't have to do so much coding on your own.
OpenSAML is a very low level toolkit for handling SAML messages. I would not recommend it if not really needed.
As for the things they are asking for, the AssertionConsumerServiceURL is the service endpoint where you receive your SSO SAML messages.
The definition of AudienceURI is quite gray. Basically you send them an identifier, they include this in their messages and you validate that the identifier is the same you gave them. I myself do not understand the difference between this and Destination...
I'm a bit surprised that they ask you for this. The standard way to do this first exchange of information is by SAML metadata documents.
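The checks the answer above describes, as an added example (not code from the answer's author): an OpenSAML 2.x validator for the SAMLResponse the IDP POSTs to the AssertionConsumerServiceURL, using the IDP's cert file to verify the signature. It also separates the three values the answer finds confusing, which SAML 2.0 Core and the Web Browser SSO profile define differently: Destination (on the Response) is the endpoint URL the IDP addressed the message to; AudienceURI (in the assertion's Conditions) is the SP's own identifier, so an assertion issued for some other SP is rejected; and Recipient (in the bearer SubjectConfirmationData) is again the ACS URL, alongside InResponseTo, which ties the assertion to the AuthnRequest the SP issued. The entity ID, ACS URL and clock-skew tolerance are hypothetical; the IDP certificate is read from a file path given on the command line.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;

/** Validates a SAML Response received at the ACS endpoint. Hypothetical SP identifiers below. */
public class ResponseValidator {
    static final String SP_ENTITY_ID = "https://sp.example.com/saml/metadata"; // hypothetical: our AudienceURI
    static final String ACS_URL = "https://sp.example.com/saml/SSO";           // hypothetical: our AssertionConsumerServiceURL
    static final int CLOCK_SKEW_SECONDS = 60;                                 // hypothetical tolerance

    private final BasicX509Credential idpCredential;

    ResponseValidator(X509Certificate idpCert) {
        idpCredential = new BasicX509Credential();
        idpCredential.setEntityCertificate(idpCert); // the cert file the IDP supplied
    }

    // Decode the SAMLResponse form field and unmarshall it into OpenSAML objects.
    static Response parse(String base64SamlResponse) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Element root = pool.parse(new ByteArrayInputStream(Base64.decode(base64SamlResponse))).getDocumentElement();
        return (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    /** Returns the authenticated NameID, or throws SecurityException naming the failed check. */
    String validate(Response response, String expectedInResponseTo) throws Exception {
        if (!StatusCode.SUCCESS_URI.equals(response.getStatus().getStatusCode().getValue()))
            throw new SecurityException("IDP reported a non-success status");
        // Destination: the URL the IDP addressed this Response to must be our ACS endpoint.
        if (response.getDestination() != null && !ACS_URL.equals(response.getDestination()))
            throw new SecurityException("Destination mismatch");
        if (response.getAssertions().size() != 1)
            throw new SecurityException("Expected exactly one plaintext assertion");
        Assertion assertion = response.getAssertions().get(0);

        // Signature: on the assertion or the whole Response, verifiable with the IDP's certificate.
        Signature sig = assertion.getSignature() != null ? assertion.getSignature() : response.getSignature();
        if (sig == null) throw new SecurityException("Unsigned assertion");
        new SAMLSignatureProfileValidator().validate(sig); // rejects malformed enveloped signatures
        new SignatureValidator(idpCredential).validate(sig); // throws ValidationException on failure

        // Validity window with tolerance for clock skew between IDP and SP.
        DateTime now = new DateTime();
        Conditions cond = assertion.getConditions();
        if (cond.getNotBefore() != null && now.plusSeconds(CLOCK_SKEW_SECONDS).isBefore(cond.getNotBefore()))
            throw new SecurityException("Assertion not yet valid");
        if (cond.getNotOnOrAfter() != null && !now.minusSeconds(CLOCK_SKEW_SECONDS).isBefore(cond.getNotOnOrAfter()))
            throw new SecurityException("Assertion expired");

        // AudienceURI: the identifier we gave the IDP must be listed, or the assertion was meant for another SP.
        boolean audienceOk = false;
        for (AudienceRestriction ar : cond.getAudienceRestrictions())
            for (Audience aud : ar.getAudiences())
                if (SP_ENTITY_ID.equals(aud.getAudienceURI())) audienceOk = true;
        if (!audienceOk) throw new SecurityException("Audience does not contain our entityID");

        // Bearer confirmation: Recipient is our ACS URL and InResponseTo is the request we stored in the session.
        boolean confirmed = false;
        for (SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) {
            SubjectConfirmationData d = sc.getSubjectConfirmationData();
            if (!SubjectConfirmation.METHOD_BEARER.equals(sc.getMethod()) || d == null) continue;
            boolean fresh = d.getNotOnOrAfter() == null
                    || now.minusSeconds(CLOCK_SKEW_SECONDS).isBefore(d.getNotOnOrAfter());
            if (ACS_URL.equals(d.getRecipient()) && expectedInResponseTo.equals(d.getInResponseTo()) && fresh)
                confirmed = true;
        }
        if (!confirmed) throw new SecurityException("No acceptable bearer SubjectConfirmation");

        return assertion.getSubject().getNameID().getValue();
    }

    // args: <idp-cert-file> <base64 SAMLResponse> <AuthnRequest ID stored in the session>
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        X509Certificate idpCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[0]));
        String nameId = new ResponseValidator(idpCert).validate(parse(args[1]), args[2]);
        System.out.println("authenticated subject: " + nameId);
    }
}
```

Two things are deliberately outside this block: EncryptedAssertion handling (the IDP's metadata says whether it encrypts; OpenSAML's Decrypter produces the plaintext Assertion that then goes through the same checks), and replay tracking of assertion IDs, which needs a store shared across SP instances. A Response that fails any check should be rejected whole; do not fall back to reading attributes from an assertion whose signature or audience did not verify.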
As you may know OpenAM also provides the Fedlet, which is a lightweight SAML 2.0 SP implementation. If you want to do it all yourself you have to build a SAML 2.0 SP yourself.
If you want to mess around with Spring you could also use the Spring Security SAML2 extension: http://static.springsource.org/spring-security/site/extensions/saml/index.html
Why roll out those heavy SAML solutions? Have you taken a look at PingOne APS (Application Provider Services) or PingFederate from Ping Identity? You can implement APS in less than a day and your first customer config is free. Includes dashboard reporting, IDP self service functionality for config and a dead simple REST API integration for your application. [Note: I work for Ping.]
You can setup the Spring Security SAML Extension. The extension creates an AssertionConsumerServiceURL and if they want to access your metadata just as you are accessing theirs, they would just need to go to www.yourwebsite.com/saml/metadata and your SP metadata will be downloaded by them.
Has anyone had any experience creating a JAAS LoginModule that uses SAML to authenticate and authorize a user? As I understand JAAS, this would likely require a custom CallbackHandler that understands and can parse a SAML message.
In my case, the authorization is defined as a set of roles in a database, much like your typical Database Login Module. There are, however, no passwords stored in this system. Instead users are authenticated on another site and a SAML exchange is used to pass that authentication event to our system.
My hope is to enable our application code to not have to deal with SAML directly and to be able to leverage standard JAAS techniques for managing permissions/roles/etc.
An example would be most welcome, but any links you may have found would also be wonderful.
The main issue you'll run into is that there is no standard way to send the user's credentials to the IdP. In the SAML Web SSO flow you have the browser, so the IdP can just put up a page asking for the credentials. The ECP flow, which does not assume a browser, does not provide a standard way for delivering the credentials. HTTP BASIC auth? WS-Security? Something else?
So, before you go further you'll need to know which SAML profiles the IdPs support and, if ECP is supported, which mechanisms are available for accepting the user's credentials.