Create SAML Assertion and Sign the response

java single-sign-on saml-2.0 opensaml
iUser picture iUser · Oct 21, 2014 · Viewed 29.6k times · Source

I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin program to send request and get response. But it was not working properly. I created one account there. But I don't have an enterprise account. When I run the application, it is going to onelogin login page. I tried to login, but it is not returning anyuthing in the response, showing I don't have permission. If I provide wrong credentials also, it is not giving any SAML response.

So I decided to create an assertion and sign it.

  1. Do I need to send a SAML request to any identity provider first?
  2. How to create a sample SAML assertion instead of going to IdP(Like this is fine?)
  3. Once I get the SAML response, how do I sign it in my application and proceed?

Thanks

UPDATE 1

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="123" InResponseTo="abc" IssueInstant="2014-11-21T17:13:42.872Z" 
  Version="2.0">
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                [email protected]
            </saml:NameID>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2014-11-21T17:13:42.899Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

Answer

shimon001 picture shimon001 · Sep 1, 2017

You can also use Java Saml from Onelogin to sign the response using their utility class (com.onelogin.saml2.util.Util): 

// loads xml string into Document
Document document = Util.loadXML(saml);

// loads certificate and private key from string
X509Certificate cert = Util.loadCert(pubKeyBytes);
PrivateKey privateKey = Util.loadPrivateKey(privKeyBytes);

// signs the response
String signedResponse = Util.addSign(document, privateKey, cert, null);

You can also use another .addSign method that takes Node as first parameter to sign the assertion of the SAML response.

Their Maven dependency is:

<dependency>
    <groupId>com.onelogin</groupId>
    <artifactId>java-saml</artifactId>
    <version>2.0.0</version>
</dependency>

Related questions

SAML simple example for beginners

I am beginner to the SAML v2.0 technology and I get the theory knowledge but I didn't find any examples on Google. Can anybody provide me with a step by step example for simple "SAML for v2.0". Upto now I've …

Read More
How to Implement SSO on existing tomcat web application

I have a tomcat 7 setup with oldApp.war and newApp.war deployed on it. Both the applications share the same login credentials for users on the database. I can access the apps using https://localhost/oldApp and https:localhost/newApp …

Read More
Web SSO using Java and SAML 2.0

I'd like to write a web application which does the authentication using SAML 2.0 tokens, issued by an identity provider. I understand, according to this question, that there is a viable solution in the PHP world using simpleSAMLphp. Is there an …

Read More