SAML For Java Application Running on Tomcat

Jerry · Oct 14, 2016 · Viewed 8.2k times

I have a Java application running on a Tomcat server. I am storing the user information in a MySQL table and using a Java REST service for authentication. Now, when I land on customer.myapp.com, I want to check if there is an active session in the browser for customer.com and, if so, log in to my app using that session internally. If there is no session, redirect the user to the customer.com login portal and, after login, land on the customer.myapp.com home page.

How can I implement this using SAML? I have gone through the theory parts and got an idea about the SP (in this case customer.myapp.com) and the IdP (I assume it will be the customer's login portal, customer.com). I even downloaded the OpenSAML jar. I have no idea how the configuration is to be done. In my case I don't have any access to the IdP.

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObjectBuilderFactory;

public class EMSAMLObjectBuilder {

    static {
        // OpenSAML 2.x must be bootstrapped once before any builder can be looked up,
        // otherwise Configuration.getBuilderFactory() returns nothing usable
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Get the builder factory
    XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();

    // Get the assertion builder based on the assertion element name
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<Assertion> builder = (SAMLObjectBuilder<Assertion>) builderFactory.getBuilder(Assertion.DEFAULT_ELEMENT_NAME);

    // Create the (still empty) assertion
    Assertion assertion = builder.buildObject();
}

This is the only piece of code I could find. Any help?

Answer

Stefan Rasmusson · Oct 14, 2016

Sounds like a standard use case for the SAML Web Browser Profile. I would suggest reading up on it. There is a lot of information on the Internet.

Basically the process goes like this.

  1. The SP and the IdP exchange metadata XML. This can be done by any means, for example by email or by publishing the XML on a web server. This is only done once between an SP and an IdP.
  2. When the SP wants to authenticate the user, it sends the user to the IdP, for example using a redirect, together with a SAML Authentication Request.
  3. The IdP authenticates the user.
  4. The IdP sends the user back to the SP together with a SAML Authentication Response.

SAML is a very flexible protocol, so the flow above can vary. How the communication is done is generally specified more closely in the metadata.

There are several ways this could be implemented; OpenSAML is one of them. The official OpenSAML website has some helpful examples.

I write a blog on OpenSAML with lots of helpful posts on the subject. I have also written a book, A Guide to OpenSAML, that details step by step the implementation of a SAML Web Browser Profile service provider.

Coincidentally, the sample application in the book runs on embedded Tomcat.
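The SP side of steps 2 and 4 above, as an added example that is not from the answer, the book, or the OpenSAML project. It uses the same OpenSAML 2.x API the question's snippet already uses (`Configuration.getBuilderFactory()`), builds a SAML `AuthnRequest`, encodes it for the HTTP-Redirect binding, and keeps the request ID so that the `InResponseTo` of the returning Response can be checked. The entity ID, ACS URL and IdP SSO URL are placeholder values; the real ones come from the metadata exchanged in step 1. It assumes OpenSAML 2.x (opensaml, xmltooling, joda-time) on the classpath and Java 8 or later.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

public class SpAuthnRequestExample {

    // Placeholder values (assumed): in a real deployment these come from the SP's own
    // metadata and from the IdP metadata received in step 1.
    static final String SP_ENTITY_ID = "https://customer.myapp.com/saml/metadata";
    static final String SP_ACS_URL   = "https://customer.myapp.com/saml/acs";
    static final String IDP_SSO_URL  = "https://customer.com/idp/sso";

    /** Step 2: build the AuthnRequest the SP sends to the IdP. */
    public static AuthnRequest buildAuthnRequest(String requestId) {
        XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();

        @SuppressWarnings("unchecked")
        SAMLObjectBuilder<Issuer> issuerBuilder =
            (SAMLObjectBuilder<Issuer>) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
        Issuer issuer = issuerBuilder.buildObject();
        issuer.setValue(SP_ENTITY_ID);   // tells the IdP which SP is asking

        @SuppressWarnings("unchecked")
        SAMLObjectBuilder<AuthnRequest> requestBuilder =
            (SAMLObjectBuilder<AuthnRequest>) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        AuthnRequest request = requestBuilder.buildObject();
        request.setID(requestId);                       // echoed back as InResponseTo
        request.setIssueInstant(new DateTime());
        request.setDestination(IDP_SSO_URL);            // where this request may be delivered
        request.setAssertionConsumerServiceURL(SP_ACS_URL); // where the Response must come back
        request.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        request.setIssuer(issuer);
        return request;
    }

    /** Serialize and encode for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. */
    public static String toRedirectUrl(AuthnRequest request) throws Exception {
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(request);
        Element element = marshaller.marshall(request);
        String xml = XMLHelper.nodeToString(element);

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        Deflater deflater = new Deflater(Deflater.DEFLATED, true); // nowrap: no zlib header
        try (DeflaterOutputStream out = new DeflaterOutputStream(buf, deflater)) {
            out.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        String encoded = Base64.getEncoder().encodeToString(buf.toByteArray());
        return IDP_SSO_URL + "?SAMLRequest=" + URLEncoder.encode(encoded, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();   // once per JVM, before any builder lookup

        // The generated ID must be stored in the user's server-side session so that,
        // in step 4, the Response's InResponseTo can be matched against it.
        String requestId = new SecureRandomIdentifierGenerator().generateIdentifier();
        AuthnRequest request = buildAuthnRequest(requestId);

        // In a servlet this value goes into response.sendRedirect(...)
        System.out.println(toRedirectUrl(request));
    }
}
```

When the Response arrives at the ACS URL in step 4, the SP must not simply trust it: verify the XML signature against the IdP signing certificate taken from the metadata of step 1, check that `InResponseTo` matches an ID this SP issued and has not already consumed, that `Destination` is this SP's ACS URL, that the assertion's `Audience` is this SP's entity ID, and that the current time lies within `NotBefore` and `NotOnOrAfter`. Only then should the local session for customer.myapp.com be created.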