How to implement SAML SSO


Solution 1

The way this works is that, after authenticating the user, the SAML identity provider (IdP) renders a form to the browser containing the SAML response - the form's 'action' (i.e. target) is the service provider (SP). In the HTML, there is a JavaScript onLoad event that submits the form, so the net effect is that the user is automatically taken from the IdP to the SP, SAML response in hand.

The only time a user would have to click anything to submit the form is if they have JavaScript disabled. In this case, SAML implementations typically provide a message with a button to press in the <noscript> tag.

For more detail see this article I wrote a few years ago - but note, 'Lightbulb' is long obsolete now - for PHP SAML see simpleSAMLphp.

It's a shame your client wants to use CA SiteMinder - the open source OpenAM (formerly known as OpenSSO) does this pretty easily.
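The flow described in this answer is the SAML 2.0 HTTP-POST binding. The following is an added example, not code from the answer, from simpleSAMLphp, or from any of the products mentioned: an IdP-side function that renders the self-submitting form (base64-encoded SAMLResponse, `onload` submit, `<noscript>` fallback button), a tiny stand-in for the browser that pulls the hidden fields back out, and an SP-side receiver that decodes the response and checks that its `Destination` matches the assertion consumer service (ACS) that received it. The ACS URL, RelayState, and the response XML are constructed placeholders; a real response carries a signed Assertion, and signature and assertion validation must happen before anything decoded here is trusted.

```python
import base64
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample (illustration only, not real IdP output): a minimal
# samlp:Response with no Assertion, just enough to show the binding.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2020-07-03T00:00:00Z" '
    'Destination="https://sp.example.com/acs">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)


def build_post_binding_form(acs_url, response_xml, relay_state=None):
    """IdP side: render the self-submitting form of the HTTP-POST binding.

    SAMLResponse is the base64-encoded XML. The body's onload handler submits
    the form to the SP's ACS; the <noscript> block gives users with JavaScript
    disabled a button to press instead. All values are HTML-escaped so a
    RelayState or URL containing quotes cannot break out of an attribute.
    """
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    fields = [("SAMLResponse", encoded)]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s"/>'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields
    )
    return (
        '<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
        '<form method="post" action="%s">%s'
        '<noscript><p>JavaScript is disabled. Click Continue to proceed.</p>'
        '<input type="submit" value="Continue"/></noscript>'
        '</form></body></html>'
        % (html.escape(acs_url, quote=True), inputs)
    )


class _FormFieldCollector(HTMLParser):
    """Minimal stand-in for the browser: records the form action and the
    hidden inputs that the auto-submit would POST to the SP."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive already unescaped
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def simulate_browser_submit(html_doc):
    """Return (action_url, posted_fields) as the browser would submit them."""
    parser = _FormFieldCollector()
    parser.feed(html_doc)
    return parser.action, parser.fields


def receive_post_binding(form_fields, expected_acs_url):
    """SP side: decode the POSTed SAMLResponse and run the binding-level checks.

    Returns (response_element, relay_state). This only verifies the envelope;
    XML signature and assertion validation (not shown) must follow before
    the SP logs anyone in.
    """
    raw = form_fields.get("SAMLResponse")
    if not raw:
        raise ValueError("missing SAMLResponse field")
    xml_bytes = base64.b64decode(raw, validate=True)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    destination = root.get("Destination")
    if destination is not None and destination != expected_acs_url:
        raise ValueError("Destination %r is not this ACS" % destination)
    return root, form_fields.get("RelayState")


if __name__ == "__main__":
    acs = "https://sp.example.com/acs"  # constructed placeholder URL
    page = build_post_binding_form(acs, SAMPLE_RESPONSE_XML, "/app/home")
    action, fields = simulate_browser_submit(page)
    response, relay = receive_post_binding(fields, acs)
    print("posted to", action, "response id", response.get("ID"), "relay", relay)
```

The `Destination` check is the one binding-level control worth keeping in mind from the answer's description: because the browser, not the IdP, delivers the response, the SP should confirm the response was addressed to the endpoint that actually received it before going on to verify the signature.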

Solution 2

This article explains it very well. There are examples for different platforms too.

Author: Haider

Updated on July 03, 2020

Comments

  • Haider
    Haider almost 4 years

    How is SAML SSO typically implemented?

    I've read this (n.b. obsolete) about using SAML with Google Apps, and the wikipedia entry on SAML.

    The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign on?

    The google entry talks about using redirects, which seems more seamless to me. However, it also talks about using a form for the response which the user must submit (although it does talk about using JavaScript to automatically submit the form).

    Is this the standard way of doing this? Using redirects and JavaScript for form submission?

    Does anyone know of any other good resources about how to go about implementing SSO between a Windows Domain and a J2EE web application? The web application is on a separate network/domain. My client wants to use CA Siteminder (with SAML).

  • Ashwin
    Ashwin over 12 years
    Yes there are classes for sending the authrequest, but there are not classes for receiving the request, analyzing it and then sending the response.
  • Admin
    Admin about 12 years
    OpenSSO is dead, I believe it has been reincarnated as OpenAM
  • metadaddy
    metadaddy about 12 years
    You are correct, @TobyHobson. I edited my answer.
  • IcedDante
    IcedDante almost 11 years
    The article link no longer works. Is it still out there? Thanks.
  • metadaddy
    metadaddy almost 11 years
    Thanks, @IcedDante - I updated the link.
  • JokiRuiz
    JokiRuiz almost 10 years
    I'm developing a SSO request with simplesamlphp, how can I insert parameters in the subject of the xml?
  • metadaddy
    metadaddy almost 10 years
    @JokiRuiz You should ask this as a new question - no one is going to see it here
  • Jerry
    Jerry over 7 years
    Link no longer exists. Any updates?
  • Taylor D. Edmiston
    Taylor D. Edmiston about 6 years
    @Jerry I replaced the broken link with a cached version of the article from archive.org