How to implement SAML SSO
Solution 1
The way this works is that, after authenticating the user, the SAML identity provider (IdP) renders a form to the browser containing the SAML response - the form's 'action' (i.e. target) is the service provider (SP). In the HTML, there is a JavaScript onLoad event that submits the form, so the net effect is that the user is automatically taken from the IdP to the SP, SAML response in hand.
The only time a user would have to click anything to submit the form is if they have JavaScript disabled. In this case, SAML implementations typically provide a message with a button to press in the <noscript>
tag.
For more detail see this article I wrote a few years ago - but note, 'Lightbulb' is long obsolete now - for PHP SAML see simpleSAMLphp.
It's a shame your client wants to use CA SiteMinder - the open source OpenAM (formerly known as OpenSSO) does this pretty easily.
Solution 2
This article explains is very well. There are examples for different platforms too.
Haider
Updated on July 03, 2020Comments
-
Haider almost 4 years
How is SAML SSO typically implemented?
I've read this (n.b. obsolete) about using SAML with Google Apps, and the wikipedia entry on SAML.
The wikipedia entry talks about responding with forms containing details of the SAMLRequest and SAMLResponse. Does this mean that the user has to physically submit the form in order to proceed with the single sign on?
The google entry talks about using redirects, which seems more seemless to me. However, it also talks about using a form for the response which the user must submit (although it does talk about using JavaScript to automatically submit the form).
Is this the standard way of doing this? Using redirects and JavaScript for form submission?
Does anyone know of any other good resources about how to go about implementing SSO between a Windows Domain and a J2EE web application. The web application is on a separate network/domain. My client wants to use CA Siteminder (with SAML).
-
Ashwin over 12 yearsYes there are classes for sending the authrequest, but there are not classes for receving the request, analyzing it and the sending the response.
-
Admin about 12 yearsOpenSSO is dead, I believe it has been reincarnated as OpenAM
-
metadaddy about 12 yearsYou are correct, @TobyHobson. I edited my answer.
-
IcedDante almost 11 yearsThe article link no longer works. Is it still out there? Thanks.
-
metadaddy almost 11 yearsThanks, @IcedDante - I updated the link.
-
JokiRuiz almost 10 yearsI'm developing a SSO request with simplesamlphp, how can I insert parameters in the subject of the xml?
-
metadaddy almost 10 years@JokiRuiz You should as this as a new question - no one is going to see it here
-
Jerry over 7 yearsLink no loner exists. Any updates?
-
Taylor D. Edmiston about 6 years@Jerry I replaced the broken link with a cached version of the article from archive.org