Tags: java, saml, saml-2.0, assertions

Create SAML response based on SAML request


I have developed a Java web application, and I want to implement SAML. These are the steps I believe are right to implement SAML.

  1. The Service Provider (SP, my application in this case) sends a SAML authentication request to the IdP.
  2. The IdP then validates it, creates a SAML response assertion, signs it with the certificate, and sends it back to the SP.
  3. The SP then validates it with the public key of the certificate in its keystore, and proceeds further based on that.

I have got some sample code and I am able to create a SAML request, and it looks like this:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_c7b796f4-bc16-4fcc-8c1d-36befffc39c2" Version="2.0"
    IssueInstant="2014-10-30T11:21:08Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost:8080/mywebapp/consume.jsp">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/mywebapp</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
        AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

I can encode it and send it to the IdP.

I want to create sample Java code to receive this SAML request and then create a SAML response. How can I decode the request, validate it, and create the response? And do I need to sign the SAML response with a certificate before sending it back to the SP?

Thanks.


Solution

  • The steps you've listed are more or less correct. The only thing I'd point to is that you have to be careful with the meaning of the word "sends" (e.g. in "SP ... sends a SAML authentication request to IdP"). SAML allows authentication scenarios with zero direct communication between SP and IdP.

    Another small addition is that the SP may also sign its request, so you may have signature validation on both sides. Validation on the SP side is obligatory.

    If you want to implement SAML, you may want to check one of the existing solutions, for example Shibboleth. If you're on platforms like Spring and JBoss you may want to check Spring Security SAML or JBoss PicketLink. If you want to go lower-level, check OpenSAML.

    In my corp we have JBoss as standard and are very happy with PicketLink.
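A worked version of the three steps the question lists, added here as an example; it is not code from the question, the answer, or any of the products the answer names, and it uses only the JDK (DOM parsing plus the javax.xml.crypto.dsig XML-Signature API). The SP entity ID and AssertionConsumerServiceURL are taken from the question's AuthnRequest; everything else is an assumption made for the example: the IdP issuer https://idp.example.test, the HTTP-POST binding for the request, a freshly generated RSA key standing in for the IdP's certificate, and the subject "alice". The IdP side decodes and checks the request, builds a Response tied to it, and signs it; the SP side verifies the signature with a pinned key, then the same check is run again after the signed NameID has been tampered with.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SamlRoundTrip {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol", SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Hypothetical SP registration: a real IdP loads these from the SP's metadata, never from the request.
    static final String SP_ENTITY_ID = "http://localhost:8080/mywebapp", SP_ACS_URL = "http://localhost:8080/mywebapp/consume.jsp";

    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, hence no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // IdP side, HTTP-POST binding: the SAMLRequest field is base64 of the XML (the Redirect binding deflates it first).
    static Element decodeAndValidateAuthnRequest(String samlRequestField) throws Exception {
        Element root = parse(Base64.getMimeDecoder().decode(samlRequestField)).getDocumentElement();
        if (!SAMLP.equals(root.getNamespaceURI()) || !"AuthnRequest".equals(root.getLocalName())) throw new SecurityException("not an AuthnRequest");
        NodeList issuer = root.getElementsByTagNameNS(SAML, "Issuer");
        if (issuer.getLength() != 1 || !SP_ENTITY_ID.equals(issuer.item(0).getTextContent().trim()))
            throw new SecurityException("request is not from a registered SP");
        String acs = root.getAttribute("AssertionConsumerServiceURL");
        if (!acs.isEmpty() && !SP_ACS_URL.equals(acs)) throw new SecurityException("ACS URL not registered: " + acs);
        if (!root.getAttribute("ID").matches("[A-Za-z_][\\w.-]*")) throw new SecurityException("bad request ID");
        return root; // the ID is safe to echo in InResponseTo only because it passed the NCName check above
    }

    // Response: InResponseTo ties it to the request; Destination, Recipient and Audience pin it to this SP; NotOnOrAfter bounds replay.
    static Document buildResponse(String inResponseTo, String nameId) throws Exception { // nameId is IdP-internal, not escaped
        String now = Instant.now().toString(), later = Instant.now().plusSeconds(300).toString(), idp = "https://idp.example.test";
        String xml = "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\" ID=\"_" + UUID.randomUUID()
            + "\" Version=\"2.0\" IssueInstant=\"" + now + "\" Destination=\"" + SP_ACS_URL + "\" InResponseTo=\"" + inResponseTo + "\">"
            + "<saml:Issuer>" + idp + "</saml:Issuer>"
            + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>"
            + "<saml:Assertion ID=\"_" + UUID.randomUUID() + "\" Version=\"2.0\" IssueInstant=\"" + now + "\">"
            + "<saml:Issuer>" + idp + "</saml:Issuer><saml:Subject><saml:NameID>" + nameId + "</saml:NameID>"
            + "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><saml:SubjectConfirmationData"
            + " InResponseTo=\"" + inResponseTo + "\" Recipient=\"" + SP_ACS_URL + "\" NotOnOrAfter=\"" + later + "\"/>"
            + "</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=\"" + now + "\" NotOnOrAfter=\"" + later + "\">"
            + "<saml:AudienceRestriction><saml:Audience>" + SP_ENTITY_ID + "</saml:Audience></saml:AudienceRestriction>"
            + "</saml:Conditions></saml:Assertion></samlp:Response>";
        return parse(xml.getBytes(StandardCharsets.UTF_8));
    }

    // Enveloped XML-DSig over the whole Response (RSA-SHA256, exclusive c14n), inserted after Issuer as SAML requires.
    static void sign(Document doc, KeyPair idpKey) throws Exception {
        Element root = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + root.getAttribute("ID"), fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                          fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(idpKey.getPublic())));
        Node status = root.getElementsByTagNameNS(SAMLP, "Status").item(0);
        DOMSignContext ctx = new DOMSignContext(idpKey.getPrivate(), root, status); // Signature goes in before Status
        ctx.setIdAttributeNS(root, null, "ID"); // lets the "#ID" Reference resolve
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    // SP side: verify with the key pinned from IdP metadata (never the KeyInfo carried in the message) and require that
    // the single Signature is a direct child of the Response and that its one Reference covers the Response's own ID.
    static boolean verify(Document doc, PublicKey trustedIdpKey) throws Exception {
        Element root = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != root) return false;
        DOMValidateContext ctx = new DOMValidateContext(trustedIdpKey, sigs.item(0));
        ctx.setIdAttributeNS(root, null, "ID");
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false; // checks SignatureValue and every Reference digest
        List<?> refs = sig.getSignedInfo().getReferences();
        return refs.size() == 1 && ("#" + root.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI());
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the AuthnRequest from the question, trimmed to the parts this IdP checks.
        String request = "<samlp:AuthnRequest xmlns:samlp=\"" + SAMLP + "\" ID=\"_c7b796f4-bc16-4fcc-8c1d-36befffc39c2\""
            + " Version=\"2.0\" IssueInstant=\"2014-10-30T11:21:08Z\" AssertionConsumerServiceURL=\"" + SP_ACS_URL + "\">"
            + "<saml:Issuer xmlns:saml=\"" + SAML + "\">" + SP_ENTITY_ID + "</saml:Issuer></samlp:AuthnRequest>";
        String samlRequestField = Base64.getEncoder().encodeToString(request.getBytes(StandardCharsets.UTF_8)); // SP side
        Element authn = decodeAndValidateAuthnRequest(samlRequestField);                                          // IdP side
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair idpKey = kpg.generateKeyPair(); // stands in for the IdP's signing certificate and private key
        Document response = buildResponse(authn.getAttribute("ID"), "alice");
        sign(response, idpKey);
        System.out.println("genuine response verifies: " + verify(response, idpKey.getPublic()));
        response.getElementsByTagNameNS(SAML, "NameID").item(0).setTextContent("admin"); // tamper after signing
        System.out.println("tampered response verifies: " + verify(response, idpKey.getPublic()));
    }
}
```

Compile and run it with `javac SamlRoundTrip.java && java SamlRoundTrip`. The second verify call fails because the enveloped signature's digest covers the whole Response, NameID included, and the JDK's `validate` recomputes that digest; the two extra checks in `verify` (Signature must be a direct child of the Response, and its only Reference must point at the Response's own ID) are what stop a signed element from being moved or wrapped around attacker-controlled content. What `verify` deliberately does not do is the rest of the SP-side work: matching InResponseTo against the request ID the SP actually issued, Destination against its own ACS URL, Audience against its entity ID, and NotOnOrAfter against the clock. Real IdPs also commonly sign (and often encrypt) the Assertion rather than only the Response, and with the HTTP-POST binding the signed XML reaches the SP base64-encoded in the SAMLResponse form field.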