
OneLogin for Java - Beginner Issues


A few days ago I downloaded java-saml-2.0.1 in the hope of using it to implement SSO via SAML in my (SP) app. I am actually not a Java developer (I am C#) but working on this nonetheless. I am also not very familiar with SSO/SAML, so please forgive stupid questions.

1) How do I add a dependency to my project? I have this in my POM.xml file. Is this enough?

<dependency>
    <groupId>com.onelogin</groupId>
    <artifactId>java-saml</artifactId>
    <version>2.0.0</version>
</dependency>

2) I am reading this article: Code Your Java App to Provide SSO via OneLogin. Assuming this applies to java-saml-2.0.1, why does it say that I need the files under /com? Am I supposed to copy those files in my project? Do I not reference the whole package?

3) Looking at dologin.jsp, what does this code do?

Auth auth = new Auth(request, response);
if (request.getParameter("attrs") == null) {
    auth.login();
} else {
    String x = request.getPathInfo();
    auth.login("/java-saml-tookit-jspsample/attrs.jsp");
}

It checks for request.getParameter("attrs"), but then does not use it. It sets String x, but then does not use it. Why?

4) When setting up AccountSettings, can I skip the certificate and do that later or is it always needed?

5) Essentially we are implementing this and the first step is for my SP app to implement Step 2: (SP--> UA) Redirect to IdP SSO Service. So, when the user is trying to access my SP, I need to create a SAML Token (?) and send that to IdP. How do I do that? This is where I get stuck.

I looked at the sample, but I don't know how to configure the settings, so it does not work.

BTW: the IdP is an internal app managed by a different division.


Solution

  • 1) As described here: https://mvnrepository.com/artifact/com.onelogin/java-saml/2.0.1

    You need to add:

    <dependency>
        <groupId>com.onelogin</groupId>
        <artifactId>java-saml</artifactId>
        <version>2.0.1</version>
    </dependency>

    2) That documentation is old and belongs to the 1.X version of java-saml.

    In the GitHub repository of java-saml, https://github.com/onelogin/java-saml, you will find the right documentation.

    3) That code initiates the login process (sends an AuthNRequest to the Identity Provider).

    It initiates the Auth object, and later calling the login method does the redirection.

    The attrs parameter is a GET parameter that can be sent to the index view to set a custom RelayState to the attrs.jsp page.

    4) The AccountSettings object belongs to the 1.X code.

    But you need to set the x509cert on the settings property before deploying your service.

    5) In the SP-initiated SSO flow, the SP sends an AuthNRequest to the IdP and the IdP replies with a SAMLResponse. (Previously, the IdP and SP must exchange their metadata in order to set up the circle of trust.)
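
The SP-initiated flow from points 3 and 5, written against the java-saml 2.x `Auth` class, as an added example that is not part of the original answer or of the toolkit's sample app. The class name `SamlFlow`, the `returnTo` parameter, and the `/app/...` paths are assumptions; the point is that the RelayState target is checked against a server-side allowlist both when it is sent and when it comes back, so it cannot be used as an open redirect.

```java
import com.onelogin.saml2.Auth;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SamlFlow {
    // Hypothetical local paths this SP is willing to send users back to.
    private static final Set<String> ALLOWED_RETURN =
            new HashSet<>(Arrays.asList("/app/home", "/app/attrs.jsp"));
    private static final String DEFAULT_RETURN = "/app/home";

    // RelayState is attacker-controllable in both directions: never redirect
    // to it unless it exactly matches an entry in the allowlist.
    static String safeReturnTo(String candidate) {
        return candidate != null && ALLOWED_RETURN.contains(candidate)
                ? candidate : DEFAULT_RETURN;
    }

    // SP -> UA -> IdP: build the AuthnRequest and redirect the browser.
    // Auth(request, response) reads onelogin.saml.properties from the
    // classpath, which is where the IdP x509cert from point 4 is configured.
    public static void startLogin(HttpServletRequest req, HttpServletResponse resp)
            throws Exception {
        Auth auth = new Auth(req, resp);
        auth.login(safeReturnTo(req.getParameter("returnTo")));
    }

    // IdP -> UA -> SP: the assertion consumer endpoint receiving the SAMLResponse.
    public static void consume(HttpServletRequest req, HttpServletResponse resp)
            throws Exception {
        Auth auth = new Auth(req, resp);
        auth.processResponse(); // validates the response against the settings
        if (!auth.getErrors().isEmpty() || !auth.isAuthenticated()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML authentication failed");
            return;
        }
        req.getSession(true);
        req.changeSessionId(); // new session id after login (Servlet 3.1+)
        req.getSession().setAttribute("nameId", auth.getNameId());
        resp.sendRedirect(safeReturnTo(req.getParameter("RelayState")));
    }
}
```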