Resolve an artifact with OpenSAML
In my case, after the sign-on at the IdP is completed, the user is redirected to my Assertion Consumer Service URL defined in the metadata. The IdP sends an artifact back as a parameter. The artifact is a label pointing to the actual user data/login information (the assertion) at the IdP. The user data is not sent in the HTTP request for security reasons. Instead, the consumer servlet sends an Artifact Resolve Request over a SOAP back channel to get the data.
Here is an example of a servlet sending an ArtifactResolveRequest and receiving an ArtifactResolveResponse.
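/**
 * Sends an ArtifactResolve request to the IdP over the SAML SOAP back channel and
 * returns the raw SOAP envelope the IdP answered with.
 *
 * <p>The endpoint is taken from the IdP metadata: the ArtifactResolutionService bound
 * to SAML 2.0 SOAP 1.1. When several such services are listed the last one wins, the
 * same rule generateArtifactResolve uses for the Destination attribute, so the two
 * stay in agreement.
 *
 * <p>NOTE(review): the returned envelope is not validated here. The caller must check
 * the ArtifactResponse (signature, Issuer, Status, and that InResponseTo equals the ID
 * stored in {@code artifactResolveId}) before trusting any assertion inside it.
 *
 * @param artifactResolve the request to send; expected to be fully built by the caller
 * @return the inbound SOAP envelope exactly as received from the IdP
 * @throws IllegalStateException if the IdP metadata lists no SOAP-bound ArtifactResolutionService
 */
private Envelope sendArtifactResolve(final ArtifactResolve artifactResolve) throws SOAPException, SecurityException,
        CertificateEncodingException, MarshallingException, SignatureException, IllegalAccessException {
    Envelope envelope = SAMLUtil.wrapInSOAPEnvelope(artifactResolve);

    BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
    soapContext.setOutboundMessage(envelope);

    // The assertion comes back in the reply on this channel, so the metadata location should be
    // an https endpoint whose certificate the HTTP client trusts; the location is used as configured.
    String artifactResolutionServiceURL = null;
    for (ArtifactResolutionService ars : SAMLMetaData.getIdpEntityDescriptor()
            .getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getArtifactResolutionServices()) {
        // Constant on the left: a service element without a Binding attribute must not NPE.
        if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(ars.getBinding())) {
            artifactResolutionServiceURL = ars.getLocation(); // last match wins (see class doc above)
        }
    }
    if (artifactResolutionServiceURL == null) {
        // Fail here with a clear message instead of handing a null URL to the SOAP client.
        throw new IllegalStateException("IdP metadata has no ArtifactResolutionService with binding "
                + SAMLConstants.SAML2_SOAP11_BINDING_URI);
    }

    HttpClientBuilder clientBuilder = new HttpClientBuilder();
    HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), new BasicParserPool());
    soapClient.send(artifactResolutionServiceURL, soapContext);

    return (Envelope) soapContext.getInboundMessage();
}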
22
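/**
 * Builds the ArtifactResolve request for an artifact handed to the Assertion Consumer Service.
 *
 * <p>Issuer is this SP's entity ID from configuration, IssueInstant is now, ID is a fresh
 * secure-random identifier, and Destination is the IdP's SOAP-bound ArtifactResolutionService
 * from metadata (last match wins, matching the endpoint sendArtifactResolve posts to). The
 * generated ID is also stored in the {@code artifactResolveId} field so the ArtifactResponse's
 * InResponseTo can be checked against it. No signature is applied in this method.
 *
 * @param artifactString the artifact value received from the IdP as a request parameter;
 *     untrusted input that is only ever forwarded as an opaque string
 * @return a populated ArtifactResolve ready to be wrapped and sent
 * @throws IllegalArgumentException if {@code artifactString} is null or blank
 * @throws IllegalStateException if the IdP metadata lists no SOAP-bound ArtifactResolutionService
 */
private ArtifactResolve generateArtifactResolve(final String artifactString) throws CertificateEncodingException,
        MarshallingException, SignatureException, IllegalArgumentException, java.lang.SecurityException,
        IllegalAccessException {
    // The artifact is request input; reject an empty value before building a request around it.
    if (artifactString == null || artifactString.trim().isEmpty()) {
        throw new IllegalArgumentException("artifactString must not be null or blank");
    }

    ArtifactResolve artifactResolve = SAMLUtil.buildSAMLObjectWithDefaultName(ArtifactResolve.class);

    Issuer issuer = SAMLUtil.buildSAMLObjectWithDefaultName(Issuer.class);
    issuer.setValue(EvoteProperties.getProperty("SPEntityId"));
    artifactResolve.setIssuer(issuer);
    artifactResolve.setIssueInstant(new DateTime());

    // Keep the ID: the response's InResponseTo must be matched against it by the caller.
    artifactResolveId = SAMLUtil.getSecureRandomIdentifier();
    artifactResolve.setID(artifactResolveId);

    // Destination has to be the endpoint the message is actually delivered to.
    String destination = null;
    for (ArtifactResolutionService ars : metaData.getIdpEntityDescriptor()
            .getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getArtifactResolutionServices()) {
        // Constant on the left: a service element without a Binding attribute must not NPE.
        if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(ars.getBinding())) {
            destination = ars.getLocation(); // last match wins
        }
    }
    if (destination == null) {
        throw new IllegalStateException("IdP metadata has no ArtifactResolutionService with binding "
                + SAMLConstants.SAML2_SOAP11_BINDING_URI);
    }
    artifactResolve.setDestination(destination);

    Artifact artifact = SAMLUtil.buildSAMLObjectWithDefaultName(Artifact.class);
    artifact.setArtifact(artifactString);
    artifactResolve.setArtifact(artifact);

    return artifactResolve;
}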
1<saml2p:artifactresolve
2 destination="http://myIDP.test.com:80/opensso/ArtifactResolver/metaAlias/idp1"
3 id="_586f2345b514f6214b511f389e30ef60"
4 issueinstant="2011-01-24T08:47:52.895Z"
5 version="2.0"
6 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
7 <saml2:issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
8 my-alias
9 </saml2:issuer>
10 <saml2p:artifact>
11 AAQAAKHWNqF94IiJ1SjFRLxjyBBxq3RIkRN7/tJdnT2sFDU1tUtBRKJQMDE=
12 </saml2p:artifact>
13</saml2p:artifactresolve>
1<samlp:artifactresponse
2 destination="https://myIDP.test.com/saml/consumer"
3 id="s2df8548d497d8c779a1abddfad72adda2f06eefdd"
4 inresponseto="_586f2345b514f6214b511f389e30ef60"
5 issueinstant="2011-01-24T08:47:53Z"
6 version="2.0"
7 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
8 <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
9 IDP-alias
10 </saml:issuer>
11 <samlp:status>
12 <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
13 </samlp:statuscode>
14 </samlp:status>
15 <samlp:response
16 destination="https://myIDP.test.com/saml/consumer"
17 id="s23a356af812e879b3bfbbded4b62f000c7c8c27bb"
18 inresponseto="_bba7e8a2f7a7c51e339d614b2c2d1178"
19 issueinstant="2011-01-24T08:47:50Z"
20 version="2.0">
21 <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
22 IDP-alias
23 </saml:issuer>
24 <samlp:status>
25 <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
26 </samlp:statuscode>
27 </samlp:status>
28 <saml:assertion
29 id="s2365479533bf942f8eaaa2c267f9bd4ff679ebc1f"
30 issueinstant="2011-01-24T08:47:50Z"
31 version="2.0"
32 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
33 <saml:issuer>
34 IDP-alias
35 </saml:issuer>
36 <saml:subject>
37 <saml:nameid
38 format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
39 namequalifier="IDP-alias"
40 spnamequalifier="my-alias">
41 5VkzP/MZ1PMJ62o45/7DdFms9y7K
42 </saml:nameid>
43 <saml:subjectconfirmation method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
44 <saml:subjectconfirmationdata
45 inresponseto="_bba7e8a2f7a7c51e339d614b2c2d1178"
46 notonorafter="2011-01-24T08:57:50Z"
47 recipient="https://myIDP.test.com/saml/consumer">
48 </saml:subjectconfirmationdata>
49 </saml:subjectconfirmation>
50 </saml:subject>
51 <saml:conditions
52 notbefore="2011-01-24T08:37:50Z"
53 notonorafter="2011-01-24T08:57:50Z">
54 <saml:audiencerestriction>
55 <saml:audience>
56 my-alias
57 </saml:audience>
58 </saml:audiencerestriction>
59 </saml:conditions>
60 <saml:authnstatement
61 authninstant="2011-01-24T08:47:50Z"
62 sessionindex="s212cd7811734a92405b6ef8308a1b1a98e32e6f01">
63 <saml:authncontext>
64 <saml:authncontextclassref>
65 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
66 </saml:authncontextclassref>
67 </saml:authncontext>
68 </saml:authnstatement>
69 <saml:attributestatement>
70 <saml:attribute name="uid">
71 <saml:attributevalue
72 xmlns:xs="http://www.w3.org/2001/XMLSchema"
73 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
74 xsi:type="xs:string">
75 03011700143
76 </saml:attributevalue>
77 </saml:attribute>
78 <saml:attribute name="mail">
79 <saml:attributevalue
80 xmlns:xs="http://www.w3.org/2001/XMLSchema"
81 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
82 xsi:type="xs:string">
83 something@test.com
84 </saml:attributevalue>
85 </saml:attribute>
86 <saml:attribute name="telephone">
87 <saml:attributevalue
88 xmlns:xs="http://www.w3.org/2001/XMLSchema"
89 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
90 xsi:type="xs:string">
91 546848134886
92 </saml:attributevalue>
93 </saml:attribute>
94 </saml:attributestatement>
95 </saml:assertion>
96 </samlp:response>
97</samlp:artifactresponse>