Signing and Sending AuthnRequests in OpenSAML V3

calendar Aug 10, 2016 · 2 min read · SAML OpenSAMLV3 Digital signature  ·
Share on: linkedin copy

This article discusses singing and sending in OpenSAML 3. If you're looking for an article on OpenSAML 4, you will find it here and if you're looking for an article on OpenSAML 2, you will find it here

Signing and sending a AuthnRequest in OpenSAML V3 is fortunately not that different from how it was done in OpenSAML V2.

As described in this post on AuthnRequests OpenSAML V2, the AuthnRequest is the SAML request that starts a typical SSO authentication process. This is the SP requesting the IDP to authenticate a user.

As in V2 the HTTPRedirectDeflateEncoder is used to send messages using HTTP redirect, the main difference lays in the message context.

One of the major changes between V2 and V3 is the message contexts. In version 2, the message contexts where basically one object containing general properties about the message and its destination. In V3 the message context concept has been expanded to be more flexible contain more information. In the new context structure there is a context object per purpose.

In my book A Guide to OpenSAML V3 I cover the use of the new message contexts in detail.

To sign and send a AuthnRequest, three contexts are needed.

The main context is created and the AuthnRequest is set.

1MessageContext context = new MessageContext();
2context.setMessage(authnRequest);

The SAMLPeerEntityContext and SAMLEndpointContext are created and configured to point to the endpoint of the message.

1SAMLPeerEntityContext peerEntityContext = context.getSubcontext(SAMLPeerEntityContext.class, true);
2SAMLEndpointContext endpointContext = peerEntityContext.getSubcontext(SAMLEndpointContext.class, true);
3endpointContext.setEndpoint(idpEndpoint);
Next, the security parameters context is created and populated with signing information

1SignatureSigningParameters signatureSigningParameters = new SignatureSigningParameters();
2signatureSigningParameters.setSigningCredential(SPCredentials.getCredential());
3signatureSigningParameters.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
4context.getSubcontext(SecurityParametersContext.class, true).setSignatureSigningParameters(signatureSigningParameters);

Next, the HTTPRedirectDeflateEncoder is created and populated with context and the http request object.

1HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
2encoder.setMessageContext(context);
3encoder.setHttpServletResponse(httpServletResponse);

Lastly the encoder is initialized and the message is encoded

1encoder.initialize();
2encoder.encode();