What is it? The SAML Web Browser SSO Profile is one of the profiles defined in the SAML specification. As described in my introductory post on SAML, profiles describes how to fulfill a specific use-case using SAML. In the realm of user authentication using SAML, the Web Browser Profile is very frequently used. The …

OpenSAML can be used to generate metadata. As with reading metadata, the library is pretty straight forward in relation to the metadata XML. This is an example for generating a SP metadata file We start by creating the EntityDescriptor, setting the EntityId and building the SSO descriptor. 1EntityDescriptor …

OpenSAML have several methods for reading and parsings SAML metadata. Meta data is loaded using providers. For example FilesystemMetadataProvider - Used to load data from a file on the filesystem HTTPMetadataProvider - Used to load data from an Internet address Here is an example on how to load meta data using the …

Meta data is essential to set up a integration between two parties in SAML. But what is it? How does it work? How do you exchange it and where does this create a trust? All these questions will be answered!

Creating SAML objects This is implementations of some of the methods in the SAMLUtil class referenced in other examples. OpenSAML has a bit struggling way to create SAML objects using a factory pattern. The normal way to create a SAML object is like this. 1XMLObjectBuilderFactory builderFactory = …

For all cryptographic functions OpenSAML requires a Credential which is a basically a cryptographic key wrapped in an object. The Credential can contain either an symmetric key or an asymmetric key not both. The Credential can be created manually with BasicX509Credential and BasicCredential classes and then populated …

In my case the, after the sign on at the IdP is completed, the user is redirected to my `Assertion Consumer Service URL defined in meta data. The IdP sends an artifact back as a parameter.The artifact is a label pointing to the actual user data/login information(the assertion) at the IdP. The user data is not sent in …

To logout an user from the SP an LogoutRequest is sent. The data needed about the user is the SessionIndex and NameID from the data recived at login. I my case in the Assertion in the Artifact Resolve Response. 1//IPR Ergogroup AS 2public static void doSynchronousLogout(final HttpSession sessionToLogout, final …

Information and example on how to sign and send authnrequests in OpenSAML