When exchanging information with SAML it is highly recommended to sign and verify signatures on all messages. This to ensure the the sender really is how he says he is and that the information sent has not been manipulated during transport. Every SAML object that implements the SignableXMLObject interface can be …

Read More

Some helpful examples of projects using OpenSAML

Read More

What is it? The SAML Web Browser SSO Profile is one of the profiles defined in the SAML specification. As described in my introductory post on SAML, profiles describes how to fulfill a specific use-case using SAML. In the realm of user authentication using SAML, the Web Browser Profile is very frequently used. The …

Read More

OpenSAML can be used to generate metadata. As with reading metadata, the library is pretty straight forward in relation to the metadata XML. This is an example for generating a SP metadata file We start by creating the EntityDescriptor, setting the EntityId and building the SSO descriptor. 1EntityDescriptor …

Read More

OpenSAML have several methods for reading and parsings SAML metadata. Meta data is loaded using providers. For example FilesystemMetadataProvider - Used to load data from a file on the filesystem HTTPMetadataProvider - Used to load data from an Internet address Here is an example on how to load meta data using the …

Read More

Meta data is essential to set up a integration between two parties in SAML. But what is it? How does it work? How do you exchange it and where does this create a trust? All these questions will be answered!

Read More

During my work with OpenSAML I have created a few helper methods to make it easier to do common things in OpenSAML such as object creation and logging of SAML XML. I my code samples I keep this in the SAMLUtil class. Creating SAML objects OpenSAML has a bit complex way of creating SAML objects using a factory pattern. …

Read More

For all cryptographic functions OpenSAML requires a Credential which is a basically a cryptographic key wrapped in an object. The Credential can contain either an symmetric key or an asymmetric key not both. The Credential can be created manually with BasicX509Credential and BasicCredential classes and then populated …

Read More

In my case the, after the sign on at the IdP is completed, the user is redirected to my `Assertion Consumer Service URL defined in meta data. The IdP sends an artifact back as a parameter.The artifact is a label pointing to the actual user data/login information(the assertion) at the IdP. The user data is not sent in …

Read More

To logout an user from the SP an LogoutRequest is sent. The data needed about the user is the SessionIndex and NameID from the data recived at login. I my case in the Assertion in the Artifact Resolve Response. 1//IPR Ergogroup AS 2public static void doSynchronousLogout(final HttpSession sessionToLogout, final …

Read More