Now we have a new problem. Our system is very old and still uses Java 1.4. The
SAML I just created uses opensaml-2.3.3.jar, which is supported by Java 1.5. I
have to go back to opensaml-1.1.jar, which is supported by Java 1.4.
I am using org.opensaml.SAMLResponse in opensaml-1.1b.jar to create assertion
responses. The assertion response looks like: ......
I'm not particularly familiar with OpenSAML, but its web site says it is just a
library and does not provide a complete SAML identity provider (IdP) or
service provider (SP). You'll need an IdP and an SP to get things working.
SAML itself is a fairly complicated process; there are at least five or six
steps behind the scenes between clicking the SSO link and reaching the landing
page. I found Wikipedia has a good explanation of SAML. Google also provides
some SSO APIs. PingIdentity is a decent vendor with good documentation.
Actually, I believe we are the identity provider. Now we are developing a
website for a bank.
I contacted Ping Identity at first, but now we will use the mFoundry product,
as the bank client said. The thing is that they did not give us an example of
how to use it.
Do you know how to make a URL which includes SSO? I think I have a lot of
information about the server-side code, but how does it interact with the web
sites?
Assuming the bank is the SP, they should tell you what URL you should post the
SAML assertion to, the URL of the landing page (optional), and the attributes
used within the SAML (assuming you are using browser POST). You two also need
to exchange certificates for encryption and signature purposes.
I don't know mFoundry; however, SAML is a standard, and the point of using a
standard is to have a vendor-independent solution. I can't think of a reason
you have to use mFoundry.
In PingFederate server, you can set up a Id
1. You are supposed to return the above HTML to the client browser as the
result/response when the user clicks the SSO link. The browser will POST the data
to the bank site by .
2. The value of SAMLResponse is the base64-encoded and URL-encoded SAML
assertion. A SAML assertion uses XML. You should be able to read it and
understand the structure.
3. You are not sending the keystore; you are supposed to send the public key file.
Keystore is where Java reads keys f
Today I used keytool to create a keystore file and imported the certificate
they gave me into the keystore. Then I created an assertion. I found an
assertion debug tool online. Now I can read the assertion after decoding it.
I put the assertion into a test web page and submitted the form. I do not think
I got a correct response after submitting the form. It shows a login error.
How do I know my assertion is correct?
How do I change/define the key name in the keystore file?
Thank you a lot.
What kind of assertion debug tool did you find?
You'll need first to make sure you are posting the entire message as the
bank instructed, the entire HTML post, not just the SAML.
After that, the only thing you can do is to see if your SAML assertion is in
a good SAML/XML format, with all required SAML elements. You'll need to talk
to your bank folks; they normally have detailed debug info in their logs.
Normally we don't expose these details for security reasons.
Do I have to change my current XML namespace to follow their standard?
If so, do you know of a converter?
Thank you.
I believe that the different namespace is the only problem I may have right
now.
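The check suggested above (is the posted SAMLResponse base64-encoded SAML 2.0 XML in the expected namespace, with the required elements?) as an added Python example; it is not part of any post in this thread and not an mFoundry or OpenSAML tool. The namespace URIs are the SAML 2.0 ones; the sample response and its hostnames are constructed, and the SP's ACS URL is whatever the bank tells you to post to.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # prefer defusedxml for input you do not control

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def encode_form_value(xml_text):
    # Base64 the XML, then URL-encode it the way a browser does when it posts the form.
    return urllib.parse.quote(base64.b64encode(xml_text.encode("utf-8")).decode("ascii"))

# Constructed sample of the (unsigned) response an IdP puts in the SAMLResponse field.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"'
    ' IssueInstant="2010-01-01T00:00:00Z" Destination="https://sp.example.test/acs">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2010-01-01T00:00:00Z" NotOnOrAfter="2010-01-01T00:05:00Z"/>'
    "</saml:Assertion></samlp:Response>"
) % (SAML2P, SAML2, SUCCESS)
SAMPLE_FORM_VALUE = encode_form_value(SAMPLE_XML)

def check_saml_response(form_value, expected_acs):
    """List structural problems in a SAMLResponse form value (empty = OK); signature checks are the SP's job."""
    try:
        root = ET.fromstring(base64.b64decode(urllib.parse.unquote(form_value), validate=True))
    except (ValueError, ET.ParseError) as e:
        return ["not base64-encoded XML: %s" % e]
    if root.tag != "{%s}Response" % SAML2P:  # e.g. a SAML 1.x response from opensaml-1.1
        return ["root element is %s, expected {%s}Response" % (root.tag, SAML2P)]
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination %r is not the SP's ACS URL" % root.get("Destination"))
    code = root.find("{%s}Status/{%s}StatusCode" % (SAML2P, SAML2P))
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = root.findall("{%s}Assertion" % SAML2)
    if not assertions:
        problems.append("no Assertion element")
    for a in assertions:
        if a.find("{%s}Subject/{%s}NameID" % (SAML2, SAML2)) is None:
            problems.append("Assertion without Subject/NameID")
        cond = a.find("{%s}Conditions" % SAML2)
        if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
            problems.append("Conditions missing NotBefore/NotOnOrAfter")
    return problems
```

Run it on the value your test page actually posts: a root element in a SAML 1.x namespace is reported immediately, which is the namespace mismatch discussed in this thread.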
Why don't you just use some open source SAML framework, so you can focus more
on business requirements? It'll be painful to manage federation partners
when the business grows.
Good suggestion.
their end.
I wrote to Shadi at the mFoundry company before I posted this question here.
That person still has not replied to my email. Now I have just written to our
client, the bank, about this matter.