Anyone know SAML 2.0 and OpenSAML?
Any example for it? Links?
Thanks
j**z posts: 109
2
Rule of thumb: google
I might be able to help if you have specific questions.
j*******y posts: 965
3
There are examples online; I downloaded one and ran it. The Java code doesn't seem complicated. But I want to use it on a web page, and there don't seem to be any examples online of OpenSAML applied directly on a web page.
Most parts of our website currently don't use Web Services. How do I integrate OpenSAML with the web pages?
Thank you in advance.
j**z posts: 109
4
Not particularly familiar with OpenSAML. But from its web site, it says it
is just a library, and does not provide a complete SAML identity provider (IdP) or
service provider (SP). You'll need an IdP and an SP to get things working.
SAML itself is a fairly complicated process; there are at least five or six
steps behind the scenes between clicking the SSO link and the landing page. I
found Wikipedia has a good explanation of SAML. Google also provides some SSO
APIs. PingIdentity is a decent vendor with good documentation.
j*******y posts: 965
5
Actually, I believe we are the identity provider. Now we are developing a website
for a bank.
I contacted Ping Identity at first, but now we will use the mFoundry product, as
the bank client said. The thing is that they did not give us an example of how
to use it.
Do you know how to make a URL which includes SSO? I think I have a lot of
information about the server-side code, but how does it interact with the web
sites?
j**z posts: 109
6
Assuming the bank is the SP, they should tell you what URL you should post the
SAML assertion to, the URL of the landing page (optional), and the attributes used
within SAML (assuming you are using browser POST). You two also need to
exchange certificates for encryption and signature purposes.
Don't know mFoundry; however, SAML is a standard, and the point of using a standard
is to have a vendor-independent solution. I can't think of a reason you
have to use mFoundry.
In PingFederate server, you can set up an Id
j*******y posts: 965
7
Thank you very much. I think I need more study.
j*******y posts: 965
8
Today they provided certificates, the URL we should redirect to, many jar
files, and some code for the SAML hand-off.
base64 encoded string”/>
1) They ask me
j**z posts: 109
9
1. You are supposed to return the above HTML to the client browser as the
result/response when the user clicks the SSO link. The browser will POST the data
to the bank site by .
2. The value of SAMLResponse is the base64-encoded and URL-encoded SAML assertion.
SAML assertions use XML. You should be able to read it and understand the
structure.
3. You are not sending the keystore; you are supposed to send the public key file.
The keystore is where Java reads keys f
j*******y posts: 965
10
Today I used keytool to create a keystore file and imported the certificate
they gave me into the keystore. Then I created an assertion. I found an
assertion debug tool online. Now I can read the assertion after decoding it.
I put the assertion into a test web page and submitted the form. I do not think I
got a correct response after submitting the form. It shows a login error.
How do I know my assertion is correct?
How do I change/define the key name in the keystore file?
Thank you very much.
What kind of assertion debug tool did you find?
You'll first need to make sure you are posting the entire message as the
bank instructed, the entire HTML post, not just the SAML.
After that, the only thing you can do is to see if your SAML assertion is in
a good SAML/XML format, with all required SAML elements. You'll need to talk
to your bank folks; they normally have detailed debug info in their logs.
Normally we don't expose these details for security reasons.
j*******y posts: 965
13
Today I got the success response from the bank. In the last few days, they
gave us wrong action links.
Now I feel great. Thank you for your help.
j*******y posts: 965
14
Now we have a new problem. Our system is very old and still uses Java 1.4. The
SAML I just created uses opensaml-2.3.3.jar, which is supported by Java 1.5. I
have to go back to opensaml-1.1.jar, which is supported by Java 1.4.
Using org.opensaml.SAMLResponse in opensaml-1.1b.jar to create assertion
responses. The assertion response looks like: ......
j**z posts: 109
15
Looks good, just a different XML namespace from what you posted above.
j*******y posts: 965
16
Do I have to change my current XML namespace to follow their standard?
If so, do you know of a converter?
Thank you.
I believe that the different namespace is the only problem I may have right
now.
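As an added example (not code from this thread, and not OpenSAML's API), the check below does on the SP side what posts 9, 11 and 15 ask for by hand: decode the base64 SAMLResponse from the POST form, confirm it is a SAML 2.0 Response rather than the SAML 1.x namespace that OpenSAML 1.1 emits, and confirm the required elements and validity window are present. The issuer and audience URLs and the sample message are constructed for the example; only the standard SAML 2.0 and XML-DSig namespaces are real.

```python
# Added example (not from the thread): structural pre-flight check of a SAMLResponse as
# carried by the browser-POST binding. It does NOT verify the XML signature; the SP must.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1P = "urn:oasis:names:tc:SAML:1.0:protocol"  # namespace OpenSAML 1.1 emits
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def ts(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(b64, audience, now):
    """Return a list of findings; empty means the message looks well-formed for this SP."""
    root = ET.fromstring(base64.b64decode(b64))
    ns, _, tag = root.tag.lstrip("{").partition("}")
    if ns == SAML1P:
        return ["SAML 1.x namespace (OpenSAML 1.1 output); the SP expects SAML 2.0"]
    if (ns, tag) != (SAML2P, "Response"):
        return ["unexpected root element " + root.tag]
    f = []
    if root.find(f"{{{SAML2}}}Issuer") is None:
        f.append("missing Issuer")
    a = root.find(f"{{{SAML2}}}Assertion")
    if a is None:
        return f + ["missing Assertion"]
    if root.find(f"{{{DSIG}}}Signature") is None and a.find(f"{{{DSIG}}}Signature") is None:
        f.append("no XML signature on Response or Assertion")
    if a.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID") is None:
        f.append("missing Subject/NameID")
    c = a.find(f"{{{SAML2}}}Conditions")
    if c is None:
        return f + ["missing Conditions"]
    if not ts(c.get("NotBefore")) <= now < ts(c.get("NotOnOrAfter")):
        f.append("outside NotBefore/NotOnOrAfter window")
    if audience not in [e.text for e in c.iter(f"{{{SAML2}}}Audience")]:
        f.append("Audience does not name this SP")
    return f

# Constructed, unsigned sample, base64-encoded the way the IdP puts it in the hidden field.
SAMPLE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{SAML2P}" xmlns:saml="{SAML2}"
  ID="_r1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z"><saml:Issuer>https://idp.example.test</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-01-01T00:00:00Z" NotOnOrAfter="2010-01-01T00:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://bank.example.test/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>""".encode()).decode()
```

Run against the sample it reports only the missing signature; the same check on an opensaml-1.1 message stops at the namespace test, which is the mismatch discussed above.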
c*c posts: 447
17
Why don't you just use some open-source SAML framework, so you can focus more
on business requirements? It'll be painful to manage federation partners
when the business grows.
Good suggestion.
their end.
I wrote to Shadi at the mFoundry company before I posted this question here. That
person still has not replied to my email yet. Now I have just written to our client,
the bank, about this matter.