Page tree
Skip to end of metadata
Go to start of metadata
Purpose
The purpose of this module is to understand how to integrate a web application as SAML 2.0 Service Provider
Requirements
  • SSO installed


Overview

In a real case, your customers will have to connect one or more external services such as a CMS, ordering portal, support tools etc, which are called Service Providers (SP) in SAML terminology. In this lab, we will use SAML 2.0 as the authentication protocol and will connect to a Java sample application SmartPlan Application. This will represent the target service.


Ubisecure SSO implements SAML Identity Provider (IdP) role.


SAML Refresher Course

SAML 2.0 Overview

As you see in the diagram:

  1. User navigates to SP service with his web browser
  2. User doesn’t have an SP session. SP sends an AuthnRequest to IDP
  3. IDP authenticates the user either by using an existing session or by requesting user credentials
  4. IDP forms a SAML Assertion and sends it to SP within Response message
  5. SP receives the Response message and grants access to the service

IDP: Identity Provider

SP: Service Provider


SAML 2.0 Metadata

SAML Metadata is an XML file describing how to communicate with a SAML SP or IDP

  • Which SAML protocol features are used (profiles, bindings)
  • Which HTTP addresses are used for messaging
  • Which public key should be used for verifying message integrity and encryption

Ubisecure products build the metadata automatically

Example SSO Endpoint definition:



Integration of SAML SP application for Java with Ubisecure SSO

Instructions

In summary, the main phases of integrating a SAML SP application for Java with Ubisecure SSO are:

  1. Generation of Service Provider metadata
  2. Application creation
  3. IdP metadata copied to application server
  4. Configure authentication and authorisation
  5. Sign in to the service

At the end of this lab, you will have successfully logged in to the web application SmartPlan Application by using password authentication. You will use this application later in Lab 2.4: Authorisation Policy and Lab 2.5: Federation Configuration.

The instructions are in the following section.

Step-by-step guide

  1. Install a separate Tomcat 9.0 on your system (in order to avoid potential conflicts with SSO's Tomcat installation). Use the 32-bit/64-bit Windows Service Installer file located in C:\Users\Administrator\Desktop\Ubisecure\apache-tomcat-9.0.19.exe

    During the installation, select port 8090 (or another that is not taken) for HTTP/1.1 Connector Port.



    The path to install Java is C:\Program Files\Java\jdk1.8.0_144\jre

    The system is running when the address http://localhost:8090/ answers as follows:





    You can also modify the port number after installation. Do edit the file C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\server.xml


  2. Install SmartPlan Application

    The package is available at C:\Users\Administrator\Desktop\Ubisecure\ubisp-sample-2.5-smartplan.zip

    Unzip the package and extract all files in directory C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\


  3. Create private and public keys:

    cd /d "C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF"

    "C:\Program Files\Java\jdk1.8.0_144\bin\java.exe" -jar lib/ubisaml2.jar Generate http://localhost:8090/smartplanapplication/spsso -o saml2/sp -y

  4. Create service provider metadata:

    cd /d "C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF"

    "C:\Program Files\Java\jdk1.8.0_144\bin\java.exe" -jar lib/ubisaml2.jar Metadata saml2/sp -f sp-metadata.xml -y

  5. Open Ubisecure SSO management console https://login.smartplan.com:8443/ubilogin. Right click [SAML 2.0] to save the identity provider's SAML 2.0 metadata file (metadata.xml) to directory C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF\saml2\sp\metadata\





  6. Restart Apache Tomcat using Services. The application will re-read the configuration during startup.



  7. Create an application in Ubisecure SSO management console.
    First, create a site ("SmartPlan" on the screenshot below).



    Select the site "SmartPlan", Site Methods, and select Add Methods... and choose the authentication methods that will need to be used on this site. For now, add "CustomerID Password."


  8. Go back to "Site" tab and then click "New Application." When the popup window appears, write the name of your application (SmartPlan Application), select "SAML Service Provider" and click on "Enabled" box. Finally, accept with the "OK" button.





  9. At "ID and Activation" press "Activate" and select the metadata from C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF\sp-metadata.xml



  10.  Then go to "Allowed Methods" and add "CustomerID Password." Click "Update"



  11. Go to SmartPlan site, Applications, and select "SmartPlan Application." In "Allowed to" add "eIDMUser" group.



  12. Now open your browser:http://localhost:8090/smartplanapplication/  (Ignore security warning if you haven't installed HTTPS:)



  13. Now log in with username scott.long@smartplan.com (imported as part of lab 1.1) using the configured authentication method:



  14. Finally, you will see a page like this which displays the user's id and the authentication methods. In Lab 2.4 (Authorisation Policy) you will learn how to send user attributes and display them in this page.



  15. You're done.



Additional information

Solicited and Unsolicited SAML Response

  • AuthnRequest/Response sequence implements pull functionality
  • In the picture SP B requests an assertion from IDP

  • Unsolicited Response sequence enables implementation of push functionality
  • In the picture SP A requests IDP to send an Assertion to SP B
  • SP B receives an Unsolicited Response message, i.e. a message it has not requested

Application integration methods:

In this lab we used SAML for integration. There are many compatibility flags to integrate diverse SAML applications

SAML Compatibility Flags

Other integration methods can be found under the link below.

Application integration - SSO




  • No labels