
Purpose
The purpose of this module is to understand how to integrate a web application as a SAML 2.0 Service Provider.
Requirements
  • SSO installed


Overview

In a real case, your customers will have to connect one or more external services, such as a CMS, an ordering portal or support tools, which are called Service Providers (SP) in SAML terminology. In this lab, we will use SAML 2.0 as the authentication protocol and will connect to a Java sample application, ubisp-sample, which represents the target service.


Ubisecure SSO implements the SAML Identity Provider (IdP) role.


SAML Refresher Course

SAML 2.0 Overview

As you see in the diagram:

  1. The user navigates to the SP service with a web browser
  2. The user does not have an SP session, so the SP sends an AuthnRequest to the IDP
  3. The IDP authenticates the user, either by using an existing session or by requesting user credentials
  4. The IDP forms a SAML Assertion and sends it to the SP within a Response message
  5. The SP receives the Response message and grants access to the service

IDP: Identity Provider

SP: Service Provider


SAML 2.0 Metadata

SAML Metadata is an XML file describing how to communicate with a SAML SP or IDP:

  • Which SAML protocol features are used (profiles, bindings)
  • Which HTTP addresses are used for messaging
  • Which public keys should be used for verifying message integrity (signatures) and for encryption

Ubisecure products build the metadata automatically.

Example SSO Endpoint definition:



Integration of SAML SP application for Java with Ubisecure SSO

Instructions

The instructions are in the how-to article "How to install Sample SAML service provider application for Java" on the Ubisecure Developer and Partner Portal.


Install Tomcat with its HTTP/1.1 Connector on port 8090.

In summary, the main phases are:

  1. Generate the Service Provider metadata
  2. Create the Agent
  3. Copy the IdP metadata to the application server
  4. Modify the IdP metadata
  5. Configure authentication and authorization
  6. Sign in to the service

At the end of this lab, you will have successfully logged in to the web application ubisp-sample by using password authentication.

You will use this sample application later in Lab 2.2: Authorization Policy and Lab 2.4: Federation Configuration.



Additional information

Solicited and Unsolicited Response

  • The AuthnRequest/Response sequence implements pull functionality
  • In the picture, SP B requests an assertion from the IDP

  • The Unsolicited Response sequence enables push functionality
  • In the picture, SP A requests the IDP to send an Assertion to SP B
  • SP B receives an Unsolicited Response message, i.e. a message it has not requested

