
Purpose
The purpose of this module is to understand how to integrate a web application as a SAML 2.0 Service Provider.
Requirements
  • SSO installed


Overview

In a real case, your customers will have to connect one or more external services such as a CMS, an ordering portal, support tools etc., which are called Service Providers (SP) in SAML terminology. In this lab, we will use SAML 2.0 as the authentication protocol and will connect to the Java sample application ubisp-sample, which represents the target service.


Ubisecure SSO implements the SAML Identity Provider (IdP) role.


SAML Refresher Course

SAML 2.0 Overview

As you see in the diagram:

  1. The user navigates to the SP service with their web browser
  2. The user doesn't have an SP session, so the SP sends an AuthnRequest to the IDP
  3. The IDP authenticates the user, either by using an existing session or by requesting user credentials
  4. The IDP forms a SAML Assertion and sends it to the SP within a Response message
  5. The SP receives the Response message and grants access to the service

IDP: Identity Provider

SP: Service Provider


SAML 2.0 Metadata

SAML Metadata is an XML file describing how to communicate with a SAML SP or IDP:

  • Which SAML protocol features are used (profiles, bindings)
  • Which HTTP addresses are used for messaging
  • Which public keys should be used for verifying message integrity (signatures) and for encryption

Ubisecure products build the metadata automatically.

Example SSO Endpoint definition:
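As an added example (not from the original page or from the ubisp-sample project), the following Python script parses an SP metadata file of the kind generated in step 4 and lists what the IdP administrator should verify before activating it: the entityID, the AssertionConsumerService endpoints and the presence of signing and encryption keys. The embedded metadata is constructed for illustration; its entityID and endpoint follow the URL used in step 3, and the certificate is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata in the shape an SP generator emits (not real ubisaml2.jar output).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8090/sample/spsso">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8090/sample/spsso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the facts an IdP administrator should check before activating the SP."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    key_uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # an absent 'use' attribute means the key serves both purposes
        key_uses.update([use] if use else ["signing", "encryption"])
    acs = [(a.get("Binding").rsplit(":", 1)[-1], a.get("Location"))
           for a in sp.findall("md:AssertionConsumerService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "key_uses": key_uses,
        "acs": acs,
    }


def review(meta, expected_entity_id):
    """List findings; an empty list means the file is ready for 'Activate' (step 9)."""
    findings = []
    if meta["entity_id"] != expected_entity_id:
        findings.append("entityID %s differs from expected %s" % (meta["entity_id"], expected_entity_id))
    if "signing" not in meta["key_uses"]:
        findings.append("no signing key: the IdP cannot verify signed AuthnRequests")
    if not meta["acs"]:
        findings.append("no AssertionConsumerService: nowhere to deliver the Response")
    for binding, location in meta["acs"]:
        if location.startswith("http://"):
            findings.append("ACS %s (%s) is plain HTTP; acceptable only in this lab" % (location, binding))
    return findings
```

Running `review(parse_sp_metadata(SP_METADATA), "http://localhost:8090/sample/spsso")` yields a single finding about the plain-HTTP endpoint, which is expected for this lab setup.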



Integration of SAML SP application for Java with Ubisecure SSO

Instructions

In summary, the main phases of integrating a SAML SP application for Java with Ubisecure SSO are:

  1. Generation of Service Provider metadata
  2. Agent creation
  3. IdP metadata copied to the application server
  4. IdP metadata modification
  5. Configure authentication and authorization
  6. Sign in to the service

At the end of this lab, you will have successfully logged in to the web application ubisp-sample by using password authentication. You will use this sample application later in Lab 2.2: Authorization Policy and Lab 2.4: Federation Configuration.

The instructions are in the following section.

Step-by-step guide

  1. Install a separate Tomcat 9.0 on your system (to avoid potential conflicts with the SSO's Tomcat installation). Use the 32-bit/64-bit Windows Service Installer file located at C:\Users\Administrator\Desktop\Ubisecure\apache-tomcat-9.0.8.exe

    During the installation, select port 8090 (or another that is not taken) for HTTP/1.1 Connector Port.


    The Java installation path to select is C:\Program Files\Java\jdk1.8.0_144\jre

    The system is running when the address http://localhost:8090/ answers as follows:


    You can also modify the port number after installation by editing the file C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\server.xml


  2. Install "ubisp-sample"

    The package is available at C:\Users\Administrator\Desktop\Ubisecure\ubisp-sample-2.5.zip

    Unzip the package and extract all files into the directory C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\

  3. Create the private and public keys:

    cd /d "C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\sample\WEB-INF"

    "C:\Program Files\Java\jdk1.8.0_144\bin\java.exe" -jar lib/ubisaml2.jar Generate http://localhost:8090/sample/spsso -o saml2/sp -y

  4. Create the service provider metadata:

    cd /d "C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\sample\WEB-INF"

    "C:\Program Files\Java\jdk1.8.0_144\bin\java.exe" -jar lib/ubisaml2.jar Metadata saml2/sp -f sp-metadata.xml -y

  5. Open the Ubisecure SSO management console. Save the identity provider's SAML 2.0 metadata file (metadata.xml) to the directory C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\sample\WEB-INF\saml2\sp\metadata\





  6. Restart Apache Tomcat using Services. The application will re-read the configuration during startup.
  7. Create an application in the Ubisecure SSO management console.
    First, create a site ("Application site" in the screenshot below).
    Select the site, go to Site Methods, select Add Methods... and choose the authentication methods that will be used on this site.
  8. Go back to the "Site" tab and click "New Application." When the popup window appears, enter the name of your application, select "SAML Service Provider" and tick the "Enabled" box. Finally, confirm with the "OK" button.



  9. Under "ID and Activation", press "Activate" and select the metadata file C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\sample\WEB-INF\sp-metadata.xml

  10. Then go to "Allowed Methods" and add "Password"



  11. Create a group


  12. Create the user CUSTOMER and set a password


  13. Add the user to the group "Sample application group." To do that, select the user, go to the "Member Of" tab and select "Sample application group."

  14. Go to the Applications site, Applications, and select "sample." Under "Allowed to", add "Sample application group"
  15. Create an authorization policy for the application.


  16. In the next screen you will see this. Then go to the "Attributes" tab


  17. The Attributes screen looks empty at first:


  18. Click the "Add" button at the bottom. On the left side, select "Applications site", and then on the right side "Sample application" (or the group you have created).


  19. Once you click "OK" you will see the following view. The attribute name is listed, and you can click on "Show values" to see more details.


  20. Now you can add as many attributes as you wish to transmit to the application. Let's add: first name, last name, mobile phone and roles. To do that, edit the "Value" that appears when you show values. Also make sure that the "Name" field is a single word without spaces. The following table shows the values you must add for each attribute:

    Attribute            | Name         | Value
    First name           | name         | user:givenname
    Surname              | surname      | user:sn
    Mobile phone number  | mobilenumber | user:mobile
    Roles                | roles        | eidm:roles

    To add roles, select "eIDM Groups" in the Site Navigator, and then select the eIDMUser group.


  21. Once all attributes are added, you should see something like this. Make sure that you have ticked "show values" for all attributes.


  22. Attach the authorization policy to the sample application using the Applications tab. Select the sample application.
  23. Now open your browser at http://localhost:8090/sample/ (ignore the security warning if you haven't installed HTTPS)



  24. Now you will be prompted to log in using the configured authentication method:




  25. Finally, you will see a page like this which displays the user's attributes. The attributes shown are determined by the settings made in the authorization policy.



  26. You're done.




Additional information

Solicited and Unsolicited Response

  • The AuthnRequest/Response sequence implements pull functionality
  • In the picture, SP B requests an assertion from the IDP

  • The Unsolicited Response sequence enables the implementation of push functionality
  • In the picture, SP A requests the IDP to send an Assertion to SP B
  • SP B receives an Unsolicited Response message, i.e. a message it has not requested
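As an added example (not from the original page or the ubisp-sample project), the following Python code shows the SP-side acceptance logic that separates the two cases above: a solicited Response must carry an InResponseTo matching an AuthnRequest the SP actually sent, while an unsolicited Response has none and is accepted only when the SP is configured for push. The IdP entityID and the Response builder are constructed for illustration, and signature verification is outside the scope of this snippet.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def make_response(issuer, in_response_to=None):
    """Constructed, unsigned Response skeleton (signature verification is not covered here)."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0"%s '
            'Destination="http://localhost:8090/sample/spsso">'
            '<saml:Issuer>%s</saml:Issuer></samlp:Response>'
            % (NS["samlp"], NS["saml"], irt, issuer))


class ResponseGate:
    """SP-side acceptance logic for pull (solicited) and push (unsolicited) responses."""

    def __init__(self, idp_entity_id, acs_url, allow_unsolicited=False):
        self.idp_entity_id = idp_entity_id   # entityID from the IdP metadata copied in step 5
        self.acs_url = acs_url               # our own AssertionConsumerService location
        self.allow_unsolicited = allow_unsolicited
        self.pending = set()                 # AuthnRequest IDs sent but not yet answered

    def send_authn_request(self, request_id):
        self.pending.add(request_id)

    def classify(self, xml_text):
        root = ET.fromstring(xml_text)
        if root.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            return "rejected: unknown issuer"
        if root.get("Destination") != self.acs_url:
            return "rejected: wrong destination"
        irt = root.get("InResponseTo")
        if irt is None:                      # push case: nobody on this SP asked for it
            return "unsolicited" if self.allow_unsolicited else "rejected: unsolicited"
        if irt not in self.pending:          # unknown ID, or an answer already consumed (replay)
            return "rejected: unmatched InResponseTo"
        self.pending.discard(irt)            # each AuthnRequest is answered at most once
        return "solicited"
```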

