diff --git a/README.md b/README.md index c53dc75..7d1a173 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,9 @@ A simple SAML application built with opensaml and pac4j to understand the SAML w An example SAML authentication webflow: -There are three parties involved in the authentication: the user's -browser, the Service Provider (SP) - saml-example in this example, and -the Identity Provider (IDP). The IDP can be any SAML 2.0 identity +There are three parties involved in the authentication: the *user's +browser*, the Service Provider *(SP) - saml-example in this example*, and +the Identity Provider *(IDP)*. The IDP can be any SAML 2.0 identity provider. The negotiation looks like this: @@ -22,13 +22,13 @@ authenticated session for the browser, so it returns a special "SAML Login 1" response. This is generated by pac4j and opensaml in saml-example. The response is a form that auto-submits itself (request 2) to the IDP. The form includes a SAMLRequest parameter -that encodes it's identity. +that encodes its identity. The IDP determines the user is not yet authenticated, and presents a login form where the user enters their IDP creds (requests 3 and 4). The response to the successful login is another auto-submitting form, -this time with a SAMLResponse parameter. This is auto-sumbitted to +this time with a SAMLResponse parameter. This is auto-submitted to the SP callback URL. When the form is submitted the SP decodes the SAMLResponse and gets 
@@ -42,5 +42,29 @@ Create a java keystore and create a key pair with alias saml in the current dire keytool -genkey -keyalg RSA -alias saml -keypass changeit -keystore trust.keystore -storepass changeit Copy the IDP metadata XML document to -src/main/resources/idp-metadata.xml. Build, run and browse to -localhost:8080. +`src/main/resources/idp-metadata.xml`. + +Build (`mvn compile`), run (`mvn exec:java -Dexec.mainClass="ca.redtoad.Main"`) and browse to http://localhost:8080. + +Testing on samltest.id +---------------------- + +To test this project against https://samltest.id saml service (there is IdP and also SP), +you first need to prepare your custom sp metadata, with custom entityID. +One minimal example generated on online tool, https://www.samltool.com/sp_metadata.php +is in `sp-metadata.xml` in this repo. + +Most important is entityId (in sample file, `http://localhost:8080/callback?skúškaaaa`). +Another important info in this file is a callback url. It contains domain, path and +client name. Client name is configured in `SAML2ClientBuilder` class and it is +set to `SAMLExample`. We can keep it as-is. +EntityId is also used by samltest.id service as a primary key when uploading config. +Then [upload](https://samltest.id/upload.php) your sp-metadata.xml to the service. + +Change your entityId also in source code, in `SAML2ClientBuilder` class, there is +a call to `config.setServiceProviderEntityId` method. + +To obtain `idp-metadata.xml` file, you can go to https://samltest.id/download/ page and +download given file +(Direct link is https://samltest.id/saml/idp, and you need to save it +to `src/main/resources/idp-metadata.xml` file). diff --git a/sp-metadata.xml b/sp-metadata.xml new file mode 100644 index 0000000..51136dc --- /dev/null +++ b/sp-metadata.xml @@ -0,0 +1,13 @@ + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + + 
diff --git a/src/main/java/ca/redtoad/SAML2ClientBuilder.java b/src/main/java/ca/redtoad/SAML2ClientBuilder.java index 093b2de..da47f4f 100644 --- a/src/main/java/ca/redtoad/SAML2ClientBuilder.java +++ b/src/main/java/ca/redtoad/SAML2ClientBuilder.java @@ -8,6 +8,7 @@ public class SAML2ClientBuilder { public SAML2Client build() { SAML2Configuration config = new SAML2Configuration(); + config.setServiceProviderEntityId("http://localhost:8080/callback?skúškaaaa"); config.setIdentityProviderMetadataResourceUrl(getClass().getResource("/idp-metadata.xml").toString()); config.setSpLogoutRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
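Review bot: in the first README hunk the emphasis is applied inconsistently: `*user's browser*` italicises the party, `*(IDP)*` italicises only the abbreviation, and `*(SP) - saml-example in this example*` italicises the abbreviation together with the aside. Pick one pattern for the three parties (for example italicise the role name only: *user's browser*, *Service Provider (SP)*, *Identity Provider (IDP)*) and keep "saml-example in this example" as plain text, otherwise the rendered paragraph draws the eye to the wrong words.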
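Review bot: the "Testing on samltest.id" hunk introduces an entityID, `http://localhost:8080/callback?skúškaaaa`, that now has to be kept identical in three places (the README, `sp-metadata.xml` and `SAML2ClientBuilder`) and, as the text itself says, is the primary key samltest.id stores on upload; a value with non-ASCII characters and a query string makes that fragile, because the XML attribute, the upload form and the Issuer pac4j puts in the AuthnRequest can each normalise or percent-encode it differently and the IdP will then not find the registered SP. Suggest an all-ASCII URI (a hypothetical `http://localhost:8080/sp` would do) and a sentence stating that the three copies must match byte-for-byte, or better, let the application emit the SP metadata from its own configuration instead of hand-assembling it on a third-party site so the entityID and callback URL cannot diverge. Two further points in the same hunk: the step "download https://samltest.id/saml/idp ... to `src/main/resources/idp-metadata.xml`" should say that this file is the SP's trust anchor (the IdP signing certificate inside it is what the SAMLResponse signature is validated against), so it must only be fetched over the HTTPS link given and will need refreshing if samltest.id rotates its key; and the phrase "saml service (there is IdP and also SP)" reads awkwardly, try "service, which offers both an IdP and an SP".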
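Review bot: the new `sp-metadata.xml` cannot be reviewed from the rendered hunk, which shows only `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`, so please confirm two things in the PR description: that its AssertionConsumerService Location is exactly the callback URL the README describes (localhost:8080, the callback path and the client name `SAMLExample`), since the IdP will post the SAMLResponse only to the registered location; and whether the file carries a KeyDescriptor. If it does, the embedded certificate has to be the `saml` key pair from the `trust.keystore` created by the keytool command above, otherwise a request signed by this SP will not verify at the IdP and an encrypted assertion will be addressed to a key the SP does not hold. A file generated on https://www.samltool.com/sp_metadata.php with a certificate pasted from elsewhere would silently break both.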
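Review bot: in the `SAML2ClientBuilder` hunk, `config.setServiceProviderEntityId("http://localhost:8080/callback?skúškaaaa");` hardcodes a value with non-ASCII characters directly in a Java string literal; unless the Maven build pins the source encoding (`project.build.sourceEncoding`), javac uses the platform default and the Issuer sent to the IdP may not be the same bytes as the entityID in `sp-metadata.xml`, which is hard to diagnose from an IdP-side "unknown SP" error. Suggest an ASCII entityID, and reading it from configuration rather than the source (for example `System.getProperty("sp.entityId", "http://localhost:8080/sp")`, a hypothetical property name) so the value does not have to be patched in the code, the metadata file and the README together as the new README section currently instructs.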