Login page less SAML assertion single sign on

This topic contains 1 reply, has 2 voices, and was last updated by wetjabba 1 week ago.

  • #21722
     avinash 
    Participant

    Hi,

    I have a service provider with spring security SAML enabled.

    SAML SSO works fine with IDP-initiated or with the SP-initiated regular login process.

    I want to access/sign on to my service provider without login page. For that, I am trying to use Rest STS service as mentioned below.

    First Rest call:
    ——————
    curl -X POST -H "X-OpenAM-Username: demo" -H "X-OpenAM-Password: changeit" -H "Content-Type: application/json" http://mysite.com:8080/openam/json/authenticate

    Response:
    {
    "tokenId": "AQIC5wM2LY4SfcyJlDwocsCFre5fQzdtl1bm1b_0T8b5tEY.*AAJTSQACMDIAAlNLABM3MTA5NDU1OTMyNzAwMDUwNzQ5AAJTMQACMDE.*",
    "successUrl": "/fsso/console"
    }

    Using the above token id, I make the actual STS Rest call as mentioned below:

    curl -X POST -H "Content-Type: application/json" -d '{
    "input_token_state": { "token_type": "OPENAM", "session_id": "AQIC5wM2LY4SfcyJlDwocsCFre5fQzdtl1bm1b_0T8b5tEY.*AAJTSQACMDIAAlNLABM3MTA5NDU1OTMyNzAwMDUwNzQ5AAJTMQACMDE.*" },
    "output_token_state": { "token_type": "SAML2", "subject_confirmation": "BEARER", "service_provider_assertion_consumer_service_url": "http://sp.example.com:8080/openam/users/metaAlias/sp" }
    }' 'http://mysite.com:8080/openam/rest-sts/callidus/samlSTS?_action=translate'

    As I have correctly configured the STS service with SAML configurations in OpenAM, I receive the following SAML assertion:

    {"issued_token":"
    <saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"s2b0557da9a686380f4758c137812a4dfdc1de63d8\" IssueInstant=\"2018-05-01T15:46:42Z\" Version=\"2.0\">\n
    <saml:Issuer>https://um-apache.calliduscloud.com/fsso</saml:Issuer>
    <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>
    <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>
    <ds:Reference URI=\"#s2b0557da9a686380f4758c137812a4dfdc1de63d8\">
    <ds:Transforms>
    <ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/>
    <ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>
    <ds:DigestValue>wHCxUj4eXXKDlbmLhGqhLbFTFeU=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>GlmiRU+vh/B++XecKChhlzgzVjw6LZ+QS9CWrq2aTtW4gvmtGN0G6y9gssilID4I914fffada3Pw5Jb9GptIi6P/uVDfoWvPukYowM/kfZ1FtxIIpWFcI1sdr16QdFseIVllzRrz9imBM+AJVJzZNKJYb2cFECIuS7tvxgiVBULwP3Ap6isq4NW0e7RbzrFDGsdNZbtUIuaBKZiBbSfcsFsLCV1qUwkOdnD5i+WuJVblxMEMuuqyYdB6M6CRGNalRBHJVJmbI77fDFH7ZQyhSY+ETLXytPCOa4AFM47cYxSH7nwtSOi3xJhxDMhN7kw/9glrs1aZ8Mf/qLkolDKFFA==</ds:SignatureValue>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>MIIFaTCCBFGgAwIBAgIQDQh1RSxOd7sEr7rNTXubmDANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNzdXJhbmNlIFNlcnZlciBDQTAeFw0xNjA2MTUwMDAwMDBaFw0xOTA3MjQxMjAwMDBaMG4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKUGxlYXNhbnRvbjEfMB0GA1UEChMWQ2FsbGlkdXMgU29mdHdhcmUgSW5jLjEcMBoGA1UEAwwTKi5jYWxsaWR1c2Nsb3VkLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANXpEZrneIxnRAmDiH2Hbhe2dMoiiBsIse6JbHToyi+dI6zcSovB43SvI0fVSlxdXtDgRn19alkCAB1aOfHhPNIjJ63fWIwfzbHyw7b4JsGLgUamX00V4AtJWrnxDqgRKUTujD4DNBzQtQFKZoFGv8HniqOIDlVAci5K3ml0G7ENBKum8SSOCyRJQE5qaaeajFIEKmcUU+/8wv1wo05B/dQnfq8GrqOgiA5FkxoOjVaidHBhNBhYDj1d4i2v90JwxA6y+yiYwiRiOPIbiiySJsMxsjg3lmg2xKcKRvU9FVGDbFz9vi7+pdvzUo45yKXfQVFNtuI5rF4+oMcvTOixOJsCAwEAAaOCAf8wggH7MB8GA1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0GA1UdDgQWBBTwZMPw1kkgROSyqsX1N5TE4lhW+DAxBgNVHREEKjAoghMqLmNhbGxpZHVzY2xvdWQuY29tghFjYWxsaWR1c2Nsb3VkLmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZlci1nNS5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZlci1nNS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAc5an96jeg2dDoz9H9SpL48o/5FDoOwbEdIMJX5zdgPX8eqnImDALppKlroXrOikuOHEbsuNTha5t/CIvzALcnxpFAb7uthRF8aEo5nyEZwVJJQ57hcszChH036qFtb5FzOWnLXUcnPSinvF3Esp6JtemZkHwXw8TJahT7Cf9yLe48l0/rKaiRo884XwfSeJoxXBdvPP/lE97OtdSDu1fvuSpL9iKmiLi+gxXNI1UsRKzfYuuSPUOyjsyHq0/oAWuGaFAa2qgMVH6cQkdrjU0aarfmHIlHKuj8SzPjQYMKrxtxvT+5Xx3gySlPUUl6pjt/S+AGJ+VZnZ1KxKXFRi9K</ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>\n
    <saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">6b3feb80-d946-41c5-9106-d99f885e2134</saml:NameID>
    <saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n
    <saml:SubjectConfirmationData NotOnOrAfter=\"2018-05-01T15:56:42Z\" Recipient=\"https://um-apache.calliduscloud.com/portal/saml/SSO\"/>
    </saml:SubjectConfirmation>\n
    </saml:Subject>
    <saml:Conditions NotBefore=\"2018-05-01T15:46:42Z\" NotOnOrAfter=\"2018-05-01T15:56:42Z\">\n
    <saml:AudienceRestriction>\n
    <saml:Audience>com:calliduscloud:landingportal</saml:Audience>\n
    </saml:AudienceRestriction>\n
    </saml:Conditions>\n
    <saml:AuthnStatement AuthnInstant=\"2018-05-01T15:46:42Z\">
    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml:AuthnContextClassRef>
    </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
    <saml:Attribute Name=\"SCIM.familyName\">
    <saml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">challa</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name=\"SCIM.userName\">
    <saml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">areddy_33</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name=\"SCIM.givenName\">
    <saml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">avinash</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name=\"SCIM.id\">
    <saml:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">6b3feb80-d946-41c5-9106-d99f885e2134</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>"}

    Now, how do I send this assertion to the service provider (my application) so that it validates the assertion at its end and serves the requested resource?

    I hope my service provider expects a SAML message with a <samlp:Response> root tag; however, I am receiving the message with <saml:Assertion> as the root tag from Rest STS.

    Please tell me how to receive a SAML response from STS with a <samlp:Response> tag, and also how to post the received response to my service provider (web application).
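The round trip described in this post, as an added example that is not part of the original post and not OpenAM's or Spring Security SAML's own code: it parses the rest-sts JSON reply, wraps the issued assertion in a samlp:Response envelope by string concatenation (so the enveloped signature over the assertion is not disturbed by re-serialisation), produces the SAMLResponse form field of the SAML HTTP-POST binding, and runs the acceptance checks an SP performs on a bearer assertion before trusting it (NotBefore/NotOnOrAfter window, Audience, bearer Recipient). The hostnames, entity IDs and the sample assertion are constructed; the sample leaves out the ds:Signature that a real issued token carries, and the example does not verify that signature, which the SP must still do against the IdP certificate from its metadata. It also assumes the SP accepts a signed assertion inside an unsigned Response; an SP configured to require a signed Response would reject this envelope.

```python
import base64
import json
import uuid
from datetime import datetime, timezone
from typing import List, Optional
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}

# Constructed stand-in for the JSON body the rest-sts "translate" action returns.
# Hostnames and entity IDs are made up; the ds:Signature of a real issued token is omitted.
STS_REPLY = json.dumps({"issued_token": (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="s2constructed" IssueInstant="2018-05-01T15:46:42Z" Version="2.0">\n'
    '<saml:Issuer>https://idp.example.test/fsso</saml:Issuer>'
    '<saml:Subject><saml:NameID>user-1</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData NotOnOrAfter="2018-05-01T15:56:42Z" '
    'Recipient="https://sp.example.test/saml/SSO"/>'
    '</saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2018-05-01T15:46:42Z" NotOnOrAfter="2018-05-01T15:56:42Z">'
    '<saml:AudienceRestriction><saml:Audience>urn:sp:constructed</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')})


def extract_assertion(sts_reply: str) -> str:
    """Undo the JSON string escaping; the value is the assertion XML exactly as issued."""
    return json.loads(sts_reply)["issued_token"]


def wrap_in_response(assertion_xml: str, issuer: str, destination: str,
                     issue_instant: Optional[str] = None, response_id: Optional[str] = None) -> str:
    """Put the assertion inside a samlp:Response by concatenation, never by parse/re-serialise:
    the enveloped signature covers the canonicalised assertion bytes, and re-emitting them
    (other prefixes, whitespace or attribute order) would invalidate it."""
    response_id = response_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    attr = {'"': "&quot;"}
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{escape(response_id, attr)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{escape(destination, attr)}">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'{assertion_xml}</samlp:Response>'
    )


def post_binding_fields(response_xml: str, relay_state: Optional[str] = None) -> dict:
    """Form fields of the HTTP-POST binding: base64 XML in SAMLResponse, posted to the ACS URL."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def decode_post_binding(fields: dict) -> str:
    """First step on the SP side: recover the Response XML from the posted form."""
    return base64.b64decode(fields["SAMLResponse"]).decode("utf-8")


def response_status(response_xml: str) -> str:
    """Top-level StatusCode Value of a samlp:Response."""
    return ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS).get("Value")


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_bearer_assertion(assertion_xml: str, expected_audience: str,
                           expected_recipient: str, now_utc: str) -> List[str]:
    """SP-side acceptance checks on a bearer assertion; empty list means accepted.
    These run after signature verification, which this function does not perform."""
    now, problems = _ts(now_utc), []
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_after and now >= _ts(not_after):
            problems.append("assertion expired (Conditions NotOnOrAfter)")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"Audience mismatch: {audiences} does not include {expected_audience}")
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != BEARER:
        problems.append("no bearer SubjectConfirmation")
    else:
        data = confirmation.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("bearer SubjectConfirmation has no SubjectConfirmationData")
        else:
            if data.get("Recipient") != expected_recipient:
                problems.append(f"Recipient mismatch: {data.get('Recipient')}")
            expiry = data.get("NotOnOrAfter")
            if expiry and now >= _ts(expiry):
                problems.append("bearer confirmation expired (SubjectConfirmationData NotOnOrAfter)")
    return problems
```

The fields returned by post_binding_fields are what an HTML form auto-submitted to the assertion consumer service URL carries; the Recipient inside SubjectConfirmationData must equal that ACS URL, and the SP rejects the assertion when it does not, which is why the service_provider_assertion_consumer_service_url passed to the STS has to match the SP's real endpoint.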

    #22833
     wetjabba 
    Participant

    I am looking for the same information.



©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries.
