OpenIG as SAML 2.0 Service Provider

Home Forums ForgeRock Products Identity Gateway OpenIG as SAML 2.0 Service Provider

Learn more about our upcoming Identity Summits

Tagged: , , , ,

This topic has 3 replies, 2 voices, and was last updated 7 years, 4 months ago by Mark Craig.

  • Author
    Posts
  • March 23, 2015 at 6:04 pm #3633
     JLS
    Participant

    Hello,
    I’m trying to understand how OpenIG works as Service Provider with SAML 2.0.
    The “SamlFederationHandler” handler receives the SAML response from the IDP, and maps the assertions. But how this handler works when it has to send an authentication request to the IDP?

    Referring to the example in Forgerock documentation (par. 6.9): http://docs.forgerock.org/en/openig/3.1.0/gateway-guide/index/chap-federation.html
    The URL to intiate an auth. request is “http://www.example.com:8080/saml/SPInitiatedSSO”, but there isn’t a specific route for “/saml/SPInitiatedSSO”. The only route that matches is “/saml”, which is the following:
    {
    “handler”: {
    “type”: “SamlFederationHandler”,
    “config”: {
    “assertionMapping”: {
    “username”: “mail”,
    “password”: “employeenumber”
    },
    “subjectMapping”: “subjectName”,
    “redirectURI”: “/federate”
    }
    },
    “condition”: “${matches(exchange.request.uri.path, ‘^/saml’)}”,
    “session”: “JwtSession”
    }

    It seems that this handler only receives the responses from the IDP. Who sends the auth. request to the IDP?

    March 23, 2015 at 6:10 pm #3634
     Mark Craig
    Participant

    There’s a second configuration file mentioned a bit further down in the chapter you cite, 05-federate.json. That is the route than handles the redirect to /federate. As you see in the content of the example you posted, that redirect is to OpenIG, rather than to some endpoint on the protected server.

    Notice that it calls the SPInitiatedSSO endpoint when exchange.session.username is empty.

    March 23, 2015 at 6:14 pm #3635
     JLS
    Participant

    Hi,
    yes, it calls the “saml/SPInitiatedSSO” endpoint when the username is empty, but who handles this endopint?

    April 1, 2015 at 6:25 pm #3805
     Mark Craig
    Participant

    Missed your follow up question, sorry.

    Underneath the covers, the SamlFederationHandler wraps requests to the Fedlet library that OpenIG bundles. The Fedlet is a library from OpenAM that works as a lightweight SAML 2.0 Service Provider. So it is the Fedlet that handles the Web SSO profile together with the Identity Provider. In the example, it initiates SSO from the Service Provider side.

    The Fedlet configuration files are briefly described in http://docs.forgerock.org/en/openig/3.1.0/gateway-guide/index/chap-federation.html#federation-configuration-files
    For more documentation on the Fedlet library if you need that, have a look at the OpenAM developer’s guide chapter, http://docs.forgerock.org/en/openam/12.0.0/dev-guide/index.html#chap-fedlet-java

    Hope it helps,
    Mark

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?