Announcement Announcement Module
No announcement yet.
SAML2 IDP initiated SSO - implementation help Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • SAML2 IDP initiated SSO - implementation help

    I'm new to Spring, SAML & Security dev in general. I have been tasked with integration of a Spring Web App I'm developing, in an SAML2 IDP initiated SSO use case. In the last few weeks I have plunged heads-on to learning all this stuff and successfully configured the sample application in Tomcat 6, using ssocircle as IDP with HTTP-POST bindings and default selection of IDP - so I'm feeling more confident now.

    However, I'd appreciate your guidance with my use case - just showing me the ropes will be much help.

    A third-party that supports IDP initiated federation only, provides links to my app acting as SP. SP will receive SAML responses via HTTP-POST. Authentication assertions will be signed by a Verisign signed certificate - in p7b format. No authorization (user permissions) information will be provided from the IDP side - it will only authenticate. IDP will not participate in any session management and no Single Signout process will be available.

    My app-SP will grant access/authorizations for logged on users, and provide local sign out only.

    1.- How do I constrain SAML extension to only accept IDP initiated SSO?
    2.- How do I map IDP authenticated users to a repository of SP maintained users?
    3.- How do I check Verisign CRL (certification revocation list) and certificate expiration before verifying signature?
    4.- I'll need to validate response element contents (Issuer, Audience, Element, AuthnContextClassRef) against fixed values. How to do this?
    5.-How do I prevent message replay attacks in SAML extension?

    And finally, but most importantly:

    How does one test this kind of scenario in a local dev environment??

    Last edited by reyabreu; Mar 19th, 2013, 11:05 AM. Reason: minor grammar

  • #2

    I can't answer the Spring specific questions (I wrote my own implementation on top of openSaml).
    But I can help you to setup the local environment.
    What I did is, install on my local apache2 server.

    From there what you want to do is setup an idp in simplesamlphp. It's pretty easy.
    Just follow the documentation here :
    For the authentication source I suggest you to go with the simple user/password example

    Once you're done, you can do an idp initiated sso using that kind of url

    where "myspid" is the entity ID of your service provider.

    good luck !


    • #3
      You can disable the SAMLEntryPoint by not including it in the security:http element and remove the security:filter-chain with pattern /saml/login. That way no user of your SP will be able to initialize SSO. To assure that global logout never gets invoked you can e.g. replace bean SAMLLogoutFilter with gout.LogoutFilter.

      You can implement interface SAMLUserDetailsService which has access to complete content of the data received from IDP including NameID. As part of the implementation you return your own object representing your user (typically an instance of UserDetails interface). The implementation is then plugged to the samlAuthenticationProvider bean. More details can be found in chapter 4.10 of the SAML Extension manual.

      Certificate expiration is validated automatically for you once you enable PKIX security profile (see chapter 4.6 in the manual). You can customize trust evaluation (including adding of CRLs) by overriding method populateTrustEngine in the SAMLContextProviderImpl.

      The values are validated for you according to the SAML 2.0 standard (this includes, among many other, issuer and audience). If you'd like some additional validation, e.g. the AuthnContextClassRef, you can do so by overriding methods in the WebSSOProfileConsumerImpl class, e.g. method verifyAuthnContext or processAdditionalData.

      Preventing replays is more difficult with IDP-initialized SSO and HTTP-POST, as there's neither InResponseTo field available nor an Artifact which can only be retrieved once. Similar question has been answered here . If you'd like additional protection you can add your custom processing logic which remembers previous message IDs and rejects messages with the repeated ID in the same place as in 4.

      There are also other options for testing of this on top of what Nico's already mentioned - e.g. Shibboleth, OpenAM. But getting a test account with your IDP is typically the best way.

      Hope this helps,


      • #4
        Hello Nico, thanks for your reply! I've been looking at OpenAM until now, but will give your suggestion a shot too.


        • #5
          Hi Vladimir, your answer is very helpful. Thanks for your guidance and kudos for your excellent work on this extension.


          • #6

            I am struggling with this also. I believe it is not as simple as disabling the SAMLEntryPoint (as described in 1).

            Which Security mechanism should I use instead?

            Is there any guide on how to configure IdP initiated SSO (apart from this thread)?

            Best regards,


            • #7
              A guide would be helpful indeed

              Hi ttjarl,

              I had to cut my development short because the project that required this spec was abruptly ended. So I'm sorry I can't provide you with a full experience - mostly limited to some use cases. On the date I posted my query, there were no readily available guides on implementing Idp Initiated SSO with this extension (At least, I could not find any).

              Having said this, I had it successfully working on the spring SAML demo project - get it form GitHub. Perhaps it can be a starting point for you to try out a plausible solution.

              Some links that helped me at the time:





              Originally posted by ttjarl View Post

              I am struggling with this also. I believe it is not as simple as disabling the SAMLEntryPoint (as described in 1).

              Which Security mechanism should I use instead?

              Is there any guide on how to configure IdP initiated SSO (apart from this thread)?

              Best regards,


              • #8

                Can you describe in more detail what problems are you facing? Enabling IDP initialized SSO is not different from enabling the SP initialized one (you generate your SP metadata with supported bindings/profiles, send it to your IDP and import metadata of your IDP). That's the reason why there's no additional documentation related to this.

                Cheers, Vladi