By Jim Faut, with contributions from Rick Palkovic, October 2009
In this example, you explore an OpenSSO Fedlet deployment. Using the Live
HTTP Headers and HackBar add-ons for the popular Mozilla Firefox web
browser, you can gain insight into OpenSSO Fedlet interactions and better
understand how the system works.
For an overview, software configuration details, and links to other examples, see Troubleshooting OpenSSO with Firefox Add-Ons: Part 1, Introduction.
This example explores the interaction between an Identity Provider (IDP) and a Service Provider (SP), configured on two separate hosts. You can find instructions for setting up this configuration in the Setting Up and Configuring the Fedlet chapter of the Sun OpenSSO Enterprise 8.0 Deployment Planning Guide.
Details of the configuration used to capture the messages between the IDP and SP are shown in the following table.
Application   | Container | URL
IDP (OpenSSO) | Glassfish | http://host.idp.com:8080/opensso
SP (Fedlet)   | Tomcat    | http://host.sp.com:8081/fedlet
Some of the steps in this article rely on inspection of the OpenSSO debug
logs. Enable debug logging before you try out the following
examples.
To enable debug logging:
- Log in to the OpenSSO administration console.
- Navigate to Configuration > Servers and Sites.
- Click the name of the server in the Servers list.
- In the Debugging section, change the Debug Level to message.
- Save your changes.
The debug files are located in the directory <opensso-config-dir>/opensso/opensso/debug.
This example shows how an application can integrate with OpenSSO by means
of a Fedlet and configured attribute mappings. The user can authenticate
using Fedlet Service Provider (SP) Initiated Single Sign-On. The
integration results in a SAML exchange whereby the user is authenticated
and attribute mappings are passed to the Fedlet SP application. The
sequence diagram in Figure 1 summarizes the control flow for the integrated
process.
Figure 1: Fedlet SP Initiated Single Sign-On Sequence Diagram
As with the previous examples in this series, you can examine the
HTTP traffic with the Live HTTP Headers and HackBar Firefox
add-ons.
In your Firefox browser, navigate to the Validate Fedlet Setup application at http://host.sp.com:8081/fedlet.
The browser is redirected to the OpenSSO login page, and the
corresponding HTTP traffic is captured in the Live HTTP Headers window. For
the OpenSSO Identity Provider and Fedlet Service Provider, data will be
captured as described in the following sections.
1. SP Application Initiates Single Sign-On
Click on the link Run Fedlet (SP) Initiated Single Sign-On, as shown in
Figure 2.
Figure 2: Running Fedlet (SP) Initiated Single Sign-On
Clicking the link initiates the single sign-on process by calling the
Fedlet, which acts as the service provider.
http://host.sp.com:8081/fedlet/saml2/jsp/fedletSSOInit.jsp?metaAlias=/sp&idpEntityID=http://host.idp.com:8080/opensso
GET /fedlet/saml2/jsp/fedletSSOInit.jsp?metaAlias=/sp&idpEntityID=http://host.idp.com:8080/opensso HTTP/1.1
Host: host.sp.com:8081
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.sp.com:8081/fedlet/
Cookie: JSESSIONID=B3B047C66F0BCCF10B925C7E3EF15D29
2. Fedlet Sends Redirect to IDP
The Fedlet redirects the browser to the IDP. The metaAlias and
idpEntityID parameters are used to generate a URL that contains a
SAML Request for the IDP.
HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CBE6B39626BD9AA147871F3BD031F9D8; Path=/fedlet
Location: http://host.idp.com:8080/opensso/SSORedirect/metaAlias/idp?SAMLRequest=nVTfb9owEH7vXxH5HeJCGcECJAaahtStGWF96NvhXIYlx858Tsv%2B%2B9kpRVSrmMRTpMuXu%2B%2BXMiWodSMWrd%2BbDf5ukXySHGptSHRvZqx1RlggRcJAjSS8FMXi270Y9LlonPVWWs1u1qsZo8F4BHw3koO7MVSYZTCGyViWu3GFnO%2BqYQUjCaPsjrPkER0pa2YsrGHJmqjFtSEPxocR55Me%2F9S7nWwHXIyGYjh4YskqUFMGfPfV3vtGpOneku%2BrsulLW4uMZzy1DRoimxbFwwZL5VD6tEYPC62A0gBlyRfrJHaCZ6wCTRjv50CknvE0yY%2FKPitTKvPrsg27VxCJr9tt3ssfii1LFkToItmlNdTW6Ap0z0riz839e%2Fp0Yn%2BbVlhq9McHNI1WshPM5jfTGIfojHJnAV0mBm8k2PzyyWl6tv54rBHfw8L1KreBxp9rWhGtrsFfRseJKntVBxXegSGFxrOkyOP9Hy1oVSl0%2F3MtWK61fVk6BB9y9K5FNn%2FV9V7JSd6x71h2ZQg5eTz4a2Qubd2AUxSbiQeQPhzu%2FDxfvNQhjQ1W14R3ESaFjKvDOJb4xboyljcUH8ttdLOx7i3fj%2FicPPrQjmBW%2Bu8vYv4X
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Fri, 19 Jun 2009 20:53:32 GMT
This redirect contains a URL parameter named SAMLRequest. Its value is the SAML Request, compressed (DEFLATE, as the SAML HTTP-Redirect binding specifies), Base64 encoded, and then URL encoded. The HackBar add-on can URL decode and Base64 decode the value but cannot inflate it, so it is not possible to fully decode this value with HackBar. Instead, you can find the decoded request in the debug log files.
Locate the Federation debug log file and open it for viewing.
The debug files are located in the directory
<opensso-config-dir>/opensso/opensso/debug.
The SAML Request appears in the log as follows:
IDPSSOFederate.getAuthnRequest: saml request =
nVRfb9owEH/vp4j8DgnpoGABEgNNQ+rWjLA+9M3Yl2HJsTPfpWXffnZKEdUqJvEQWTqf737/lCmK2jR80dLebuB3C0hJcqiNRd7dzFjrLXcCNXIrakBOkpeLb/c872e88Y6cdIbdrFczhvl4lA1vR4Ph7VDmOxW+QV6pKpuIT2O1242U3I3vxHA0YskjeNTOzlgYw5I1YgtriyQshVKWTXrZXS+fbLOcDyY8y59YsgrQtBXUvdoTNTxN9
w6pr1XTl67m42ycpa4Bi+jSsnzYgNIeJKU1kFgYLTANrSz54ryEjvCMVcIgxP2FQNTPcKoUR2aftVXa/rosw+61CfnX7bboFQ/lliULRPAR7NJZbGvwJfhnLeHn5v49fDyhH6QVKAN0PETTGC07wmx+M4128E4of2bQZWDiDQSbX145Tc/GH5c1/HsYuF4VLsD4c00qotS1oMvdsaJVr+paOXlhUYMllpRF3P+jFUZXGvz/VAuSG+Nelh4EBR/Jt8Dmr7zeMznRO+YdVBeG4BPBga6huXR1I7zGmEw4CElhcafn+eClCW5soLrGvIttkss4OpRjiF+cVzG8IfigtlHNxvk3fz/Cc9LoQzmCWOm/v4j5Xw==
libSAML2:07/28/2009 10:19:02:582 PM EDT:
Thread[httpSSLWorkerThread-8080-1,10,Grizzly]
SAML2Utils.decodeFromRedirect: input string length : 620
libSAML2:07/28/2009 10:19:02:582 PM EDT:
Thread[httpSSLWorkerThread-8080-1,10,Grizzly]
SAML2Utils.decodeFromRedirect: input string is
===>nVRfb9owEH/vp4j8DgnpoGABEgNNQ+rWjLA+9M3Yl2HJsTPfpWXffnZKEdUqJvEQWTqf737/lCmK2jR80dLebuB3C0hJcqiNRd7dzFjrLXcCNXIrakBOkpeLb/c872e88Y6cdIbdrFczhvl4lA1vR4Ph7VDmOxW+QV6pKpuIT2O1242U3I3vxHA0YskjeNTOzlgYw5I1YgtriyQshVKWTXrZXS+fbLOcDyY8y59YsgrQtBXUvdoTN
TxN9w6pr1XTl67m42ycpa4Bi+jSsnzYgNIeJKU1kFgYLTANrSz54ryEjvCMVcIgxP2FQNTPcKoUR2aftVXa/rosw+61CfnX7bboFQ/lliULRPAR7NJZbGvwJfhnLeHn5v49fDyhH6QVKAN0PETTGC07wmx+M4128E4of2bQZWDiDQSbX145Tc/GH5c1/HsYuF4VLsD4c00qotS1oMvdsaJVr+paOXlhUYMllpRF3P+jFUZXGvz/VAuSG+Nelh4EBR/Jt8Dmr7zeMznRO+YdVBeG4BPBga6huXR1I7zGmEw4CElhcafn+eClCW5soLrGvIttkss4OpRjiF+cVzG8IfigtlHNxvk3fz/Cc9LoQzmCWOm/v4j5Xw==<===
libSAML2:07/28/2009 10:19:02:583 PM EDT:
Thread[httpSSLWorkerThread-8080-1,10,Grizzly]
SAML2Utils.decodeFromRedirect: Return value:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s28605361535c2bdc2b12fdf09a48dbb6dcb87a566" Version="2.0"
    IssueInstant="2009-07-29T02:19:02Z"
    Destination="http://host.idp.com:8080/opensso/SSORedirect/metaAlias/idp"
    ForceAuthn="false" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://host.sp.com:8081/fedlet/fedletapplication">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.sp.com:8081/fedlet</saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      SPNameQualifier="http://host.sp.com:8081/fedlet"
      AllowCreate="true"></samlp:NameIDPolicy>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
3. Browser Follows Redirect
The browser follows the redirect and sends the SAML Request as a URL
parameter.
http://host.idp.com:8080/opensso/SSORedirect/metaAlias/idp?SAMLRequest=nVTfb9owEH7vXxH5HeJCGcECJAaahtStGWF96NvhXIYlx858Tsv%2B%2B9kpRVSrmMRTpMuXu%2B%2BXMiWodSMWrd%2BbDf5ukXySHGptSHRvZqx1RlggRcJAjSS8FMXi270Y9LlonPVWWs1u1qsZo8F4BHw3koO7MVSYZTCGyViWu3GFnO%2BqYQUjCaPsjrPkER0pa2YsrGHJmqjFtSEPxocR55Me%2F9S7nWwHXIyGYjh4YskqUFMGfPfV3vtGpOneku%2BrsulLW4uMZzy1DRoimxbFwwZL5VD6tEYPC62A0gBlyRfrJHaCZ6wCTRjv50CknvE0yY%2FKPitTKvPrsg27VxCJr9tt3ssfii1LFkToItmlNdTW6Ap0z0riz839e%2Fp0Yn%2BbVlhq9McHNI1WshPM5jfTGIfojHJnAV0mBm8k2PzyyWl6tv54rBHfw8L1KreBxp9rWhGtrsFfRseJKntVBxXegSGFxrOkyOP9Hy1oVSl0%2F3MtWK61fVk6BB9y9K5FNn%2FV9V7JSd6x71h2ZQg5eTz4a2Qubd2AUxSbiQeQPhzu%2FDxfvNQhjQ1W14R3ESaFjKvDOJb4xboyljcUH8ttdLOx7i3fj%2FicPPrQjmBW%2Bu8vYv4X
GET /opensso/SSORedirect/metaAlias/idp?SAMLRequest=nVTfb9owEH7vXxH5HeJCGcECJAaahtStGWF96NvhXIYlx858Tsv%2B%2B9kpRVSrmMRTpMuXu%2B%2BXMiWodSMWrd%2BbDf5ukXySHGptSHRvZqx1RlggRcJAjSS8FMXi270Y9LlonPVWWs1u1qsZo8F4BHw3koO7MVSYZTCGyViWu3GFnO%2BqYQUjCaPsjrPkER0pa2YsrGHJmqjFtSEPxocR55Me%2F9S7nWwHXIyGYjh4YskqUFMGfPfV3vtGpOneku%2BrsulLW4uMZzy1DRoimxbFwwZL5VD6tEYPC62A0gBlyRfrJHaCZ6wCTRjv50CknvE0yY%2FKPitTKvPrsg27VxCJr9tt3ssfii1LFkToItmlNdTW6Ap0z0riz839e%2Fp0Yn%2BbVlhq9McHNI1WshPM5jfTGIfojHJnAV0mBm8k2PzyyWl6tv54rBHfw8L1KreBxp9rWhGtrsFfRseJKntVBxXegSGFxrOkyOP9Hy1oVSl0%2F3MtWK61fVk6BB9y9K5FNn%2FV9V7JSd6x71h2ZQg5eTz4a2Qubd2AUxSbiQeQPhzu%2FDxfvNQhjQ1W14R3ESaFjKvDOJb4xboyljcUH8ttdLOx7i3fj%2FicPPrQjmBW%2Bu8vYv4X HTTP/1.1
Host: host.idp.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.sp.com:8081/fedlet/
Cookie: JSESSIONID=a2aa87313862008a0bc33e9418c3; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4Sfcx46p+bYbldmFl8X8+gwVTcnHzzFzocNN0=@AAJTSQACMDE=#; AMAuthCookie=AQIC5wM2LY4SfcyEKbsaTLbvRSohD1ekAgpAiiRE9oyFxF0=@AAJTSQACMDE=#
4. IDP Sends Redirect to Login Page
The IDP does not receive a valid SSO Token from the browser, so OpenSSO
redirects the browser to the login page.
HTTP/1.x 302 Moved Temporarily
X-Powered-By: JSP/2.1
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: JSESSIONID=a4baf1c1020ab58ac8edfac9fb45; Path=/opensso
Location: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Fri, 19 Jun 2009 20:53:32 GMT
5. Browser Follows Redirect
The browser follows the redirect to the OpenSSO login page. Note that
the goto parameter is preserved.
http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840
GET /opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840 HTTP/1.1
Host: host.idp.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.sp.com:8081/fedlet/
Cookie: JSESSIONID=a4baf1c1020ab58ac8edfac9fb45; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4Sfcx46p+bYbldmFl8X8+gwVTcnHzzFzocNN0=@AAJTSQACMDE=#; AMAuthCookie=AQIC5wM2LY4SfcyEKbsaTLbvRSohD1ekAgpAiiRE9oyFxF0=@AAJTSQACMDE=#
6. OpenSSO Renders Login Page
The OpenSSO login page is rendered, prompting the user for
credentials.
HTTP/1.x 200 OK
X-Powered-By: JSP/2.1
Server: Sun GlassFish Enterprise Server v2.1
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: Enterprise 8.0 Build 6(2008-October-31 09:07)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5wM2LY4Sfcz+n/ttW2wX/KeU1PQsthFsaMVL/BrNyoA=@AAJTSQACMDE=#; Domain=.idp.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.idp.com; Path=/
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 19 Jun 2009 20:53:32 GMT
7. User Submits AuthN Credentials
The user enters AuthN credentials, in this case a user name and password. These values are sent as the IDToken1 and IDToken2 fields of the HTTP POST. Because this test deployment uses plain HTTP, the password is visible in the captured request body; a production login page must be served over HTTPS.
http://host.idp.com:8080/opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4Sfcz%2Bn%2FttW2wX%2FKeU1PQsthFsaMVL%2FBrNyoA%3D%40AAJTSQACMDE%3D%23
POST /opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4Sfcz%2Bn%2FttW2wX%2FKeU1PQsthFsaMVL%2FBrNyoA%3D%40AAJTSQACMDE%3D%23 HTTP/1.1
Host: host.idp.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840
Cookie: JSESSIONID=a4baf1c1020ab58ac8edfac9fb45; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4Sfcx46p+bYbldmFl8X8+gwVTcnHzzFzocNN0=@AAJTSQACMDE=#; AMAuthCookie=AQIC5wM2LY4Sfcz+n/ttW2wX/KeU1PQsthFsaMVL/BrNyoA=@AAJTSQACMDE=#
Content-Type: application/x-www-form-urlencoded
Content-Length: 243
IDToken0=&IDToken1=idpuser1&IDToken2=password&IDButton=Submit&goto=aHR0cDovL2hvc3QuaWRwLmNvbTo4MDgwL29wZW5zc28vU1NPUmVkaXJlY3QvbWV0YUFsaWFzL2lkcD9SZXFJRD1zMjc1YTBiNWMyNDdhZmU4OGE3YTk3Y2RiN2ZlMDBiZjNmYTVjYTU4NDA%3D&encoded=true&gx_charset=UTF-8
8. OpenSSO Sends Redirect
OpenSSO validates the user's credentials and creates a new session. The subsequent response contains a Set-Cookie instruction, which creates the SSO Token representing the user's single sign-on session. This response also contains a redirect that goes back to the location previously referenced by the goto parameter.
HTTP/1.x 302 Moved Temporarily
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: Enterprise 8.0 Build 6(2008-October-31 09:07)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5wM2LY4SfcyFe41fbay80Xj5RlThT80GA3uGStr9JMY=@AAJTSQACMDE=#; Domain=.idp.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.idp.com; Path=/
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyFe41fbay80Xj5RlThT80GA3uGStr9JMY=@AAJTSQACMDE=#; Domain=.idp.com; Path=/
Set-Cookie: AMAuthCookie=LOGOUT; Domain=.idp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
X-AuthErrorCode: 0
Location: http://host.idp.com:8080/opensso/SSORedirect/metaAlias/idp?ReqID=s275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840&iPlanetDirectoryPro=AQIC5wM2LY4SfcyFe41fbay80Xj5RlThT80GA3uGStr9JMY%3D%40AAJTSQACMDE%3D%23
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
Date: Fri, 19 Jun 2009 21:01:51 GMT
9. Browser Follows Redirect
The browser follows the redirect back to OpenSSO. The browser sends the SSO Token in the iPlanetDirectoryPro cookie and, because OpenSSO appended it to the redirect URL, also as the iPlanetDirectoryPro query parameter.
http://host.idp.com:8080/opensso/SSORedirect/metaAlias/idp?ReqID=s275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840&iPlanetDirectoryPro=AQIC5wM2LY4SfcyFe41fbay80Xj5RlThT80GA3uGStr9JMY%3D%40AAJTSQACMDE%3D%23
GET /opensso/SSORedirect/metaAlias/idp?ReqID=s275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840&iPlanetDirectoryPro=AQIC5wM2LY4SfcyFe41fbay80Xj5RlThT80GA3uGStr9JMY%3D%40AAJTSQACMDE%3D%23 HTTP/1.1
Host: host.idp.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2FSSORedirect%2FmetaAlias%2Fidp%3FReqID%3Ds275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840
Cookie: JSESSIONID=a4baf1c1020ab58ac8edfac9fb45; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcyFe41fbay80Xj5RlThT80GA3uGStr9JMY=@AAJTSQACMDE=#
10. OpenSSO Renders Form with SAML POST
The browser follows the redirect to OpenSSO. This time, OpenSSO recognizes the user's SSO Token, which is contained in the iPlanetDirectoryPro cookie. The session is validated and the SAML Response is created. The SAML Response is sent as a hidden form field in the HTML body, and the page auto-submits that form to the Fedlet (the HTTP-POST binding).
HTTP/1.x 200 OK
X-Powered-By: JSP/2.1
Server: Sun GlassFish Enterprise Server v2.1
Pragma: no-cache
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5836
Date: Fri, 19 Jun 2009 21:01:51 GMT
11. Browser Submits SAML POST Data
This request shows the browser submitting the form that contains the SAML Response from OpenSSO. The SAML assertion is encoded in a form field named SAMLResponse. It is not human-readable, but you can use the HackBar add-on to decode it. Note also that the Referer header of this request carries the URL that OpenSSO redirected to in step 8, including the iPlanetDirectoryPro token value, so the SP host (and, over plain HTTP, anyone on the network path) sees the IDP's SSO token in this capture.
http://host.sp.com:8081/fedlet/fedletapplication
POST /fedlet/fedletapplication HTTP/1.1
Host: host.sp.com:8081
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.idp.com:8080/opensso/SSORedirect/metaAlias/idp?ReqID=s275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840&iPlanetDirectoryPro=AQIC5wM2LY4SfcyFe41fbay80Xj5RlThT80GA3uGStr9JMY%3D%40AAJTSQACMDE%3D%23
Cookie: JSESSIONID=CBE6B39626BD9AA147871F3BD031F9D8
Content-Type: application/x-www-form-urlencoded
Content-Length: 5999
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6%0D%0AcHJvdG9jb2wiIElEPSJzMjY4MjkwMTk2NWY4NGM3YTZkNWUxMzNlMTQ3MTBlYjg2YmU0ZTY0ZmMi%0D%0AIEluUmVzcG9uc2VUbz0iczI3NWEwYjVjMjQ3YWZlODhhN2E5N2NkYjdmZTAwYmYzZmE1Y2E1ODQw%0D
…Lines omitted for brevity…
%0D%0AbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xMjM0NTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3Nh%0D%0AbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sOkFzc2VydGlvbj48%0D%0AL3NhbWxwOlJlc3BvbnNlPg%3D%3D%0D%0A
Use the HackBar add-on to decode the value of the SAMLResponse form field. The following steps are similar to the examples in Part 2 and Part 3 of this series. Refer to those articles to see detailed instructions, including screen captures of the HackBar add-on.
To decode the value of the SAMLResponse form field with the HackBar add-on:
- Copy the text from the Live HTTP Headers window.
- Paste the text into the HackBar window, and delete the SAMLResponse= characters at the beginning of the data.
- Highlight all the remaining characters and choose URL Decode from the HackBar Encoding menu.
- Manually remove the line feeds so that the entire SAML response is one single line of text.
- Decode the data again, this time with Base64 Decode from the HackBar Encoding menu.
The data below shows the SAML response as plain text. The key elements for this example, the Subject and the Email and Employee Number attribute values passed to the Fedlet, appear near the end of the listing.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s2682901965f84c7a6d5e133e14710eb86be4e64fc"
InResponseTo="s275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840" Version="2.0"
IssueInstant="2009-06-19T21:01:51Z"
Destination="http://host.sp.com:8081/fedlet/fedletapplication"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.idp.com:8080/opensso</saml:Issuer><samlp:Status
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
</samlp:Status><saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s29bc9881ec725b471a776518c16f982988a15899b"
IssueInstant="2009-06-19T21:01:51Z" Version="2.0">
<saml:Issuer>http://host.idp.com:8080/opensso</saml:Issuer><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#s29bc9881ec725b471a776518c16f982988a15899b">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>7y3dn6P4jfaDPBvA30OV9c595Dg=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
EfQKySiURLx+059bUX1ixc2aNsql0rwjDxJA/wDXliqaU0vXwiuNIY2Op051dIrxGJlk+z2dNdzp
2Txkpjq0xIGD3PZRyyw5zNWqvCBtkJLu8n5rqQONUbH038d0+9ioH2PNAB1VNefracJmrbH+W10F
wJssM5iNshw72evl7yA=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature><saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="http://host.idp.com:8080/opensso"
SPNameQualifier="http://host.sp.com:8081/fedlet">klgZ+zTmPC88SDFly6jElOgPVIbb</saml:NameID><saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="s275a0b5c247afe88a7a97cdb7fe00bf3fa5ca5840"
NotOnOrAfter="2009-06-19T21:11:51Z"
Recipient="http://host.sp.com:8081/fedlet/fedletapplication"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2009-06-19T20:51:51Z"
NotOnOrAfter="2009-06-19T21:11:51Z">
<saml:AudienceRestriction>
<saml:Audience>http://host.sp.com:8081/fedlet</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2009-06-19T21:01:51Z"
SessionIndex="s23168beb32c9a784c55d6e3b875b9f0e3a210a701"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
<saml:AttributeStatement><saml:Attribute Name="Email"><saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">idpuser1@idp.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Employee Number"><saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">12345</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
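Both decodings walked through above, the SAMLRequest of step 2 that HackBar cannot inflate and the SAMLResponse of step 11, can be scripted. The following Python is an added example written for this article, not OpenSSO or Fedlet code: it round-trips constructed request and response XML through the two bindings and pulls out the fields a troubleshooter compares first (InResponseTo against the ReqID, Audience, Destination, status and the attributes). Host names follow the article; the IDs and XML are constructed samples.

```python
"""Decoders for the two SAML 2.0 browser bindings in the captures above: the
HTTP-Redirect SAMLRequest (step 2) and the HTTP-POST SAMLResponse (step 11).
Example code for this article, not OpenSSO or Fedlet code; XML and IDs are constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_redirect_param(value):
    """HTTP-Redirect binding: URL-decode, Base64-decode, then raw DEFLATE (wbits
    -15 = no zlib header). HackBar cannot do the inflate, hence the debug log."""
    return zlib.decompress(base64.b64decode(unquote(value)), -15).decode("utf-8")

def decode_post_field(value):
    """HTTP-POST binding: URL-decode, drop the %0D%0A line breaks OpenSSO puts in
    the Base64 (the manual HackBar step), then Base64-decode. No compression."""
    b64 = unquote(value).replace("\r", "").replace("\n", "")
    return base64.b64decode(b64).decode("utf-8")

def encode_redirect_param(xml_text):
    """Inverse of decode_redirect_param; used here to build sample input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def encode_post_field(xml_text):
    """Inverse of decode_post_field: 76-column Base64 with CRLF, URL-encoded."""
    b64 = base64.encodebytes(xml_text.encode("utf-8")).decode("ascii")
    return quote(b64.replace("\n", "\r\n"), safe="")

def summarize_response(xml_text):
    """The fields a troubleshooter checks first. Decoding is not verification:
    the Fedlet still validates the XML signature over the assertion."""
    root = ET.fromstring(xml_text)
    return {
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": root.findtext("saml:Assertion/saml:Issuer", namespaces=NS),
        "audience": root.findtext(".//saml:Audience", namespaces=NS),
        "not_on_or_after": root.find(".//saml:Conditions", NS).get("NotOnOrAfter"),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.iterfind(".//saml:Attribute", NS)},
    }

def check_response(summary, request_id, sp_entity_id, acs_url):
    """Names of fields that would make the Fedlet reject the response: InResponseTo
    must match the AuthnRequest ID, Audience the SP entity ID, Destination the
    assertion consumer URL, and the status must be Success."""
    expected = {"in_response_to": request_id, "audience": sp_entity_id,
                "destination": acs_url, "status": SUCCESS}
    return [k for k, v in expected.items() if summary.get(k) != v]

# Constructed samples modeled on the captures (host names as in the article).
SAMPLE_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0">'
                  f'<saml:Issuer xmlns:saml="{SAML}">http://host.sp.com:8081/fedlet'
                  '</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" InResponseTo="_req1"'
    ' Version="2.0" Destination="http://host.sp.com:8081/fedlet/fedletapplication">'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status><saml:Assertion ID="_a1"'
    ' Version="2.0"><saml:Issuer>http://host.idp.com:8080/opensso</saml:Issuer>'
    '<saml:Conditions NotOnOrAfter="2009-06-19T21:11:51Z"><saml:AudienceRestriction><saml:Audience>'
    'http://host.sp.com:8081/fedlet</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '<saml:AttributeStatement><saml:Attribute Name="Email"><saml:AttributeValue>idpuser1@idp.com'
    '</saml:AttributeValue></saml:Attribute><saml:Attribute Name="Employee Number">'
    '<saml:AttributeValue>12345</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>')
```

To use it on a real capture, pass the SAMLRequest query value to decode_redirect_param and the SAMLResponse form value to decode_post_field; check_response then reports which of the four fields a Fedlet would reject.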
12. SP Renders Validation Page
The Fedlet receives the SAML Response from the browser.
The SAML Response is verified and then parsed to extract
the Email and Employee Number
attributes. Finally, the page is rendered, as shown in Figure 3.
HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Fri, 19 Jun 2009 21:01:51 GMT
Figure 3: SP Renders Validation Page
Summary
Firefox, combined with the Live HTTP Headers and HackBar add-ons, is a
powerful troubleshooting tool. Inspecting the traffic flowing through a
browser can provide valuable insight into the transactions that comprise an
OpenSSO solution. This example shows how the Fedlet can be deployed to
easily integrate Service Provider Initiated Single Sign-On. The article
shows the detailed interaction between the user's browser, the Fedlet, and
OpenSSO.
More examples will be added as they become available.
Jim Faut, a Technical Manager in Sun Federal's Professional Services group, specializes in OpenSSO, GlassFish, Identity Manager, and Portal deployments. He has been deploying solutions with Java technology since 1999. Jim's blog focuses on Sun software products and related technologies.
Rick Palkovic is a staff writer for Sun Developer Network. He has written about the Solaris OS and Java technologies for longer than he likes to admit, composing everything from man pages to technical white papers.