Skip to Content Sun Java Solaris Communities My SDN Account Join SDN

Article

Troubleshooting OpenSSO with Firefox Add-Ons: Part 5, Identity Provider Initiated Fedlet Single Sign-On

Print-friendly Version

By Jim Faut, with contributions from Rick Palkovic, October 2009

[Part 1] [Part 2] [Part 3] [Part 4] [Part 5]

In this example, you explore an OpenSSO Fedlet deployment. Using the Live HTTP Headers and HackBar add-ons for the popular Mozilla Firefox web browser, you can gain insight into OpenSSO Fedlet interactions and better understand how the system works.

For an overview, software configuration details, and links to other examples, see Troubleshooting OpenSSO with Firefox Add-Ons: Part 1, Introduction.

Contents


-	Example: Identity Provider (IDP) Initiated Single Sign-On
-	Phase I – Before Login
	1. User Initiates IDP Initiated Single Sign-On
	2. OpenSSO Sends Redirect to Login Page
-	Phase II – After Login
	3. User Submits AuthN Credentials
	4. OpenSSO Redirects to idpssoinit Servlet
	5. Browser Follows Redirect
	6. OpenSSO Sends SAML Response
	7. Browser Submits SAML POST
	8. SP Renders Page
-	Summary
-	Exploring More Examples
-	References

This example explores the interaction between an Identity Provider (IDP) and a Service Provider (SP), configured on two separate hosts. You can find instructions for setting up this configuration in the Setting Up and Configuring the Fedlet chapter of Sun OpenSSO Enterprise 8.0 Deployment Planning Guide. Details of the configuration used to capture the messages between the IDP and SP are shown in the following table.

Application	Container	URL
IDP (OpenSSO)	Glassfish	http://host.idp.com:8080/opensso
SP (Fedlet)	Tomcat	http://host.sp.com:8081/fedlet

Example: Identity Provider (IDP) Initiated Single Sign-On

This example shows how an application can integrate with OpenSSO by means of a Fedlet and configured attribute mappings. The user can authenticate using Fedlet Identity Provider (IDP) Initiated Single Sign-On. The integration results in a SAML exchange whereby the user is authenticated and attribute mappings are passed to the Fedlet Service Provider application. The sequence diagram in Figure 1 summarizes the control flow for the integrated process.

Figure 1: Fedlet Identity Provider (IDP) Initiated Single Sign-On Sequence Diagram

As with the previous examples in this series, you can examine the HTTP traffic with the Live HTTP Headers and HackBar Firefox add-ons.

Phase I – Before Login

In your Firefox Browser, navigate to the Validate Fedlet Setup application at http://host.sp.com:8081/fedlet. The browser is redirected to the OpenSSO login page, and the corresponding HTTP traffic is captured in the Live HTTP Headers window. For the OpenSSO Identity Provider and Fedlet Service Provider, data will be captured as described in the following sections.

1. User Initiates IDP Initiated Single Sign-On

Click on the link Run Identity Provider initiated Single Sign-On, as shown in Figure 2.

Figure 2: Running Identity Provider Initiated Single Sign-On

Clicking the link initiates the single sign-on process by calling OpenSSO, acting as the identity provider. The request is made to the OpenSSO idpssoinit servlet.

http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

GET /opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST HTTP/1.1

Host: host.idp.com:8080

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: http://host.sp.com:8081/fedlet/

2. OpenSSO Sends Redirect to Login Page

OpenSSO does not receive an SSO Token with the original request, so the user is redirected to the OpenSSO login page. Note that the original request for the idpssoinit servlet is referenced in the goto parameter.

HTTP/1.x 302 Moved Temporarily

X-Powered-By: JSP/2.1

Server: Sun GlassFish Enterprise Server v2.1

Set-Cookie: JSESSIONID=6ba85db1b6d8853a485e39eb4603; Path=/opensso

Location: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2Fidpssoinit%3FNameIDFormat%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient%26metaAlias%3D%2Fidp%26spEntityID%3Dhttp%3A%2F%2Fhost.sp.com%3A8081%2Ffedlet%26binding%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST

Content-Type: text/html;charset=ISO-8859-1

Content-Length: 0

Date: Fri, 09 Oct 2009 00:37:24 GMT

Phase II – After Login

3. User Submits AuthN Credentials

The user enters his authentication credentials on the OpenSSO login form. In this case, the user enters a user name and password. These values appear as IDToken1 and IDToken2 in the HTTP POST data.

http://host.idp.com:8080/opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8%3D%40AAJTSQACMDE%3D%23

POST /opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8%3D%40AAJTSQACMDE%3D%23 HTTP/1.1

Host: host.idp.com:8080

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2Fidpssoinit%3FNameIDFormat%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient%26metaAlias%3D%2Fidp%26spEntityID%3Dhttp%3A%2F%2Fhost.sp.com%3A8081%2Ffedlet%26binding%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST

Cookie: JSESSIONID=70760cf1191ff0c31701f300a0e3; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwebmGsnulfUCXoLRctwznZqS62vnxpw4U=@AAJTSQACMDE=#; AMAuthCookie=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8=@AAJTSQACMDE=#

Content-Type: application/x-www-form-urlencoded

Content-Length: 397

IDToken0=&IDToken1=idpuser1&IDToken2=password&IDButton=Log+In&goto=aHR0cDovL2hvc3QuaWRwLmNvbTo4MDgwL29wZW5zc28vaWRwc3NvaW5pdD9OYW1lSURGb3JtYXQ9dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Jm1ldGFBbGlhcz0vaWRwJnNwRW50aXR5SUQ9aHR0cDovL2hvc3Quc3AuY29tOjgwODEvZmVkbGV0JmJpbmRpbmc9dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmJpbmRpbmdzOkhUVFAtUE9TVA%3D%3D&encoded=true&gx_charset=UTF-8

4. OpenSSO Redirects to idpssoinit Servlet

The user is authenticated and an OpenSSO session is created. OpenSSO sets a cookie called iPlanetDirectoryPro, also known as the SSO Token. OpenSSO also uses the goto parameter from the login sequence and redirects the user to that location.

HTTP/1.x 302 Moved Temporarily

X-Powered-By: Servlet/2.5

Server: Sun GlassFish Enterprise Server v2.1

Cache-Control: private

Pragma: no-cache

Expires: 0

X-DSAMEVersion: Enterprise 8.0 Build 6(2008-October-31 09:07)

AM_CLIENT_TYPE: genericHTML

X-AuthErrorCode: 0

Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8=@AAJTSQACMDE=#; Domain=.idp.com; Path=/

Set-Cookie: AMAuthCookie=LOGOUT; Domain=.idp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

Location: http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0

Date: Fri, 09 Oct 2009 02:02:07 GMT

5. Browser Follows Redirect

The browser follows the redirect to the idpssoinit servlet. This time, the browser sends along the SSO Token as part of the request.

Host: host.idp.com:8080

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Cookie: JSESSIONID=70760cf1191ff0c31701f300a0e3; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8=@AAJTSQACMDE=#

6. OpenSSO Sends SAML Response

The idpssoinit servlet recognizes the SSO Token cookie and determines that the user has established an OpenSSO session. At this point, the servlet parses the information contained in the URL. This information is a SAML request.

Note the values for metaAlias and spEntity.

OpenSSO sends an HTTP Form to the browser. This form contains an the SAML POST data.

HTTP/1.x 200 OK

X-Powered-By: JSP/2.1

Server: Sun GlassFish Enterprise Server v2.1

Pragma: no-cache

Cache-Control: no-cache,no-store

Content-Type: text/html;charset=ISO-8859-1

Content-Length: 5678

Date: Fri, 09 Oct 2009 02:02:07 GMT

7. Browser Submits SAML POST

The next request shows the browser submitting the form that contains the SAML response from OpenSSO. The SAML assertion is encoded in a form element named SAMLResponse. It is not human-readable, but you can use the HackBar add-on to decode it.

http://host.sp.com:8081/fedlet/fedletapplication

POST /fedlet/fedletapplication HTTP/1.1

Host: host.sp.com:8081

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Cookie: JSESSIONID=E15DD01F155C60FD35716E94B35B1360

Content-Type: application/x-www-form-urlencoded

Content-Length: 5833

SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6%0D%0AcHJvdG9jb2wiIElEPSJzMjczNmE1YWYzNzc0YzU3N2I2MjJhYjNmMWI3M2U4YzA0MDY2NDQzZjYi%0D%0AIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDA5LTEwLTA5VDAyOjAyOjA3WiIgRGVzdGlu%0D%0AYXRpb249Imh0dHA6Ly9ob3N0LnNwLmNvbTo4MDgxL2ZlZGxldC9mZWRsZXRhcHBsaWNhdGlvbiI%2B%0D%0APHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3Nl

… Lines omitted for brevity …

%0AaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5j%0D%0AZSIgeHNpOnR5cGU9InhzOnN0cmluZyI%2BMTIzNDU8L3NhbWw6QXR0cmlidXRlVmFsdWU%2BPC9zYW1s%0D%0AOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24%2BPC9z%0D%0AYW1scDpSZXNwb25zZT4%3D%0D%0A

Use the HackBar add-on to decode the value of the SAMLResponse form field. The following steps are similar to the examples in Part 2 and Part 3 of this series. Refer to those articles to see detailed instructions, including screen captures of the HackBar add-on.

To decode the value of the SAMLResponse form field with the HackBar add-on:

Copy the text from the Live HTTP Headers window
Paste the text into the HackBar window, and delete the SamlResponse= characters at the beginning of the data.
Highlight all the remaining characters and choose URL Decode from the HackBar Encoding menu.
Manually remove the line feeds so that the entire SAML response is one single line of text.
Decode the data again, this time with the Base64 Decode from the HackBar encoding menu.

The data below shows the SAML response as plain text. Key elements are emphasized in bold near the end of the listing.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2736a5af3774c577b622ab3f1b73e8c04066443f6" Version="2.0" IssueInstant="2009-10-09T02:02:07Z" Destination="http://host.sp.com:8081/fedlet/fedletapplication"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.idp.com:8080/opensso</saml:Issuer><samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

Value="urn:oasis:names:tc:SAML:2.0:status:Success">

</samlp:StatusCode>

</samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2d156c6b3c169e3137fc602dc606680413d809eb8" IssueInstant="2009-10-09T02:02:07Z" Version="2.0">

<saml:Issuer>http://host.idp.com:8080/opensso</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

<SignedInfo>

<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

<Reference URI="#s2d156c6b3c169e3137fc602dc606680413d809eb8">

<Transforms>

<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

</Transforms>

<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<DigestValue>QwnpGfWt+zg1UpTiDnfblb0trPw=</DigestValue>

</Reference>

</SignedInfo>

<SignatureValue>

V5KPrn37C/uqQZ+KUA51UK0WcHdNi0CnFg2NlgEZuTSKj0grXB9yZXTQh5aRCerX+RgQ+NIsLilE fjiTyAlultumD5f9uVfP37ynk3S9FOKWnA3XTKHKkfqtZKyWzU0vMSwVLMS6SwJF1uesPNIET2c/ pT9iniI2tdftoBnQBLE=

</SignatureValue>

<KeyInfo>

<X509Data>

<X509Certificate>

MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+ RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC /FfwWigmrW0Y0Q==

</X509Certificate>

</X509Data>

</KeyInfo>

</Signature><saml:Subject>

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://host.idp.com:8080/opensso" SPNameQualifier="http://host.sp.com:8081/fedlet">9pa050shGjZAGF6KBxonoUzQpiEC</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<saml:SubjectConfirmationData NotOnOrAfter="2009-10-09T02:12:07Z" Recipient="http://host.sp.com:8081/fedlet/fedletapplication"/></saml:SubjectConfirmation>

</saml:Subject><saml:Conditions NotBefore="2009-10-09T01:52:07Z" NotOnOrAfter="2009-10-09T02:12:07Z">

<saml:AudienceRestriction>

<saml:Audience>http://host.sp.com:8081/fedlet</saml:Audience>

</saml:AudienceRestriction>

</saml:Conditions>

<saml:AuthnStatement AuthnInstant="2009-10-09T02:02:07Z" SessionIndex="s240cc1047332ad9d4283bc6eff196cb9878bf0a01"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="Email"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">idpuser1@idp.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name=" Employee Number"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">12345</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

8. SP Renders Page

The Fedlet receives the SAML Response from the browser.

The SAML Response is verified and then parsed to extract the Email and Employee Number attributes. Finally, the page is rendered, as shown in Figure 3.

HTTP/1.x 200 OK

Server: Apache-Coyote/1.1

Content-Type: text/html;charset=ISO-8859-1

Transfer-Encoding: chunked

Date: Fri, 09 Oct 2009 02:02:09 GMT

Figure 3: SP Renders Validation Page

Summary

Firefox, combined with the Live HTTP Headers and HackBar Add-ons, is a powerful troubleshooting tool. Inspecting the traffic flowing through a browser can provide valuable insight into the transactions that comprise an OpenSSO solution. This example shows how the Fedlet can be deployed to easily integrate Identity Provider Initiated Single Sign-On. The article shows the detailed interaction between the user's browser, the Fedlet, and OpenSSO.

Exploring More Examples

More examples will be added as they become available:

References

Troubleshooting OpenSSO with Firefox Add-Ons: Part 1, Introduction – first in this series of articles
Setting Up and Configuring the Fedlet – chapter in Sun OpenSSO Enterprise 8.0 Deployment Planning Guide, in HTML format
Sun OpenSSO Enterprise 8.0 Deployment Planning Guide – PDF document
OpenSSO Project
OASIS SAML v2.0 standards page
Sun OpenSSO Enterprise

Sun Java System Access Manager

Sun developer services

Rate This Article

Comments

Do you have comments about this article? We welcome your participation in our community. Please keep your comments civil and on point. You may optionally provide your email address to be notified of replies - your information is not used for any other purpose. By submitting a comment, you agree to these Terms of Use.