By Jim Faut, with contributions from Rick Palkovic, October 2009
In this example, you explore an OpenSSO Fedlet deployment. Using the Live
HTTP Headers and HackBar add-ons for the popular Mozilla Firefox web
browser, you can gain insight into OpenSSO Fedlet interactions and better
understand how the system works.
For an overview, software configuration details, and
links to other examples, see Troubleshooting OpenSSO with Firefox Add-Ons: Part 1, Introduction.
This example explores the interaction between an Identity Provider (IDP) and a Service Provider (SP), configured on two separate hosts. You can find instructions for setting up this configuration in the Setting Up and Configuring the Fedlet chapter of the Sun OpenSSO Enterprise 8.0 Deployment Planning Guide.
Details of the configuration used to capture the messages between the IDP and SP are shown in the following table.
Application     Container   URL
IDP (OpenSSO)   GlassFish   http://host.idp.com:8080/opensso
SP (Fedlet)     Tomcat      http://host.sp.com:8081/fedlet
This example shows how an application can integrate with OpenSSO by means of a Fedlet and configured attribute mappings. The user authenticates using Fedlet Identity Provider (IDP) Initiated Single Sign-On. The integration results in a SAML exchange whereby the user is authenticated at the IDP and the mapped attributes are passed in a signed assertion to the Fedlet Service Provider application. The sequence diagram in Figure 1 summarizes the control flow for the integrated process.
Figure 1: Fedlet Identity Provider (IDP) Initiated Single Sign-On Sequence Diagram
As with the previous examples in this series, you can examine the HTTP traffic with the Live HTTP Headers and HackBar Firefox add-ons.
In your Firefox browser, navigate to the Validate Fedlet Setup application at http://host.sp.com:8081/fedlet.
Once you start the single sign-on flow (next section), the browser is redirected to the OpenSSO login page, and the corresponding HTTP traffic is captured in the Live HTTP Headers window. For the OpenSSO Identity Provider and Fedlet Service Provider, data is captured as described in the following sections.
1. User Initiates IDP Initiated Single Sign-On
Click on the link Run Identity Provider initiated Single Sign-On, as shown in Figure 2.
Figure 2: Running Identity Provider Initiated Single Sign-On
Clicking the link initiates the single sign-on process by calling OpenSSO,
acting as the identity provider. The request is made to the
OpenSSO idpssoinit servlet.
http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
GET /opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST HTTP/1.1
Host: host.idp.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.sp.com:8081/fedlet/
2. OpenSSO Sends Redirect to Login Page
OpenSSO does not receive an SSO Token with the original request, so the user is redirected to the OpenSSO login page. Note that the original request for the idpssoinit servlet is carried, URL-encoded, in the goto parameter of the Location header so that OpenSSO can return to it after authentication.
HTTP/1.x 302 Moved Temporarily
X-Powered-By: JSP/2.1
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: JSESSIONID=6ba85db1b6d8853a485e39eb4603; Path=/opensso
Location: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2Fidpssoinit%3FNameIDFormat%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient%26metaAlias%3D%2Fidp%26spEntityID%3Dhttp%3A%2F%2Fhost.sp.com%3A8081%2Ffedlet%26binding%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Fri, 09 Oct 2009 00:37:24 GMT
3. User Submits AuthN Credentials
The user enters authentication credentials on the OpenSSO login form, in this case a user name and password. These values appear as IDToken1 and IDToken2 in the HTTP POST data. Because this lab deployment uses plain HTTP, the password is readable in the capture exactly as it crossed the network; a production deployment must serve the login page over HTTPS. Note also that the goto value from the login URL is carried in the POST body base64-encoded, with the encoded=true field flagging that encoding.
http://host.idp.com:8080/opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8%3D%40AAJTSQACMDE%3D%23
POST /opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8%3D%40AAJTSQACMDE%3D%23 HTTP/1.1
Host: host.idp.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2Fidpssoinit%3FNameIDFormat%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient%26metaAlias%3D%2Fidp%26spEntityID%3Dhttp%3A%2F%2Fhost.sp.com%3A8081%2Ffedlet%26binding%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST
Cookie: JSESSIONID=70760cf1191ff0c31701f300a0e3; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwebmGsnulfUCXoLRctwznZqS62vnxpw4U=@AAJTSQACMDE=#; AMAuthCookie=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8=@AAJTSQACMDE=#
Content-Type: application/x-www-form-urlencoded
Content-Length: 397
IDToken0=&IDToken1=idpuser1&IDToken2=password&IDButton=Log+In&goto=aHR0cDovL2hvc3QuaWRwLmNvbTo4MDgwL29wZW5zc28vaWRwc3NvaW5pdD9OYW1lSURGb3JtYXQ9dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Jm1ldGFBbGlhcz0vaWRwJnNwRW50aXR5SUQ9aHR0cDovL2hvc3Quc3AuY29tOjgwODEvZmVkbGV0JmJpbmRpbmc9dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmJpbmRpbmdzOkhUVFAtUE9TVA%3D%3D&encoded=true&gx_charset=UTF-8
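The following Python script is an added example, not part of the original article: it parses the captured login POST body above, decodes the base64 goto field, and cross-checks the result against the idpssoinit URL that OpenSSO returns in the Location header of the next step. The POST body and the URL are copied from the captures on this page; nothing else is assumed.

```python
import base64
import urllib.parse

# Login POST body captured in step 3 (copied from the capture above). The lab
# runs over plain HTTP, which is why IDToken1/IDToken2 are readable here.
LOGIN_POST_BODY = (
    "IDToken0=&IDToken1=idpuser1&IDToken2=password&IDButton=Log+In"
    "&goto=aHR0cDovL2hvc3QuaWRwLmNvbTo4MDgwL29wZW5zc28vaWRwc3NvaW5pdD9OYW1lSURGb3Jt"
    "YXQ9dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Jm1ldGFB"
    "bGlhcz0vaWRwJnNwRW50aXR5SUQ9aHR0cDovL2hvc3Quc3AuY29tOjgwODEvZmVkbGV0JmJpbmRpbmc9"
    "dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmJpbmRpbmdzOkhUVFAtUE9TVA%3D%3D"
    "&encoded=true&gx_charset=UTF-8"
)

# Location header OpenSSO sends in step 4, used here as the expected value.
STEP4_LOCATION = (
    "http://host.idp.com:8080/opensso/idpssoinit"
    "?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    "&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet"
    "&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
)


def parse_login_post(body):
    """Split the form body into fields; when encoded=true is present the goto
    value is base64 (after the usual percent-decoding), so decode it too."""
    fields = {k: v[0] for k, v in
              urllib.parse.parse_qs(body, keep_blank_values=True).items()}
    if fields.get("encoded") == "true":
        fields["goto_decoded"] = base64.b64decode(fields["goto"]).decode("utf-8")
    return fields


def goto_query(fields):
    """Return the query parameters of the decoded goto URL, which are the
    idpssoinit parameters OpenSSO will act on after login."""
    query = urllib.parse.urlsplit(fields["goto_decoded"]).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


if __name__ == "__main__":
    f = parse_login_post(LOGIN_POST_BODY)
    print("user:", f["IDToken1"], "goto matches step 4:", f["goto_decoded"] == STEP4_LOCATION)
    print(goto_query(f))
```

The same decoding applies to any OpenSSO login POST that carries encoded=true; when the two values do not match, the login page was reached through a different goto than the one you expected, which is usually the first thing to check when a redirect loop appears.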
4. OpenSSO Redirects to idpssoinit Servlet
The user is authenticated and an OpenSSO session is created. OpenSSO sets a cookie called iPlanetDirectoryPro, also known as the SSO Token, with Domain=.idp.com so that it is sent to any host in that domain but never to the SP. Note that its value is the one the temporary AMAuthCookie carried while the login was in progress; that cookie is expired in the same response (AMAuthCookie=LOGOUT with a 1970 expiry date). OpenSSO then reads the goto parameter from the login sequence and redirects the user to that location.
HTTP/1.x 302 Moved Temporarily
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: Enterprise 8.0 Build 6(2008-October-31 09:07)
AM_CLIENT_TYPE: genericHTML
X-AuthErrorCode: 0
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8=@AAJTSQACMDE=#; Domain=.idp.com; Path=/
Set-Cookie: AMAuthCookie=LOGOUT; Domain=.idp.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Location: http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
Date: Fri, 09 Oct 2009 02:02:07 GMT
5. Browser Follows Redirect
The browser follows the redirect to the idpssoinit
servlet. This time, the browser sends along the SSO Token as part
of the request.
http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
GET /opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST HTTP/1.1
Host: host.idp.com:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.idp.com:8080/opensso/UI/Login?realm=/&goto=http%3A%2F%2Fhost.idp.com%3A8080%2Fopensso%2Fidpssoinit%3FNameIDFormat%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Atransient%26metaAlias%3D%2Fidp%26spEntityID%3Dhttp%3A%2F%2Fhost.sp.com%3A8081%2Ffedlet%26binding%3Durn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST
Cookie: JSESSIONID=70760cf1191ff0c31701f300a0e3; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcyzBzIbUueVvqpP6pZ0D1wiP96CJUOTqy8=@AAJTSQACMDE=#
6. OpenSSO Sends SAML Response
The idpssoinit servlet recognizes the SSO Token cookie and determines that the user has established an OpenSSO session. At this point the servlet reads the parameters in the URL. In IDP-initiated SSO there is no SAML AuthnRequest from the SP; instead these parameters tell OpenSSO how to build an unsolicited SAML Response. Note the values for metaAlias (which IDP configuration to use), spEntityID (which SP the assertion is for), NameIDFormat and binding.
http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
OpenSSO responds with an HTML page containing a form whose hidden SAMLResponse field carries the base64-encoded SAML Response. This is the SAML 2.0 HTTP-POST binding: the page submits the form to the SP, typically by script as soon as it loads.
HTTP/1.x 200 OK
X-Powered-By: JSP/2.1
Server: Sun GlassFish Enterprise Server v2.1
Pragma: no-cache
Cache-Control: no-cache,no-store
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5678
Date: Fri, 09 Oct 2009 02:02:07 GMT
7. Browser Submits SAML POST
The next request shows the browser submitting the form that contains the SAML Response from OpenSSO. The Response, including the signed assertion, is base64-encoded and then URL-encoded in a form field named SAMLResponse, so it is not human-readable in the capture; you can use the HackBar add-on to decode it. Note that the POST goes to the Fedlet's assertion consumer URL, /fedlet/fedletapplication, on the SP host, and that the only cookie sent is the SP's own JSESSIONID: the OpenSSO session cookie is scoped to .idp.com and does not reach the SP. The assertion is what carries the user's identity across that boundary.
http://host.sp.com:8081/fedlet/fedletapplication
POST /fedlet/fedletapplication HTTP/1.1
Host: host.sp.com:8081
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host.idp.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=http://host.sp.com:8081/fedlet&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Cookie: JSESSIONID=E15DD01F155C60FD35716E94B35B1360
Content-Type: application/x-www-form-urlencoded
Content-Length: 5833
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6%0D%0AcHJvdG9jb2wiIElEPSJzMjczNmE1YWYzNzc0YzU3N2I2MjJhYjNmMWI3M2U4YzA0MDY2NDQzZjYi%0D%0AIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDA5LTEwLTA5VDAyOjAyOjA3WiIgRGVzdGlu%0D%0AYXRpb249Imh0dHA6Ly9ob3N0LnNwLmNvbTo4MDgxL2ZlZGxldC9mZWRsZXRhcHBsaWNhdGlvbiI%2B%0D%0APHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3Nl
… Lines omitted for brevity …
%0AaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5j%0D%0AZSIgeHNpOnR5cGU9InhzOnN0cmluZyI%2BMTIzNDU8L3NhbWw6QXR0cmlidXRlVmFsdWU%2BPC9zYW1s%0D%0AOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24%2BPC9z%0D%0AYW1scDpSZXNwb25zZT4%3D%0D%0A
Use the HackBar add-on to decode the value of the SAMLResponse form field. The following steps are similar to the examples in Part 2 and Part 3 of this series. Refer to those articles to see detailed instructions, including screen captures of the HackBar add-on.
To decode the value of the SAMLResponse form field with the HackBar add-on:
- Copy the text from the Live HTTP Headers window.
- Paste the text into the HackBar window, and delete the SAMLResponse= characters at the beginning of the data.
- Highlight all the remaining characters and choose URL Decode from the HackBar Encoding menu.
- Manually remove the line feeds (the %0D%0A sequences become line breaks after URL decoding) so that the entire SAML response is one single line of text.
- Decode the data again, this time with Base64 Decode from the HackBar Encoding menu.
The listing below shows the decoded SAML Response as plain text. The elements to check are near the end of the listing: the transient NameID, the bearer SubjectConfirmationData with its Recipient and NotOnOrAfter, the Conditions with NotBefore, NotOnOrAfter and Audience, and the Attribute elements that carry Email and Employee Number.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s2736a5af3774c577b622ab3f1b73e8c04066443f6" Version="2.0"
    IssueInstant="2009-10-09T02:02:07Z"
    Destination="http://host.sp.com:8081/fedlet/fedletapplication">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.idp.com:8080/opensso</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="s2d156c6b3c169e3137fc602dc606680413d809eb8"
      IssueInstant="2009-10-09T02:02:07Z" Version="2.0">
    <saml:Issuer>http://host.idp.com:8080/opensso</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#s2d156c6b3c169e3137fc602dc606680413d809eb8">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>QwnpGfWt+zg1UpTiDnfblb0trPw=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>
V5KPrn37C/uqQZ+KUA51UK0WcHdNi0CnFg2NlgEZuTSKj0grXB9yZXTQh5aRCerX+RgQ+NIsLilE
fjiTyAlultumD5f9uVfP37ynk3S9FOKWnA3XTKHKkfqtZKyWzU0vMSwVLMS6SwJF1uesPNIET2c/
pT9iniI2tdftoBnQBLE=
      </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="http://host.idp.com:8080/opensso"
          SPNameQualifier="http://host.sp.com:8081/fedlet">9pa050shGjZAGF6KBxonoUzQpiEC</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2009-10-09T02:12:07Z"
            Recipient="http://host.sp.com:8081/fedlet/fedletapplication"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-10-09T01:52:07Z" NotOnOrAfter="2009-10-09T02:12:07Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://host.sp.com:8081/fedlet</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2009-10-09T02:02:07Z"
        SessionIndex="s240cc1047332ad9d4283bc6eff196cb9878bf0a01">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">idpuser1@idp.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Employee Number">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">12345</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
8. SP Renders Page
The Fedlet receives the SAML Response from the browser. Before the attributes are trusted, the Response is verified. In SAML terms that means checking the assertion signature against the IDP certificate held in the Fedlet's metadata, and checking that Destination, Recipient, Audience and the NotBefore/NotOnOrAfter window match the SP's own URLs and the current time; a Response that fails any of these must be rejected. The Response is then parsed to extract the Email and Employee Number attributes. Finally, the page is rendered, as shown in Figure 3.
HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Fri, 09 Oct 2009 02:02:09 GMT
Figure 3: SP Renders Validation Page
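The following Python script is an added example and not code from the article or from the Fedlet. It reproduces the HackBar decoding steps from section 7 (URL decode, strip line breaks, base64 decode) and then applies the SP-side checks described in section 8 to the decoded Response. Because the captured SAMLResponse value is abbreviated on this page, the script rebuilds the wire format from the decoded XML listed above; the XML is copied from that listing except that the Signature element is reduced to a placeholder and the AuthnStatement is left out, both labelled as such in the code. The entity IDs and assertion consumer URL are the ones shown in the captures. Signature verification proper needs the IDP certificate and an XML-DSig library, so the script only checks that a signature is present.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# What the Fedlet knows from its own configuration and the IDP metadata.
IDP_ENTITY_ID = "http://host.idp.com:8080/opensso"
SP_ENTITY_ID = "http://host.sp.com:8081/fedlet"
ACS_URL = "http://host.sp.com:8081/fedlet/fedletapplication"

# Constructed sample: the decoded Response from the article, with the Signature
# reduced to a placeholder (the real one carries the IDP certificate and the
# RSA-SHA1 SignatureValue) and the AuthnStatement omitted.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s2736a5af3774c577b622ab3f1b73e8c04066443f6" Version="2.0" IssueInstant="2009-10-09T02:02:07Z"
    Destination="http://host.sp.com:8081/fedlet/fedletapplication">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.idp.com:8080/opensso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="s2d156c6b3c169e3137fc602dc606680413d809eb8" IssueInstant="2009-10-09T02:02:07Z" Version="2.0">
    <saml:Issuer>http://host.idp.com:8080/opensso</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo><Reference URI="#s2d156c6b3c169e3137fc602dc606680413d809eb8"/></SignedInfo>
      <SignatureValue>placeholder</SignatureValue>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
          NameQualifier="http://host.idp.com:8080/opensso"
          SPNameQualifier="http://host.sp.com:8081/fedlet">9pa050shGjZAGF6KBxonoUzQpiEC</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2009-10-09T02:12:07Z"
            Recipient="http://host.sp.com:8081/fedlet/fedletapplication"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-10-09T01:52:07Z" NotOnOrAfter="2009-10-09T02:12:07Z">
      <saml:AudienceRestriction><saml:Audience>http://host.sp.com:8081/fedlet</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>idpuser1@idp.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Employee Number"><saml:AttributeValue>12345</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_form_field(xml_text):
    """Build the on-the-wire SAMLResponse value as the capture shows it:
    base64 in 76-character lines ending in CRLF (%0D%0A), then URL-encoded."""
    b64 = base64.encodebytes(xml_text.encode("utf-8")).replace(b"\n", b"\r\n")
    return urllib.parse.quote(b64.decode("ascii"), safe="")


def decode_form_field(value):
    """The HackBar steps: drop the field name, URL-decode, remove line
    breaks, base64-decode."""
    if value.startswith("SAMLResponse="):
        value = value[len("SAMLResponse="):]
    b64 = re.sub(r"[\r\n]", "", urllib.parse.unquote(value))
    return base64.b64decode(b64).decode("utf-8")


def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_response(xml_text):
    """Pull out the fields an SP must check before trusting the attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),  # absent: unsolicited, IDP-initiated
        "signed": assertion.find("ds:Signature", NS) is not None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "recipient": scd.get("Recipient"),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "attributes": {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                       for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }


def check_response(info, now, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, idp_entity_id=IDP_ENTITY_ID):
    """Return the names of the checks that fail (an empty list means accept).
    Only the presence of a signature is checked here; verifying it needs the
    IDP certificate and an XML-DSig library."""
    failures = []
    if info["status"] != "urn:oasis:names:tc:SAML:2.0:status:Success":
        failures.append("status")
    if info["issuer"] != idp_entity_id:
        failures.append("issuer")
    if not info["signed"]:
        failures.append("signature")
    if info["destination"] != acs_url or info["recipient"] != acs_url:
        failures.append("destination/recipient")
    if info["audience"] != sp_entity_id:
        failures.append("audience")
    if not parse_saml_time(info["not_before"]) <= now < parse_saml_time(info["not_on_or_after"]):
        failures.append("validity window")
    return failures


if __name__ == "__main__":
    info = parse_response(decode_form_field("SAMLResponse=" + encode_form_field(SAMPLE_RESPONSE_XML)))
    print(info["name_id"], info["attributes"])
    print("failures:", check_response(info, parse_saml_time("2009-10-09T02:02:09Z")))
```

Run it with the SP's Date header from the capture (02:02:09 GMT) and every check passes; run it with a clock at 02:12:07 and the validity-window check fails, which is the behaviour to expect when the SP host's clock drifts beyond the ten-minute window OpenSSO grants. The absent InResponseTo is normal for IDP-initiated SSO; an SP that also supports SP-initiated SSO should require it there.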
Firefox, combined with the Live HTTP Headers and HackBar add-ons, is a powerful troubleshooting tool. Inspecting the traffic flowing through a browser can provide valuable insight into the transactions that comprise an OpenSSO solution. This example shows how the Fedlet can be deployed to integrate Identity Provider Initiated Single Sign-On with little effort, and traces the detailed interaction between the user's browser, the Fedlet, and OpenSSO.
Jim Faut, a Technical Manager in Sun Federal's Professional Services group, specializes in OpenSSO, GlassFish, Identity Manager, and Portal deployments. He has been deploying solutions with Java technology since 1999. Jim's blog focuses on Sun software products and related technologies.
Rick Palkovic is a staff writer for Sun Developer Network. He has written about the Solaris OS and Java technologies for longer than he likes to admit, composing everything from man pages to technical white papers.