Prepare SAML Authentication request using OpenSaml3.1.1


Prepare SAML Authentication request using OpenSaml3.1.1

Msnaidu

We were able to do the IdP upgrade (2.4 to 3.1.1), and we are also able to check the status of IdP 3.1.1 (http://localhost:8080/idp/profile/status).

As we know, IdP 2.4 was using OpenSAML 2.6 and IdP 3.1.1 is using OpenSAML 3.1.1.

We have the following queries with respect to OpenSAML 3.1.1:


 

A) An alternative API to be used in OpenSAML 3.1.1 for "SecureRandomIdentifierGenerator"

   A.1) Using OpenSAML 2.6, sample session ID generation at the SP (non-Shibboleth SP component) is given below:

       // OpenSAML 2.x: SecureRandom-backed identifier generator from xmltooling
       SecureRandomIdentifierGenerator generator = new SecureRandomIdentifierGenerator();
       sessionId = generator.generateIdentifier();

   A.2) Using OpenSAML 3.1.1 ???

 

B) How to send a SAML Request using OpenSAML 3.1.1

   B.1) Using OpenSAML 2.6, a sample SAML Request from the SP (non-Shibboleth SP component) to IdP 2.4 (Shibboleth component) is given below:

       We call the "getAuthnRequest()" method to generate the SAML Request (we are using OpenSAML 2.6):

       private AuthnRequest getAuthnRequest(DateTime issueInstant, Issuer issuer,
                                            String consumerUrl, String spUrl) {
           // OpenSAML 2.x: direct use of the element builder class
           AuthnRequestBuilder authRequestBuilder = new AuthnRequestBuilder();
           AuthnRequest authRequest = authRequestBuilder.buildObject(
                   "urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");

           authRequest.setForceAuthn(Boolean.FALSE);
           authRequest.setIsPassive(Boolean.FALSE);
           authRequest.setIssueInstant(issueInstant);
           // ask the IdP to return the response over the HTTP-POST binding
           authRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
           authRequest.setAssertionConsumerServiceURL(consumerUrl);
           authRequest.setIssuer(issuer);
           authRequest.setAttributeConsumingServiceIndex(1);

           return authRequest;
       }

   B.2) Using OpenSAML 3.1.1 ???

Please suggest.


--
To unsubscribe from this list send an email to [hidden email]

Re: Prepare SAML Authentication request using OpenSaml3.1.1

Brent Putman


On 6/9/15 3:27 AM, Surinaidu Majji wrote:

 

> A) An alternative API to be used in OpenSAML 3.1.1 for "SecureRandomIdentifierGenerator"
>
>    A.1) Using OpenSAML 2.6, sample session ID generation at the SP (non-Shibboleth SP component) is given below:
>
>        SecureRandomIdentifierGenerator generator = new SecureRandomIdentifierGenerator();
>        sessionId = generator.generateIdentifier();
>
>    A.2) Using OpenSAML 3.1.1 ???

The v3 version is net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy, located in java-support.



 

> B) How to send a SAML Request using OpenSAML 3.1.1
>
>        private AuthnRequest getAuthnRequest(DateTime issueInstant, Issuer issuer,
>                                             String consumerUrl, String spUrl) {
>
>            AuthnRequestBuilder authRequestBuilder = new AuthnRequestBuilder();
>
>    B.2) Using OpenSAML 3.1.1 ???

The package names have changed, it's now in org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder.  But otherwise I believe it should be exactly the same.  Are you not using Eclipse, or another IDE?  It can help out with simple package import changes.

Btw, in both v2 and v3 we discourage direct use of the -Builder classes like that.  We recommend you obtain XMLObject builders, marshallers and unmarshallers via the registered providers.  In v2, builder usage:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaCreateFromScratch

In v3, no wiki docs yet, but either use the global XMLObjectProviderRegistry via org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport, or the higher level methods on org.opensaml.core.xml.util.XMLObjectSupport.






Re: Prepare SAML Authentication request using OpenSaml3.1.1

Brent Putman


On 6/9/15 1:15 PM, Brent Putman wrote:



> The v3 version is net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy, located in java-support.

Sorry, bad copy/paste.  That is the interface.  The SecureRandom impl of that is:

net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy



Re: Prepare SAML Authentication request using OpenSaml3.1.1

Msnaidu

Thank you Brent, we were able to find the respective APIs to prepare the SAML request. However,

in "OpenSaml2.6" we use the xmlTooling config initializations before we even create the SAML Request, via the DefaultBootstrap.bootstrap() API call, which triggers the calls below:

  •     initializeXMLSecurity();
  •     initializeXMLTooling();
  •     initializeArtifactBuilderFactories();
  •     initializeGlobalSecurityConfiguration();
  •     initializeParserPool();
  •     initializeESAPI();

How do we initiate the same in OpenSAML 3.1.1?


On Tue, Jun 9, 2015 at 10:47 PM, Brent Putman <[hidden email]> wrote:

> On 6/9/15 1:15 PM, Brent Putman wrote:
>
> > The v3 version is net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy, located in java-support.
>
> Sorry, bad copy/paste.  That is the interface.  The SecureRandom impl of that is:
>
> net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy



Re: Prepare SAML Authentication request using OpenSaml3.1.1

Brent Putman


On 6/10/15 6:04 AM, Surinaidu Majji wrote:


> In "OpenSaml2.6" we use the xmlTooling config initializations before we even create the SAML Request, via the DefaultBootstrap.bootstrap() API call, which triggers the calls below
>
> How do we initiate the same in OpenSAML 3.1.1?



We actually do have some wiki docs[1] on that, but the short answer is: replace your call to DefaultBootstrap.bootstrap() with InitializationService initialize().


[1] https://wiki.shibboleth.net/confluence/display/OS30/Initialization+and+Configuration

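Putting the three answers so far together (SecureRandomIdentifierGenerationStrategy for the request ID, builders obtained from the provider registry through XMLObjectSupport instead of new AuthnRequestBuilder(), and InitializationService.initialize() in place of DefaultBootstrap.bootstrap()), here is a v3 rewrite of the getAuthnRequest() method posted at the top of the thread. This is an added example, not code from the thread or from the OpenSAML project. It assumes OpenSAML 3.1-era artifacts on the classpath (opensaml-core, opensaml-saml-api, opensaml-saml-impl, java-support and joda-time); the entity ID and URLs are made-up values. It goes beyond the original method by also setting ID and Version, which are mandatory attributes of a SAML 2.0 AuthnRequest, and Destination, which lets the IdP check that the request was addressed to its endpoint.

```java
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;

import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy;

/** OpenSAML 3.x counterpart of the v2 getAuthnRequest() from the thread (example code). */
public class AuthnRequestV3Example {

    // Hypothetical SP and IdP endpoints, used only for this example.
    private static final String SP_ENTITY_ID = "https://sp.example.org/shibboleth";
    private static final String SP_ACS_URL   = "https://sp.example.org/Shibboleth.sso/SAML2/POST";
    private static final String IDP_SSO_URL  = "https://idp.example.org/idp/profile/SAML2/POST/SSO";

    // v3 replacement for SecureRandomIdentifierGenerator. One instance per component is
    // enough; it wraps a SecureRandom and prefixes "_" so the value is a valid xs:ID
    // (XML IDs must not start with a digit). The same call serves the session ID use case.
    private static final SecureRandomIdentifierGenerationStrategy ID_GENERATOR =
            new SecureRandomIdentifierGenerationStrategy();

    static AuthnRequest getAuthnRequest(DateTime issueInstant, Issuer issuer,
                                        String consumerUrl, String destination) {
        // Builder comes from the global XMLObjectProviderRegistry (populated by
        // InitializationService.initialize()), not from new AuthnRequestBuilder().
        AuthnRequest authRequest = (AuthnRequest)
                XMLObjectSupport.buildXMLObject(AuthnRequest.DEFAULT_ELEMENT_NAME);

        authRequest.setID(ID_GENERATOR.generateIdentifier());   // required by the schema
        authRequest.setVersion(SAMLVersion.VERSION_20);          // required by the schema
        authRequest.setIssueInstant(issueInstant);
        authRequest.setDestination(destination);                 // IdP endpoint this is sent to
        authRequest.setForceAuthn(false);
        authRequest.setIsPassive(false);
        authRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        authRequest.setAssertionConsumerServiceURL(consumerUrl);
        authRequest.setIssuer(issuer);
        authRequest.setAttributeConsumingServiceIndex(1);
        return authRequest;
    }

    static Issuer buildIssuer(String entityId) {
        Issuer issuer = (Issuer) XMLObjectSupport.buildXMLObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(entityId);
        return issuer;
    }

    public static void main(String[] args) throws InitializationException {
        // v3 replacement for DefaultBootstrap.bootstrap(); must run once before any
        // builder, marshaller or unmarshaller lookup, otherwise the registry is empty.
        InitializationService.initialize();

        AuthnRequest request = getAuthnRequest(
                new DateTime(), buildIssuer(SP_ENTITY_ID), SP_ACS_URL, IDP_SSO_URL);

        System.out.println("ID=" + request.getID()
                + " Issuer=" + request.getIssuer().getValue()
                + " Destination=" + request.getDestination());
    }
}
```

XMLObjectSupport.buildXMLObject is the higher-level helper Brent mentions; the lower-level equivalent is XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME). Either way the lookup fails if InitializationService.initialize() has not run in the JVM first, which is the v3 analogue of forgetting DefaultBootstrap.bootstrap() in v2.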

Re: Prepare SAML Authentication request using OpenSaml3.1.1

Msnaidu
Hi Brent,
OK, let me check these OpenSAML initializations. Meanwhile, can you please also quote us the OpenSAML 3.1.1 packages for:

A) base64 encoding/decoding packages in OpenSAML 3.1.1 (as highlighted below in red)
B) XML helpers to convert a DOM to a String (as highlighted below in red)

    authDOM = marshaller.marshall(authnRequest);      // converting to a DOM
    StringWriter requestWriter = new StringWriter();
    XMLHelper.writeNode(authDOM, requestWriter);      // OpenSAML 2.x XML helper
    requestMessage = requestWriter.toString();        // DOM to string
    // OpenSAML 2.x Base64 helper, one line with no line breaks
    encodedRequestMessage = Base64.encodeBytes(requestMessage.getBytes(), Base64.DONT_BREAK_LINES);


On Wed, Jun 10, 2015 at 11:46 PM, Brent Putman <[hidden email]> wrote:

> On 6/10/15 6:04 AM, Surinaidu Majji wrote:
>
> > In "OpenSaml2.6" we use the xmlTooling config initializations before we even create the SAML Request, via the DefaultBootstrap.bootstrap() API call, which triggers the calls below
> >
> > How do we initiate the same in OpenSAML 3.1.1?
>
> We actually do have some wiki docs[1] on that, but the short answer is: replace your call to DefaultBootstrap.bootstrap() with InitializationService initialize().
>
> [1] https://wiki.shibboleth.net/confluence/display/OS30/Initialization+and+Configuration


Re: Prepare SAML Authentication request using OpenSaml3.1.1

Brent Putman


On 6/11/15 1:23 AM, Surinaidu Majji wrote:

> A) base64 encoding/decoding packages in OpenSAML 3.1.1 (as highlighted below in red)
> B) XML helpers to convert a DOM to a String (as highlighted below in red)
>
> authDOM = marshaller.marshall(authnRequest); // converting to a DOM
> StringWriter requestWriter = new StringWriter();
> XMLHelper.writeNode(authDOM, requestWriter);

See java-support, net.shibboleth.utilities.java.support.xml.SerializeSupport.  One of the nodeToString(...) or writeNode(...) methods.

> encodedRequestMessage = Base64.encodeBytes(requestMessage.getBytes(), Base64.DONT_BREAK_LINES);

Again java-support, net.shibboleth.utilities.java.support.codec.Base64Support.


Although: I don't necessarily want to open a can of worms, but if what you're actually trying to do is serialize and encode the data in order to implement SAML binding(s), we have higher level components in both v2 and v3 that do all that for you.  In v3 for SAML 2, look at the MessageEncoder impls in the saml-impl module, package org.opensaml.saml.saml2.binding.encoding.impl.  For usage examples, take a look at the unit tests for those.  It's not difficult.





Re: Prepare SAML Authentication request using OpenSaml3.1.1

Msnaidu
Thanks for the reply Brent,
We are able to prepare the AuthnRequest from AuthenticationRequestBuilder as per your suggestion but are not able to marshal it properly.

Please look into the following code:

    import java.io.ByteArrayOutputStream;
    import java.nio.charset.StandardCharsets;
    import org.opensaml.core.xml.io.Marshaller;
    import net.shibboleth.utilities.java.support.xml.SerializeSupport;

    // in-memory target for the serialized XML
    ByteArrayOutputStream requestWriter = new ByteArrayOutputStream();

    org.opensaml.core.xml.io.MarshallerFactory marfact = new org.opensaml.core.xml.io.MarshallerFactory();
    Marshaller mar = marfact.getMarshaller(authnRequest);

    org.w3c.dom.Element authDOM = mar.marshall(authnRequest);  // AuthnRequest -> DOM
    SerializeSupport.writeNode(authDOM, requestWriter);        // DOM -> bytes
    requestMessage = new String(requestWriter.toByteArray(), StandardCharsets.UTF_8);  // bytes -> String

In the above code, we are getting "mar" as null.

Could you please help us to resolve it?


On Thu, Jun 11, 2015 at 11:18 PM, Brent Putman <[hidden email]> wrote:

> On 6/11/15 1:23 AM, Surinaidu Majji wrote:
>
> > A) base64 encoding/decoding packages in OpenSAML 3.1.1 (as highlighted below in red)
> > B) XML helpers to convert a DOM to a String (as highlighted below in red)
> >
> > authDOM = marshaller.marshall(authnRequest); // converting to a DOM
> > StringWriter requestWriter = new StringWriter();
> > XMLHelper.writeNode(authDOM, requestWriter);
>
> See java-support, net.shibboleth.utilities.java.support.xml.SerializeSupport.  One of the nodeToString(...) or writeNode(...) methods.
>
> > encodedRequestMessage = Base64.encodeBytes(requestMessage.getBytes(), Base64.DONT_BREAK_LINES);
>
> Again java-support, net.shibboleth.utilities.java.support.codec.Base64Support.
>
> Although: I don't necessarily want to open a can of worms, but if what you're actually trying to do is serialize and encode the data in order to implement SAML binding(s), we have higher level components in both v2 and v3 that do all that for you.  In v3 for SAML 2, look at the MessageEncoder impls in the saml-impl module, package org.opensaml.saml.saml2.binding.encoding.impl.  For usage examples, take a look at the unit tests for those.  It's not difficult.





Re: Prepare SAML Authentication request using OpenSaml3.1.1

Brent Putman


On 6/12/15 10:44 AM, Surinaidu Majji wrote:
> Thanks for the reply Brent,
> We are able to prepare the AuthnRequest from AuthenticationRequestBuilder as per your suggestion but are not able to marshal it properly.
>
> org.opensaml.core.xml.io.MarshallerFactory marfact = new org.opensaml.core.xml.io.MarshallerFactory();

You can't just new() a MarshallerFactory like that.  It's empty.  You need to directly or indirectly use the one that's been loaded with the Marshaller impls via the bootstrap (v2) or init (v3) process.

> Marshaller mar = marfact.getMarshaller(authnRequest);
>
> In the above code, we are getting "mar" as null.

The answer is similar to that for the builders.  You obtain them from the configured XMLObject providers.  I said earlier:


... We recommend you obtain XMLObject builders, marshallers and unmarshallers via the registered providers.  In v2, builder usage:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaCreateFromScratch

In v3, no wiki docs yet, but either use the global XMLObjectProviderRegistry via org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport, or the higher level methods on org.opensaml.core.xml.util.XMLObjectSupport.

The Marshaller wiki docs link for v2 is: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUsrManJavaWriteToXML

Same for Unmarshallers.

Most of the concepts (if not the specifics, package names, etc) from v2 are the same, so if you haven't read the entire v2 user's manual, you really should:

https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManual

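As an added example (editor's code, not from the thread or from the OpenSAML project), the marshalling step done the way Brent describes: the MarshallerFactory is the one XMLObjectProviderRegistrySupport hands out after InitializationService.initialize(), rather than a freshly constructed, empty one; the DOM is serialized with SerializeSupport.nodeToString(...) and base64-encoded with Base64Support.encode(..., UNCHUNKED), the v3 equivalents of XMLHelper.writeNode and Base64.encodeBytes(..., DONT_BREAK_LINES). It also runs the reverse path (decode, parse with the registry's ParserPool, unmarshall) as a round-trip check, which the thread does not show. Assumed: OpenSAML 3.1-era opensaml-core, opensaml-saml-api, opensaml-saml-impl, java-support and joda-time on the classpath; the assertion consumer URL is a made-up value. In later java-support releases Base64Support.encode/decode throw checked EncodingException/DecodingException, so the signatures below are the 3.1-era ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Marshaller;
import org.opensaml.core.xml.io.MarshallerFactory;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.w3c.dom.Element;

import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import net.shibboleth.utilities.java.support.xml.XMLParserException;

/** Marshal, serialize and base64-encode an AuthnRequest with OpenSAML 3.x (example code). */
public class MarshallAndEncodeExample {

    /** Produce the base64 string an HTTP-POST "SAMLRequest" form field would carry. */
    static String marshallAndEncode(AuthnRequest authnRequest) throws MarshallingException {
        // The factory populated by InitializationService.initialize(). A plain
        // new MarshallerFactory() knows no providers, and getMarshaller() returns null.
        MarshallerFactory factory = XMLObjectProviderRegistrySupport.getMarshallerFactory();
        Marshaller marshaller = factory.getMarshaller(authnRequest);
        if (marshaller == null) {
            throw new MarshallingException(
                    "No marshaller registered for " + authnRequest.getElementQName());
        }
        Element authDOM = marshaller.marshall(authnRequest);          // XMLObject -> DOM

        // v3 replacement for XMLHelper.writeNode(...): one call returns the String.
        String requestMessage = SerializeSupport.nodeToString(authDOM);

        // v3 replacement for Base64.encodeBytes(..., DONT_BREAK_LINES); UNCHUNKED = no line breaks.
        return Base64Support.encode(requestMessage.getBytes(StandardCharsets.UTF_8),
                                    Base64Support.UNCHUNKED);
    }

    /** Reverse path, as a receiver would do it: decode, parse, unmarshall. */
    static AuthnRequest decodeAndUnmarshall(String encoded)
            throws XMLParserException, UnmarshallingException {
        byte[] xml = Base64Support.decode(encoded);
        XMLObject obj = XMLObjectSupport.unmarshallFromInputStream(
                XMLObjectProviderRegistrySupport.getParserPool(),   // registry's configured pool
                new ByteArrayInputStream(xml));
        return (AuthnRequest) obj;
    }

    /** Minimal request for the demo; builder is looked up from the registry, not new()'d. */
    static AuthnRequest sampleRequest() {
        AuthnRequest req = (AuthnRequest)
                XMLObjectSupport.buildXMLObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
        req.setID(new SecureRandomIdentifierGenerationStrategy().generateIdentifier());
        req.setVersion(SAMLVersion.VERSION_20);
        req.setIssueInstant(new DateTime());
        req.setAssertionConsumerServiceURL("https://sp.example.org/acs");   // constructed value
        return req;
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();   // v3 replacement for DefaultBootstrap.bootstrap()

        AuthnRequest original = sampleRequest();
        String encoded = marshallAndEncode(original);
        AuthnRequest roundTrip = decodeAndUnmarshall(encoded);

        if (!original.getID().equals(roundTrip.getID())) {
            throw new IllegalStateException("round trip changed the request ID");
        }
        // marshall() caches the DOM on the object, so getDOM() is non-null here
        System.out.println(SerializeSupport.prettyPrintXML(original.getDOM()));
        System.out.println("SAMLRequest=" + encoded);
    }
}
```

This is the HTTP-POST shape (base64 over the raw XML). The HTTP-Redirect binding additionally DEFLATEs and URL-encodes the message, and a signed request has to be signed before serialization; the org.opensaml.saml.saml2.binding.encoding.impl MessageEncoder classes Brent points to handle those details, so hand-rolling the encoding is only worth it for a bare unsigned POST like this one.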