
I'm building an org.opensaml.saml.saml2.core.Response with OpenSAML v3.2.0. I've signed the response and would like to submit it.

I tried following the OpenSAML book (A Guide to OpenSAML v3), but it doesn't seem to be of help with my scenario. I have a C# demo project which basically submits the response by HTTP POST. I'm writing the same in Java with OpenSAML. Do I have to build an artifact as the book suggests? The book example suggests that I send the ArtifactResolve using SOAP even though I'm building a Response.

With the response object above, I'd like to post the response object to an idp.

What is the best way to achieve this? - Is it a good idea to create an Envelope object? With the response object from the saml2 package, how can I create a org.opensaml.soap.soap11.Envelope?

Any help is much appreciated! Thanks!

veggirice
  • The SAML API does have a WSDL. It should be documented what the SAML request looks like and where to POST it. – Minh Kieu Sep 11 '17 at 16:26
  • I guess my question is more on how to construct the SOAP client. Can you please elaborate on the "_The SAML api does have a WSDL_" ? – veggirice Sep 11 '17 at 16:30
  • You need to POST the SAML request to the SAML server, right? The SAML server web service has a WSDL which defines what the XML message looks like and where the server endpoints are. I would recommend you read up on how SAML works. Then obtain a sample SAML request and response. You will need the public SSL key to be able to communicate with the SAML server. If you don't know what I am talking about then ask the person who maintains the server. – Minh Kieu Sep 11 '17 at 16:40
  • I have built out the SAML response and signed it with a private key. The service provider already has my public key. I guess I need to clarify my question. My question is more along the lines of using the correct APIs to build my solution. Using the org.opensaml.saml.saml2.core.Response API to build out my response, I'm not able to figure out which API to use for creating the message context, before even the submission of the response/message context comes into play. – veggirice Sep 14 '17 at 15:22
  • How I remember it was that you send your security provider a SAMLRequest XML containing the subject credentials, public key, signature etc., and what you get back from your IdP is the SAMLResponse. Again it is XML that has been signed and cannot be modified. For further operations, the response XML is used to verify the authenticity and that should be it. I am confused when you say you need to build a SAML response? – Minh Kieu Sep 15 '17 at 14:50

1 Answer


You don't have to build an artifact as the book suggests. Using Artifacts has some security, privacy, and other benefits. Look at Scott T.'s answer to understand the benefits of using the Artifact binding - https://stackoverflow.com/a/13618537/1163424

Per your question, you can also pass the Response to the SP using the POST binding. The way to do that is to encode your Response XML (with the signed Assertion) into a Base64 string and make the client web-app POST it to the SP ACS (Assertion Consumer Service).

You pass a SAMLResponse parameter with the Base64 string as its value and a RelayState parameter which will be used to set the state in the SP web-app, as written in the SAML 2 Bindings specification, page 21.

Also, I suggest using the SAML tool to validate your Response message.

Tomer Sela
    Ended up using HTTPPostEncoder from org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder. Thanks. – veggirice Oct 02 '17 at 22:07
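An added example, not code from the question, the answer or the OpenSAML project, showing the HTTP-POST binding the answer describes, wired through the HTTPPostEncoder named in the comment above. The class and method names, and the acsUrl/relayState parameters, are assumptions; the HttpServletResponse comes from whatever servlet container the IdP runs in.

```java
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.velocity.VelocityEngine;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;

public final class SamlPostSender {
    // Posts an already-signed Response to the SP's ACS with the HTTP-POST binding. Assumes
    // InitializationService.initialize() has run and acsUrl was taken from the SP's metadata.
    public static void postToAcs(Response response, String acsUrl, String relayState,
                                 HttpServletResponse httpResponse)
            throws ComponentInitializationException, MessageEncodingException {
        // 1. The message context the question asks about: it simply carries the Response.
        MessageContext<SAMLObject> ctx = new MessageContext<>();
        ctx.setMessage(response);

        // 2. The peer (SP) endpoint tells the encoder where the form must be posted.
        AssertionConsumerService acs = (AssertionConsumerService) XMLObjectProviderRegistrySupport
                .getBuilderFactory().getBuilder(AssertionConsumerService.DEFAULT_ELEMENT_NAME)
                .buildObject(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
        acs.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        acs.setLocation(acsUrl);
        ctx.getSubcontext(SAMLPeerEntityContext.class, true)
           .getSubcontext(SAMLEndpointContext.class, true).setEndpoint(acs);

        // 3. RelayState is a binding-level parameter, so it belongs in the SAMLBindingContext.
        if (relayState != null) {
            ctx.getSubcontext(SAMLBindingContext.class, true).setRelayState(relayState);
        }

        // 4. The encoder marshals the Response, Base64-encodes it into the SAMLResponse form field
        //    and writes the auto-submitting HTML form (bundled Velocity template) to the servlet
        //    response. With no SecurityParametersContext it does not re-sign the message.
        HTTPPostEncoder encoder = new HTTPPostEncoder();
        encoder.setMessageContext(ctx);
        encoder.setHttpServletResponse(httpResponse);
        encoder.setVelocityEngine(VelocityEngine.newVelocityEngine());
        encoder.initialize();
        encoder.encode();
    }
}
```

The SP's ACS will reject a Response whose Destination, Audience or signature does not match its metadata, so the acsUrl used here must be the same value placed in the Response before it was signed.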