IdP Initiated SSO with SAML Response (Unsolicited Response)


Jeffrey Wang

Mar 12, 2018, 6:38:27 PM
to Pac4j users mailing list
I am trying to set up my app to be compliant with a client's SSO process, in which they are the IdP and will POST to us their SAMLResponse that we will have to validate. 

I've read in another post that just by setting the defaultUrl, we can achieve an IdP initiated SSO process.

Does anyone have an example of what this might look like? 

I'm fairly new to SAML and SSOs.

Tim Cederquist

May 11, 2018, 3:32:28 PM
to Pac4j users mailing list
I have a similar issue with an IdP-initiated auth that links into my application with a default POST-style URL at the IdP. Trying to find a way to use pac4j-saml to review the IdP response for nameId and roles/groups. I have this working with another limited tool like this:

    @POST
    @Path("/login")
    @Produces(MediaType.TEXT_HTML)
    public Response authenticate(@FormParam("SAMLResponse") String encodedResponse) throws SamlException, IOException {
        log.trace("Starting saml receipt");
        // Build the client from the IdP's federation metadata, expecting the HTTP-POST binding
        SamlClient client = SamlClient.fromMetadata("https://localhost:8183/rest/saml2/login",
                "http://fp.mycompany.com/adfs/services/trust",
                new InputStreamReader(new FileInputStream("c:/temp/FederationMetadata.xml")),
                SamlClient.SamlIdpBinding.POST);
        // Base64-decode the posted SAMLResponse and validate it before reading anything from it
        SamlResponse response = client.decodeAndValidateSamlResponse(encodedResponse);
        String authenticatedUser = response.getNameID();
        log.info("name id: {}", authenticatedUser);
        // return a value so the method matches its declared Response type
        return Response.ok(authenticatedUser).build();
    }

But I'm not sure how to do this from Pac4J-saml yet. Ideas anyone?

Jérôme LELEU

May 14, 2018, 1:08:02 AM
to Tim Cederquist, Pac4j users mailing list
Hi,

SAML responses should be received on the callback endpoint. Or you can reuse the callback logic anywhere you want (although I don't recommend this approach).
Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tim Cederquist

May 15, 2018, 2:46:08 PM
to Pac4j users mailing list
Do you have sample code for how to do that in pac4j-saml? I have not been able to locate an API or samples to read and decode an IdP response. Looking to pull the username as a NameId claim and other claim details, for example.

Thanks

Jeffrey Wang

May 15, 2018, 3:01:57 PM
to Tim Cederquist, Pac4j users mailing list
Seconding this

-- 
Jeffrey Wang
University of California, Davis
Computer Science '17

On Tue, May 15, 2018 at 11:46 AM, Tim Cederquist <tcede...@ermas.com> wrote:
Do you have sample code for how to do that in pac4j-saml? I have not been able to locate an api or samples to read and decode an idp response. Looking to pull the username as a NameId claim and other claim details for example.

Thanks


Jérôme LELEU

May 16, 2018, 6:34:57 AM
to Jeffrey Wang, Tim Cederquist, Pac4j users mailing list
Hi,

On the callback URL, the SAML response is received to extract credentials and build a SAML2Profile. Here is the entry point: https://github.com/pac4j/pac4j/blob/master/pac4j-saml/src/main/java/org/pac4j/saml/client/SAML2Client.java#L109
Thanks.
Best regards,
Jérôme


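The alternative Jérôme mentions above (reusing the pac4j callback logic on the endpoint the IdP POSTs to, rather than letting the regular callback endpoint receive the response) written out as an added example. This is not code from the thread or from the pac4j project; it assumes pac4j 3.x, a JAX-RS resource running in a servlet container that injects HttpServletRequest/HttpServletResponse, and hypothetical keystore, metadata, entityID and URL values.

```java
// Added example, not from the thread or from pac4j: an endpoint that receives an
// IdP-initiated (unsolicited) SAMLResponse and reuses the pac4j-saml callback
// logic to validate it and build a SAML2Profile. Assumes pac4j 3.x.
package com.example.saml;   // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.pac4j.core.context.J2EContext;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.client.SAML2ClientConfiguration;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.profile.SAML2Profile;

@Path("/saml2")
public class UnsolicitedSamlResource {

    // Hypothetical values: the URL the IdP is configured to POST the response to
    // (it is both our pac4j callback URL and our AssertionConsumerService URL).
    private static final String CALLBACK_URL = "https://sp.example.com/rest/saml2/login";
    private static final SAML2Client CLIENT = buildClient();

    private static SAML2Client buildClient() {
        // Hypothetical keystore, passwords and IdP metadata location.
        SAML2ClientConfiguration cfg = new SAML2ClientConfiguration(
                "resource:samlKeystore.jks", "keystore-pwd", "key-pwd",
                "resource:idp-metadata.xml");
        // Our own entityID: the IdP must issue the assertion for exactly this audience.
        cfg.setServiceProviderEntityId("https://sp.example.com/saml2");
        cfg.setServiceProviderMetadataPath("sp-metadata.xml");
        // Reject assertions whose authentication instant is older than one hour.
        cfg.setMaximumAuthenticationLifetime(3600);
        SAML2Client client = new SAML2Client(cfg);
        client.setCallbackUrl(CALLBACK_URL);
        client.init();
        return client;
    }

    @POST
    @Path("/login")
    @Produces(MediaType.TEXT_PLAIN)
    public Response login(@Context HttpServletRequest request,
                          @Context HttpServletResponse response) {
        J2EContext context = new J2EContext(request, response);
        try {
            // Same path the pac4j callback takes: read and Base64-decode the posted
            // SAMLResponse, verify the XML signature against the IdP metadata and
            // check issuer, destination, audience and validity conditions. For an
            // unsolicited response no AuthnRequest was sent, so there is no request
            // ID to correlate an InResponseTo with; these checks are what bind the
            // assertion to this SP.
            SAML2Credentials credentials = CLIENT.getCredentials(context);
            SAML2Profile profile = CLIENT.getUserProfile(credentials, context);
            // The profile id is the subject NameID. Other assertion attributes are
            // read by name; the attribute name below is a hypothetical ADFS-style claim.
            String nameId = profile.getId();
            Object groups = profile.getAttribute("http://schemas.xmlsoap.org/claims/Group");
            return Response.ok("authenticated " + nameId + " groups=" + groups).build();
        } catch (HttpAction action) {
            // pac4j reports "no credentials found" or a required redirect as an HttpAction.
            return Response.status(action.getCode()).build();
        }
    }
}
```

Because an unsolicited response carries no InResponseTo that the SP can match to a request it remembers, treat the signature, Destination, Audience and NotBefore/NotOnOrAfter checks as mandatory, and if your deployment needs replay protection, keep a short-lived cache of accepted assertion IDs and reject any ID seen twice; that cache is your own responsibility in this setup.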