How to build an AuthnRequest with pac4j-saml?


kim young ill

Jul 6, 2016, 4:23:42 AM
to pac4j-users
Hello,
I want to replace a current SAML implementation, OIOSAML (https://svn.softwareborsen.dk/oiosaml.java/sp/trunk/webapp/), with pac4j for SSO. The SAML request needs to include the username to authenticate; I don't find a place in the Saml2Client where I can put it.


With OIOSAML it would look like this:

dk.itst.oiosaml.sp.service.RequestContext context;

// uname is the username the IdP must verify; OIOSAML puts it into the request
OIOAuthnRequest authnRequest = OIOAuthnRequest.buildAuthnRequest(
        uname,
        signonLocation.getLocation(),
        context.getSpMetadata().getEntityID(),
        context.getSpMetadata().getAssertionConsumerServiceLocationBinding(0),
        context.getSessionHandler(),
        relayState,
        context.getSpMetadata().getAssertionConsumerServiceLocation(0));
// NameID policy and ForceAuthn come from the OIOSAML configuration
authnRequest.setNameIDPolicy(conf.getString(Constants.PROP_NAMEID_POLICY, null),
        conf.getBoolean(Constants.PROP_NAMEID_POLICY_ALLOW_CREATE, false));
authnRequest.setForceAuthn(isForceAuthnEnabled(request, conf));
....


One more point which is not clear to me: what is the callbackUrl for Saml2Client? Is it the redirect URL for the remote SAML service (which from my understanding (or my use case) is extracted from service-provider-metadata.AssertionConsumerService.Location) or the URL for the webapp to redirect to internally?


Thanks

Jérôme LELEU

Jul 6, 2016, 8:31:18 AM
to kim young ill, pac4j-users
Hi,

With pac4j, things are meant to be easy, so you don't need to build your authentication request on your own. Your configuration goes into the Saml2Configuration, you build a Saml2Client based on it and protect your URLs with this Saml2Client. Thus, accessing these URLs will trigger a SAML authentication process.

The callback URL is the URL in the application where you'll be redirected by the SAML IdP after a successful authentication.

Thanks.
Best regards,
Jérôme



kim young ill

Jul 6, 2016, 10:38:19 AM
to pac4j-users, khi...@googlemail.com
Hi, thanks for the clarification,
but in my case the IdP requires that the request include the username; it can then validate it and do a second factor (over SMS) before redirecting back to the configured redirectUrl.
I tried to put the username into the WebContext but I don't see that param in the SAML request.

Related to the callback URL, is that not the purpose of "service-provider-metadata.AssertionConsumerService.Location"?

Regards

Jérôme LELEU

Jul 7, 2016, 5:40:41 AM
to kim young ill, pac4j-users
Hi,

It might be me, but I'm not sure what this username you want to pass in the SAML auth request is: do you have an example?

It should certainly be feasible, as the auth request is built in the SAML2AuthnRequestBuilder.

The callback URL is a more general concept in pac4j, as it works for CAS, OAuth, OpenID Connect, basic auth and local form and not only for SAML. But, indeed, it's the service-provider-metadata.AssertionConsumerService.Location. Notice that the client_name=SAML2Client parameter is added to the callback to be able to tell one client from another.

Thanks.
Best regards,
Jérôme

kim young ill

Jul 14, 2016, 4:16:45 AM
to pac4j-users, khi...@googlemail.com
Hi, sorry for the delay.
My request looks like this:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="${service_callback_url}"
                     Destination="${idp_url}"
                     ForceAuthn="false"
                     ID="_37dd9a09-b459-428f-ac28-38a9c95532ac"
                     IsPassive="false"
                     IssueInstant="2016-07-14T08:09:09.868Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">${my_service_url}</saml2:Issuer>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">${uname_tobe_verified}</saml2:NameID>
    </saml2:Subject>
    <saml2p:NameIDPolicy AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         />
</saml2p:AuthnRequest>



${uname_tobe_verified} is the name/credential ID we're interested in, and it must match.
By reading the (signed) answer from the IdP we can verify that it's the correct information.
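
The request above and the "must match" check described with it, as an added example that is not code from the thread, from pac4j or from OIOSAML: a small Python script that builds an AuthnRequest with the same Subject/NameID shape and then compares the IdP's Response against what was requested (InResponseTo, Success status, Issuer, and the asserted NameID). The function names (build_authn_request, requested_subject, check_response, sample_response), the entity IDs and the user "alice" are constructed for the example; the XML signature on the Response is assumed to have been verified already by the SAML library, so only the logical matching is shown here.

```python
"""Build a SAML 2.0 AuthnRequest carrying a Subject/NameID and check the IdP's
Response against it. Constructed example: the Response's XML signature is assumed
to be verified elsewhere; this code only does the logical matching."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2p": SAMLP, "saml2": SAML}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_url, username, request_id=None):
    """Return (request_id, xml_text). The Subject/NameID carries the username the
    IdP is asked to verify; the other attributes mirror the AuthnRequest in the post."""
    request_id = request_id or "_" + str(uuid.uuid4())
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING,
        "ForceAuthn": "false",
        "IsPassive": "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED})
    name_id.text = username
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"AllowCreate": "true", "Format": NAMEID_UNSPECIFIED})
    return request_id, ET.tostring(req, encoding="unicode")


def requested_subject(authn_request_xml):
    """Read back the NameID value the SP asked the IdP to verify (None if absent)."""
    node = ET.fromstring(authn_request_xml).find("saml2:Subject/saml2:NameID", NS)
    return None if node is None else node.text


def check_response(response_xml, request_id, idp_entity_id, username):
    """Return a list of mismatches between the IdP Response and what we asked for.
    An empty list means the (already signature-verified) answer belongs to our
    request, comes from the expected IdP, succeeded, and names the requested user."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"unexpected root element {root.tag}"]
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match our request ID")
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    issuer = root.find("saml2:Issuer", NS)
    if issuer is None or issuer.text != idp_entity_id:
        problems.append("Issuer is not the expected IdP")
    name_id = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.text != username:
        problems.append("asserted NameID does not match the requested username")
    return problems


def sample_response(request_id, idp_entity_id, username):
    """Constructed, unsigned IdP Response used only to exercise check_response."""
    return (
        f'<saml2p:Response xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}" '
        f'ID="_resp1" Version="2.0" InResponseTo="{request_id}">'
        f'<saml2:Issuer>{idp_entity_id}</saml2:Issuer>'
        f'<saml2p:Status><saml2p:StatusCode Value="{STATUS_SUCCESS}"/></saml2p:Status>'
        f'<saml2:Assertion ID="_a1" Version="2.0">'
        f'<saml2:Issuer>{idp_entity_id}</saml2:Issuer>'
        f'<saml2:Subject><saml2:NameID Format="{NAMEID_UNSPECIFIED}">{username}'
        '</saml2:NameID></saml2:Subject></saml2:Assertion></saml2p:Response>'
    )


if __name__ == "__main__":
    idp = "https://idp.example"
    rid, xml_text = build_authn_request("https://sp.example/metadata",
                                        "https://sp.example/callback?client_name=SAML2Client",
                                        idp + "/sso", "alice")
    print(xml_text)
    print(check_response(sample_response(rid, idp, "alice"), rid, idp, "alice"))    # []
    print(check_response(sample_response(rid, idp, "mallory"), rid, idp, "alice"))  # NameID mismatch
```

The point of check_response is the one the post makes: once the IdP's signed answer is trusted, the SP still has to confirm that the NameID it asserts is the one the SP put into the request, and that the answer is tied to that request (InResponseTo) rather than to some other session's.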

Misagh

Jul 14, 2016, 2:47:09 PM
to pac4j-users
A SAML authn request has no place for a subject in it, AFAIK.
- Misagh

kim young ill

Jul 15, 2016, 3:57:43 PM
to pac4j-users
Hi there,
I'm not a SAML expert but it worked as stated in my first email (the IdP requires the subject to be verified).

And I found this on SO:

http://stackoverflow.com/questions/32381733/how-is-the-principal-identified-in-the-authnrequest-for-saml-2-0-web-browser-sso


So it's not popular but apparently OK.

Thanks

Misagh

Jul 16, 2016, 2:51:29 AM
to pac4j-users
Gotcha. So given that it's very uncommon, I doubt pac4j allows you to stuff a subject in there. You are welcome to file a PR for this. 