java and simplesamlphp


JFu

Nov 6, 2013, 5:32:04 PM
to simple...@googlegroups.com
Hi,
 
I am very new to PHP and simpleSAMLphp.

Our web application, written in Java, is deployed on Apache Tomcat6. Now we need to use simpleSAMLphp, installed on another machine, to access the third-party portal.
The flow is like this:

1. The user logs in to our website.
2. A link to access the third-party portal will be displayed to them.
3. By clicking the link, without authenticating again, they are able to send the required fields, log in to the third-party portal and see their data.

Since the third-party portal is a PHP environment, they have simpleSAMLphp installed and configured as SP; we also installed simpleSAMLphp and configured it as IdP. I have several questions to ask and would like your help.

1. The third-party portal asks us to provide three pieces of information: ID1, ID2 and type. All of this information is obtained when the user logs in to our website and is stored in the session. I am thinking of creating a PHP page to get these values from the link https://idaddress/testphp.php?id1=&id2=&type=, which is posted on the web page when the user logs in. My question is how I maintain the session between the Java app and simpleSAMLphp.

2. In the testphp.php page, we will redirect to the IdP-initiated SSO URL.

We plan to use the example-static module and were told we could configure example-static like the code below, but I don't know where I should place the three URL parameters so that they can be accessed in authsources.php.
'example-static' => array(
    'exampleauth:Static',
    'id1'  => $_GET['id1'],
    'id2'  => $_GET['id2'],
    'type' => $_GET['type'],
),

 

Thank you,
 
jfu


Peter Schober

Nov 7, 2013, 5:11:43 AM
to simple...@googlegroups.com
* JFu <foreve...@gmail.com> [2013-11-07 08:28]:
> Our web application written in Java is deployed on Apache Tomcat6.
[...]
> 1. The user logs in to our website.
> 2. A link to access the third-party portal will be displayed to them.
> 3. By clicking the link, without authenticating again, they are able to
> send the required fields, log in to the third-party portal and see their data.
>
> Since the third-party portal is a PHP environment, they have simpleSAMLphp
> installed and configured as SP; we also installed simpleSAMLphp and
> configured it as IdP. I have several questions to ask and would like your
> help.

It won't work like that out of the box. Assuming your Java servlet is
where subjects log in, you would either need to turn that into a SAML
SP (and defer authentication to your SimpleSAMLphp IdP) or write your
own SimpleSAMLphp auth source that will bootstrap a SimpleSAMLphp
session based on the subject having previously authenticated at your
Java servlet. (Which usually means running SSP and the authenticating
app in the same webserver to share an HTTP cookie. You could front
Tomcat with httpd and run SSP there.)
There are numerous discussions in the list archives about that.

> 1. The third-party portal asks us to provide three pieces of information: ID1, ID2
> and type. All of this information is obtained when the user logs in to our website
> and is stored in the session. I am thinking of creating a PHP page to get these
> values from the link https://idaddress/testphp.php?id1=&id2=&type=, which is
> posted on the web page when the user logs in. My question is how I maintain the
> session between the Java app and simpleSAMLphp.

SimpleSAMLphp has a few methods built-in to retrieve data about the
current principal, such as LDAP or SQL. I don't know about any
webservice-like things but if there is nothing and that's the only way
you can expose data from the Java servlet to your IdP you'd need to
write that yourself (including inventing a secure protocol for that
communication).
Assuming the Java servlet has to persist and load any data about the
subjects from disk or from a database or network daemon, well, this is
where your SimpleSAMLphp IdP would fetch it just the same -- get it
from the source, not from the Java servlet.

> We plan to use example-static module and told we could configure
> example-static like the code below, but I don't know where I should place
> three URL parameters so that they can be accessed in authsources.php.
> 'example-static' => array(
> 'exampleauth:Static',
> 'id1' => $_GET['id1'],
> 'id2' => $_GET['id2'],
> 'type' => $_GET['type'],
> ),

Have a look at authsources.php and the authsource documentation. If
that doesn't clear it up, be more specific about what is unclear.
-peter

JFu

Nov 9, 2013, 7:19:43 PM
to simple...@googlegroups.com, peter....@univie.ac.at
So that means it is hard to integrate Java and simpleSAMLphp.

In my case, is it good to use Shibboleth 2.4 as IdP?

I had Shibboleth installed on the same Linux server as the Java web application, both on Tomcat6, before, but found it hard to configure and implement, so I tried to use simpleSAMLphp as IdP. Besides, our SP has never tried Shibboleth as IdP.

As I said in my first post, the whole flow is that a link is displayed on my Java web application after the user logs in to our website. By clicking the link, the user will be able to access the third-party portal and view their data without authenticating again. The third-party portal is configured as a SimpleSAMLphp SP.

How do I maintain the session between my Java web application and the Shibboleth IdP?

Thank you very much.

Peter Schober

Nov 10, 2013, 6:48:39 AM
to simple...@googlegroups.com
* JFu <foreve...@gmail.com> [2013-11-10 01:19]:
> So that means it is hard to integrate Java and simpleSAMLphp.

That's not what I said and the language/API your website is written in
(Java) does not factor into this, really.

> In my case, is that good to use shibboleth 2.4 as IDP?

As long as you want to authenticate at a different web page other than
the SAML IdP you'll need to do extra work, either with SSP or with Shib.
I've pointed you to the methods I know would work for SSP (to which
you did not reply). The methods how to achieve that with Shibboleth
are different.

> I had shibboleth installed on the same linux server as Java web
> application and both are having Tomcat6 before but found it was hard to
> configure and implementation. so I tried to use simpleSAMLphp as IDP.

This is not the list for discussing the Shibboleth IDP and things
being "hard" are not problem reports anyone can help you with. But
here are two ways to achieve externalized authentication from
the Shibboleth IdP:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal
They assume knowledge about the servlet container (first link) or
require a bit of Java programming (second) to implement a simple
"protocol".

> Besides, our SP never tried shibboleth as IDP.

If an SP works with the SSP IdP it's guaranteed to also work with the
Shib IDP.

> As I said in my first post, The whole flow is that a link displayed on my
> java web application after user login to our website. By clicking the link,
> user will be able to access the third party portal and view their data
> without authentication again. Third party portal is configured as
> SimpleSAMLphp SP.
>
> how to maintain the session between my Java web application and shibboleth
> IDP?

"As I said in my first post", there are two ways to achieve that.
1. Turn your Java web app into a SAML SP, i.e., externalize
authentication from the application into the SAML IdP.
Then everyone "clicking the link" (which probably does
IdP-initiated SSO) would already be authenticated at the IdP.
2. If that's not possible look at
modules/exampleauth/lib/Auth/Source/External.php on how to
externalize authentication from your SSP IdP to your custom web
application.

Just restating the question will only get you the same answers.
-peter
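An added sketch of the auth-source pattern the second option refers to, written for this thread and not simpleSAMLphp's own modules/exampleauth/lib/Auth/Source/External.php: it bootstraps the SSP login from a session the custom application has already created on the same host, and otherwise bounces the browser through the application's login page. It assumes the SSP 1.x class names of the time, a shared PHP session cookie, and hypothetical 'myapp' module/session names and a /login path.

```php
<?php
// Added sketch, not SSP's own exampleauth External.php; SSP 1.x names; 'myapp' names and /login are hypothetical.
class sspmod_myapp_Auth_Source_External extends SimpleSAML_Auth_Source
{
    // Principal as stored server-side by the app at its own login. Identity comes
    // only from the shared session, never from query parameters such as ?id1=...
    private function getUser()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
        if (empty($_SESSION['myapp_uid'])) { return NULL; }   // nobody logged in to the app
        return array(
            'uid'  => array($_SESSION['myapp_uid']),
            'id1'  => array($_SESSION['myapp_id1']),
            'id2'  => array($_SESSION['myapp_id2']),
            'type' => array($_SESSION['myapp_type']),
        );
    }

    // Called by SSP when the IdP must authenticate the subject.
    public function authenticate(&$state)
    {
        $attributes = $this->getUser();
        if ($attributes !== NULL) { $state['Attributes'] = $attributes; return; } // app session exists
        // No app session: park the SSP state, send the browser to the app's login
        // page, and have it come back to resume() carrying the state id.
        $state['myapp:AuthID'] = $this->authId;
        $stateId  = SimpleSAML_Auth_State::saveState($state, 'myapp:External');
        $returnTo = SimpleSAML_Module::getModuleURL('myapp/resume.php') . '?State=' . urlencode($stateId);
        SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLhost() . '/login',
                                       array('ReturnTo' => $returnTo));
    }

    // Target of the module's www/resume.php after the app's login page:
    // re-read the session and finish the SSP login; completeAuth() never returns.
    public static function resume()
    {
        if (!isset($_REQUEST['State'])) { throw new SimpleSAML_Error_BadRequest('Missing State.'); }
        $state  = SimpleSAML_Auth_State::loadState((string) $_REQUEST['State'], 'myapp:External');
        $source = SimpleSAML_Auth_Source::getById($state['myapp:AuthID']);
        if (!($source instanceof self)) { throw new SimpleSAML_Error_Exception('Unexpected auth source.'); }
        $attributes = $source->getUser();
        if ($attributes === NULL) { throw new SimpleSAML_Error_Exception('Still not logged in to the app.'); }
        $state['Attributes'] = $attributes;
        SimpleSAML_Auth_Source::completeAuth($state);
    }
}
```

The module also needs a www/resume.php that calls sspmod_myapp_Auth_Source_External::resume(), and the app's /login should redirect to ReturnTo only after it has set the session and only when ReturnTo points back to this host.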

JFu

Nov 11, 2013, 2:53:57 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Thank you very much.
Please bear with my poor knowledge of SAML. I only understand the concept of SAML, with no actual experience. This is the first time I have touched SAML.

In your first reply, you mentioned two ways to make the authentication part work.

For some reason, the server that hosts Tomcat6 and our Java web application cannot have PHP installed. I don't know why, but that is what I am told. So we have to install PHP and SimpleSAMLphp on another server. So I am not sure if it is possible to make the Java application the SP if SSP cannot be installed on the server that the Java web application is on.

For using External.php, how am I going to use it for authentication with the Java part on one server and SSP on the other server?

Thanks

Peter Schober

Nov 12, 2013, 8:43:07 AM
to simple...@googlegroups.com
* JFu <foreve...@gmail.com> [2013-11-11 20:54]:
> In your first reply, you mentioned two ways to make authentication part
> work.
>
> For some reason, our server that is hosting Tomcat6 and our Java web
> application cannot have PHP installed. I don't know why but it is what I am
> told. So we have to install PHP and SimpleSAMLPhp on another server. So I
> am not sure if it is possible to make Java application to be SP if SSP
> cannot install on the server that Java web application is on.

No, not easily & securely (though others may disagree).

For the "turn your app into a SAML SP" method:
You'd install Apache httpd and either mod_authmemcookie or Shibboleth
on the webserver and tunnel requests to the servlet container and Java
application. Then the application needs to be changed to not
authenticate subjects itself but instead become a properly behaving
SAML SP. So that requires rather drastic changes to your current
architecture.

> for using external.php, how am I going to use it for authentication
> in Java part on one server and SSP on the other server?

That's completely up to you. SSP just gives you a point to hook into
your own system, and a way to return info to SSP after that.

Having both on the same host sharing HTTP cookies is the easiest way
to achieve that. Resorting to domain cookies might significantly
weaken that model, I can't know that.
-peter

JFu

Nov 14, 2013, 4:14:59 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Thank you very much.

I have talked to my manager about my concerns about the project and also provided what I have learned from your reply. My manager decided that we need to stick to our Java environment, so we went back to Shibboleth. I will switch to the Shibboleth group and post my questions there. Thank you for your help.

Peter Schober

Nov 15, 2013, 4:45:59 AM
to simple...@googlegroups.com
* JFu <foreve...@gmail.com> [2013-11-14 22:15]:
> I have talked to my manager about what my concerns about the project and
> also provided what i have learned from your reply. My manager decides that
> we need to stick to our Java Environment, so we went back to Shibboleth. I
> will switch to Shibboleth group and post my questions there. Thank you for
> your help.

Note that I've already pointed you to the relevant Shibboleth docs, so
unless you've read those, asking the same thing on another list won't
get you different answers. Most likely you'll need to use
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal
Unless you're using (or can change to) container managed security:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser
-peter

JFu

Nov 15, 2013, 4:14:07 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Hi,
 
Thank you very much.
 
Sounds like external authentication is what we are looking for.

Sorry, I know this list is for simpleSAMLphp, and if I continue to post here it is not proper, but you are very knowledgeable, and before I move to the Shibboleth user list I would like to ask a final question here.

We have Shibboleth 2.4 installed on the same server as our web application, using Tomcat6. By reading that document, it seems I can write a JSP to trigger the external authentication system and then set the attributes, but how do I do that? Do you have any examples?

I also found a nice article: http://saml.xml.org/wiki/idp-initiated-single-sign-on-post-binding. Should this be another option?
 
Thanks.

Peter Schober

Nov 16, 2013, 7:27:19 AM
to simple...@googlegroups.com
* JFu <foreve...@gmail.com> [2013-11-15 22:14]:
> We have shibboleth 2.4 installed on the same server as our web application
> using Tomcat6. By reading that document, it seems I can write JSP to
> trigger the external authentication system and then set the attributes, but
> how do that? do you have any examples?

The official documentation is all I know, I'm not using that method
myself. If you don't understand the documentation or want more
examples you'll need to ask on the Shibboleth users list.

> i also found a nice article
> http://saml.xml.org/wiki/idp-initiated-single-sign-on-post-binding. Should
> this be another option?

How you initiate a session is irrelevant and independent from how the
IdP authenticates subjects and maintains sessions for them.
-peter

JFu

Nov 16, 2013, 3:08:43 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Thank you very much.

Aleš Černivec

Nov 16, 2013, 6:31:51 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Hi,

Maybe you would be interested in project Contrail, where we implemented an authentication servlet filter in Java, running on Tomcat and using the OpenSAML library, to authenticate towards SSP. The servlet creates the SAML authn request and consumes the SAML authn response. Log-out is also supported.

The service is actually an OAuth2 Authorization Server written in Java supporting OAuth2
 * client credentials grant and
 * authorization code grant.

In the latter we needed a Java version of an SP and we used OpenSAML for that. You can peek into the code (see below).

The project's docs (for the servlet I am talking about) reside here:
http://contrail.projects.ow2.org/xwiki/bin/view/Documentation/common-oauth-as#HInstallation

Sources are here:
http://websvn.ow2.org/listing.php?repname=contrail&path=%2Ftrunk%2Fcommon%2Foauth%2Foauth-java-authz-server%2F

Cheers,
Ales



Peter Schober

Nov 19, 2013, 4:39:14 AM
to simple...@googlegroups.com
* Aleš Černivec <ales.c...@gmail.com> [2013-11-18 07:44]:
> Maybe you would be interested into project Contrail, where we implemented
> authentication servlet filter in java running on tomcat using OpenSAML lib
> to authenticate towards SSP.

This thread is about SSO into the SAML IdP based on authentication in
a custom web application, not about a SAML SP in Java.
-peter