Comment: Published by Scroll Versions from space IDS and version 8.2.0

The Service Provider software package contains a template web.xml deployment descriptor. Use this file as a reference when integrating the SAML Service Provider with your web application.

Listing 1. Reference web.xml deployment descriptor
<?xml version="1.0" encoding="iso-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
    <filter>
        <filter-name>ServiceProviderFilter</filter-name>
        <filter-class>com.ubisecure.saml2.sp.servlet.ServiceProviderFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ServiceProviderFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>ServiceProviderServlet</servlet-name>
        <servlet-class>com.ubisecure.saml2.sp.servlet.ServiceProviderServlet</servlet-class>
        <load-on-startup>0</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ServiceProviderServlet</servlet-name>
        <url-pattern>/spsso/*</url-pattern>
    </servlet-mapping>
</web-app>

...

This servlet handles the SAML protocol messaging with the Ubisecure IDP; the SP endpoints, such as the single logout endpoint described below, are served by it. The servlet is named ServiceProviderServlet and is bound to the path /spsso/*.

Listing 2. ServiceProviderServlet configuration in web.xml
<servlet>
	<servlet-name>ServiceProviderServlet</servlet-name>
	<servlet-class>com.ubisecure.saml2.sp.servlet.ServiceProviderServlet</servlet-class>
	<load-on-startup>0</load-on-startup>
</servlet> 
<servlet-mapping>
	<servlet-name>ServiceProviderServlet</servlet-name>
	<url-pattern>/spsso/*</url-pattern>
</servlet-mapping>

...

This filter controls access to the resources of the application and requires authenticated access to the controlled resources. The default mapping of the filter is /*, so every request to the application passes through it.

Listing 3. ServiceProviderFilter configuration in web.xml
<filter>
	<filter-name>ServiceProviderFilter</filter-name>
	<filter-class>com.ubisecure.saml2.sp.servlet.ServiceProviderFilter</filter-class>
</filter> 
<filter-mapping>
	<filter-name>ServiceProviderFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

...

The application may query information about the authenticated user using the standard Java Servlet API of HttpServletRequest.getUserPrincipal. This method returns an object of type UbiloginSAMLPrincipal for authenticated requests that passed ServiceProviderFilter.

Listing 4. Using HttpServletRequest.getUserPrincipal to access UbiloginSAMLPrincipal
HttpServletRequest request = ...;
if(!(request.getUserPrincipal() instanceof UbiloginSAMLPrincipal)) {
    throw new ServletException("Not authenticated");
}
UbiloginSAMLPrincipal principal = (UbiloginSAMLPrincipal) request.getUserPrincipal();

The UbiloginSAMLPrincipal is also available as a request attribute through the ServletRequest.getAttribute API. The name of the request attribute is "com.ubisecure.saml2.sp.principal.UbiloginSAMLPrincipal.UserPrincipal".
This is useful, for example, when request wrapping has been disabled (see Request wrapper), because getUserPrincipal then no longer returns the SAML principal.

Listing 5. Using ServletRequest.getAttribute to access UbiloginSAMLPrincipal
HttpServletRequest request = ...;
UbiloginSAMLPrincipal principal =
  (UbiloginSAMLPrincipal) request.getAttribute(
    "com.ubisecure.saml2.sp.principal.UbiloginSAMLPrincipal.UserPrincipal"
  );
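The following servlet is added here as an example; it is not code from the Ubisecure SP package. It combines Listings 4 and 5: the principal is resolved through HttpServletRequest.getUserPrincipal first, with the request attribute as a fallback, so the same code works whether or not request wrapping is enabled, and the request is rejected when neither path yields an UbiloginSAMLPrincipal. The class name WhoAmIServlet and the helper resolvePrincipal are illustrative. The import assumes UbiloginSAMLPrincipal lives in the package com.ubisecure.saml2.sp.principal implied by the attribute name above, and only java.security.Principal.getName() is called on it.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumption: the class is in the package implied by the documented attribute
// name and is provided on the classpath by the SP library.
import com.ubisecure.saml2.sp.principal.UbiloginSAMLPrincipal;

/**
 * Example servlet (not part of the Ubisecure SP package) mapped under a path
 * covered by ServiceProviderFilter. It resolves the authenticated principal
 * in a fail-closed way: first via the standard getUserPrincipal() API, then
 * via the request attribute that is used when request wrapping is disabled.
 */
public class WhoAmIServlet extends HttpServlet {

    /** Request attribute name as documented on this page. */
    static final String PRINCIPAL_ATTR =
        "com.ubisecure.saml2.sp.principal.UbiloginSAMLPrincipal.UserPrincipal";

    /**
     * Returns the SAML principal for this request, or null if the request
     * did not pass ServiceProviderFilter as an authenticated request.
     */
    static UbiloginSAMLPrincipal resolvePrincipal(HttpServletRequest request) {
        // Path 1: request wrapping enabled, standard Servlet API (Listing 4).
        Principal p = request.getUserPrincipal();
        if (p instanceof UbiloginSAMLPrincipal) {
            return (UbiloginSAMLPrincipal) p;
        }
        // Path 2: request wrapping disabled, principal exposed as attribute (Listing 5).
        Object attr = request.getAttribute(PRINCIPAL_ATTR);
        if (attr instanceof UbiloginSAMLPrincipal) {
            return (UbiloginSAMLPrincipal) attr;
        }
        // Neither path produced a SAML principal: treat as unauthenticated.
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        UbiloginSAMLPrincipal principal = resolvePrincipal(request);
        if (principal == null) {
            // Fail closed. With the filter mapped to this path this branch should
            // not be reached; if it is, the filter mapping needs to be checked.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
            return;
        }
        response.setContentType("text/plain;charset=UTF-8");
        // java.security.Principal#getName() is the only accessor relied on here.
        response.getWriter().println("Authenticated as: " + principal.getName());
    }
}
```

Map the servlet under a url-pattern that the ServiceProviderFilter mapping covers; the null branch in doGet exists precisely to make a gap between the two mappings visible instead of silently serving an anonymous request.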

...

The logout procedure starts when the user is redirected to the Service Provider's single logout endpoint. The single logout endpoint URL is always /spsso/saml2/SingleLogoutService under the application context path.

...

A logout link can be constructed as a static HTML link if the context path of the application is fixed and known.

Listing 6. Static logout link
http://www.example.com/app1/spsso/saml2/SingleLogoutService?returnurl=/app1/logoutcompleted.jsp

Listing 7 below shows sample JSTL code for a logout link whose context path is resolved at request time; c:url prefixes the context path and URL-encodes the returnurl parameter.

Listing 7. Sample JSTL code for dynamically generated logout link
<a href="<c:url value='/spsso/saml2/SingleLogoutService'>
<c:param name='returnurl' value='${pageContext.request.contextPath}'/>
</c:url>">Logout</a>
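Below is an example helper, added here and not part of the SP package, that produces the same kind of URL as Listings 6 and 7 from servlet code, for pages that are rendered without JSTL. It prefixes the landing page with HttpServletRequest.getContextPath(), percent-encodes the result into returnurl, and accepts only an absolute path inside the application, so the link it emits never points the user to another host. The class LogoutLink and its methods are illustrative names; the endpoint path is the one documented above.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import javax.servlet.http.HttpServletRequest;

/**
 * Example helper, added here and not part of the Ubisecure SP package, that
 * builds a link to the SP single logout endpoint. The endpoint path is the one
 * documented on this page; the class and method names are illustrative.
 */
public final class LogoutLink {

    /** Single logout endpoint, always at this path under the context path. */
    static final String SLO_PATH = "/spsso/saml2/SingleLogoutService";

    private LogoutLink() { }

    /**
     * Builds the logout URL for an application deployed under contextPath.
     * landingPath is the post-logout page relative to the application root,
     * e.g. "/logoutcompleted.jsp"; it is prefixed with the context path and
     * URL-encoded into the returnurl parameter, as in Listing 6.
     */
    static String build(String contextPath, String landingPath) {
        // Accept only an absolute path inside this application. Rejecting a
        // scheme (":") or a protocol-relative prefix ("//") keeps this helper
        // from ever emitting a returnurl that resolves to another host.
        if (landingPath == null
                || !landingPath.startsWith("/")
                || landingPath.startsWith("//")
                || landingPath.contains(":")) {
            throw new IllegalArgumentException(
                "landingPath must be a path within this application, e.g. /logoutcompleted.jsp");
        }
        String returnUrl = contextPath + landingPath;
        return contextPath + SLO_PATH + "?returnurl=" + encode(returnUrl);
    }

    /** Convenience overload taking the context path from the current request. */
    static String build(HttpServletRequest request, String landingPath) {
        // getContextPath() is "" for the root context, which yields "/spsso/...".
        return build(request.getContextPath(), landingPath);
    }

    private static String encode(String value) {
        try {
            // Percent-encode the parameter value; "/" becomes %2F and the
            // container decodes it again when reading the parameter.
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new AssertionError("UTF-8 is always supported", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the "/app1" deployment used in Listing 6.
        System.out.println(build("/app1", "/logoutcompleted.jsp"));
    }
}
```

In a JSP or servlet, pass the current request to the overload so the link follows the deployment's context path instead of hard-coding it as the static link in Listing 6 does.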

...

To disable backchannel logout from the SP to the IDP, pass the -disable SingleLogoutService flag when generating the SP identity with the ubisaml2.jar command.

Listing 8. Disable backchannel logout at SP
-disable SingleLogoutService

...

Some SAML deployment profiles do not support backchannel logout. To disable all backchannel logout functionality from the Ubisecure SSO IDP to the SP, add the LiteNoBackChannel setting to the uas.properties file of the IDP. After the modification, the application must be redeployed using tomcat/update.cmd or tomcat/update.sh.


Listing 9. Disable backchannel logout at IDP
# ubilogin-sso\ubilogin\webapps\uas\WEB-INF\uas.properties
# saml interoperability features
com.ubisecure.ubilogin.uas.saml2.compatibility = LiteNoBackChannel

To disable SOAP backchannel logout for an individual SAML SP, set the LiteNoBackChannel compatibility flag in the SP's identity.properties file. Note that, to fully disable backchannel messages for the individual agent, the SAML SP must also be configured accordingly on the IDP end. This can be done by generating new SAML SP metadata and uploading it to the SAML SP's IDP configuration. It is also possible to specify compatibility flags separately in the management application.

Open identity.properties in a text editor and add the following line:

Listing 10. Disable backchannel logout in identity.properties
com.ubisecure.ubilogin.uas.saml2.compatibility = LiteNoBackChannel

...