...
Code Block:

```xml
<?xml version="1.0" encoding="iso-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter>
    <filter-name>ServiceProviderFilter</filter-name>
    <filter-class>com.ubisecure.saml2.sp.servlet.ServiceProviderFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ServiceProviderFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>ServiceProviderServlet</servlet-name>
    <servlet-class>com.ubisecure.saml2.sp.servlet.ServiceProviderServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>ServiceProviderServlet</servlet-name>
    <url-pattern>/spsso/*</url-pattern>
  </servlet-mapping>
</web-app>
```
ServiceProviderServlet
This servlet manages the SAML protocol messaging with the Ubisecure IDP. The name of the servlet is ServiceProviderServlet and the servlet is bound to the path /spsso/*.
...
NOTE: Do not use any filters in the URL pattern where the ServiceProviderServlet is bound (/spsso/*).
ServiceProviderFilter
This filter controls access to the resources of the application and requires authenticated access to the controlled resources. The default mapping of the filter is /*.
Code Block:

```xml
<filter>
  <filter-name>ServiceProviderFilter</filter-name>
  <filter-class>com.ubisecure.saml2.sp.servlet.ServiceProviderFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>ServiceProviderFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
UbiloginSAMLPrincipal
The application may query information about the authenticated user using the standard Java Servlet API method HttpServletRequest.getUserPrincipal. This method returns an object of type UbiloginSAMLPrincipal for authenticated requests that passed ServiceProviderFilter.
...
Please refer to the API documentation for details on the UbiloginSAMLPrincipal object.
Request Flow of the Service Provider
Figure 1. SAML protocol sequence diagram
- A user requests a resource in the web application.
- ServiceProviderFilter intercepts the request and attempts to validate the user's authentication session.
- ServiceProviderFilter redirects the user to ServiceProviderServlet, which in turn generates an authentication request to the IDP by forwarding the user to the IDP.
- The IDP authenticates the user and redirects the user back to ServiceProviderServlet.
- ServiceProviderServlet creates an authentication session for the user and redirects the user to the original resource from step 1.
- ServiceProviderFilter again intercepts the request and now successfully validates the user's authentication session.
- ServiceProviderFilter passes the request through to the resource.
Logout
The logout procedure starts when the user is redirected to the Service Provider's single logout endpoint. The single logout endpoint URL is always /spsso/saml2/SingleLogoutService under the application context path.
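The following servlet is an added example (not part of the Ubisecure SP library or this page) of a resource protected by ServiceProviderFilter: it reads the identity via HttpServletRequest.getUserPrincipal as described above, fails closed when no principal is present, and emits the single logout URL under the context path. The class name ProfileServlet is hypothetical; since the page does not give the package of UbiloginSAMLPrincipal, only the java.security.Principal interface is used.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical application resource, mapped (e.g. at /profile) inside the
// ServiceProviderFilter's /* mapping so that it is only reached after the
// SAML authentication session has been validated.
public class ProfileServlet extends HttpServlet {

    // Single logout endpoint of the SP, always at this path under the context path.
    private static final String SLO_PATH = "/spsso/saml2/SingleLogoutService";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For requests that passed ServiceProviderFilter this is a
        // UbiloginSAMLPrincipal; its package is not given on the page, so the
        // code relies on the java.security.Principal interface only.
        Principal principal = req.getUserPrincipal();

        // Fail closed: a null principal means the filter did not run for this
        // URL (filter-mapping too narrow, or the servlet was deployed outside
        // the filtered pattern). Never fall back to a default identity.
        if (principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "No authenticated SAML session");
            return;
        }

        // Use the identity asserted by the IDP; do not read the user id from
        // request parameters or headers the client controls.
        String subject = principal.getName();

        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated as: " + subject);
        out.println("Principal type: " + principal.getClass().getName());
        // Redirecting the browser here starts single logout at the IDP.
        out.println("Logout URL: " + req.getContextPath() + SLO_PATH);
    }
}
```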
...
Logout from the application will initiate single logout at the IDP. The IDP will execute the logout process for other active sessions at other SPs.
Disabling Single Logout
To disable single logout from the SP to the IDP, remove the SingleLogoutService endpoint(s) from the IDP metadata using a text editor and restart the application.
...
Alternatively, it is possible to disable the single logout service of an existing SP integration from the IDP without access to the application. This is done by removing the SingleLogoutService endpoint(s) from the SP metadata registered on the IDP using a text editor and then reactivating the application at the IDP by uploading the modified SP metadata again.
SOAP Backchannel Logout
Logout using SOAP binding is supported by default if available at the IDP. This enables a faster logout experience without browser redirects.
...