Overview

In a real case, your customers will have to connect one or more external services such as a CMS, ordering portal, support tools etc, which are called Service Providers (SP) in SAML terminology.

In this lab, we will do two types of web application integration:

1. Use SAML 2.0 as the authentication framework and will connect to a Java sample application SmartPlan Application. This will represent the target service. Ubisecure SSO implements SAML Identity Provider (IdP) role.

2. A simplified OpenID Connect integration using utility called OpenID Connect Tester.

Part 1: SAML integration

SAML Refresher Course

SAML 2.0 Overview

As you see in the diagram:

1. User navigates to SP service with his web browser

2. User doesn’t have an SP session. SP sends an AuthnRequest to IDP

3. IDP authenticates the user either by using an existing session or by requesting user credentials

4. IDP forms a SAML Assertion and sends it to SP within Response message

5. SP receives the Response message and grants access to the service

Open

IDP: Identity Provider

SP: Service Provider

SAML 2.0 Metadata

SAML Metadata is an XML file describing how to communicate with a SAML SP or IDP

• Which SAML protocol features are used (profiles, bindings)

• Which HTTP addresses are used for messaging

• Which public key should be used for verifying message integrity and encryption

Ubisecure products build the metadata automatically

• Metadata is always available via a defined HTTP address

• SSO metadata is always in well-known address https://login.smartplan.com:8443/uas/saml2/metadata.xml

Example SSO Endpoint definition:

Open

Integration of SAML SP application for Java with Ubisecure SSO

In summary, the main phases of integrating a SAML SP application for Java with Ubisecure SSO are:

1. Generation of Service Provider metadata

2. Application creation

3. IdP metadata copied to application server

4. Configure authentication and authorisation

5. Sign in to the service

At the end of this lab, you will have successfully logged in to the web application SmartPlan Application by using password authentication. You will use this application later in Lab 2.5: Authorisation Policy and Lab 3.1: Federation Configuration.

The instructions are in the following section.

Instructions

1. Install a separate Tomcat 9.0 on your system (in order to avoid potential conflicts with SSO's Tomcat installation). Use the 32-bit/64-bit Windows Service Installer file located on the "IAM Academy Software" folder accessible from your desktop.

   During the installation, select port 8090 for HTTP/1.1 Connector Port.
   
   

   
   
   The path to install Java is: C:\Program Files\AdoptOpenJDK\jdk-8.0.275.1-hotspot\jre

   
   
   The system is running when the address http://localhost:8090/ answers as follows:
   
   

   
   
   
   
   

    

2. Install SmartPlan Application

   The package is available at \\ubidemo.com\Ubidemo\Software\IAM Academy\ubisp-sample-2.7-smartplan.zip.

   Unzip the package and extract all files into directory C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps:
   

   
   
   

3. Create private and public keys:

   cd /d "C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF" "C:\Program Files\AdoptOpenJDK\jdk-8.0.275.1-hotspot\jre\bin\java.exe" -jar lib/ubisaml2.jar Generate http://localhost:8090/smartplanapplication/spsso -o saml2/sp -y

4. Create service provider metadata:

   cd /d "C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF" "C:\Program Files\AdoptOpenJDK\jdk-8.0.275.1-hotspot\jre\bin\java.exe" -jar lib/ubisaml2.jar Metadata saml2/sp -f sp-metadata.xml -y

5. Open Ubisecure SSO management console https://login.smartplan.com:8443/ubilogin. Right click [SAML 2.0] to save the identity provider's SAML 2.0 metadata file (metadata.xml) to directory C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF\saml2\sp\metadata\
   
   

   
   
   
   
   
   

6. Restart Apache Tomcat using Services. The application will re-read the configuration during startup.
   
   

   Open

   

   
   
   

7. Create an application in Ubisecure SSO management console.
   First, create a site ("SmartPlan" on the screenshot below).
   
   

   Open

   
   Open

   

   
   
   Select the site "SmartPlan", Site Methods, and select Add Methods... and choose the authentication methods that will need to be used on this site. For now, add "CustomerID Password."

   Open

   
   Open

   

   
   
   

8. Go back to "Site" tab and then click "New Application." When the popup window appears, write the name of your application (SmartPlan Application), select "SAML Service Provider" and click on "Enabled" box. Finally, accept with the "OK" button.
   
   

   Open

   
   Open

   

9. At "ID and Activation" press "Activate" and select the metadata from C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\smartplanapplication\WEB-INF\sp-metadata.xml
   
   

   
   
   Press "Update" button
   
   

10.  Then go to "Allowed Methods" and add "CustomerID Password." Click "Update"
    
    

    
    
    

11. Go to "Allowed to" and add "eIDMUser" group:
    
    

    Open

    
    Open

    

    
    
    

12. Now open your browser:http://localhost:8090/smartplanapplication/  (Ignore security warning if you haven't installed HTTPS:)
    
    
    

    Open

    

    
    
    
    
    
    
    
    

13. Now log in with username scott.long@smartplan.com (imported as part of lab 1.1) using the configured authentication method:
    
    

    Open

    

    
    
    
    
    

14. Finally, you will see a page like this which displays the user's id and the authentication methods. In Lab 2.4 (Authorisation Policy) you will learn how to send user attributes and display them in this page.
    
    
    

    Open

    

    
    
    

15. You're done.