0

I'm working on an Android project which has to strongly interact with a SSO Shibboleth authentication protected website. I have, therefore, to create a Java class in order to make a valid SAML assertion and to login into the website.

I googled a lot, and I find this piece of code: http://blog.keksrolle.de/2010/07/27/how-to-create-a-valid-saml-2-0-assertion-with-opensaml-for-java.html In fact I discovered that it was not needed, since that I was able to get the SAML response through some HttpConnection requests.

The code I wrote was able to perform steps 1-5 of this list: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#The_SAML_Use_Case The last thing it does is getting the value of the SAMLResponse parameter, which is the base64 encoding of a element. Then it issues a POST request to the assertion consumer service. Here the pseudo-code:

/* discover the IdP */
connect to the link (/idp/login/) which redirects to the form page (/Authn/UserPassword)
get cookies from the link in order to gain access to the form page
/* end */
/* get SAML response climbing the redirects */
set goTo var to the link of the form page
do {
    send POST data (+ cookies) to the goTo page
    get cookies of the new page and saves them with the others
    set goTo to connection.getHeaderField("Location");
} while (!(responseCode==200));
read the source of the last redirect 
get the specific SAMLResponse
/* end */
send it to website.com/Shibboleth.sso/SAML2/POST
get cookies, session data

But afterward the response of the server is a 500 error code, or an on page error code ("Something went wrong. Retry."). In fact, I'm not able to gain the access to the session, even if I have a valid SAML assertion which I send (encoded) to the server. Is it a problem of session? Once I issued the POST request, I supposed that the server reconized me via cookies (JSESSIONID) and via querystring (/home.do;jsessionid=XXXFAEC60AXXX7A7B9XXXAA9EXXXE71X.jvm2c), but I think that maybe something went totally wrong.

How can I login into a SAML authenticated website via Java?

Another (marginal) problem: I performed all the request without encryption (https). Can this be a problem from the point of view of security (packets sniffing etc)?

Gian Segato
  • 2,359
  • 3
  • 29
  • 37
  • Have you since resolved your issue? How did you do it, if I may ask? – David Perlaza May 13 '13 at 01:56
  • 1
    See here: http://stackoverflow.com/a/15731858/1557941 – Gian Segato May 13 '13 at 18:13
  • Thank you for the response, I'm glad it worked for you. I'd just like to ask, did you happen to use any external Java libs, did the solution involve a different approach than the one you describe above, and did you manually create your own assertions? – David Perlaza May 17 '13 at 16:29
  • Unfortunaltely 600 characters are not enough to sufficiently explain what I did. Maybe you would like to open a new question, to which I can answer more proficiently. Anyway, quick response: no, I didn't used any external Java lib, but the approach was slight different. I analysed all the HTTP request and replicated them in a single class. – Gian Segato May 18 '13 at 06:14
  • Your help is appreciated, Gianluca. Please see http://stackoverflow.com/questions/16512965/logging-into-saml-shibboleth-authenticated-server-using-python – David Perlaza May 19 '13 at 22:11
  • If you're encounter too much difficulties, feel free to contact me. Check my bio - use my website. – Gian Segato May 20 '13 at 09:30
  • @Gianluca any reference for the android saml implementation – Aniruddha K.M Jun 16 '16 at 13:00
  • @Gianluca unable to see your bio in SO, i could use your advice on how you implemented it – Aniruddha K.M Jun 16 '16 at 13:18

1 Answers1

0

Unfortunately I can't picture what is your exact problem. I can only redirect you to Shibboleth Web page, which can enlighten you in terms of shibboleth workflow. There is also documentation of SAML profiles (page 14 WB-SSO). I found it helpfull during extending my application with Single Logout Profile

As for lack of https... it's a major security leak. The purpose of using Shibbolethh or WBSSO at all is to grant maximum protection to both resources and confident user information. First of all you need secure login credential exchange with IdP. Secondly, if someone sniff signed (and maybe even encrypted) assertion, which idp sends back to your application, he may not be able to obtain user information from it (due to encryption) but he can access your secured service for as long as assertion is valid (5 min, 15 min or even sevral hours - depends on IdP configuration)

Edit 1: As for sample codes, check out Guanxi (Shibboleth implementation in Java), maybe you it will help you

Erwin
  • 522
  • 4
  • 20