See saml Menu

Code Your Java App to Provide SSO via OneLogin

Get the toolkit: 

Using the Toolkit

The com folder contains the files you’ll copy into your Java application.

index.jsp and consume.jsp are the files that actually handle the SAML conversation. Use them as a template for making your application a SAML relying party/service provider.

index.jsp acts as an initiator for the SAML conversation, if it should be initiated by the application. This is called service-provider-initiated SAML. The service provider creates a SAML authentication request and sends it to the identity provider (IdP):

<%@page import="java.net.URLEncoder,org.apache.log4j.Logger"%>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="com.onelogin.saml.*,com.onelogin.*" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/
loose.dtd">
<html>    
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <title>Auth Request</title>
<%
   // the appSettings object contain application specific settings used by the SAML 
   // library
   AppSettings appSettings = new AppSettings(); 

   // set the URL of the consume.jsp (or similar) file for this app. The SAML Response 
   // will be posted to this URL
   appSettings.setAssertionConsumerServiceUrl("http://x.y.z.z/consume.jsp"); 

   // set the issuer of the authentication request. This would usually be the URL of the 
   // issuing web application
   appSettings.setIssuer("https://www.mywebapp.com");   

   // the accSettings object contains settings specific to the users account.    

   // At this point, your application must have identified the users origin
   AccountSettings accSettings = new AccountSettings(); 

   // The URL at the Identity Provider where to the authentication request should be sent
   accSettings.setIdpSsoTargetUrl("https://app.onelogin.com/saml/signon/12345");   

   // Generate an AuthRequest and send it to the identity provider
   AuthRequest authReq = new AuthRequest(appSettings, accSettings);
   String reqString = accSettings.getIdp_sso_target_url()+"?SAMLRequest=" + 
   AuthRequest.getRidOfCRLF(URLEncoder.encode(authReq.getRequest(AuthRequest.base64),
   "UTF-8"));
   response.sendRedirect(reqString); 
%>
   </head>
   <body>
   </body>
</html>

To know where to redirect the user with the authentication request, we need to establish the user’s identity provider affinity. This depends on your application. Perhaps accounts have dedicated subdomain name (e.g. mycompany.accountingapp.com) or SAML-authentication for accounts is limited to certain IP-ranges. In those situations, you need to look up account information based on whatever information you already have about the user. In this example, those settings are provided by consume.jsp, which is meant as a stub for you customization:

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> 
<%@ page import="com.onelogin.*,com.onelogin.saml.*,org.apache.log4j.Logger" %> 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" http://www.w3.org/TR/html4/
loose.dtd"> 
<html> 
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <title>SAML Assertion Page</title>
</head> 
<body> 
<%   
   String certificateS ="MIIBrTCCAaGgAwIBAgIBATADBgE......";
    
   // user account specific settings. Import the certificate here   
   AccountSettings accountSettings = new AccountSettings();   
   accountSettings.setCertificate(certificateS);    

   Response samlResponse = new Response(accountSettings);   
   samlResponse.loadXmlFromBase64(request.getParameter("SAMLResponse"));    

   if (samlResponse.isValid()) {      
    
      // the signature of the SAML Response is valid. The source is trusted     
      java.io.PrintWriter writer = response.getWriter();     
      writer.write("OK!");     
      String nameId = samlResponse.getNameId();     
      writer.write(nameId);     
      writer.flush();      

   } else {      

      // the signature of the SAML Response is not valid     
      java.io.PrintWriter writer = response.getWriter();     
      writer.write("Failed");     
      writer.flush();    
   } 
%> 
</body> 
</html>

The consume script receives the SAML assertion. Again, you need to know the identity provider to which the user belongs, but now you get a clue, since the username or email address in the SAML assertion - use samlResponse.getNameId() to retrieve it. Next you’ll use this information to retrieve the identity provider information, and after that, you can verify that the SAML assertion is actually from the identity provider configured on the account, as above.

What Needs to be Configured

In the example above, SAML settings are divided into two parts, the application specific (const_assertion_consumer_service_url, const_issuer, const_name_identifier_format) and the user/account specific (idp_sso_target_url, x509certificate). You’ll need to add your own code here to identify the user or user origin (e.g. by subdomain, ip_address etc.).

The following information needs to be available on the account:

  • appSettings.setAssertionConsumerServiceUrl

    The URL at which the SAML assertion should be received. In this example, http://localhost:3000/saml/consume would be correct.

  • appSettings.setIssuer

    The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.

  • accSettings.setIdpSsoTargetUrl

    The URL to which the authentication request should be sent. This would be on the identity provider.

  • accountSettings.setCertificate

    The x509 certificate fingerprint. This is provided from the identity provider when setting up the relationship.


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "onelogin saml java"

  • 4
    Votes

    A: OneLogin for Java - Beginner Issues

    Answered Mar 29 2017

    version of the java-saml. On the github repository of java-saml https://github.com/onelogin/java-saml You will find the right documentation. 3) That code initiates the login process (send … 1) As described here: https://mvnrepository.com/artifact/com.onelogin/java-saml/2.0.1 You need to add: com.onelogin java-saml 2.0.1 2) That documentation is old and belong the 1.X …

  • 3
    Votes
    1
    Answers

    Q: Create SAML Assertion and Sign the response

    Asked Oct 21 2014

    I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin program to send request and get response. But it was not working … properly. I created one account there. But I don't have an enterprise account. When I run the application, it is going to onelogin login page. I tried to login, but it is not returning anyuthing …

  • 3
    Votes

    A: Creating Java EE application with SAML & ADFS for Single Sign On

    Answered Feb 13 2017

    If you really don't want to use Spring Security SAML extension (which really only takes a few minutes to integrate it into your app) then you may need to look at https://github.com/onelogin/java … -saml or the Fedlet from OpenAM, however this requires much more additional coding than Spring Security SAML extension. …

  • 2
    Votes

    A: Error in response while using SAML oneLogin code to connect to ADFS as iDP

    Answered Oct 06 2016

    I have resolved this exception. It required to add email address in the properties of Active Directory Users and Computers on ADFS server. Also, the NameID format property should be set as "urn:oasis: …

  • 2
    Votes

    A: SSO and OAuth Confusion

    Answered Apr 21 2017

    Your customer is actually asking you to provide a federated authentication method leveraging an industry standard like SAML 2.0 or OpenID Connect*. I think this is reasonable because; They won't … . This being said, there are many alternatives to setting up PingFederate or ADFS, which can be roughly viewed in three groups: IDaaS: Azure AD, PingOne, Okta, OneLogin etc. They take over the federation …

Loading...