See saml Menu

Code Your Java App to Provide SSO via OneLogin

Get the toolkit: 

Using the Toolkit

The com folder contains the files you’ll copy into your Java application.

index.jsp and consume.jsp are the files that actually handle the SAML conversation. Use them as a template for making your application a SAML relying party/service provider.

index.jsp acts as an initiator for the SAML conversation, if it should be initiated by the application. This is called service-provider-initiated SAML. The service provider creates a SAML authentication request and sends it to the identity provider (IdP):

<%@page import=",org.apache.log4j.Logger"%>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="com.onelogin.saml.*,com.onelogin.*" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <title>Auth Request</title>
   // the appSettings object contain application specific settings used by the SAML 
   // library
   AppSettings appSettings = new AppSettings(); 

   // set the URL of the consume.jsp (or similar) file for this app. The SAML Response 
   // will be posted to this URL

   // set the issuer of the authentication request. This would usually be the URL of the 
   // issuing web application

   // the accSettings object contains settings specific to the users account.    

   // At this point, your application must have identified the users origin
   AccountSettings accSettings = new AccountSettings(); 

   // The URL at the Identity Provider where to the authentication request should be sent

   // Generate an AuthRequest and send it to the identity provider
   AuthRequest authReq = new AuthRequest(appSettings, accSettings);
   String reqString = accSettings.getIdp_sso_target_url()+"?SAMLRequest=" + 

To know where to redirect the user with the authentication request, we need to establish the user’s identity provider affinity. This depends on your application. Perhaps accounts have dedicated subdomain name (e.g. or SAML-authentication for accounts is limited to certain IP-ranges. In those situations, you need to look up account information based on whatever information you already have about the user. In this example, those settings are provided by consume.jsp, which is meant as a stub for you customization:

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> 
<%@ page import="com.onelogin.*,com.onelogin.saml.*,org.apache.log4j.Logger" %> 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <title>SAML Assertion Page</title>
   String certificateS ="MIIBrTCCAaGgAwIBAgIBATADBgE......";
   // user account specific settings. Import the certificate here   
   AccountSettings accountSettings = new AccountSettings();   

   Response samlResponse = new Response(accountSettings);   

   if (samlResponse.isValid()) {      
      // the signature of the SAML Response is valid. The source is trusted   writer = response.getWriter();     
      String nameId = samlResponse.getNameId();     

   } else {      

      // the signature of the SAML Response is not valid   writer = response.getWriter();     

The consume script receives the SAML assertion. Again, you need to know the identity provider to which the user belongs, but now you get a clue, since the username or email address in the SAML assertion - use samlResponse.getNameId() to retrieve it. Next you’ll use this information to retrieve the identity provider information, and after that, you can verify that the SAML assertion is actually from the identity provider configured on the account, as above.

What Needs to be Configured

In the example above, SAML settings are divided into two parts, the application specific (const_assertion_consumer_service_url, const_issuer, const_name_identifier_format) and the user/account specific (idp_sso_target_url, x509certificate). You’ll need to add your own code here to identify the user or user origin (e.g. by subdomain, ip_address etc.).

The following information needs to be available on the account:

  • appSettings.setAssertionConsumerServiceUrl

    The URL at which the SAML assertion should be received. In this example, http://localhost:3000/saml/consume would be correct.

  • appSettings.setIssuer

    The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.

  • accSettings.setIdpSsoTargetUrl

    The URL to which the authentication request should be sent. This would be on the identity provider.

  • accountSettings.setCertificate

    The x509 certificate fingerprint. This is provided from the identity provider when setting up the relationship.

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "onelogin saml java"

  • 3

    Q: Create SAML Assertion and Sign the response

    Asked Oct 21 2014

    I have a Java web application. I want to implement SAML Single-Sign-On login for my application. I have got this GitHub onelogin program to send request and get response. But it was not working … properly. I created one account there. But I don't have an enterprise account. When I run the application, it is going to onelogin login page. I tried to login, but it is not returning anyuthing …

  • 2

    A: Error in response while using SAML oneLogin code to connect to ADFS as iDP

    Answered Oct 06 2016

    I have resolved this exception. It required to add email address in the properties of Active Directory Users and Computers on ADFS server. Also, the NameID format property should be set as "urn:oasis: …

  • 2

    A: OneLogin for Java - Beginner Issues

    Answered Mar 29 2017

    version of the java-saml. On the github repository of java-saml You will find the right documentation. 3) That code initiates the login process (send … 1) As described here: You need to add: com.onelogin java-saml 2.0.1 2) That documentation is old and belong the 1.X …

  • 2

    A: Python SSO: pysaml2 and python3-saml

    Answered Nov 16 2016

    of Onelogin's SAML toolkit so if you used any other toolkit before (php-saml, ruby-saml, java-saml), will be easy for you to handle with it (similar methods, same settings). Differences Crypto: pysaml2 … Both projects are compatible with Shibboleth. pysaml2 is older than python3-saml, right now both support py2 and py3. Both are kinda active and documented. python3-saml follows the structure …

  • 2

    A: Creating Java EE application with SAML & ADFS for Single Sign On

    Answered Feb 13 2017

    If you really don't want to use Spring Security SAML extension (which really only takes a few minutes to integrate it into your app) then you may need to look at … -saml or the Fedlet from OpenAM, however this requires much more additional coding than Spring Security SAML extension. …