SAML Client Samples
This sample serves as a basis for using the SAMLClient API. There are two machines, each with Identity Server 2004Q2 installed; one is called machine #1 and the other machine #2. The AssertionArtifactSample servlet running on machine #1 generates an AssertionArtifact and sends it to the SAMLClientSample servlet on machine #2. SAMLClientSample then retrieves the Assertion by passing the Artifact back to machine #1.
On Solaris
Instructions to set up the sample servlets
On machine #1, where Identity Server 2004Q2 is installed, do the following steps:
- cd to <install-dir>/SUNWam/samples/saml/client
- Edit the Makefile and modify the environment variables; they are used when running the make command.
  BASE - Set this variable to the install directory.
  CLASSPATH - Get this from the web container the IS instance is running in. For example, in Sun Web Server, use the value of classpathsuffix in <ws-install-dir>/https-<servername>/config/server.xml.
  JAVA_HOME - Set this variable to your JDK installation. It should be newer than JDK 1.3.1.
  BASE_CLASS_DIR - Directory where all the compiled sample classes will be kept.
  JAR_DIR - Directory where the jar of the sample classes will be created.
- Run gmake
- Deploy this sample to the web container. For example, in Sun Web Server:
  - Add <install-dir>/SUNWam/lib/SAMLSample.jar to the web server's server.xml classpathsuffix
  - Add <servlet> and <servlet-mapping> entries to the file <ws-install-dir>/https-<servername>/is-web-apps/services/WEB-INF/web.xml:
    <servlet>
      <servlet-name>AssertionArtifactSample</servlet-name>
      <description>AssertionArtifactSample</description>
      <servlet-class>AssertionArtifactSample</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>AssertionArtifactSample</servlet-name>
      <url-pattern>/AssertionArtifactSample</url-pattern>
    </servlet-mapping>
- Restart Identity Server 2004Q2
- Log in to the Administration Console, http://<machine#1 host>:<machine #1 port>/amserver/UI/Login
- Click on the "Service Configuration" tab
- Click on "SAML" under "Service Name"
- Go to the "SiteID and Site Issuer Name" attribute and copy the siteid from it. The attribute format is:
  instanceID=<machine #1 host>:<machine #1 port>|siteid=<machine #1 siteid>|issuerName=<machine #1 host>:<machine #1 port>
  for example,
  instanceID=dsame.xyz.com:58080|siteid=5SwAdEHiwXYg+Oho40ppcB+NLnM=|issuerName=dsame.xyz.com:58080
  where 5SwAdEHiwXYg+Oho40ppcB+NLnM= is the siteid of machine #1.
- Go to the "Trusted Partner Sites" attribute and click "Add", which brings up an "Add Trusted Partner Sites" window. In this window, add each attribute by placing the attribute's name (e.g. target) in the "Key" field and the attribute's value (e.g. <machine #2 host>) in the "Value" field, then click "Add". Do this for each attribute (SourceID, target, SAMLUrl, and hostlist).
  After all the attributes are added, click "OK", which closes this window and brings you back to the "SAML" service window. An entry like the following should now appear in the "Trusted Partner Sites" attribute:
  SourceId=<siteid of machine #2>|target=<machine #2 host>:<machine #2 port>|SAMLUrl=<machine #2 protocol>://<machine #2 host>:<machine #2 port>/amserver/SAMLAwareServlet|hostlist=<machine #2 host IP>
  For example,
  SourceId=5SwAdEHiwXYg+Oho40ppcB+NLnM=|target=machine#2.abc.com:80|SAMLUrl=http://machine#2.abc.com:80/amserver/SAMLAwareServlet|hostlist=192.12.148.102
- Click on "Save"
On machine #2, where Identity Server 2004Q2 is installed, do the following steps:
- Copy SAMLSample.jar from <install-dir>/SUNWam/lib/ on machine #1 to <install-dir>/SUNWam/lib/ on machine #2
- Deploy this sample to the web container where IS is running. For example, on Sun Web Server:
  - Add <install-dir>/SUNWam/lib/SAMLSample.jar to the web server's server.xml classpathsuffix
  - Add <servlet> and <servlet-mapping> entries to the file <ws-install-dir>/https-<servername>/is-web-apps/services/WEB-INF/web.xml:
    <servlet>
      <servlet-name>SAMLClientSample</servlet-name>
      <description>SAMLClientSample</description>
      <servlet-class>SAMLClientSample</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>SAMLClientSample</servlet-name>
      <url-pattern>/SAMLClientSample</url-pattern>
    </servlet-mapping>
- Restart Identity Server 2004Q2
- Log in to the Administration Console, <machine #2 protocol>://<machine #2 host>:<machine #2 port>/amserver/UI/Login
- Click on the "Service Management" tab
- Click on "SAML" under "Service Name"
- Copy the siteid from the "SiteID" attribute: <machine #1 host>:<machine #1 port>|siteid
- Go to the "Trusted Partner Sites" attribute and click "Add", which brings up an "Add Trusted Partner Sites" window. In this window, add each attribute by placing the attribute's name (e.g. sourceid) in the "Key" field and the attribute's value (e.g. <machine #1 siteid>) in the "Value" field, then click "Add". Do this for each attribute (SourceID and SOAPUrl).
  After all the attributes are added, click "OK", which closes this window and brings you back to the "SAML" service window. An entry like the following should now appear in the "Trusted Partner Sites" attribute:
  SourceId=<machine #1 siteid>|SOAPUrl=<machine #1 protocol>://<machine #1 host>:<machine #1 port>/amserver/SAMLSOAPReceiver
  For example,
  SourceId=6zLPS96EshDhTrDJddH5ZAa8yeQ=|SOAPUrl=http://machine#1.xyz.com:58080/amserver/SAMLSOAPReceiver
- Click on "Save"
- Bring up a browser.
- Log in to the Administration Console on machine #1 if you have not already logged in
- Invoke the servlet
  <machine #1 protocol>://<machine #1 host>:<machine #1 port>/<service_deploy_URI>/AssertionArtifactSample?target=<machine #2 protocol>://<machine #2 host>:<machine #2 port>/<service_deploy_URI>/SAMLClientSample&sourceid=<URLEncoded site id of machine #2>
  Note: the machine #2 source id can be obtained from the Administration Console. It must be URL-encoded before being entered in the above URL. To URL-encode the sourceid, use the SAMLURLEncoder provided with this sample as follows:
  java SAMLURLEncoder <sourceid>
  Also, the query parameters target and sourceid are case sensitive, so TARGET or SOURCEID will not work. For instance:
  http://neuhome.red.iplanet.com:58080/amserver/AssertionArtifactSample?target=http://dsame.sun.com:58080/amserver/SAMLClientSample&sourceid=6zLPS96EshDhTrDJddH5ZAa8yeQ%3D
On Windows 2000
Instructions to set up the sample servlets
On machine #1, where Identity Server 2004Q2 is installed, do the following steps:
- cd to <install-dir>\samples\saml\client
- Edit the Makefile and modify the environment variables; they are used when running the make command.
  BASE - Set this variable to the install directory, <install-dir>.
  CLASSPATH - Get this from the web container the IS instance is running in. For example, in Sun Web Server, use the value of classpathsuffix in <ws-install-dir>\https-<servername>\config\server.xml.
  JAVA_HOME - Set this variable to your JDK installation. It should be newer than JDK 1.3.1.
  BASE_CLASS_DIR - Directory where all the compiled sample classes will be kept.
  JAR_DIR - Directory where the jar of the sample classes will be created.
- Run make
- Deploy this sample to the web container where IS is running. For example, on Sun Web Server:
  - Add <install-dir>\lib\SAMLSample.jar to the web server's server.xml classpathsuffix
  - Add <servlet> and <servlet-mapping> entries to the file <ws-install-dir>\https-<servername>\is-web-apps\services\WEB-INF\web.xml. For example,
    <servlet>
      <servlet-name>AssertionArtifactSample</servlet-name>
      <description>AssertionArtifactSample</description>
      <servlet-class>AssertionArtifactSample</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>AssertionArtifactSample</servlet-name>
      <url-pattern>/AssertionArtifactSample</url-pattern>
    </servlet-mapping>
- Restart Identity Server 2004Q2
- Log in to the Administration Console, http://<machine #1 host>:<machine #1 port>/amserver/UI/Login
- Click on the "Service Configuration" tab
- Click on "SAML" under "Service Name"
- Go to the "SiteID and Site Issuer Name" attribute and copy the siteid from it. The attribute format is:
  instanceID=<machine #1 host>:<machine #1 port>|siteid=<machine #1 siteid>|issuerName=<machine #1 host>:<machine #1 port>
  for example,
  instanceID=dsame.xyz.com:58080|siteid=5SwAdEHiwXYg+Oho40ppcB+NLnM=|issuerName=dsame.xyz.com:58080
  where 5SwAdEHiwXYg+Oho40ppcB+NLnM= is the siteid of machine #1.
- Go to the "Trusted Partner Sites" attribute and click "Add", which brings up an "Add Trusted Partner Sites" window. In this window, add each attribute by placing the attribute's name (e.g. target) in the "Key" field and the attribute's value (e.g. <machine #2 host>) in the "Value" field, then click "Add". Do this for each attribute (SourceID, target, SAMLUrl, and hostlist).
  After all the attributes are added, click "OK", which closes this window and brings you back to the "SAML" service window. An entry like the following should now appear in the "Trusted Partner Sites" attribute:
  SourceId=<siteid of machine #2>|target=<machine #2 host>:<machine #2 port>|SAMLUrl=<machine #2 protocol>://<machine #2 host>:<machine #2 port>/amserver/SAMLAwareServlet|hostlist=<machine #2 host IP>
  For example,
  SourceId=5SwAdEHiwXYg+Oho40ppcB+NLnM=|target=machine#2.abc.com:80|SAMLUrl=http://machine#2.abc.com:80/amserver/SAMLAwareServlet|hostlist=192.12.148.102
- Click on "Add"
- Click on "Save"
On machine #2, where Identity Server 2004Q2 is installed, do the following steps:
- Copy SAMLSample.jar from <install-dir>\lib on machine #1 to <install-dir>\lib on machine #2
- Deploy this sample to the web container. For example, on Sun Web Server:
  - Add <install-dir>\lib\SAMLSample.jar to the web server's server.xml classpathsuffix
  - Add <servlet> and <servlet-mapping> entries to the file <ws-install-dir>\https-<servername>\is-web-apps\services\WEB-INF\web.xml. For example,
    <servlet>
      <servlet-name>SAMLClientSample</servlet-name>
      <description>SAMLClientSample</description>
      <servlet-class>SAMLClientSample</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>SAMLClientSample</servlet-name>
      <url-pattern>/SAMLClientSample</url-pattern>
    </servlet-mapping>
- Restart Identity Server 2004Q2
- Log in to the Administration Console, <machine #2 protocol>://<machine #2 host>:<machine #2 port>/amserver/UI/Login
- Click on the "Service Management" tab
- Click on "SAML" under "Service Name"
- Copy the siteid from the "SiteID" attribute: <machine #1 host>:<machine #1 port>|siteid
- Go to the "Trusted Partner Sites" attribute and click "Add", which brings up an "Add Trusted Partner Sites" window. In this window, add each attribute by placing the attribute's name (e.g. sourceid) in the "Key" field and the attribute's value (e.g. <machine #1 siteid>) in the "Value" field, then click "Add". Do this for each attribute (SourceID and SOAPUrl).
  After all the attributes are added, click "OK", which closes this window and brings you back to the "SAML" service window. An entry like the following should now appear in the "Trusted Partner Sites" attribute:
  SourceId=<machine #1 siteid>|SOAPUrl=<machine #1 protocol>://<machine #1 host>:<machine #1 port>/amserver/SAMLSOAPReceiver
  For example,
  SourceId=6zLPS96EshDhTrDJddH5ZAa8yeQ=|SOAPUrl=http://machine#1.xyz.com:58080/amserver/SAMLSOAPReceiver
- Click on "Save"
- Bring up a browser.
- Log in to the Administration Console on machine #1 if you have not already logged in
- Get the machine #2 sourceid and run the command: java SAMLURLEncoder <machine#2 sourceid>
  The output is the URL-encoded sourceid of machine #2.
- Invoke the servlet
  <machine #1 protocol>://<machine #1 host>:<machine #1 port>/<service_deploy_URI>/AssertionArtifactSample?target=<machine #2 protocol>://<machine #2 host>:<machine #2 port>/<service_deploy_URI>/SAMLClientSample&sourceid=<URLEncoded site id of machine #2>
  Note: the machine #2 source id can be obtained from the Administration Console. It is in base64-encoded format and must be URL-encoded before being entered in the above URL. To URL-encode the sourceid, use the SAMLURLEncoder provided with this sample as follows:
  java SAMLURLEncoder <sourceid>
  Also, the query parameters target and sourceid are case sensitive, so TARGET or SOURCEID will not work. For instance:
  http://neuhome.red.iplanet.com:58080/amserver/AssertionArtifactSample?target=http://dsame.sun.com:58080/amserver/SAMLClientSample&sourceid=6zLPS96EshDhTrDJddH5ZAa8yeQ%3D
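The "Invoke the servlet" steps of both the Solaris and the Windows instructions depend on two details that are easy to get wrong by hand: the base64 siteid contains '+', '/' and '=' and must be percent-encoded, and the query parameter names are case sensitive. The following added Python example (not part of the sample, whose SAMLURLEncoder is a Java tool) reproduces that encoding with the standard library, assuming SAMLURLEncoder does plain percent-encoding as the page's own example (trailing '=' becoming %3D) shows. It also parses the pipe-delimited "Trusted Partner Sites" entry format used on both machines and reports required keys that are missing or mistyped. The hostnames, the second hostlist IP and the mistyped SAMLrl key in the demo entry are constructed; the siteid values are the page's own examples.

```python
from urllib.parse import quote

# Constructed sample values, modelled on the placeholders in the instructions
# above; the hostnames are not real and the siteid is the page's own example.
MACHINE1 = {"protocol": "http", "host": "machine1.xyz.com", "port": 58080}
MACHINE2 = {"protocol": "http", "host": "machine2.abc.com", "port": 80}
MACHINE2_SITEID = "6zLPS96EshDhTrDJddH5ZAa8yeQ="  # base64 siteid, as shown in the Admin Console

# Keys each side's "Trusted Partner Sites" entry must carry (compared case-insensitively,
# since the instructions spell the same key both "SourceID" and "SourceId").
REQUIRED_ON_MACHINE1 = {"sourceid", "target", "samlurl", "hostlist"}  # entry describing machine #2
REQUIRED_ON_MACHINE2 = {"sourceid", "soapurl"}                        # entry describing machine #1


def parse_partner_entry(entry: str) -> dict:
    """Parse a key=value|key=value entry into a dict keyed by lower-cased name.

    Values (base64 siteids, URLs) can themselves contain '=', so each field
    is split on its first '=' only.
    """
    fields = {}
    for field in entry.split("|"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"field without '=': {field!r}")
        key, value = field.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def missing_keys(entry: str, required: set) -> set:
    """Names from `required` that the entry lacks or has mistyped (e.g. SAMLrl for SAMLUrl)."""
    return required - set(parse_partner_entry(entry))


def urlencode_siteid(siteid: str) -> str:
    """Percent-encode a base64 siteid for use in a query string.

    '+', '/' and '=' all occur in base64 and all have other meanings in a URL
    ('+' would be decoded as a space), so none of them may be passed through.
    """
    return quote(siteid, safe="")


def artifact_sample_url(m1: dict, m2: dict, siteid2: str, deploy_uri: str = "amserver") -> str:
    """Build the AssertionArtifactSample invocation URL shown in the instructions.

    The parameter names are 'target' and 'sourceid' in exactly that case; the
    target URL is passed as-is, as in the page's own example, while the
    sourceid is URL-encoded.
    """
    base = f"{m1['protocol']}://{m1['host']}:{m1['port']}/{deploy_uri}"
    target = f"{m2['protocol']}://{m2['host']}:{m2['port']}/{deploy_uri}/SAMLClientSample"
    return f"{base}/AssertionArtifactSample?target={target}&sourceid={urlencode_siteid(siteid2)}"


if __name__ == "__main__":
    # Constructed entry with a deliberately mistyped key (SAMLrl instead of SAMLUrl).
    entry = ("SourceId=5SwAdEHiwXYg+Oho40ppcB+NLnM=|target=machine2.abc.com:80|"
             "SAMLrl=http://machine2.abc.com:80/amserver/SAMLAwareServlet|hostlist=192.0.2.10")
    print("keys missing from machine #1 entry:", missing_keys(entry, REQUIRED_ON_MACHINE1))
    print(artifact_sample_url(MACHINE1, MACHINE2, MACHINE2_SITEID))
```

Running the block reports `{'samlurl'}` for the mistyped entry, which is the kind of typo that otherwise only surfaces when the servlet on machine #2 fails to find a partner for the artifact, and prints the invocation URL with the siteid's trailing '=' encoded as %3D.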
You should see servlet response output like:
The Assertion related to AssertionArtifact
AAE1U3dBZEVIaXdYWWcrT2hvNDBwcE5zTzYyUEgwUmt6WlNsOUFLL2gr:
<saml:Assertion MajorVersion="1" MinorVersion="0"
AssertionID="udue+oAHA8MPK3W3A4sHGpre6iM=" Issuer="wsun-unix.red.iplanet.com:58080"
IssueInstant="2002-08-07T02:11:26Z" >
<saml:Conditions NotBefore="2002-08-07T02:06:26Z" NotOnOrAfter="2002-08-07T02:13:26Z" >
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:sun.com:sunone:ims:LDAP"
AuthenticationInstant="2002-08-07T01:42:01Z">
<saml:Subject >
<saml:NameIdentifier NameQualifier="dc=example,dc=com"
>uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation >
<saml:ConfirmationMethod
>urn:oasis:names:tc:SAML:1.0:cm:artifact-01</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:SubjectLocality IPAddress="192.18.120.114" /></saml:AuthenticationStatement>
<saml:AttributeStatement >
<saml:Subject >
<saml:NameIdentifier NameQualifier="dc=example,dc=com"
>uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
<saml:SubjectConfirmation >
<saml:ConfirmationMethod
>urn:oasis:names:tc:SAML:1.0:cm:artifact-01</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="attName1" AttributeNamespace="attNamespace1">
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">first
example of
AttributeValue</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="attName2" AttributeNamespace="attNamespace2">
<saml:AttributeValue
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><Name>Oasis</Name></saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
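Once the assertion above comes back, the receiving side should not act on it just because the artifact resolved: the checks worth making are that Issuer is one of the configured trusted partners, that the Conditions window (NotBefore to NotOnOrAfter, only seven minutes wide in the sample) contains the current time, and that each SubjectConfirmation uses the artifact-01 method this exchange is supposed to produce. The following added Python example, not part of the sample (which is Java), runs those checks over a constructed copy of the assertion shown above. The copy declares the saml namespace on the root element, which the printed output omits, so that a standard XML parser accepts it; the trusted-issuer set and the clock values passed in are assumptions.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ARTIFACT_CM = "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"
NS = {"saml": SAML_NS}

# Constructed sample, modelled on the servlet output shown above, with the saml
# namespace declared on the root element so a standard XML parser accepts it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="0"
  AssertionID="udue+oAHA8MPK3W3A4sHGpre6iM=" Issuer="wsun-unix.red.iplanet.com:58080"
  IssueInstant="2002-08-07T02:11:26Z">
  <saml:Conditions NotBefore="2002-08-07T02:06:26Z" NotOnOrAfter="2002-08-07T02:13:26Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:sun.com:sunone:ims:LDAP"
    AuthenticationInstant="2002-08-07T01:42:01Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="dc=example,dc=com">uid=amAdmin,ou=People,dc=example,dc=com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{ARTIFACT_CM}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:SubjectLocality IPAddress="192.18.120.114"/>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML 1.0 assertions carry (e.g. 2002-08-07T02:11:26Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, trusted_issuers: set, now: datetime) -> list:
    """Return the problems found with the assertion; an empty list means it passes.

    Checks: the issuer is a configured trusted partner, the Conditions window
    contains `now`, and every SubjectConfirmation uses the artifact method.
    """
    root = ET.fromstring(xml_text)
    problems = []

    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= _ts(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
            problems.append("assertion expired")

    methods = [m.text.strip() for m in root.iter(f"{{{SAML_NS}}}ConfirmationMethod")]
    if not methods:
        problems.append("no SubjectConfirmation")
    for method in methods:
        if method != ARTIFACT_CM:
            problems.append(f"unexpected confirmation method {method!r}")
    return problems


def subject_name(xml_text: str):
    """The NameIdentifier of the first statement's subject, or None if absent."""
    root = ET.fromstring(xml_text)
    ni = root.find(".//saml:NameIdentifier", NS)
    return ni.text.strip() if ni is not None else None


if __name__ == "__main__":
    trusted = {"wsun-unix.red.iplanet.com:58080"}       # assumed partner list
    for clock in ("2002-08-07T02:10:00Z", "2002-08-07T02:13:26Z"):
        print(clock, check_assertion(SAMPLE_ASSERTION, trusted, _ts(clock)) or "OK")
    print("subject:", subject_name(SAMPLE_ASSERTION))
```

With the clock inside the window the assertion passes for the subject uid=amAdmin,ou=People,dc=example,dc=com; at exactly NotOnOrAfter it is reported as expired, which is why the two machines' clocks need to agree to well within the window the issuer configures.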