OneLogin POST binding support for AuthnRequest - saml

I hope you are doing well.
I want to ask whether there is a way to make my AuthnRequest support the POST binding, or whether that is impossible.
Thank you.

You don't provide many details, but yes, OneLogin seems to support urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST for SingleSignOnService.
The question is whether your SAML2 library supports it for your Service Provider.


Does ADFS 2.0 with WS-Federation support IdP-initiated SSO?

Does ADFS 2.0 with WS-Federation support IdP-initiated SSO? And if yes, how? I could not find the answer on the internet yet, and if yes, could you please help me with a sample?
I configured a trust relation between the ADFS 2.0 (IdP) and my RP using a metadata configuration. Everything works fine in SP-initiated SSO, but I don't know how to configure the IdP-initiated one.
I'm opening this link https://[SOMETHING]/adfs/ls/idpinitiatedsignon.aspx but it is showing an empty list with a Signout button only.
What did I miss?
Is it configured through the RP metadata file only?
There's no such thing as IDP-initiated-SSO in the WS-Federation standard, but ADFS 2.0 allows for so-called "smart links" that achieve relatively similar behavior as described in: http://community.office365.com/en-us/w/sso/358-using-smart-links-or-idp-initiated-authentication-with-office-365.aspx. Your RP (e.g. O365) needs to support that too.

SAML WebSSO profile implementation

I am going to implement the ServiceProvider part using the SAML 2.0 WebSSO profile. According to the SAML specification, the two supported flows are SP-initiated and IDP-initiated. I want to implement only the IDP-initiated flow because of time constraints. Will it work, or is it required to implement both flows?
I don't want to generate any metadata for my SP. Can I still register my SP at the IDP without providing any metadata, by giving only a default Assertion Consumer Service URL?
Short answer: yes, it will work, but... and yes, if it is supported.
About implementing IDP-initiated SSO: it will work with only IDP-initiated SSO if the IDP supports it. But your implementation will not be conformant with the SAML standard.
SAML does not require one to use metadata; this is just a good way to transport configuration data. Whether this will work depends on whether your IDP can be configured without using metadata. I have seen many that can do this.
Agree with @Stefan - no, you don't have to implement both flows.
SAML has many options - generally there is not enough information in the Assertion Consumer Service to fully configure e.g. certificates, public keys, supported endpoints etc.
But if the IDP allows this, you can do it manually - you just have to provide all the bits and pieces. And you'll have to do this again when the certificate expires etc. Metadata makes this all easier.
Java or .NET? If .NET, there are classes available to generate the metadata. Not sure for Java but would be surprised if there aren't.

SSO Implementation using SAML 2.0

I'm a newbie to the SSO concept and SAML. My requirement is detailed below:
Having a common login page. The end user will be logged in using credentials;
once the user is logged in, he will be redirected to my application. From there, we will have links to other applications.
Here, my application is working as Service Provider.
My question is: as SP, how could I generate SAML 2.0 requests to other applications from mine?
How do I check whether my application supports SAML 2.0? (It's Java based.)
To conclude, how do I generate and send/receive digital signatures through SAML 2.0?
Can anyone please explain the flow to me first and then direct me to some link?
Does your application support SSO? If not, it probably doesn't support SAML.
You need a client-side SAML stack - examples here.
The commercial implementations in particular have lots of example code.
For Java, look at the Spring SAML extension.
Also, get as much information as you can re. the IDP because that will determine what SAML protocols and bindings you need to implement.

What is SAML profile and binding?

I am new to SAML. Could you please explain in plain English what a SAML profile and a binding are, and provide a couple of examples?
As nrathus points out in his comment, Wikipedia's entry on SAML is a pretty good place to start.
The SAML 2.0 entry, though, delves further into the version you're most likely to use.
Having said that, my answer is this:
Bindings - these are essentially the technical method of a connection. Are we expecting the browser to POST the assertion (HTTP POST Binding)? Or should the service provider be retrieving an artifact from the identity provider over SOAP (HTTP Artifact Binding)?
Profiles on the other hand, basically define a set of things that you want to do. Browser SSO? SLO? IdP Discovery?
In a nutshell, Profiles are what you do, and bindings are how you do it.
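The answer above describes bindings as the "how" of moving a SAML message, and the first thread on this page asks specifically about carrying an AuthnRequest over the HTTP-POST binding. The following is an added example, not code from any of the posters or from OneLogin, that shows what the two browser bindings actually do to the same message: HTTP-Redirect deflates, base64-encodes and URL-encodes it into a query string, while HTTP-POST just base64-encodes it into a hidden form field. The AuthnRequest, the `example.invalid` URLs and the `MAX_INFLATED` cap are constructed for the example. The receiving side caps the inflated size, because a few hundred bytes of DEFLATE can otherwise expand into an enormous document on the IdP.

```python
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode

# Constructed sample AuthnRequest. The ID, timestamp and URLs are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.invalid/acs">'
    "<saml:Issuer>https://sp.example.invalid</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

# Ceiling on the inflated message size (a constructed limit; tune it to your deployment).
MAX_INFLATED = 1 << 20


def encode_redirect(xml: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode
    as query-string parameters. Returns the query string to append to the IdP URL."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query: str) -> str:
    """Inverse of encode_redirect, with a size cap so a tiny compressed payload
    cannot inflate into an arbitrarily large document on the receiving side."""
    params = parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_INFLATED)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("inflated SAMLRequest exceeds MAX_INFLATED or is truncated")
    return xml.decode("utf-8")


def encode_post(xml: str) -> str:
    """HTTP-POST binding: the message is base64-encoded (never compressed) and carried
    in a form field named SAMLRequest (or SAMLResponse for the assertion)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field_value: str) -> str:
    """Inverse of encode_post."""
    return base64.b64decode(field_value, validate=True).decode("utf-8")


def post_form(destination: str, saml_request_b64: str, relay_state: str = "") -> str:
    """Auto-submitting HTML form that the browser posts to the IdP's SingleSignOnService.
    Every value is HTML-escaped so that attacker-influenced RelayState cannot break
    out of the attribute and inject markup into the page the SP serves."""
    fields = [("SAMLRequest", saml_request_b64)]
    if relay_state:
        fields.append(("RelayState", relay_state))
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(n)}" value="{html.escape(v)}"/>'
        for n, v in fields
    )
    return (
        f'<form method="post" action="{html.escape(destination)}">{inputs}'
        '<noscript><input type="submit" value="Continue"/></noscript></form>'
        "<script>document.forms[0].submit();</script>"
    )


if __name__ == "__main__":
    query = encode_redirect(AUTHN_REQUEST, "state-123")
    assert decode_redirect(query) == AUTHN_REQUEST
    print("Redirect query string:", query)
    print(post_form("https://idp.example.invalid/sso", encode_post(AUTHN_REQUEST)))
```

Which binding the SP may use for AuthnRequest is decided by the IdP's metadata (the SingleSignOnService element lists one entry per supported binding), and which one the IdP may use for the Response is decided by the SP's AssertionConsumerService entries; the encoding above is only half of the contract.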

SAML 2.0 LogoutRequest

I am working on handling a LogoutRequest from a relying party on the STS side.
I can parse the LogoutRequest, delete the cookie and generate a LogoutResponse.
The problem is where to send the LogoutResponse; I did not find the information about the reply URL.
Any ideas?
SingleLogoutService information is defined as part of the SAML 2.0 metadata that partners would exchange during setup. That would tell you where the Single Logout handlers are, and for which binding. I don't believe this information is typically populated in the logout request messages themselves.
Usually you get that info in the Issuer element of the request.
Hope it helps,
Luis
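The two answers fit together: the Issuer of the LogoutRequest names the partner, and the partner's registered SingleLogoutService endpoint (from metadata exchanged at setup) says where the LogoutResponse goes for a given binding. The following is an added example, not code from the posters, that implements that lookup on the STS side. The SP metadata, the LogoutRequest and every `example.invalid` URL are constructed for the example. The point it enforces is that the reply address comes only from metadata the STS already trusts; a URL found inside the request itself is never used, and a request from an unregistered Issuer is rejected rather than answered.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata as exchanged at setup; entityID and URLs are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.invalid/slo"
        ResponseLocation="https://sp.example.invalid/slo/response"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/slo-post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed LogoutRequest as the STS would receive it from that SP.
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-lr-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example.invalid/slo">
  <saml:Issuer>https://sp.example.invalid</saml:Issuer>
  <saml:NameID>alice@example.invalid</saml:NameID>
</samlp:LogoutRequest>"""


@dataclass(frozen=True)
class SloEndpoint:
    binding: str
    location: str
    response_location: Optional[str]  # set when the SP receives responses elsewhere


def load_sp_registry(metadata_docs: List[str]) -> Dict[str, List[SloEndpoint]]:
    """Index every SingleLogoutService endpoint by entityID from trusted SP metadata."""
    registry: Dict[str, List[SloEndpoint]] = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        entity_id = root.get("entityID")
        endpoints = [
            SloEndpoint(svc.get("Binding"), svc.get("Location"), svc.get("ResponseLocation"))
            for svc in root.findall("md:SPSSODescriptor/md:SingleLogoutService", NS)
        ]
        registry[entity_id] = endpoints
    return registry


def logout_response_target(
    logout_request_xml: str, registry: Dict[str, List[SloEndpoint]], binding: str
) -> Tuple[str, str]:
    """Return (destination URL, request ID to echo in InResponseTo) for the LogoutResponse.

    Only the Issuer is read from the request; the URL comes from that partner's
    registered metadata, so a forged request cannot redirect the response."""
    root = ET.fromstring(logout_request_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    request_id = root.get("ID")
    if not issuer or not request_id:
        raise ValueError("LogoutRequest lacks Issuer or ID")
    endpoints = registry.get(issuer)
    if endpoints is None:
        raise ValueError(f"Issuer {issuer!r} is not a registered partner")
    for ep in endpoints:
        if ep.binding == binding:
            # ResponseLocation, when present, is the response-specific endpoint.
            return ep.response_location or ep.location, request_id
    raise ValueError(f"{issuer!r} has no SingleLogoutService for binding {binding!r}")


if __name__ == "__main__":
    registry = load_sp_registry([SP_METADATA])
    print(logout_response_target(LOGOUT_REQUEST, registry, BINDING_REDIRECT))
    print(logout_response_target(LOGOUT_REQUEST, registry, BINDING_POST))
```

The binding to pick is normally the one the request arrived on; the returned request ID goes into the LogoutResponse's InResponseTo attribute so the SP can tie the response back to its own request.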