Open SAML -newie question

vijaya bacina
Ranch Hand

Joined: Aug 23, 2005
Posts: 155
Hi,
I had a link on my JSP to another partner website. When I click on the link, control comes to a servlet, and the servlet has the user credentials and our application's digital signature (which is some plain text for now). I downloaded OpenSAML and placed the jars in my classpath. What is the next step? Do I need to send my app's digital signature to the partner web service? Any sample code, or how to do this?
Santhosh Kumar
Ranch Hand

Joined: Nov 07, 2000
Posts: 242
SAML is the specification which defines the protocol to represent security assertions. However, it doesn't define the transport mechanism, so you can use anything which works for you.

OpenSAML is the library used to create/validate such SAML Assertions (aka Tokens).

So in your scenario, the flow would be like this.

1. User clicks on a link in your web page, which comes to a Servlet.

2. Servlet takes the user id, creates a SAML Token and signs the token using the private key.

3. You reply back to the user with a SAMLResponse (possibly with a form-submit page), which the user can use to connect to the target server.

If you are looking for a working SAML example, let me know at brsanthu at yahoo dot com. I would be happy to send you one.
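Steps 2 and 3 of the reply above, as an added sketch that is not part of the original thread and is not OpenSAML code: it uses only the JDK's XML Digital Signature API to sign a minimal SAML 2.0 assertion and put it in a POST form. The class name, issuer, user id and partner URL are constructed for illustration, and the bare assertion stands in for the full Response message that OpenSAML would build (Java 9 or later).

```java
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SamlPostSketch {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Step 2: build an assertion naming the user and sign it with the sender's private key.
    static byte[] signedAssertion(String userId, PrivateKey key) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element a = (Element) doc.appendChild(doc.createElementNS(NS, "saml:Assertion"));
        String id = "_" + UUID.randomUUID();
        a.setAttribute("ID", id);
        a.setIdAttribute("ID", true); // lets the "#id" signature reference resolve
        a.setAttribute("Version", "2.0");
        a.setAttribute("IssueInstant", java.time.Instant.now().toString());
        a.appendChild(doc.createElementNS(NS, "saml:Issuer")).setTextContent("https://idp.example/"); // constructed
        Node subject = a.appendChild(doc.createElementNS(NS, "saml:Subject"));
        subject.appendChild(doc.createElementNS(NS, "saml:NameID")).setTextContent(userId);
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#" + id, f.newDigestMethod(DigestMethod.SHA256, null), List.of(
            f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
            f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null), List.of(ref));
        f.newXMLSignature(si, null).sign(new DOMSignContext(key, a, subject)); // Signature goes after Issuer
        java.io.ByteArrayOutputStream out = new java.io.ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray();
    }
    // Step 3: the page sent back to the user; partnerUrl must come from configuration, never from the request.
    static String postForm(String partnerUrl, byte[] xml) {
        return "<form method=\"post\" action=\"" + partnerUrl + "\"><input type=\"hidden\" name=\"SAMLResponse\" value=\""
            + Base64.getEncoder().encodeToString(xml) + "\"/><input type=\"submit\" value=\"Continue\"/></form>";
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // constructed demo key; load yours from a keystore
        kpg.initialize(2048);
        System.out.println(postForm("https://partner.example/acs", signedAssertion("alice", kpg.generateKeyPair().getPrivate())));
    }
}
```

The partner checks the signature with the sender's public key before trusting the NameID. A production token also carries Conditions (validity window and audience), which are left out here to keep the signing step visible.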