I’m new to SAML 2 and I’m working on a tool that requires SSO, but I’m clueless on how to go about it. Here’s the flow:
1) User accesses main website and chooses to log in.
2) User enters login information and submits.
3) System validates credentials, generates a SAML response and redirects user to the new tool along with the SAML response as a POST variable.
4) The new tool parses the response, stores/updates information in the database and creates an active session for the user.
1, 2 and 3 are already created on the main website. What I’m working on is 4. The main developers provided us with a sample SAML response and a certificate. I have 2 issues/questions:
1) Using the SSO form on the test server, I entered the return URL to a php file on my server and submitted the form. It logged me in and redirected me to the page on my server. The code of the page is below and the output is further below:
<?php var_dump($_POST); ?>
Output:
array(0) { }
Am I doing this right? I checked using Firebug on Firefox and I could find the samlresponse in there somewhere, but I’m not sure how exactly to bring it into the page. Any help?
2) Using the sample SAML response, we were able to code a small script that parses the sample and prints the 2-3 attributes within. Is this the right way to do it, or are there better open source solutions available out there?
I tried reading up on SimpleSAMLPHP, OneLogin and a couple other such bundles, but they seem too complicated, whereas I feel what I have to achieve here can be done with methods/solutions a lot simpler. Also, the bundles appear to have all features of offering SAML, whereas I’m just to receive and parse a response.
Thank you for your help in advance! Cheers
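Added example (not from the asker or the answerer, and in Python rather than PHP so it runs stand-alone): a minimal receiver for step 4 that base64-decodes the SAMLResponse form field, checks the status, requires exactly one signed assertion, enforces the Conditions window and Audience, and only then extracts the NameID and attributes. Issuer, audience, subject and attribute values are constructed; cryptographic signature verification against the provided certificate is left to an XML-DSig library and is not implemented here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what lands in the SAMLResponse form field (base64 of
# this XML); issuer, audience, subject and attribute values are hypothetical.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><ds:Signature/>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://tool.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="role"><saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_POST = {"SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode()}

def _ts(value):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_saml_response(post, audience, now):
    """Decode SAMLResponse and return (name_id, attributes), or raise ValueError.
    Signature verification is NOT done here: an XML-DSig library (xmlsec) must
    verify the assertion against the IdP certificate before trusting the result,
    and the assertion ID should be recorded so a replayed response is rejected."""
    root = ET.fromstring(base64.b64decode(post["SAMLResponse"]))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    a, = root.findall("saml:Assertion", NS)  # ValueError unless exactly one assertion
    if a.find("ds:Signature", NS) is None:
        raise ValueError("assertion carries no signature; refuse it")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    if audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this service")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs
```

In PHP the same checks apply to `$_POST['SAMLResponse']`; an empty `$_POST` usually means the IdP posted to a different URL than the page that dumped it, or a redirect in between turned the POST into a GET.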
Answer
If you want to do manual parsing and handling of SAML messages, OpenSAML may be the way to go. It is a very low level library and there is a lot of manual labour involved.
Here is the OpenSAML webpage
You will need to look into the SAML spec
My book, A Guide to OpenSAML, gives a good introduction and step by step on SAML and the OpenSAML library.
Also my blog has a couple of examples on this. https://blog.samlsecurity.com/categories/opensaml/ https://blog.samlsecurity.com/categories/saml/