on 10-27-2014 11:28 AM
Hi,
We are configuring SSO with an external service provider and plan to use SAML 2.0 for this purpose.
We installed IDMFEDERATION on a NW Java 7.4 machine and configured IdP there. Installed the certificate from the service provider into the keystore and created the URL iView and maintained the parameters.
The service provider is requesting a SAML 2.0 sample response file to configure the extraction part at his end. How do I create a SAML sample response file? Please let me know.
Thanks!!
BR,
Sanjeev
Hi,
Does the service provider really require a sample SAML 2.0 response in order to configure the trust? Normally this is done using a metadata file, not a sample SAML 2.0 response.
You can generate a SAML 2.0 response by triggering IdP-initiated SSO, e.g. by accessing this URL on the IdP: https://host:port/saml2/idp/sso?saml2sp=<sp_name>. A prerequisite is that you have already created a trusted SP entry in the IdP configuration. Use HTTPWatch, Fiddler or a similar tool to extract the SAML response from the HTTP response.
Regards,
Dimitar
Hi Dimitar,
Thanks for the prompt response. I tried the same initially, but was trying to use basic browser debugging tools to capture it and was unsuccessful. After reading your message I tried with HTTPWatch Basic and could not decrypt the certificate. Using Fiddler helped and I was able to decrypt the HTTPS response.
Thanks again!!!
Regards,
Sanjeev
Hi,
Forgot to mention in my previous post that if you are using Firefox you might also try the SAML Tracer add-on (SAML tracer :: Add-ons for Firefox). It will even base64-decode the SAML response so you can see it in plain text.
Regards,
Dimitar
Hi,
How to generate the response is described by Dimitar (except that the response needs to be decoded (e.g. using https://idp.ssocircle.com/sso/toolbox/samlDecode.jsp) and, if encrypted, needs to be decrypted, which can only be done with the key stored at the service provider).
If you enable the SAML-relevant log locations at the level "All", you will get the full response (SAML assertion) in plain text in the logs.
As to the reason: I can imagine that the service provider needs to see which user attributes are being included in the response and which IDs they have. Although this is usually done the other way around: the service provider tells which attributes they need and which IDs they have, and this is then configured in the federation settings of the service provider at the IdP.
Cheers, Sergei
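Both Dimitar's capture procedure (the SAMLResponse form field posted by the browser to the SP) and Sergei's remark about decoding the response and seeing which attributes and IDs it carries can be tied together with a small decoder. The script below is an added example, not code from this thread or from SAP's IDMFEDERATION; the response it parses is a constructed sample with made-up entity IDs and no signature, and the helper names are my own. It takes a captured HTTP-POST binding body, base64-decodes the SAMLResponse field, and lists issuer, status, NameID, audience and attributes, while recognising an EncryptedAssertion (which, as Sergei notes, cannot be opened without the SP's private key).

```python
"""Decode a captured SAML 2.0 Response (HTTP-POST binding) and list what the
IdP actually sent: issuer, status, subject NameID, audience and attributes.

Added example, not from the thread. Assumes the response was captured as the
body of the browser's POST to the SP's Assertion Consumer Service, i.e. a
form field `SAMLResponse` holding a base64-encoded <samlp:Response>.
Inspection only: this does NOT validate the XML signature.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # for real captures prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: minimal unsigned, unencrypted response (made-up IDs).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2014-10-27T11:28:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/saml2/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-10-27T11:28:00Z">
    <saml:Issuer>https://idp.example.com/saml2/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sanjeev@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-10-27T11:27:00Z" NotOnOrAfter="2014-10-27T11:33:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>sanjeev@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the assertion is encrypted for the SP, so only the
# response-level fields are readable without the SP's private key.
ENCRYPTED_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0"
  IssueInstant="2014-10-27T11:29:00Z">
  <saml:Issuer>https://idp.example.com/saml2/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""


def build_post_body(xml_text: str) -> str:
    """Encode a response the way a browser posts it (used for the sample)."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLResponse": b64, "RelayState": "state"})


def decode_saml_response(post_body: str) -> str:
    """Return the XML text from a captured HTTP-POST binding form body."""
    fields = urllib.parse.parse_qs(post_body, strict_parsing=True)
    if "SAMLResponse" not in fields:
        raise ValueError("no SAMLResponse field in POST body")
    return base64.b64decode(fields["SAMLResponse"][0], validate=True).decode("utf-8")


def summarize_response(xml_text: str) -> dict:
    """Extract the fields an SP admin wants to see from a decoded response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    summary = {
        "issuer": root.findtext("saml:Issuer", default=None, namespaces=NS),
        "status": status.get("Value") if status is not None else None,
        "signed": root.find("ds:Signature", NS) is not None,
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": None, "name_id_format": None, "audience": None,
        "attributes": {},
    }
    if summary["encrypted"]:
        return summary  # opaque without the SP's private key
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return summary
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        summary["name_id"] = name_id.text
        summary["name_id_format"] = name_id.get("Format")
    summary["audience"] = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        default=None, namespaces=NS)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        summary["attributes"][attr.get("Name")] = values
    return summary


if __name__ == "__main__":
    body = build_post_body(SAMPLE_RESPONSE_XML)  # stands in for a Fiddler capture
    for k, v in summarize_response(decode_saml_response(body)).items():
        print("%-15s %s" % (k, v))
    print("encrypted sample:", summarize_response(ENCRYPTED_SAMPLE_XML)["encrypted"])
```

Paste a real capture's form body into `decode_saml_response` in place of `build_post_body(...)`. If the SP's entity ID shows up as the `audience` and the `attributes` dict matches what the SP asked for, the federation settings on the IdP are right; if `encrypted` is True, the SP has to decrypt it on its side. Because a captured response is untrusted input, parse it with defusedxml rather than plain ElementTree when the tool leaves your workstation.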