
Understanding SP-IDP Integration


How to solve common problems that arise when integrating a service provider with an identity provider in Spring SAML.


Please refer to the Spring docs for details about Spring SAML. In this article, I am not trying to capture what Spring SAML does. Instead, the intent of this article is to help SP-IDP integrators know the possible areas of concern.

Service Provider:

A service provider is an application in which a developer writes code using Spring SAML to connect with an identity provider. It is here that the Spring SAML version-specific code is written. I used 1.0.2.RELEASE for my development.

Identity Provider:

An identity provider is the party that asserts the identity of the user who is trying to access the system. There are multiple identity providers on the market. I have specifically used SSO Circle and Shibboleth.

Process:

The way the system works is as follows:

Step 1: The application which wants to use SAML calls http://applicationcontext/saml/login. 

Step 2: The control falls into the hands of the service provider application.

Step 3: The service provider application looks for the configured identity provider.

Step 4: The service provider checks the child metadata provider for an entity descriptor whose entity ID matches the one provided to it.

Step 5: The service provider builds the credentials from a keystore entry for the entity ID.

Step 6: Private Key entry from the keystore is processed.

Step 7: The user-specified IDP is picked in the service provider.

Step 8: Now the plain-text request is encrypted using the private key entry from the keystore.

Step 9: The SP writes a cookie in the browser of the client. It’s very important to understand this.

Step 10: The SAML authentication request is created as below:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://XXXXXXXXXXXX/XXXXX/XXXX/saml/SSO" Destination="https://XXXXXXXXXXXX/hss/profile/SAML2/POST/SSO" ForceAuthn="false" ID="XXXXXXXXXXXX" IsPassive="false" IssueInstant="2017-12-12T02:03:28.252Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">entityId as read in step 5</saml2:Issuer>
    <saml2p:Extensions>
        <Req:AppId xmlns:Req="http://XXXXXXX/sp/appid">application specific</Req:AppId>
        <Req:SubsysId xmlns:Req="http://XXXXX/sp/subsysid">application specific</Req:SubsysId>
    </saml2p:Extensions>
</saml2p:AuthnRequest>

Step 11: Now the SP signs the request so the IDP can be sure that the request is coming from a valid source.

<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
    <ds:Reference URI="#a1cf9fecb2j5a0553egj1716che5e96">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>signature value</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>

Step 12: First the action URL is encoded. This makes sure that all query parameters are encoded.

Step 13: Now the marshalling is done. Thereafter the entire encrypted text is base64-encoded.

Step 14: This encoded message is now stored in the session storage, as the log shows:

Storing message a1cf9fecb2j5a0553egj1716che5e96 to session NxMHKvEaeGkbhuGJfbTV-nl

Step 15: The SAML request is created:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://XXXXXXXXXXXX/XXXXXXX/XXXXX/saml/SSO" Destination="https://XXXXXXXXXXXX/hss/profile/SAML2/POST/SSO" ForceAuthn="false" ID="a1cf9fecb2j5a0553egj1716che5e96" IsPassive="false" IssueInstant="2017-12-12T02:03:28.252Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">entity id as configured in the IDP</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#a1cf9fecb2j5a0553egj1716che5e96">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>asdkaljsdlajsdl</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>aljdljasdlkjasldjasljdlajkdslkjasnckjnkjnfkjkjkj</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>jkajsldjajsdlajksdljkljasdn,anmsd,n
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Extensions>
        <Req:AppId xmlns:Req="http://XXXXXXX/sp/appid">application specific</Req:AppId>
        <Req:SubsysId xmlns:Req="http://XXXXXX/sp/subsysid">application specific</Req:SubsysId>
    </saml2p:Extensions>
</saml2p:AuthnRequest>

Step 16: Provided that the protocol information is properly configured in the SP metadata and at the IDP, the IDP returns a response.

Step 17: First, the response received from the IDP is decoded.

Step 18: Thereafter it is unmarshalled so that the signature can be verified.

Step 19: Once the signature is verified, the IDP metadata information is used to get the certificate, which then decides which response has to be decrypted.

Step 20: The response is as below:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://XXXXXXXX/XXXXXX/XXXXXX/saml/SSO" ID="_62026cbfb6e75ec19e00a6cbafb0b70b" InResponseTo="a1cf9fecb2j5a0553egj1716che5e96" IssueInstant="2017-12-12T02:03:28.421Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXXXXXXXXX/hss/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_acccbf9743c5679df3ceed19b9767463" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></xenc:EncryptionMethod>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey Id="_56c92fa1cf96b395cc1d4906d3e9a23b" Recipient="entity id">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE...</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData>
                        <xenc:CipherValue>AbmOBCPK7O3fM2WXd2swHU7Ygg0k28NiBX+Qg7Ntj0x/3WHyVMQwGcq4RhyCBNWF3gQgIamVCotra4aP4KMRZTsZdLUq3yBIZXfiX9S2rXyfQHd8fHVGhVv8kjsBRfOWParIsIZifOR/4c8fz09wvd+CzmeIXgejBZSsKon9UcUpaQNE8cVB60QsAYaPPkv7cc48s0AfCVDro3/1bA9hCX1rlZZ+Sh4HOTqwNkf1HUlZWXWEUEhMGsrbEHHs647ZBARus64QjUM7SmBxap5LYBEk8VOtnwlUNHvthOZ/Q1/VrdDKLNRa2nlqbeIwXXqCAhtLGINtLFNBmH6CKHTQpQ==</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

Step 21: Once the SAML message's intended destination endpoint matches the recipient endpoint, the session value is looked up in the session store.

Step 22: Thereafter the decryption takes place.

Step 24: It is now that the cookie is forwarded to the application context. If the cookie cannot be forwarded, the “InResponseTo” error comes up. Make sure that the cookie is propagated properly to the application server.

Step 25: The user-specific details are fetched from the decrypted text.

This completes the SP-IDP integration.
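The SP-side bookkeeping behind Steps 14, 21 and 24 is where the “InResponseTo” problem described above actually surfaces: the request ID is stored against the browser session at Step 14, and the response is only accepted if the same session can be found again and still holds that ID. The following is an added example, not the article's or Spring SAML's own code, modelling that check with the standard library. It assumes a hypothetical in-memory session store keyed by the session cookie value; the sample response, the ACS URL and the IDP issuer are constructed to mirror the redacted XML shown above, and the request and session IDs are the ones from the article's log line.

```python
"""Added example: SP-side request-ID bookkeeping and response checks.

Not the article's or Spring SAML's code. SESSION_STORE is a hypothetical
in-memory stand-in for the SP's session storage; the sample response below
is constructed, not captured from a real IDP.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical session store: session cookie value -> outstanding AuthnRequest IDs.
SESSION_STORE: dict = {}

# Constructed response, shaped like the article's Step 20 XML (assertion body elided).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.example.test/app/saml/SSO"
    ID="_62026cbfb6e75ec19e00a6cbafb0b70b"
    InResponseTo="a1cf9fecb2j5a0553egj1716che5e96"
    IssueInstant="2017-12-12T02:03:28.421Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.test/hss/idp/shibboleth</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"/>
</saml2p:Response>"""


def store_request_id(session_id: str, request_id: str) -> None:
    """Step 14: remember which AuthnRequest IDs this browser session issued."""
    SESSION_STORE.setdefault(session_id, set()).add(request_id)


def validate_response(response_xml: str, session_id, expected_acs: str,
                      now: datetime, max_skew: timedelta = timedelta(minutes=5)) -> dict:
    """Checks that precede decryption (Steps 21 and 24). Raises ValueError on any failure."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("not a saml2p:Response")
    # Step 21: the message's Destination must be this SP's own ACS endpoint.
    dest = root.get("Destination")
    if dest != expected_acs:
        raise ValueError("Destination mismatch: %s" % dest)
    # Freshness: reject responses outside the allowed clock-skew window.
    issued = datetime.fromisoformat(root.get("IssueInstant").replace("Z", "+00:00"))
    if abs(now - issued) > max_skew:
        raise ValueError("stale or future-dated response")
    # Step 24: InResponseTo must match an ID stored for the *same* session cookie.
    in_resp = root.get("InResponseTo")
    if session_id is None or session_id not in SESSION_STORE:
        raise ValueError("InResponseTo: no session found for this browser (cookie not propagated?)")
    outstanding = SESSION_STORE[session_id]
    if in_resp not in outstanding:
        raise ValueError("InResponseTo: unknown request ID %s" % in_resp)
    outstanding.discard(in_resp)  # single use: replaying the same response is rejected
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IDP did not return Success")
    return {
        "issuer": root.findtext("saml2:Issuer", namespaces=NS),
        "in_response_to": in_resp,
        "encrypted": root.find("saml2:EncryptedAssertion", NS) is not None,
    }


def outcome(response_xml: str, session_id, acs: str, now: datetime) -> str:
    """Wrap validate_response so a caller sees one line per attempt."""
    try:
        return "accepted: " + validate_response(response_xml, session_id, acs, now)["issuer"]
    except ValueError as exc:
        return "rejected: " + str(exc)


def run_checks() -> dict:
    """Exercise the validator against the SP states the article warns about."""
    session = "NxMHKvEaeGkbhuGJfbTV-nl"              # session id from the article's log line
    request_id = "a1cf9fecb2j5a0553egj1716che5e96"  # request id from the article's log line
    acs = "https://sp.example.test/app/saml/SSO"
    now = datetime(2017, 12, 12, 2, 3, 30, tzinfo=timezone.utc)
    SESSION_STORE.clear()
    results = {}
    # Cookie not propagated: no session reaches the SP, so InResponseTo cannot be matched.
    results["no_cookie"] = outcome(SAMPLE_RESPONSE, None, acs, now)
    store_request_id(session, request_id)
    results["wrong_acs"] = outcome(SAMPLE_RESPONSE, session, "https://other.example.test/saml/SSO", now)
    results["ok"] = outcome(SAMPLE_RESPONSE, session, acs, now)
    results["replay"] = outcome(SAMPLE_RESPONSE, session, acs, now)
    results["stale"] = outcome(SAMPLE_RESPONSE, session, acs, now + timedelta(hours=1))
    return results


if __name__ == "__main__":
    for name, result in run_checks().items():
        print("%-10s %s" % (name, result))
```

The `no_cookie` case is the one the article calls out: when the session cookie written at Step 9 does not come back with the POSTed response, the SP has no store to look the request ID up in, and the failure is reported as an InResponseTo problem even though the response itself is fine. Consuming the ID on first use also means a re-submitted copy of the same response is refused.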


Topics:
saml ,spring ,security ,saml2 sso ,authentication
