SAML 2.0 and multiple applications
This chapter extends the example in SAML 2.0 single sign-on and federation, which uses the service provider sp, to add a second service provider. The new service provider has entity ID sp2 and runs on the host sp2.example.com. To prevent unwanted behavior, the two service providers must not share values: the entity ID, host, metaAlias, and session property names used in the following steps must differ for sp and sp2.
- Add sp2.example.com to your /etc/hosts file:

  127.0.0.1 localhost am.example.com ig.example.com app.example.com sp.example.com sp2.example.com
- In IG, configure the service provider files for sp2, using the files you created in Configure a Java Fedlet:
  - In fedlet.cot, add sp2 to the list of sun-fm-trusted-providers:

    cot-name=Circle of Trust
    sun-fm-cot-status=Active
    sun-fm-trusted-providers=openam, sp, sp2
    sun-fm-saml2-readerservice-url=
    sun-fm-saml2-writerservice-url=
  - Copy sp.xml to sp2.xml, and copy sp-extended.xml to sp2-extended.xml.
  - In both files, search and replace the following strings:
    - entityID=sp: replace with entityID=sp2
    - sp.example.com: replace with sp2.example.com
    - metaAlias=/sp: replace with metaAlias=/sp2
    - /metaAlias/sp: replace with /metaAlias/sp2
  - Restart IG.
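The copy-and-replace step above is easy to get half right by hand (one missed occurrence leaves sp2 pointing at sp's host or metaAlias). The following script is an added example, not part of the IG documentation or the Fedlet distribution: it derives sp2.xml and sp2-extended.xml from sp.xml and sp-extended.xml by applying the four substitutions the chapter lists, then checks that no sp-only value survived. The sample XML is constructed for illustration and is not real Fedlet metadata; the optional quote accepted after `entityID=` and `metaAlias=` is an assumption about how those attributes appear in the generated files.

```python
"""Derive the sp2 metadata files from the sp ones, applying the four
substitutions listed in this chapter, and check that nothing was missed.
This is an added example, not code from the IG documentation or the Fedlet.
The sample XML is constructed for illustration, not real Fedlet metadata."""
import re
import tempfile
from pathlib import Path

# One pattern per string the chapter lists. The trailing \b keeps "sp" from
# matching inside "sp2", so running the substitutions twice is harmless. The
# optional quote after '=' is an assumption about how the attribute is written
# in the XML (the chapter lists the unquoted form).
SUBSTITUTIONS = [
    (re.compile(r'(entityID="?)sp\b'), r"\g<1>sp2"),          # entityID=sp
    (re.compile(r"\bsp\.example\.com"), "sp2.example.com"),   # sp.example.com
    (re.compile(r'(metaAlias="?/)sp\b'), r"\g<1>sp2"),        # metaAlias=/sp
    (re.compile(r"(/metaAlias/)sp\b"), r"\g<1>sp2"),          # /metaAlias/sp
]

FILE_PAIRS = (("sp.xml", "sp2.xml"), ("sp-extended.xml", "sp2-extended.xml"))

# Constructed, minimal stand-ins for the generated Fedlet metadata.
SAMPLE_SP_XML = """<EntityDescriptor entityID="sp">
  <SPSSODescriptor>
    <AssertionConsumerService
        Location="http://sp.example.com:8080/saml/fedletapplication/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""
SAMPLE_SP_EXTENDED_XML = """<EntityConfig entityID="sp" hosted="true">
  <SPSSOConfig metaAlias="/sp"/>
</EntityConfig>
"""


def derive_sp2(text: str) -> str:
    """Apply every substitution to the sp metadata text."""
    for pattern, replacement in SUBSTITUTIONS:
        text = pattern.sub(replacement, text)
    return text


def leftover_sp_references(text: str) -> list:
    """Return any sp-only values that survived, as a post-edit check."""
    found = []
    for pattern, _ in SUBSTITUTIONS:
        found.extend(m.group(0) for m in pattern.finditer(text))
    return found


def derive_files(directory: Path) -> dict:
    """Write sp2.xml and sp2-extended.xml next to the sp files in directory.

    Returns the derived file contents keyed by file name; refuses to write a
    file in which an sp-only reference is still present."""
    written = {}
    for src_name, dst_name in FILE_PAIRS:
        result = derive_sp2((directory / src_name).read_text(encoding="utf-8"))
        leftovers = leftover_sp_references(result)
        if leftovers:
            raise ValueError(f"{dst_name}: unreplaced sp references {leftovers}")
        (directory / dst_name).write_text(result, encoding="utf-8")
        written[dst_name] = result
    return written


def run_demo() -> dict:
    """Run derive_files against the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        (directory / "sp.xml").write_text(SAMPLE_SP_XML, encoding="utf-8")
        (directory / "sp-extended.xml").write_text(SAMPLE_SP_EXTENDED_XML, encoding="utf-8")
        return derive_files(directory)


if __name__ == "__main__":
    for name, content in run_demo().items():
        print(f"--- {name} ---\n{content}")
```

To use it on a real Fedlet configuration, call `derive_files(Path("/path/to/fedlet-config"))` and inspect the two files it writes before restarting IG; `leftover_sp_references` is also a reasonable check to run on hand-edited files.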
- In AM, set up a remote service provider for sp2, as described in Set up federation with unsigned/unencrypted assertions:
  - Select Applications > Federation > Entity Providers.
  - Drag in or import sp2.xml created in the previous step.
  - Select Circles of Trust: Circle of Trust.
- Add the following routes to IG:

  Linux: $HOME/.openig/config/routes/saml-sp2.json
  Windows: %appdata%\OpenIG\config\routes\saml-sp2.json

  {
    "name": "saml-sp2",
    "condition": "${find(request.uri.host, 'sp2.example.com') and find(request.uri.path, '^/saml')}",
    "handler": {
      "type": "SamlFederationHandler",
      "config": {
        "comment": "Use unique session properties for this SP.",
        "useOriginalUri": true,
        "assertionMapping": {
          "sp2Username": "cn",
          "sp2Password": "sn"
        },
        "authnContext": "sp2AuthnContext",
        "sessionIndexMapping": "sp2SessionIndex",
        "subjectMapping": "sp2SubjectName",
        "redirectURI": "/sp2"
      }
    }
  }

  Linux: $HOME/.openig/config/routes/federate-sp2.json
  Windows: %appdata%\OpenIG\config\routes\federate-sp2.json

  {
    "name": "federate-sp2",
    "condition": "${find(request.uri.host, 'sp2.example.com') and not find(request.uri.path, '^/saml')}",
    "baseURI": "http://app.example.com:8081",
    "handler": {
      "type": "DispatchHandler",
      "config": {
        "bindings": [
          {
            "condition": "${empty session.sp2Username}",
            "handler": {
              "type": "StaticResponseHandler",
              "config": {
                "status": 302,
                "headers": {
                  "Location": [
                    "http://sp2.example.com:8080/saml/SPInitiatedSSO?metaAlias=/sp2"
                  ]
                }
              }
            }
          },
          {
            "handler": {
              "type": "Chain",
              "config": {
                "filters": [
                  {
                    "type": "HeaderFilter",
                    "config": {
                      "messageType": "REQUEST",
                      "add": {
                        "x-username": ["${session.sp2Username[0]}"],
                        "x-password": ["${session.sp2Password[0]}"]
                      }
                    }
                  }
                ],
                "handler": "ReverseProxyHandler"
              }
            }
          }
        ]
      }
    }
  }
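The federate-sp2 route decides whether a request is authenticated by testing `${empty session.sp2Username}`, and the saml-sp2 route's comment says to use unique session properties for this SP. The two belong together: if the saml routes for sp and sp2 wrote the same property names, a session established through one SP would pass the other's emptiness check and reach the application with the other SP's attributes. The script below is an added example, not part of the IG documentation: it reads routes as JSON, collects the session properties each SamlFederationHandler writes (assertionMapping keys, authnContext, sessionIndexMapping, subjectMapping), reports any property written by more than one SAML route, and reports any property a federate route reads that its own SAML route never sets. The saml-sp2 and federate-sp2 routes are this chapter's (trimmed of the comment and baseURI); the saml-sp and federate-sp routes are constructed stand-ins for the previous chapter's routes, which are not on this page, so their property names are assumptions.

```python
"""Check that IG SAML routes for different service providers do not share
session properties, and that each federate route reads only properties its
own SAML route sets. Added example, not from the IG documentation. saml-sp2
and federate-sp2 are this chapter's routes (trimmed); the sp routes are
constructed stand-ins for the previous chapter's routes."""
import copy
import json
import re

SAML_SP2 = json.loads('''
{ "name": "saml-sp2",
  "condition": "${find(request.uri.host, 'sp2.example.com') and find(request.uri.path, '^/saml')}",
  "handler": { "type": "SamlFederationHandler", "config": {
      "useOriginalUri": true,
      "assertionMapping": { "sp2Username": "cn", "sp2Password": "sn" },
      "authnContext": "sp2AuthnContext",
      "sessionIndexMapping": "sp2SessionIndex",
      "subjectMapping": "sp2SubjectName",
      "redirectURI": "/sp2" } } }
''')

FEDERATE_SP2 = json.loads('''
{ "name": "federate-sp2",
  "condition": "${find(request.uri.host, 'sp2.example.com') and not find(request.uri.path, '^/saml')}",
  "handler": { "type": "DispatchHandler", "config": { "bindings": [
      { "condition": "${empty session.sp2Username}",
        "handler": { "type": "StaticResponseHandler", "config": { "status": 302,
          "headers": { "Location": [ "http://sp2.example.com:8080/saml/SPInitiatedSSO?metaAlias=/sp2" ] } } } },
      { "handler": { "type": "Chain", "config": {
          "filters": [ { "type": "HeaderFilter", "config": { "messageType": "REQUEST",
            "add": { "x-username": [ "${session.sp2Username[0]}" ],
                     "x-password": [ "${session.sp2Password[0]}" ] } } } ],
          "handler": "ReverseProxyHandler" } } } ] } } }
''')

# Constructed stand-ins for the previous chapter's sp routes (property names assumed).
SAML_SP = {"name": "saml-sp", "handler": {"type": "SamlFederationHandler", "config": {
    "assertionMapping": {"username": "cn", "password": "sn"},
    "authnContext": "authnContext", "sessionIndexMapping": "sessionIndex",
    "subjectMapping": "subjectName", "redirectURI": "/sp"}}}
FEDERATE_SP = {"name": "federate-sp", "handler": {"type": "DispatchHandler", "config": {"bindings": [
    {"condition": "${empty session.username}", "handler": {"type": "StaticResponseHandler"}},
    {"handler": {"type": "Chain", "config": {"filters": [{"type": "HeaderFilter", "config": {
        "add": {"x-username": ["${session.username[0]}"], "x-password": ["${session.password[0]}"]}}}],
        "handler": "ReverseProxyHandler"}}}]}}}

SINGLE_VALUE_KEYS = ("authnContext", "sessionIndexMapping", "subjectMapping")
SESSION_REF = re.compile(r"session\.([A-Za-z_][A-Za-z0-9_]*)")


def session_properties(saml_route: dict) -> set:
    """Session properties a SamlFederationHandler writes after a successful SSO."""
    config = saml_route["handler"]["config"]
    names = set(config.get("assertionMapping", {}))
    names.update(config[key] for key in SINGLE_VALUE_KEYS if key in config)
    return names


def referenced_properties(route: dict) -> set:
    """Session properties read anywhere in a route (conditions, filter expressions)."""
    return set(SESSION_REF.findall(json.dumps(route)))


def check_routes(pairs: list) -> dict:
    """pairs: (saml_route, federate_route) for each service provider.

    Returns the properties written by more than one SAML route, and for each
    federate route the properties it reads that its own SAML route never sets."""
    owners = {}
    for saml_route, _ in pairs:
        for name in session_properties(saml_route):
            owners.setdefault(name, []).append(saml_route["name"])
    collisions = {n: o for n, o in owners.items() if len(o) > 1}
    unset = {}
    for saml_route, federate_route in pairs:
        missing = referenced_properties(federate_route) - session_properties(saml_route)
        if missing:
            unset[federate_route["name"]] = sorted(missing)
    return {"collisions": collisions, "unset_references": unset}


def misconfigured_sp_route() -> dict:
    """A copy of the sp route that reuses sp2's property names: the mistake to catch."""
    bad = copy.deepcopy(SAML_SP)
    bad["handler"]["config"]["assertionMapping"] = {"sp2Username": "cn", "sp2Password": "sn"}
    return bad


if __name__ == "__main__":
    print(check_routes([(SAML_SP, FEDERATE_SP), (SAML_SP2, FEDERATE_SP2)]))
    print(check_routes([(misconfigured_sp_route(), FEDERATE_SP), (SAML_SP2, FEDERATE_SP2)]))
```

Against real route files, load each JSON file from the routes directory and pass the (saml, federate) pairs to `check_routes`; an empty result is what you want before restarting IG, and a non-empty `collisions` entry means the two SPs would share authentication state.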
- Test the setup:
  - Log out of AM, and test the setup with the following links:
  - Log in to AM with username demo and password Ch4ng31t. IG returns the response page showing that the user has logged in.