SAML 2.0 and Multiple Applications

This chapter extends the example in Acting As a SAML 2.0 Service Provider, which uses the service provider sp, by adding a second service provider.

The new service provider has entity ID sp2 and runs on the host sp2.example.com. To prevent the two service providers from interfering with each other, they must use different values for the entity ID, host, metaAlias, and session properties.

  1. Add sp2.example.com to your /etc/hosts file:

    127.0.0.1 localhost openam.example.com openig.example.com app.example.com sp.example.com sp2.example.com
  2. In IG, configure the service provider files for sp2, using the files you created in Step 2:

    1. In fedlet.cot, add sp2 to the list of sun-fm-trusted-providers:

      cot-name=Circle of Trust
      sun-fm-cot-status=Active
      sun-fm-trusted-providers=openam, sp, sp2
      sun-fm-saml2-readerservice-url=
      sun-fm-saml2-writerservice-url=
    2. Copy sp.xml to sp2.xml, and copy sp-extended.xml to sp2-extended.xml.

    3. In both files, search and replace the following strings:

      • entityID="sp": replace with entityID="sp2"

      • sp.example.com: replace with sp2.example.com

      • metaAlias="/sp": replace with metaAlias="/sp2"

      • /metaAlias/sp: replace with /metaAlias/sp2

    4. Restart IG.

  3. In AM, set up a remote service provider for sp2, as in Step 3:

    1. Select Applications > Federation > Entity Providers.

    2. Drag in or import sp2.xml created in the previous step.

    3. Select Circles of Trust: Circle of Trust

  4. Add the following routes to IG:

    $HOME/.openig/config/routes/saml-sp2.json
    %appdata%\OpenIG\config\routes\saml-sp2.json
    {
      "name": "saml-sp2",
      "condition": "${matches(request.uri.host, 'sp2.example.com') and matches(request.uri.path, '^/saml')}",
      "handler": {
        "type": "SamlFederationHandler",
        "config": {
          "comment": "Use unique session properties for this SP.",
          "assertionMapping": {
            "sp2Username": "cn",
            "sp2Password": "sn"
          },
          "authnContext": "sp2AuthnContext",
          "sessionIndexMapping": "sp2SessionIndex",
          "subjectMapping": "sp2SubjectName",
          "redirectURI": "/sp2"
        }
      }
    }
    
    $HOME/.openig/config/routes/federate-sp2.json
    %appdata%\OpenIG\config\routes\federate-sp2.json
    {
      "name": "federate-sp2",
      "condition": "${matches(request.uri.host, 'sp2.example.com') and not matches(request.uri.path, '^/saml')}",
      "baseURI": "http://app.example.com:8081",
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${empty session.sp2Username}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "http://sp2.example.com:8080/saml/SPInitiatedSSO?metaAlias=/sp2"
                    ]
                  }
                }
              }
            },
            {
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "type": "HeaderFilter",
                      "config": {
                        "messageType": "REQUEST",
                        "add": {
                          "x-username": ["${session.sp2Username[0]}"],
                          "x-password": ["${session.sp2Password[0]}"]
                        }
                      }
                    }
                  ],
                  "handler": "ReverseProxyHandler"
                }
              }
            }
          ]
        }
      }
    }
  5. Test the setup:

    1. Log out of AM, and test the setup with the following links:

    2. Log in to AM with username george and password C0stanza.

      IG returns the response page showing that George has logged in.
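The sp2 routes above keep their session properties apart from those of sp (sp2Username rather than username, and so on), and the federate-sp2 route's "${empty session.sp2Username}" condition must refer to a property that saml-sp2 actually sets; otherwise a session established through one SP could pass the other SP's login check. The following script is an added example, not part of the IG documentation: it reports session property names shared between SamlFederationHandler routes and checks a federate route's guard against its paired SAML route. The saml-sp route and its property names are assumed, modelled on the page's sp2 route.

```python
"""Added example (not from the IG docs): check that IG routes for several
SAML service providers keep their session properties apart, so a session
established through one SP is never accepted by another SP's route."""
import re

# Constructed sample routes: saml-sp2 mirrors the page; saml-sp is an assumed
# first-SP route that uses the default (unprefixed) property names.
SAML_ROUTES = {
    "saml-sp": {"handler": {"type": "SamlFederationHandler", "config": {
        "assertionMapping": {"username": "cn", "password": "sn"},
        "authnContext": "authnContext", "sessionIndexMapping": "sessionIndex",
        "subjectMapping": "subjectName", "redirectURI": "/sp"}}},
    "saml-sp2": {"handler": {"type": "SamlFederationHandler", "config": {
        "assertionMapping": {"sp2Username": "cn", "sp2Password": "sn"},
        "authnContext": "sp2AuthnContext", "sessionIndexMapping": "sp2SessionIndex",
        "subjectMapping": "sp2SubjectName", "redirectURI": "/sp2"}}},
}

def session_properties(route):
    """Session properties a SamlFederationHandler route writes after SSO."""
    cfg = route["handler"]["config"]
    props = set(cfg.get("assertionMapping", {}))
    for key in ("authnContext", "sessionIndexMapping", "subjectMapping"):
        if key in cfg:
            props.add(cfg[key])
    return props

def find_collisions(routes):
    """Return {property: [route names]} for every session property that
    more than one route writes; an empty dict means the SPs are isolated."""
    owners = {}
    for name, route in routes.items():
        for prop in session_properties(route):
            owners.setdefault(prop, []).append(name)
    return {p: sorted(r) for p, r in owners.items() if len(r) > 1}

GUARD = re.compile(r"\$\{empty session\.(\w+)\}")

def guard_matches_sp(federate_condition, saml_route):
    """True if the federate route's 'not logged in' condition names a
    property that the paired SAML route actually sets."""
    m = GUARD.search(federate_condition)
    return bool(m) and m.group(1) in session_properties(saml_route)

if __name__ == "__main__":
    print("collisions:", find_collisions(SAML_ROUTES))
    print("sp2 guard ok:", guard_matches_sp(
        "${empty session.sp2Username}", SAML_ROUTES["saml-sp2"]))
```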
