PingGateway 2024.11

Unsigned/unencrypted assertions

This example sets up federation using AM as the identity provider with unsigned/unencrypted assertions.

  1. Set up the network:

    Add sp.example.com to your /etc/hosts file:

    127.0.0.1 localhost am.example.com ig.example.com app.example.com sp.example.com

    Traffic to the application is proxied through PingGateway, using the host name sp.example.com.

  2. Configure a Java Fedlet:

    The SAML library component validates the SP’s AssertionConsumerService Location against the incoming IDP SAML Assertion, based on the request information, including the port. In sp.xml, always specify the port in the Location value of AssertionConsumerService, even when using defaults of 443 or 80, as follows:

    <AssertionConsumerService isDefault="true"
                              index="0"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://sp.example.com:443/fedletapplication" />

    For more information about Java Fedlets, refer to Creating and configuring the Fedlet in AM’s SAML v2.0 guide.

    1. Copy and unzip the fedlet zip file, Fedlet-7.5.0.zip, delivered with the AM installation, into a local directory.

      $ unzip $HOME/openam/Fedlet-7.5.0.zip
      
      Archive:  Fedlet-7.5.0.zip
      creating: conf/
      inflating: README
      inflating: conf/FederationConfig.properties
      inflating: conf/fedlet.cot-template
      inflating: conf/idp-extended.xml-template
      inflating: conf/sp-extended.xml-template
      inflating: conf/sp.xml-template
      inflating: fedlet.war
    2. In each file, search and replace the following properties:

      Replace this With this

      IDP_ENTITY_ID

      openam

      FEDLET_ENTITY_ID

      sp

      FEDLET_PROTOCOL://FEDLET_HOST:FEDLET_PORT/FEDLET_DEPLOY_URI

      https://sp.example.com:8443/home/saml

      fedletcot and FEDLET_COT

      Circle of Trust

      sp.example.com:8443/home/saml/fedletapplication

      sp.example.com:8443/home/saml/fedletapplication/metaAlias/sp

    3. Save the files as .xml, without the -template extension, so that the directory looks like this:

      conf
      ├── FederationConfig.properties
      ├── fedlet.cot
      ├── idp-extended.xml
      ├── sp-extended.xml
      └── sp.xml

      By default, AM as an IDP uses the NameID format urn:oasis:names:tc:SAML:2.0:nameid-format:transient to communicate about a user. For information about using a different NameID format, refer to Non-transient NameID format.

  3. Set up AM:

    1. In the AM admin UI, select Identities, select the user demo, and change the last name to Ch4ng31t. Note that, for this example, the last name must be the same as the password.

    2. Select Applications > Federation > Circles of Trust, and add a circle of trust called Circle of Trust, with the default settings.

    3. Set up a remote service provider:

      1. Select Applications > Federation > Entity Providers, and add a remote entity provider.

      2. Drag in or import sp.xml created in the previous step.

      3. Select Circles of Trust: Circle of Trust.

    4. Set up a hosted identity provider:

      1. Select Applications > Federation > Entity Providers, and add a hosted entity provider with the following values:

        • Entity ID: openam

        • Entity Provider Base URL: http://am.example.com:8088/openam

        • Identity Provider Meta Alias: idp

        • Circles of Trust: Circle of Trust

      2. Select Assertion Processing > Attribute Mapper, map the following SAML attribute keys and values, and then save your changes:

        • SAML Attribute: cn, Local Attribute: cn

        • SAML Attribute: sn, Local Attribute: sn

      3. In a terminal, export the XML-based metadata for the IDP:

        $ curl -v \
        --output idp.xml \
        "http://am.example.com:8088/openam/saml2/jsp/exportmetadata.jsp?entityid=openam"

        The idp.xml file is created locally.

  4. Set up PingGateway:

    1. Set up PingGateway for HTTPS, as described in Configure PingGateway for TLS (server-side).

    2. Copy the edited fedlet files, and the exported idp.xml file into the PingGateway configuration, at $HOME/.openig/SAML.

      $ ls -l $HOME/.openig/SAML
      
      FederationConfig.properties
      fedlet.cot
      idp-extended.xml
      idp.xml
      sp-extended.xml
      sp.xml
    3. Add the following route to PingGateway to serve the sample application .css and other static resources:

      • Linux

      • Windows

      $HOME/.openig/config/routes/00-static-resources.json
      %appdata%\OpenIG\config\routes\00-static-resources.json
      {
        "name" : "00-static-resources",
        "baseURI" : "http://app.example.com:8081",
        "condition": "${find(request.uri.path,'^/css') or matchesWithRegex(request.uri.path, '^/.*\\\\.ico$') or matchesWithRegex(request.uri.path, '^/.*\\\\.gif$')}",
        "handler": "ReverseProxyHandler"
      }
    4. Add the following route to PingGateway:

      • Linux

      • Windows

      $HOME/.openig/config/routes/saml-filter.json
      %appdata%\OpenIG\config\routes\saml-filter.json
      {
        "name": "saml-filter",
        "baseURI": "http://app.example.com:8081",
        "condition": "${find(request.uri.path, '^/home')}",
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "SamlFilter",
                "type": "SamlFederationFilter",
                "config": {
                  "assertionMapping": {
                    "name": "cn",
                    "surname": "sn"
                  },
                  "subjectMapping": "sp-subject-name",
                  "redirectURI": "/home/saml-filter"
                }
              },
              {
                "name": "SetSamlHeaders",
                "type": "HeaderFilter",
                "config": {
                  "messageType": "REQUEST",
                  "add": {
                    "x-saml-cn": [ "${toString(session.name)}" ],
                    "x-saml-sn": [ "${toString(session.surname)}" ]
                  }
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        }
      }

      Notice the following features of the route:

      • The route matches requests to /home.

      • The SamlFederationFilter extracts cn and sn from the SAML assertion, and maps them to the SessionContext, at session.name[0] and session.surname[0].

      • The HeaderFilter adds the session name and surname as headers to the request so that they are displayed by the sample application.

    5. Restart PingGateway.

  5. Test the setup:

    1. In your browser’s privacy or incognito mode, go to https://sp.example.com:8443/home.

    2. Log in to AM as user demo, password Ch4ng31t. The request is redirected to the sample application.

If a request returns an HTTP 414 URI Too Long error, consider the information in URI Too Long error.