Steffo's Echolot


Only technical stuff here.
Monday Mar 17, 2008

Single Sign On to Google using OpenSSO

Google has a SAML 2 capable single sign-on service through which you can use Google as a service provider (SP). Google also provides a sample demo application. Rather than using Liberty Alliance's circle-of-trust model, Google uses a peered structure: when Google's SSO service (SP) receives a SAML response, it checks the signature on that response. If the signature is valid, the SAML assertion is accepted.

Trying to use Google's demo code with OpenSSO as an identity provider (IDP) requires some tweaks.

Step 1: Making OpenSSO accept Google's SAML request
  1. The SAML request sent out by Google's demo code cannot be understood by OpenSSO due to a compression (deflate) problem (from what I saw in the code, it seems that Google deflates according to RFC 1950, i.e. with a zlib header, but the SAML specification dictates RFC 1951 raw deflate, which is also what OpenSSO implements). All you need to do is replace Google's RequestUtil.encodeMessage(String) with OpenSSO's SAML2Utils.encodeForRedirect(String).
  2. Google's code uses a simple template for constructing the SAML request, in fact too simple for OpenSSO. Add a few XML elements (Issuer and Subject) to AuthnRequestTemplate.xml:
     <?xml version="1.0" encoding="UTF-8"?>
     <AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol file:/Documentation/Federation-SAML-Liberty/SAML%202.0/XSD/saml-2.0-os-xsd/saml-schema-protocol-2.0.xsd"
         ID="<AUTHN_ID>"
         Version="2.0"
         IssueInstant="<ISSUE_INSTANT>"
         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         ProviderName="<PROVIDER_NAME>"
         ForceAuthn="true"
         AssertionConsumerServiceURL="<ACS_URL>">
       <!-- SAML 2.0 spells the NameID format attribute "Format" (capital F) -->
       <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">google</Issuer>
       <Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
         <NameID>google</NameID>
       </Subject>
     </AuthnRequest>
  3. Point ssoURL in CreateRequestServlet.doPost(HttpServletRequest, HttpServletResponse) to your OpenSSO instance (e.g. http://localhost:8080/opensso/idpSSOFederate/metaAlias/idp, where 'idp' is your IDP entity).
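
The RFC 1950 versus RFC 1951 mismatch from item 1 is easy to reproduce. The following Python is an added example, not Google's demo code or OpenSSO's: it encodes a constructed AuthnRequest the way the SAML 2.0 HTTP-Redirect binding requires (raw DEFLATE, then base64 and URL-encoding), encodes it zlib-wrapped the way the demo code did, and shows that a spec-conforming inflate accepts only the former; looks_zlib_wrapped() is a small diagnostic for telling the two apart in a captured SAMLRequest parameter.

```python
import base64
import urllib.parse
import zlib
from typing import Optional

# Constructed, abbreviated AuthnRequest used as sample input (not a real Google message).
AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example1" '
    'Version="2.0" IssueInstant="2008-03-17T10:00:00Z" '
    'AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">google</Issuer>'
    '</AuthnRequest>'
)


def encode_for_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951), base64, then URL-encode."""
    # Negative wbits tells zlib to emit a raw deflate stream: no zlib header, no Adler-32 trailer.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_zlib_wrapped(xml: str) -> str:
    """The non-conforming variant: a zlib stream (RFC 1950) with 2-byte header and Adler-32 trailer."""
    wrapped = zlib.compress(xml.encode("utf-8"), 9)
    return urllib.parse.quote(base64.b64encode(wrapped).decode("ascii"), safe="")


def redirect_param_bytes(value: str) -> bytes:
    """Undo the URL-encoding and base64 layers, leaving the compressed bytes."""
    return base64.b64decode(urllib.parse.unquote(value))


def looks_zlib_wrapped(raw: bytes) -> bool:
    """RFC 1950 streams start with CMF/FLG: low CMF nibble 8 (CM=deflate) and the
    16-bit header value divisible by 31 (FCHECK). Raw deflate output has no such header."""
    return len(raw) >= 2 and (raw[0] & 0x0F) == 8 and ((raw[0] << 8) | raw[1]) % 31 == 0


def decode_redirect_param(value: str) -> Optional[str]:
    """What a spec-conforming IdP does: inflate as raw DEFLATE. Returns None when the
    bytes are not a raw deflate stream (e.g. a zlib-wrapped one), i.e. the OpenSSO failure."""
    try:
        return zlib.decompress(redirect_param_bytes(value), -15).decode("utf-8")
    except (zlib.error, UnicodeDecodeError):
        return None
```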
Step 2: Making Google applications accept OpenSSO's SAML response
  1. Import Google's sample private key into a Java keystore. Since keytool cannot import arbitrary private keys, I convert Google's keys to PKCS#12 and then use one of the PKCS12Import classes (source can be found on the net) to import the key into the JKS.
  2. Since Google's keys are DSA keys and are only good for signing, but not for encrypting, you need to tell OpenSSO via the browser GUI (Service Configuration > Global > Common Federation Configuration) to sign, but not to encrypt, the SAML response.
  3. You also need an account mapper that generates the SAML response message. Pat Patterson posted a sample on the OpenSSO mailing list (check the OpenSSO archives). Google wants the email address as the identity ('demouser@psosamldemo.com' is the default one in case you don't own a Google Apps Premier account). You can use Pat's version out of the box if your OpenSSO user has ID='demouser@psosamldemo.com', or you can extend Pat's code to return the user's email address (e.g. via OpenSSO's DataStoreProvider.getAttribute(String, String)).

Comments:

Hi,
I am trying to accomplish a single sign-on for my standard account created in Google. I have the sample SSO application downloaded. I would like to know what needs to be done to accomplish this single sign-on for my account. I am just exploring it to see how it works. Please send me a detailed reply.

Thanks in advance,
Jinesh T

Posted by Jinesh on July 21, 2008 at 01:33 PM CEST #

