Quite a few people think that all an IdP-initiated flow requires is the target application URL on the consumer side. That is actually nothing more than an SP-initiated flow: you hit the Service Provider with no SAML assertion, are redirected back to the IdP to obtain one, and are then sent back to the Service Provider.
An IdP-initiated flow actually first needs to get a hold of a SAML assertion for the authenticated user. The assertion is then submitted along with the request to the target application URL. If the Service Provider decides to accept the assertion, the user is granted access. There’s no need to come back to the IdP for the assertion.
This short post is about how to configure Weblogic SAML 2.0 for an IdP-initiated flow.
The URL to be given to the end user for an IdP-initiated flow in Weblogic is:
http://<idp-server>:<port>/saml2/idp/sso/initiator?SPName=<SP-Partner-Name>&RequestURL=<target-application-url>
- saml2/idp/sso/initiator is the IdP service responsible for processing IdP-initiated request flows.
- <SP-Partner-Name> is the Service Provider partner name you have configured for the Identity Provider.
- <target-application-url> is the application you want to access in SSO mode on the Service Provider side.
The SPName parameter value actually refers to a partner you’ve configured in Weblogic for your Identity Provider. A Weblogic Identity Provider for SAML 2 requires a SAML2CredentialMapper. And the partner we’re talking about is configured (usually given as a metadata file) in SAML2CredentialMapper’s Management tab, as shown:
Notice the Name “WebSSO-SP-Partner-0”. It’s the one you need to use as the SPName value in the URL.
Ok, once given the right parameters, the saml2/idp/sso/initiator service will do some magic for us. But we still need to give it a hand. The SP Partner configuration has a parameter called “POST Binding POST Form”. It is the URL of a page containing an HTML form that posts the SAML Response to the SAML Assertion Consumer Service on the Service Provider side.
Here’s the post_form.jsp code. Build it into an application and deploy it to the Weblogic server running the Identity Provider.
```jsp
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ page contentType="text/html;charset=windows-1252"%>
<%!
  // Escape a value for safe use inside an HTML attribute. RelayState comes from the
  // RequestURL parameter of the initiator link, so it must not be written out raw.
  private static String attr(String s) {
    return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;")
                             .replace(">", "&gt;").replace("\"", "&quot;");
  }
%>
<html>
<head></head>
<%
  // Weblogic hands the generated SAML Response and the RelayState to this page as request attributes
  String samlResponse = (String) request.getAttribute("com.bea.security.saml2.samlContent");
  String relayState = (String) request.getAttribute("com.bea.security.saml2.relayState");
%>
<!-- document.forms is a collection; submit() must be called on the form itself -->
<body onLoad="document.forms[0].submit();">
  <!-- Auto-posts to the Service Provider's Assertion Consumer Service (POST binding) -->
  <FORM METHOD="POST" ACTION="http://sp.us.oracle.com:9704/saml2/sp/acs/post">
    <INPUT TYPE="HIDDEN" NAME="RelayState" VALUE="<%=attr(relayState)%>"/>
    <INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="<%=attr(samlResponse)%>"/>
  </FORM>
</body>
</html>
```
- the form action: refers to the Service Provider Assertion Consumer Service for POST binding.
- SAMLResponse: the SAML Response generated by the IdP containing the SAML assertion.
- RelayState: a reference to state information maintained at the Service Provider.
Summarizing: the user logs in to the Identity Provider and clicks a link like http://<idp-server>:<port>/saml2/idp/sso/initiator?SPName=<SP-Partner-Name>&RequestURL=<target-application-url>. The saml2/idp/sso/initiator service looks up the “POST Binding POST Form” configured for <SP-Partner-Name> and renders it. The form retrieves SAMLResponse and RelayState from Weblogic and auto-submits itself to saml2/sp/acs/post on the Service Provider. If the SAML assertion is accepted, the user’s browser is redirected to the <target-application-url>.
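The summary above and the earlier remark that access is granted only "if the Service Provider decides to accept the assertion" leave open what the ACS has to check when no AuthnRequest was ever sent. The following added example (not Weblogic code, and not from the original post) shows those checks for an unsolicited POST-binding Response in Python's standard library; it assumes the XML signature has already been verified by the caller, uses the ACS URL from post_form.jsp, and treats the SP entity ID and IdP issuer as assumed values. The sample Response is constructed, not captured.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP-side settings: the ACS URL is the one from post_form.jsp, the two entity IDs are assumed values
ACS_URL = "http://sp.us.oracle.com:9704/saml2/sp/acs/post"
SP_ENTITY_ID = "http://sp.us.oracle.com:9704/saml2/sp"
TRUSTED_IDP = "http://idp.example.test/saml2/idp"

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_unsolicited_response(saml_response_b64, relay_state, now):
    """ACS checks for an IdP-initiated Response (signature already verified). Returns (accepted, subject_or_reason)."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    if resp.get("InResponseTo"):            # no AuthnRequest exists in this flow to respond to
        return False, "unsolicited response must not carry InResponseTo"
    if resp.get("Destination") != ACS_URL:  # a response minted for another SP's ACS is rejected
        return False, "Destination is not this ACS"
    a = resp.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return False, "missing assertion or untrusted issuer"
    cond = a.find("saml:Conditions", NS)   # both validity attributes are expected to be present
    if cond is None or now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "assertion not addressed to this SP (Audience)"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer SubjectConfirmationData rejected"
    # RelayState is the RequestURL from the initiator link: only redirect to this SP's own host
    if urlparse(relay_state).netloc != urlparse(ACS_URL).netloc:
        return False, "RelayState is not on this SP"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sample_response(now_iso="2024-01-01T00:00:00Z", expiry="2024-01-01T00:05:00Z", **over):
    """Constructed sample Response (not a real capture); keyword overrides let a caller break one field."""
    f = dict(dest=ACS_URL, issuer=TRUSTED_IDP, aud=SP_ENTITY_ID, rcpt=ACS_URL, irt="", nb=now_iso, noa=expiry)
    f.update(over)
    xml = ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_r1" Version="2.0" IssueInstant="{nb}"'
           ' Destination="{dest}"{irt}><saml:Issuer>{issuer}</saml:Issuer>'
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}"><saml:Issuer>{issuer}</saml:Issuer>'
           '<saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           '<saml:SubjectConfirmationData Recipient="{rcpt}" NotOnOrAfter="{noa}"/></saml:SubjectConfirmation></saml:Subject>'
           '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>').format(p=NS["samlp"], a=NS["saml"], **f)
    return base64.b64encode(xml.encode()).decode()
```

Encrypted assertions and signature verification are outside this snippet; in a real ACS they precede these checks.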
Enjoy your IdP-initiated flows.