Configure SAML Authentication


Introduction to SAML

The Security Assertion Markup Language, or SAML, is an XML-based data format for exchanging authentication and authorization data between an identity provider and a service provider.

The single most important requirement that SAML addresses is web browser single sign-on, or SSO. Single sign-on allows a user to log in with a single ID and password to gain access to a connected system or several systems without using different usernames or passwords. (http://en.wikipedia.org/wiki/SAML)


Instructions to configure SAML SSO for EASA

  • Edit <SERVERDATA>\easa\admin\config\Authentication.properties
    • Comment out: (i.e. prepend a # to the line containing the property)
      • AuthenticationClass = backend.DefaultAuthenticator
    • Uncomment the block below: (i.e. remove the initial # from the line containing the property)
      • AuthenticationClass = com.easa.custom.auth.sso.saml.SAMLSSOAuthenticator
    • Save the file
  • Edit <SERVERDATA>\easa\admin\config\auth.properties
    • Change the default admin user:
      • Set the admin.user property to a valid user
    • Change create.user property to true
    • Change the default.group property to the desired user group in EASA
    • Save the file
  • Edit <EASAROOT>\webapps\easa\WEB-INF\web.xml (below)
    • Uncomment the SAML SSO section by removing the <!-- and --> tags (below)
    • Save the file
<!-- <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/spring-security-context.xml
  </param-value>
</context-param>

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>
    org.springframework.web.filter.DelegatingFilterProxy
  </filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
  <listener-class>
    org.springframework.web.context.ContextLoaderListener
  </listener-class>
</listener> -->

Identity provider metadata from a file

  • If the identity provider’s metadata comes from a file, then:
    • Upload that file to the EASA Server.
  • Edit <EASAROOT>\webapps\easa\WEB-INF\spring-security-context.xml
    • In the SSO User Configuration section
      • Uncomment the following FilesystemMetadataProvider bean:
<!-- <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
  <constructor-arg>
    <value type="java.io.File">/usr/local/metadata/idp.xml</value>
  </constructor-arg>
  <property name="parserPool" ref="parserPool"/>
</bean> -->
  • Replace /usr/local/metadata/idp.xml with:
    • The full path of the identity provider’s metadata file.
  • Comment out the following HTTPMetadataProvider bean:
    • Enclose the block below in <!-- and --> tags:
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
  <constructor-arg>
    <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
  </constructor-arg>
  <constructor-arg>
    <value type="int">5000</value>
  </constructor-arg>
  <property name="parserPool" ref="parserPool"/>
</bean>

Identity provider metadata from a URL

  • If the identity provider’s metadata comes from a URL, then:
  • Edit <EASAROOT>\webapps\easa\WEB-INF\spring-security-context.xml
    • In the SSO User Configuration section
      • Uncomment (if commented out) the HTTPMetadataProvider bean, above. Then:
      • Replace http://idp.ssocircle.com/idp-meta.xml with:
      • A valid URL that contains the identity provider’s metadata.
  • Comment out (if uncommented) the FilesystemMetadataProvider bean, below:
    • Enclose the block below in <!-- and --> tags:
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
  <constructor-arg>
    <value type="java.io.File">/usr/local/metadata/idp.xml</value>
  </constructor-arg>
  <property name="parserPool" ref="parserPool"/>
</bean>

SAML assertion attributes

  • In the following samlUserDetailsService bean:
    • Complete the following four properties with their correct SAML assertion attributes:
      • usernameAttribute
      • firstNameAttribute
      • lastNameAttribute
      • emailAttribute
<bean id="samlUserDetailsService" 
     class="com.easa.custom.auth.sso.saml.AttributeSAMLUserDetailsService">
    <!-- If below is empty the NameID will be used -->
  <property name="usernameAttribute" value=""/> 
    <!-- Below optional -->
    <!-- Firstname may be first or full name -->
  <property name="firstNameAttribute" value="FirstName"/> 
  <property name="lastNameAttribute" value="LastName"/>
  <property name="emailAttribute" value="EmailAddress"/>
</bean>

Multiple EASA machines

  • If there is more than one EASA machine, then:
    • Each machine needs its own entityID in its metadata.
    • Change the entityId in the following MetadataGenerator bean to a unique name
      • For example:
        • value="com.easa.sso1"
<bean id="metadataGeneratorFilter" 
    class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="entityId" value="com.easa.sso"/>
    </bean>
  </constructor-arg>
</bean>

Custom URL for EASA access

  • If an explicit domain name will be used in the URL used to access the EASA site:
    • The URL must be specified by adding a new property (below) to the above MetadataGenerator bean:
      • Substitute the appropriate domain name for myeasa
      • Save the file
<property name="entityBaseURL" value="http://myeasa/easa"/>

Now that SAML SSO has been configured, restart the EASA Server.


  • In the browser enter the URL:
    • <protocol>://<hostname>:<port>/easa/saml/metadata
    • Download the file (this is EASA’s service provider metadata for this machine).

This metadata file needs to be added to the identity provider.


Troubleshooting


SSLPeerUnverifiedException

  • In the case of:
    • javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null…
    • Modify the following MetadataGeneratorFilter bean to match the one below it:
      • (i.e. add an extendedMetadata property holding an ExtendedMetadata bean whose sslHostnameVerification is set to allowAll, which disables hostname checking on the TLS connections the SAML library makes to the identity provider)
    • Save

Find:

<bean id="metadataGeneratorFilter" 
     class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="entityId" value="com.easa.sso"/>
    </bean>
  </constructor-arg>
</bean>

Replace with:

<bean id="metadataGeneratorFilter" 
    class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="entityId" value="com.easa.sso"/>
      <property name="extendedMetadata">
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
          <property name="sslHostnameVerification" value="allowAll"/>
        </bean>
      </property>
    </bean>
  </constructor-arg>
</bean>

Recreate the metadata file, remove the old one, and add the new file to the identity provider.


SAMLException

  • In the case of:
    • org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future…
    • Modify the following WebSSOProfileConsumerImpl <bean/> to match the one below it:
      • (i.e. add a responseSkew property and set it to a number of seconds)
    • Save

Find:

<bean id="webSSOprofileConsumer" 
   class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

Replace with:

<bean id="webSSOprofileConsumer" 
   class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
      <property name="responseSkew" value="180"/>
</bean>
  • If the exception persists, then:
    • Increase the number of seconds in the responseSkew property
    • Check again and adjust the value until it works.
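As an added illustration (not EASA's or Spring Security SAML's own code), the following Python mirrors the two checks the settings on this page control: the responseSkew window behind the SAMLException above, and the attribute-to-user mapping configured in the samlUserDetailsService bean (empty usernameAttribute falls back to the NameID). The sample response is constructed, and the 60-second default skew is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not captured from a real IdP); the fixed
# IssueInstant keeps the skew check deterministic.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_utc(stamp):
    """SAML timestamps are UTC xsd:dateTime values; this handles the
    whole-second 'Z' form used in the sample."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def issue_time_within_skew(response_xml, now_utc, response_skew=60):
    """The check behind 'Response issue time is either too old or with date
    in the future': the Response IssueInstant must lie within response_skew
    seconds of the SP clock, on either side. 60 s is an assumed default."""
    root = ET.fromstring(response_xml)
    delta = parse_utc(now_utc) - parse_utc(root.get("IssueInstant"))
    return abs(delta.total_seconds()) <= response_skew

def user_details(response_xml, mapping):
    """Apply the samlUserDetailsService mapping: an empty usernameAttribute
    falls back to the Subject NameID; the other three properties name
    assertion attributes, and an attribute that is absent yields None."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall(".//saml:Attribute", NS)}
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    username_attr = mapping.get("usernameAttribute", "")
    return {
        "username": attrs.get(username_attr) if username_attr else name_id,
        "firstName": attrs.get(mapping.get("firstNameAttribute")),
        "lastName": attrs.get(mapping.get("lastNameAttribute")),
        "email": attrs.get(mapping.get("emailAttribute")),
    }
```

A response issued 150 seconds before the SP clock fails with the default window but passes once responseSkew is raised to 180, which is exactly what the troubleshooting step above changes; a persistent failure at larger values points at clock drift between the IdP and the EASA Server.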

If metadata from a URL fails, try from a file (Java 8 has updated TLS support).
