Single Sign On to Google using OpenSSO

Google offers a SAML 2.0 capable single sign-on service in which Google acts as the service provider (SP). Google also provides a sample demo application. Rather than using Liberty Alliance's circle-of-trust model, Google uses a peered structure: when Google's SSO service (SP) receives a SAML response, it verifies the signature on that response. If the signature is valid, the SAML assertion is accepted.

Trying to use Google's demo code with OpenSSO as an identity provider (IDP) requires some tweaks.

Step 1: Making OpenSSO accept Google's SAML request
  1. The SAML request sent out by Google's demo code cannot be understood by OpenSSO because of a compression (deflate) problem: from what I saw in the code, Google compresses with the zlib wrapper of RFC 1950, while the SAML specification dictates raw DEFLATE as in RFC 1951, which is also what OpenSSO implements. All you need to do is replace Google's RequestUtil.encodeMessage(String) with OpenSSO's SAML2Utils.encodeForRedirect(String).
  2. Google's code uses a simple template for constructing the SAML request, in fact too simple for OpenSSO. Add a few XML elements to AuthnRequestTemplate.xml so that it looks like this (note that the Issuer's attribute is Format with a capital F, as SAML's NameIDType defines it):

     <?xml version="1.0" encoding="UTF-8"?>
     <AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol file:/Documentation/Federation-SAML-Liberty/SAML%202.0/XSD/saml-2.0-os-xsd/saml-schema-protocol-2.0.xsd"
         ID="<AUTHN_ID>"
         Version="2.0"
         IssueInstant="<ISSUE_INSTANT>"
         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         ProviderName="<PROVIDER_NAME>"
         ForceAuthn="true"
         AssertionConsumerServiceURL="<ACS_URL>">
       <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">google</Issuer>
       <Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
         <NameID>google</NameID>
       </Subject>
     </AuthnRequest>

  3. Point ssoURL in CreateRequestServlet.doPost(HttpServletRequest, HttpServletResponse) to your OpenSSO instance (e.g. http://localhost:8080/opensso/idpSSOFederate/metaAlias/idp, where 'idp' is your IDP entity).
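To make the deflate problem in item 1 concrete, here is an added example in Python (my own code, not Google's demo or OpenSSO's SAML2Utils): it fills a cut-down stand-in for the template above, encodes the request for the HTTP-Redirect binding both as raw DEFLATE per RFC 1951 and with the RFC 1950 zlib wrapper, and shows that an IdP inflating raw DEFLATE, as OpenSSO does, cannot read the wrapped form. The provider name and ACS URL passed in are sample values.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone

# Cut-down stand-in for Google's AuthnRequestTemplate.xml (constructed for this
# example); the <...> placeholders are the ones the template on this page uses.
TEMPLATE = (
    '<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="<AUTHN_ID>" '
    'Version="2.0" IssueInstant="<ISSUE_INSTANT>" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'ProviderName="<PROVIDER_NAME>" ForceAuthn="true" '
    'AssertionConsumerServiceURL="<ACS_URL>">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">google</Issuer>'
    '</AuthnRequest>'
)


def build_request(provider_name, acs_url):
    """Fill the template. SAML IDs must be xsd:ID (an NCName), hence the '_' prefix."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (TEMPLATE.replace("<AUTHN_ID>", "_" + uuid.uuid4().hex)
            .replace("<ISSUE_INSTANT>", now)
            .replace("<PROVIDER_NAME>", provider_name)
            .replace("<ACS_URL>", acs_url))


def encode_for_redirect(xml):
    """HTTP-Redirect binding as the SAML 2.0 Bindings spec defines it:
    raw DEFLATE (RFC 1951), then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits < 0: no zlib header/trailer
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def encode_with_zlib_wrapper(xml):
    """The mistake described above: same steps, but zlib.compress adds the
    RFC 1950 header and Adler-32 trailer around the DEFLATE stream."""
    wrapped = zlib.compress(xml.encode("utf-8"), 9)
    return urllib.parse.quote(base64.b64encode(wrapped).decode("ascii"), safe="")


def decode_as_idp(saml_request_param):
    """Inflate the way an RFC 1951 IdP such as OpenSSO does.
    Returns the XML, or None when the bytes are not a raw DEFLATE stream."""
    data = base64.b64decode(urllib.parse.unquote(saml_request_param))
    try:
        return zlib.decompress(data, -15).decode("utf-8")
    except zlib.error:
        return None
```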
Step 2: Making Google Apps accept OpenSSO's SAML response
  1. Import Google's sample private key into a Java keystore. Since keytool cannot import arbitrary private keys, I converted Google's keys to PKCS#12 and then used one of the PKCS12Import classes (source can be found on the net) to import the key into the JKS.
  2. Google's sample keys are DSA keys, which are good for signing but not for encrypting, so you need to tell OpenSSO via the browser GUI (Service Configuration > Global > Common Federation Configuration) to sign, but not to encrypt, the SAML response.
  3. You also need an account mapper that generates the SAML response message. Pat Patterson posted a sample on the OpenSSO mailing list (check the OpenSSO archives). Google wants the email address as the identity ('demouser@psosamldemo.com' is the default in case you don't own a Google Apps Premier account). You can use Pat's version out of the box if your OpenSSO user has ID='demouser@psosamldemo.com', or you can extend Pat's code to return the user's email address (e.g. via OpenSSO's DataStoreProvider.getAttribute(String, String)).
Comments:

Hi,
I am trying to accomplish a single sign-on for my standard account created in Google. I have the sample SSO application downloaded. I would like to know what needs to be done to accomplish this single sign-on for my account. I am just exploring it to see how it works. Please send me a detailed reply.

Thanks in advance,
Jinesh T

Posted by Jinesh on July 21, 2008 at 06:33 AM CEST #

How to convert the Google's keys to PKCS#12?

Thank you

Posted by Anand on June 29, 2010 at 04:54 PM CEST #

Hi Pat

Looking for some inputs on agent profile for 3.0. Would be grateful if you could point me to some documents.

As part of DR setup we need to move the agent config from one environment to another environment.
We are using OpenSSO version 3 agent.
The agent profile is maintained within the OpenSSO server with all the enforced list and other parameters in OpenSSO.

How can I

1) Move agent profile from one environment to another using cmd line? (cannot do manual setup of agent profile as it would be a time consuming activity)

2) Also what changes do I need to make in the agent profile so that the agents are recognized in the new environment.

I intend to use the pre-prod environment for DR so all the host names will change.
My approach was to only move the production policies in the realm, keeping all the realm setup as is, using ssoadm list-policies.
But the agents being version 3 I have to move them as well for all the backend applications being protected by OpenSSO to work.

And will change the VIP DNS so that the hostname is resolved to pre-prod DMZ instead of production in case of DR.

Please advise.

Posted by Anuj sharma on March 11, 2011 at 05:28 AM CET #

About

steffo
