Question

I am trying to compose a SAML2 AuthnRequest for OpenAM. I have a URL that I can perform a get against that works, but am having problems composing this into the XHTML post form.

The working URL with query string is

http://internal.authhost.com:8080/opensso/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=%2FMYRealm%2Fidp&spEntityID=https%3A%2F%2Fsaml.salesforce.com&binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST&RelayState=webj_captureCustomerDetails

My html form looks like:

<form action="http://internal.authhost.com:8080/opensso/idpssoinit" method="post" target="new">
  <input type="text" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmV...">
  <input type="text" name="RelayState" value="webj_captureCustomerDetails">
  <input type="submit"/>
</form>

with the value of SAMLRequest being the Base 64 encoded representation of

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d7607d551380ac97853a6ff4907c4ef01219be97dd" Version="2.0"
    IssueInstant="2008-05-27T07:46:06Z" ForceAuthn="true" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://cs4.salesforce.com/?saml=lkjhkljhkljhkjhlkjh"
    ProviderName="https://saml.salesforce.com">
    <saml:Issuer>https://saml.salesforce.com</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        AllowCreate="true"/>
</samlp:AuthnRequest>

Issuing this form results in an error message from OpenAM stating "Service Provider ID is null"

I can immediately see that the XML does not contain the metaAlias=/MYRealm/idp argument, but the message suggests that it cannot find the spEntityID=https://saml.salesforce.com argument either.

Please advise on where these two properties (metaAlias and spEntityID) need to be specified in the XML.

A link to somewhere specifying how OpenAM COT / IdP configuration maps against SAML AuthnRequest message would also be appreciated.


Solution

Problem was that I was accessing the wrong URL; I should have been hitting spssoinit, as it was Service Provider initiated SSO.
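Added example, not part of the question or the answer above: the two OpenAM *ssoinit endpoints take OpenAM-specific query parameters (metaAlias, spEntityID/idpEntityID) and generate the AuthnRequest themselves, so a hand-built SAMLRequest never belongs there. A SAMLRequest you compose yourself is posted to the IdP's SingleSignOnService endpoint as published in its metadata, encoded according to the binding of that endpoint. The script below builds an AuthnRequest with the attributes used in the question and shows both encodings side by side: HTTP-POST (plain base64 in a form field, as the question does) and HTTP-Redirect (raw DEFLATE, then base64, then URL-encoding in the query string). The endpoint URL, ACS URL and RelayState are placeholders; `parse_authn_request` and the decode helpers are illustrative names, not OpenAM or Salesforce APIs.

```python
import base64
import datetime
import html
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Placeholder: in practice this is the SingleSignOnService Location from the IdP metadata.
IDP_SSO_URL = "https://idp.example.com/opensso/SSOPOST/metaAlias/MYRealm/idp"


def build_authn_request(issuer, acs_url, request_id=None, issue_instant=None):
    """Build the AuthnRequest from the question with ElementTree (handles XML escaping)."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    if request_id is None:
        # xs:ID must not start with a digit, hence the leading underscore.
        request_id = "_" + secrets.token_hex(20)
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "ForceAuthn": "true",
        "IsPassive": "false",
        "ProtocolBinding": HTTP_POST,
        "AssertionConsumerServiceURL": acs_url,
        "ProviderName": issuer,
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP_NS}}}NameIDPolicy",
                  {"Format": NAMEID_TRANSIENT, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode").encode("utf-8")


def encode_post(xml_bytes):
    """HTTP-POST binding: base64 of the raw XML, no compression."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post(saml_request):
    return base64.b64decode(saml_request)


def post_binding_form(idp_url, xml_bytes, relay_state):
    """Self-submitting form carrying SAMLRequest and RelayState as POST fields."""
    return (
        f'<form method="post" action="{html.escape(idp_url, quote=True)}">\n'
        f'  <input type="hidden" name="SAMLRequest" value="{encode_post(xml_bytes)}">\n'
        f'  <input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}">\n'
        f'  <noscript><input type="submit" value="Continue"></noscript>\n'
        f'</form>\n<script>document.forms[0].submit();</script>'
    )


def redirect_binding_url(idp_url, xml_bytes, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) -> base64 -> URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_bytes) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,  # the spec caps RelayState at 80 bytes
    })
    return f"{idp_url}?{query}"


def decode_redirect(url):
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)


def parse_authn_request(xml_bytes):
    """Pull the fields an IdP would check before routing the request."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


if __name__ == "__main__":
    xml = build_authn_request("https://saml.salesforce.com",
                              "https://cs4.salesforce.com/?saml=placeholder")
    print(post_binding_form(IDP_SSO_URL, xml, "webj_captureCustomerDetails"))
    print(redirect_binding_url(IDP_SSO_URL, xml, "webj_captureCustomerDetails"))
```

The Issuer inside the request is what an IdP matches against its configured SP entity IDs, which is why the question's XML already carries the spEntityID value; metaAlias never appears in the message, it is part of the OpenAM endpoint path. Whichever endpoint you post to, confirm its binding in the IdP metadata first: sending a POST-encoded request to a Redirect endpoint (or the reverse) fails with an inflate or base64 error rather than a helpful message.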

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow