Automatic IDP Selection

[ianlong]

Hi All,

Right now I have the sample app up and running with CloudSeal, and am integrating it with my own application. One of the things the sample app does is discovery, where you go to the page that lists your configured IDPs in the metadata bean, and gives you the ability to select one.

I know which IDP to use as I store it, and would like to skip that step and select it automatically.

What is the best approach to doing that? That part of the manual isn't complete yet. I have set discovery to off in the metadata as a first step.

I am using the latest trunk code.

Any help is appreciated!

[vsch]

Hi,

You can bypass IDP Discovery in multiple ways:

1) Pass parameter "idp" with value of entityId of the IDP you want to connect to when starting the SSO process (e.g. http://server/context/saml/login?idp...ver.com%2Fsaml)
2) Set property "idpSelectionPath" to <null/> in the samlIDPDiscovery bean. This will make the discovery service return your default IDP (first IDP found in your metadata by default, or property defaultIDP on bean metadata)
3) Set property "includeDiscovery" to false on the MetadataGenerator class within metadataGeneratorFilter. System will then use the default IDP without consulting the discover service.

Hope this helps,
Vladi

[gzhu]

Hi,

You can bypass IDP Discovery in multiple ways:

1) Pass parameter "idp" with value of entityId of the IDP you want to connect to when starting the SSO process (e.g. http://server/context/saml/login?idp...ver.com%2Fsaml)
......

Hope this helps,
Vladi

I have been trying to use slightly cleaner version of above approach, i.e., allowing users to have url like http://server/context/idp1/; and use org.tuckey...UrlRewriteFilter, but could not get it work.

See below config, I tried to put filter-mapping in front or behind springSecurityFilterChain, neither works. Any help would be appreciated.

Code:

in web.xml:

    <filter>
        <filter-name>UrlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
        <init-param>
	    <param-name>logLevel</param-name>
	    <param-value>DEBUG</param-value>
	    </init-param>
    </filter>
    <filter-mapping>
        <filter-name>UrlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

in urlrewrite.xml:

<rule>
	<note>
		This rule would take incoming URL /sso/ssocircle and process it as if
		/sso?idp=http://idp.ssocircle.com/; users still have clean urls
	</note>
	<from>/ssocircle**</from>
	<to last="true" type="redirect">/?idp=http://idp.ssocircle.com</to>
</rule>

I also copied urlrewritefilter-4.0.3.jar under <sso>/WEB-INF/lib/, of course.

[vsch]

Hi,

There are these problems with your config:

- the rule "from" has invalid syntax - two asterisks are not allowed
- the rule "to" has invalid path, it should be /context/saml/login?idp=http://idp.ssocircle.com

You might possibly also have an issue with the filter declaration - it must be declared before the springSecurityFilterChain in your web.xml. Also, the recommended way to initialize the UrlRewriter includes dispatcher tag for REQUEST and FORWARD.

The following urlrewrite.xml will work (as a very basic example):

Code:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite
        PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">

<urlrewrite>

    <rule>
        <note>
            This rule would take incoming URL /sso/ssocircle and process it as if
            /sso?idp=http://idp.ssocircle.com/; users still have clean urls
        </note>
        <from>/ssocircle</from>
        <to last="true" type="redirect">/spring-security-saml2-sample/saml/login?idp=http://idp.ssocircle.com</to>
    </rule>

</urlrewrite>

You might want to use UrlRewrite's support in case you'd have more troubles with it.

Cheers, Vladi