The PAS SAML implementation needs an intermediate client application that acts as a mediator (the SAML service provider) between an IdP and a PAS server. This article uses a Node.js application as the mediator.
Requests made to a PAS server reach the Node.js application first. The Node.js application then redirects the browser to the IdP login page with a SAML authentication request.
Authentication succeeds when the user provides valid credentials, and the IdP sends a SAML response to the Node.js application.
The response contains a SAML assertion, which the Node.js application extracts and sends to the PAS server in a request header.
On receiving the SAML assertion from the Node.js client, the PAS server validates the assertion (validation is optional) and sends the response back. In this scenario, the PAS server also generates a ClientPrincipal object with the user information. If assertion validation is switched off on the PAS server, the Node.js application must verify the assertion's signature itself before forwarding it; otherwise anyone who can reach its assertion endpoint can present a forged assertion to PAS.
Identity Provider Configuration:
This article uses Okta as the Identity Provider (IdP). An Okta account has been created and the following information set:
Single Sign-On URL, Recipient URL and Destination URL:
Then, under “Assignments” in Okta, assign the current user to this application; this makes the application accessible to that user.
Download the Identity Provider Metadata (idp.xml) and the X.509 Certificate (okta.cert) from Okta.
Place the certificate in the Node.js application folder and the Identity Provider Metadata (idp.xml) in the PAS instance’s metadata folder.
Service Provider Configuration:
The sp.xml file was created using the website https://www.samltool.com/sp_metadata.php with the following values:
EntityID, Attribute Consume Service Endpoint (HTTP-POST) and Single Logout Service Endpoint (HTTP-REDIRECT): http://localhost:8080/spring-security-saml2-sample/saml/metadata
PS: remove the XML declaration (i.e. "<?xml version="1.0"?>") from the metadata file. Validation fails if this declaration is present, because it is not returned in Okta's SAML assertion response.
Prior to executing the Node.js program, install the library below:
(command: npm install saml2-js)
This application does the following:
- When a particular URL is hit (http://localhost:8080/pasoe/GetCustName/<any_number>), it redirects the browser to the IdP (Okta) login page.
- After the user enters a username and password, Okta sends the SAML response (which contains the SAML assertion) to the ACS endpoint, i.e. the Single Sign-On URL configured in Okta.
- The Node.js application receives the POST at the ACS endpoint URL (app.post), extracts the assertion and forwards it to PAS in a request to the actual PAS resource URL.
- The PAS server validates the assertion and sends the response back to the Node.js application.
- The Node.js application then redirects to another URL with the intended response from PAS.
PAS Instance Configuration:
- Change client.login.model to saml.
- Place the service provider (sp.xml) and IdP (idp.xml) metadata files in the instance’s metadata folder (WEB-INF/metadata).
- Deploy a REST application.
- For test purposes, dump the ClientPrincipal details by configuring sessionActivateProc as activate.p. (This procedure dumps the ClientPrincipal attribute details to the cp_details.out file under the instance’s work directory.)
- A SAML assertion can be long. To accommodate its length in the request header, configure maxHttpHeaderSize in the instance’s conf/server.xml file accordingly (the Tomcat default is 8192 bytes); for this article it was set to 65536.
To test a simple round trip:
- Start the Node.js application from a command prompt (i.e. node NodeJS_ServiceProvider_Custname.js)
- Start the PAS instance
- Open a browser and hit the following URL: http://localhost:8080/pasoe/GetCustName/1
- The browser is redirected to the Okta login page. Enter credentials and see the response from the PASOE server: the customer name for customer number 1 (Lift Tours).