SAML Java: Code Your App to Provide SSO



2023-11-28 14:48 | Source: web compilation | Views: 265

Code Your Java App to Provide SSO via OneLogin

Use OneLogin’s open-source SAML toolkit for JAVA to enable single sign-on (SSO) for your app via any identity provider that offers SAML authentication.

java-saml is available in Maven repositories.

This document provides instructions to create an SSO connection between your app and OneLogin. We'll use the java-saml-tookit-jspsample app (java-saml-master/samples/java-saml-tookit-jspsample) delivered with the toolkit to demonstrate the setup tasks.

The sample app is a simple app that demonstrates the SSO and single logout (SLO) flow enabled by the SAML toolkit. We assume you understand how to deploy a Java project. See deploy a project with Eclipse and Tomcat if you require guidance on deploying Java projects.

For information about prerequisites, installation, and developing an app with the SAML Toolkit for JAVA, see OneLogin’s SAML JAVA Toolkit.

Note that there is specific code documentation available for the OneLogin SAML Toolkit Java library. See toolkit documentation and core documentation.

Task 1: Prepare sample project

Download the sample project from SAML Toolkit for JAVA.

Configure the IDE/server and verify that the dependencies defined in pom.xml are installed.

Task 2: Create an app connector in OneLogin

Use the SAML Test Connector (Advanced) connector to build an application connector for your app. For demo purposes, we’ll build one for the demo1 app.

This app connector provides the SAML values your app needs to communicate with OneLogin as an identity provider. It also provides a place for you to enter the SAML values that OneLogin requires to communicate with your app as a service provider.

Access OneLogin. Go to Apps > Add Apps. Search for SAML Test Connector.

Select the SAML Test Connector (IdP w/ attr) app.

SAML Connector

Edit the Display Name, if required. In the case of working with the demo1 app, enter demo1.

Accept the default values and click Save.

Keep the OneLogin app connector UI open for the next task.

Task 3: Define identity provider values in onelogin.saml.properties

In this step, define the identity provider values your app needs so it can communicate with OneLogin.

Open onelogin.saml.properties (src/main/resources/onelogin.saml.properties).

Select the SSO tab in the OneLogin app connector UI.

Copy values from the SSO tab and paste them into the 'idp' (identity provider) section of onelogin.saml.properties, that is, the parameters that start with onelogin.saml2.idp, as shown below.

Copy the SSO tab field on the left into the onelogin.saml.properties key on the right:

    Issuer URL                        ->  onelogin.saml2.idp.entityid
    SAML 2.0 Endpoint (HTTP)          ->  onelogin.saml2.idp.single_sign_on_service.url
    SLO Endpoint (HTTP)               ->  onelogin.saml2.idp.single_logout_service.url
    X.509 Certificate > View Details  ->  onelogin.saml2.idp.x509cert

Save onelogin.saml.properties.

Keep the OneLogin app connector UI open for the next task.

Task 4: Define service provider values in onelogin.saml.properties

In this step, define the service provider values to identify your app to OneLogin. To do this:

Open onelogin.saml.properties (src/main/resources/onelogin.saml.properties).

The following values are related to the URL where the sample is published. Suppose the base URL of the sample app is 'http://localhost:8080/sample/'. Then we should define:

onelogin.saml2.sp.entityid = http://localhost:8080/sample/metadata.jsp
onelogin.saml2.sp.assertion_consumer_service.url = http://localhost:8080/sample/acs.jsp
onelogin.saml2.sp.single_logout_service.url = http://localhost:8080/sample/sls.jsp

For the onelogin.saml2.sp.nameidformat, change unspecified to emailAddress. This is the value used by OneLogin.

Save onelogin.saml.properties.

In the OneLogin app connector UI, still open from the previous task, select the Configuration tab.

Copy values from onelogin.saml.properties into the Configuration tab fields as shown below.

Copy the onelogin.saml.properties value on the left into the Configuration tab field on the right:

    onelogin.saml2.sp.assertion_consumer_service.url  ->  ACS (Consumer) URL
    onelogin.saml2.sp.assertion_consumer_service.url  ->  Recipient
    onelogin.saml2.sp.single_logout_service.url       ->  Single Logout URL
    onelogin.saml2.sp.entityid                        ->  Audience

For a detailed description of each field on the Configuration tab, see How to Use the OneLogin SAML Test Connector.

You can leave RelayState blank. When blank, OneLogin respects the RelayState value sent by the service provider.

For now, set ACS (Consumer) URL Validator to .*. Once you verify that the connection between your app and OneLogin is working, set this value to a pattern that actually validates the ACS URL. See How to Use the OneLogin SAML Test Connector for more details.

Your Configuration tab should look like this:

SAML App Config

Click Save.

If you need advanced security for production, configure the parameters prefixed by onelogin.saml2.security in the onelogin.saml.properties file.

For more information about how to configure those settings, read the settings section of the Java toolkit documentation.
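The two settings this task tells you to revisit before production, the ACS (Consumer) URL Validator and the onelogin.saml2.security parameters, are easy to leave in their test state. The following is an added example, not code from the OneLogin toolkit or its sample app. It shows why the placeholder validator .* is only for testing (it accepts any URL, including a constructed look-alike host) and how an anchored, escaped pattern accepts exactly the real ACS URL; it then reads a constructed onelogin.saml.properties fragment and lists the security keys that are still missing or false. The key names are taken from the toolkit's documented settings as I read them for java-saml 2.x; the ACS URL is the one used throughout this page, and the look-alike host is constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

/*
 * Added example (not part of the OneLogin toolkit): pre-production checks for
 * the ACS URL validator pattern and the onelogin.saml2.security settings.
 */
public class SamlHardeningCheck {

    // ACS URL of the sample app as configured on this page.
    static final String ACS_URL = "http://localhost:8080/sample/acs.jsp";

    // The placeholder validator the page says to use only while testing.
    static final Pattern PERMISSIVE = Pattern.compile(".*");

    // Anchored and escaped: Pattern.quote stops "." from matching any character,
    // and ^...$ keeps the pattern correct under both find() and matches() semantics.
    static final Pattern STRICT = Pattern.compile("^" + Pattern.quote(ACS_URL) + "$");

    // Security-related keys (assumption: names as documented for java-saml 2.x;
    // verify against the toolkit version you deploy).
    static final String[] SECURITY_KEYS = {
        "onelogin.saml2.strict",
        "onelogin.saml2.security.want_assertions_signed",
        "onelogin.saml2.security.want_messages_signed",
        "onelogin.saml2.security.want_xml_validation",
        "onelogin.saml2.security.reject_unsolicited_responses_with_inresponseto",
    };

    /** True if the validator pattern accepts the given ACS URL. */
    static boolean acsAccepted(Pattern validator, String acsUrl) {
        return validator.matcher(acsUrl).find();
    }

    /** Returns the security keys that are absent or not set to "true". */
    static List<String> weakSecuritySettings(Properties props) {
        List<String> weak = new ArrayList<>();
        for (String key : SECURITY_KEYS) {
            String value = props.getProperty(key, "false").trim();
            if (!"true".equalsIgnoreCase(value)) {
                weak.add(key);
            }
        }
        return weak;
    }

    public static void main(String[] args) throws IOException {
        // Constructed look-alike: a different host that merely starts with "localhost".
        String lookalike = "http://localhost.attacker.invalid:8080/sample/acs.jsp";
        System.out.println(".*     accepts look-alike: " + acsAccepted(PERMISSIVE, lookalike)); // true
        System.out.println("strict accepts look-alike: " + acsAccepted(STRICT, lookalike));     // false
        System.out.println("strict accepts real ACS:   " + acsAccepted(STRICT, ACS_URL));       // true

        // Constructed properties fragment in the same format as onelogin.saml.properties.
        String fragment = String.join("\n",
            "onelogin.saml2.strict = true",
            "onelogin.saml2.security.want_assertions_signed = false",
            "onelogin.saml2.security.want_messages_signed = false",
            "onelogin.saml2.security.want_xml_validation = true");
        Properties props = new Properties();
        props.load(new StringReader(fragment));
        System.out.println("Tighten before production: " + weakSecuritySettings(props));
    }
}
```

Run it with javac and java as a plain main class; it has no dependency on the toolkit. The settings check is deliberately a whitelist of keys that must read true: when the toolkit adds or renames a setting, extend the array rather than relying on whatever default the shipped sample file happens to contain.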

Task 5: Add users to your app connector

In this task, provide users with access to the app connector you created and configured. For example, ensure you have access to the app connector and the sample app.

To do this:

With your app connector open, select the Access tab.

Verify that the settings provide access to the app connector. For example, enable a role that will give you access. In this case, the selected Default role grants access to relevant users, as shown below.

SAML App Access

Click Save.

Task 6: Log in to your app

At this point, the setup is complete. You can now single sign-on to, and log out of, your app. For demo purposes, we demonstrate the login and logout behavior using the sample app.

Log in using service provider-initiated SAML

The following login flow illustrates service provider-initiated SAML, in which the request for authentication and authorization is initiated from the app, or service provider.

Access the sample app at http://localhost:8080/sample/index.jsp, as shown below.

SAML Demo App

Select Login. Selecting the Login link in the sample app demonstrates the user experience when logging into your app via SSO.

The OneLogin login UI displays. Enter your OneLogin credentials and log in.

A page listing the values from the app connector's Parameters UI displays. When implemented for your app, this point in the flow displays your app in a logged-in state.

SAML App Params

Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO, as shown below.

SAML App Logout

Troubleshooting: If you see the following UI instead of the OneLogin login UI, please ensure that you have completed Task 5: Add users to your app connector.

SAML App Error
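In the sample app the login link and the acs.jsp page perform the two halves of the service provider-initiated flow just walked through. The following servlet is an added example of how your own app would implement the same two steps with the toolkit; it is not the sample's code. Assumptions: the servlet is mapped to /login and to the ACS path that you entered in onelogin.saml2.sp.assertion_consumer_service.url, onelogin.saml.properties is on the classpath so the default Auth constructor finds it, the servlet API is javax.servlet (java-saml 2.x), and the Auth methods used (login, processResponse, isAuthenticated, getErrors, getLastErrorReason, getNameId, getAttributes) are as documented for that toolkit version.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.onelogin.saml2.Auth;

/*
 * Added example, not the toolkit's sample code. GET /login starts SP-initiated
 * SSO; POST to the ACS path consumes the SAMLResponse from OneLogin.
 */
public class SamlSsoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/login".equals(req.getServletPath())) {
            try {
                // Builds an AuthnRequest and redirects the browser to the IdP's
                // single sign-on URL (the value copied from the SSO tab).
                new Auth(req, resp).login();
            } catch (Exception e) {
                throw new ServletException("Could not start SAML login", e);
            }
            return;
        }
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // ACS endpoint: OneLogin POSTs the SAMLResponse here.
        Auth auth;
        try {
            auth = new Auth(req, resp);
            // Validates signature, audience, destination and timestamps according
            // to the onelogin.saml2.security settings; strict mode must be on.
            auth.processResponse();
        } catch (Exception e) {
            throw new ServletException("Could not process SAML response", e);
        }

        if (!auth.isAuthenticated()) {
            // Log the toolkit's diagnostics server-side; do not echo them or the
            // raw response back to the browser.
            List<String> errors = auth.getErrors();
            log("SAML response rejected: " + errors + " / " + auth.getLastErrorReason());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML authentication failed");
            return;
        }

        // Rotate the session on login so a session id issued before
        // authentication cannot be reused, then bind the IdP identity to it.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("nameId", auth.getNameId());
        Map<String, List<String>> attributes = auth.getAttributes();
        session.setAttribute("attributes", attributes);

        // Redirect to a fixed in-app page rather than to the RelayState value:
        // RelayState is attacker-influenceable and would need validation first.
        resp.sendRedirect(req.getContextPath() + "/index.jsp");
    }
}
```

The session rotation and the fixed post-login redirect are the two points where a straight copy of a demo ACS page usually falls short in a real app; the toolkit handles the SAML validation, but establishing the application session safely is the app's job.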

Log in using identity provider-initiated SAML

The following login flow illustrates identity provider-initiated SAML, in which the login request is initiated from OneLogin. In this case, the user experience is as follows:

On your OneLogin App Home page, select the app connector you created for the sample app, as shown below.

SAML Demo App in Portal

The page listing the values from the app connector's Parameters UI displays. For your app, this displays your app in a logged-in state.

Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO.

SAML App Logout

