This documentation is for WSO2 Identity Server 5.4.0.



SAML 2.0 SSO assertion consumers

Service providers act as SAML assertion consumers. They have two basic functions:

  • Create messages and redirect users to the identity provider with the created message.
  • Process messages from the identity provider and make decisions based on them.

The following code is a sketch of a sample service provider servlet in a SAML 2.0 web browser-based SSO system.

Code Block
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Resource extends HttpServlet
{
    // SamlConsumer is the application's own helper that builds and processes SAML messages
    private static SamlConsumer consumer = new SamlConsumer();

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException
    {
        // Build the <AuthnRequest> and send the browser to the identity provider with it
        String requestMessage = consumer.buildRequestMessage();
        response.sendRedirect(requestMessage);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
    {
        // The identity provider POSTs the SAMLResponse form parameter back to this servlet;
        // getParameter() returns null when it is absent, so do not call toString() on it blindly
        String responseMessage = request.getParameter("SAMLResponse");
        Object result = consumer.processResponseMessage(responseMessage);
    }
}

When a web user attempts to access the above servlet, its doGet() method is called. Inside doGet(), the servlet generates an <AuthnRequest> message and then redirects the user to the identity provider.

After the identity provider completes authentication, it POSTs a <Response> message back to the above servlet. The servlet's doPost() method is then called; it retrieves the message from the request and passes it to the SamlConsumer instance for processing.

<AuthnRequest> message

To create an <AuthnRequest> message using the OpenSAML library, do the following.

  1. Add the OpenSAML library to the build path of the project. You can download the OpenSAML .jar file from here.
  2. A sample <AuthnRequest> message can be found here.
  3. According to the SAML 2.0 specification, the message must contain an <Issuer> element. Create the Issuer element first.

    Code Block
    String issuerId = "saml2.sso.demo";
    IssuerBuilder issuerBuilder = new IssuerBuilder();
    Issuer issuer = issuerBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
    issuer.setValue(issuerId);
  4. Create the <AuthnRequest> next.

    Code Block
    // issuerUrl is the URL of the service provider that generates the <AuthnRequest> message;
    // it is also where the identity provider must deliver the <Response> (the assertion consumer service)
    String issuerUrl = "http://localhost:8080/saml2.sso.demo/consumer";
    DateTime issueInstant = new DateTime();
    // SAML IDs are xs:ID values and must not start with a digit, hence the leading underscore.
    // Keep this ID in the user's session so the InResponseTo of the <Response> can be checked later.
    String aRandomId = "_" + UUID.randomUUID().toString();
    AuthnRequestBuilder authnRequestBuilder = new AuthnRequestBuilder();
    AuthnRequest authnRequest = authnRequestBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:protocol", "AuthnRequest", "samlp");
    authnRequest.setForceAuthn(false);
    authnRequest.setIsPassive(false);
    authnRequest.setIssueInstant(issueInstant);
    // Ask the identity provider to return the <Response> with the HTTP POST binding
    authnRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
    authnRequest.setAssertionConsumerServiceURL(issuerUrl);
    authnRequest.setIssuer(issuer);
    authnRequest.setID(aRandomId);
    authnRequest.setVersion(SAMLVersion.VERSION_20);

    The message may contain many other optional elements; those elements can be created and added to the message in the same way.

  5. Next encode the message.

    Code Block
    // Serialise the <AuthnRequest> object to XML
    Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(authnRequest);
    Element authDOM = marshaller.marshall(authnRequest);

    StringWriter rspWrt = new StringWriter();
    XMLHelper.writeNode(authDOM, rspWrt);
    String requestMessage = rspWrt.toString();

    // HTTP-Redirect binding: raw DEFLATE (nowrap = true, i.e. no zlib header) of the UTF-8 encoded XML
    Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
    DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(byteArrayOutputStream, deflater);
    deflaterOutputStream.write(requestMessage.getBytes("UTF-8"));
    deflaterOutputStream.close();

    /* Base64-encode the compressed message, then URL-encode it so it can be placed in a query string */
    String encodedRequestMessage = Base64.encodeBytes(byteArrayOutputStream.toByteArray(), Base64.DONT_BREAK_LINES);
    String encodedAuthnRequest = URLEncoder.encode(encodedRequestMessage, "UTF-8").trim();
  6. Construct the redirection URL.

    Code Block
    // identityProviderUrl is the identity provider's single sign-on endpoint; the query parameter
    // must carry the URL-encoded form of the message, otherwise '+' and '/' in the Base64 are corrupted
    String redirectionUrl = identityProviderUrl + "?SAMLRequest=" + encodedAuthnRequest;
  7. Redirect the user to the identity provider.

    Code Block
    response.sendRedirect(redirectionUrl);

<Response> message

The identity provider must use the HTTP POST or artifact binding to transfer the <Response> message (carried in the SAMLResponse parameter) to the service provider. To read the <Response> message issued by the WSO2 Identity Server, do the following:

  1. A sample <Response> message can be found here.
  2. The response message must be fetched from the request.

    Code Block
    // SAMLResponse is the form parameter the identity provider POSTs to the assertion consumer URL;
    // it is null when the request did not come from the identity provider, so reject such requests
    String responseMessage = request.getParameter("SAMLResponse");
    if (responseMessage == null) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
  3. The fetched responseMessage is unmarshaled and the SAML message is retrieved.

    Code Block
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    // The message arrives from the browser, so parse it with DOCTYPEs (and therefore external
    // entities, XXE) disabled before handing it to the unmarshaller
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    documentBuilderFactory.setExpandEntityReferences(false);
    documentBuilderFactory.setXIncludeAware(false);
    DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();

    byte[] base64DecodedResponse = Base64.decode(responseMessage);
    ByteArrayInputStream is = new ByteArrayInputStream(base64DecodedResponse);
    Document document = docBuilder.parse(is);
    Element element = document.getDocumentElement();
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
    Response response = (Response) unmarshaller.unmarshall(element);
  4. The retrieved SAML 2.0 Response object can now be processed. For example, read the subject's NameID, which carries the username.

    Code Block
    String subject = response.getAssertions().get(0).getSubject().getNameID().getValue();
  5. Alternatively, if the response is signed by the identity provider, you can retrieve the certificate embedded in its signature. Because that certificate travels inside the message, it only identifies who claims to have signed it; verify the signature against the identity provider's certificate obtained out of band (for example from its metadata) and check the assertion's conditions before trusting the subject.

    Code Block
    String certificate = response.getSignature().getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue();
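The steps above parse the message and read values from it, but nothing has been verified yet. The class below is an added illustration, not code from the WSO2 Identity Server documentation or from OpenSAML, of the checks an assertion consumer should make before it trusts the NameID: status, Destination, InResponseTo, the signature (verified against the identity provider's certificate obtained out of band rather than the certificate inside the message), the Conditions window and audience, and the bearer SubjectConfirmation. It assumes the OpenSAML 2.x API already used on this page, that the identity provider's X509Certificate has been loaded beforehand, and that the ID of the <AuthnRequest> was kept in the user's session at redirect time; the class name, constructor parameters, method names and exception messages are my own.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;

/** Hypothetical helper (not WSO2 or OpenSAML code): validates a SAMLResponse before any claim in it is trusted. */
public class SamlResponseValidator {
    private static final int SKEW = 60;              // seconds of IdP/SP clock drift tolerated
    private final X509Certificate idpCertificate;    // trusted copy obtained out of band (e.g. from IdP metadata)
    private final String acsUrl;                     // this SP's assertion consumer service URL
    private final String spEntityId;                 // this SP's entity ID, i.e. the Issuer of its AuthnRequest

    public SamlResponseValidator(X509Certificate idpCertificate, String acsUrl, String spEntityId) {
        this.idpCertificate = idpCertificate;
        this.acsUrl = acsUrl;
        this.spEntityId = spEntityId;
    }

    /** Returns the subject NameID once every check passes; throws SecurityException otherwise. */
    public String validate(String base64Response, String expectedInResponseTo) throws Exception {
        DefaultBootstrap.bootstrap();
        Response response = parse(base64Response);
        DateTime now = new DateTime();
        if (!StatusCode.SUCCESS_URI.equals(response.getStatus().getStatusCode().getValue()))
            throw new SecurityException("identity provider did not report success");
        // The message must be addressed to this consumer and answer the request this session actually sent
        if (!acsUrl.equals(response.getDestination()))
            throw new SecurityException("Destination is not our ACS URL");
        if (!expectedInResponseTo.equals(response.getInResponseTo()))
            throw new SecurityException("InResponseTo is not the AuthnRequest ID we issued");
        // Encrypted assertions would need decrypting first; this example accepts one plaintext assertion only
        if (response.getAssertions().size() != 1 || !response.getEncryptedAssertions().isEmpty())
            throw new SecurityException("expected exactly one plaintext assertion");
        Assertion assertion = response.getAssertions().get(0);
        // Verify whichever signature is present with the certificate we trust, never the one in KeyInfo
        boolean signed = false;
        if (response.isSigned()) { verify(response.getSignature()); signed = true; }
        if (assertion.isSigned()) { verify(assertion.getSignature()); signed = true; }
        if (!signed) throw new SecurityException("neither the response nor the assertion is signed");
        checkConditions(assertion.getConditions(), now);
        checkBearerConfirmation(assertion, expectedInResponseTo, now);
        return assertion.getSubject().getNameID().getValue();
    }

    private Response parse(String base64Response) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Browser-supplied XML: forbid DOCTYPEs so no external entities (XXE) can be declared
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(Base64.decode(base64Response))).getDocumentElement();
        return (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    private void verify(Signature signature) throws Exception {
        // Rejects signatures that break the SAML profile (e.g. a Reference pointing at some other element)
        new SAMLSignatureProfileValidator().validate(signature);
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(idpCertificate);
        new SignatureValidator(credential).validate(signature);   // throws ValidationException on mismatch
    }

    private void checkConditions(Conditions c, DateTime now) {
        if (c == null) throw new SecurityException("assertion carries no Conditions");
        if (c.getNotBefore() != null && now.plusSeconds(SKEW).isBefore(c.getNotBefore()))
            throw new SecurityException("assertion is not yet valid");
        if (c.getNotOnOrAfter() != null && !now.minusSeconds(SKEW).isBefore(c.getNotOnOrAfter()))
            throw new SecurityException("assertion has expired");
        // The assertion must name this service provider as its audience, or it could be replayed from elsewhere
        for (AudienceRestriction restriction : c.getAudienceRestrictions())
            for (Audience audience : restriction.getAudiences())
                if (spEntityId.equals(audience.getAudienceURI())) return;
        throw new SecurityException("assertion is not addressed to this service provider");
    }

    private void checkBearerConfirmation(Assertion assertion, String expectedInResponseTo, DateTime now) {
        for (SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) {
            SubjectConfirmationData d = sc.getSubjectConfirmationData();
            if (!SubjectConfirmation.METHOD_BEARER.equals(sc.getMethod()) || d == null) continue;
            boolean ok = acsUrl.equals(d.getRecipient()) && expectedInResponseTo.equals(d.getInResponseTo())
                    && d.getNotOnOrAfter() != null && now.minusSeconds(SKEW).isBefore(d.getNotOnOrAfter());
            if (ok) return;   // a bearer confirmation bound to us, to our request, and still within its lifetime
        }
        throw new SecurityException("no acceptable bearer SubjectConfirmation");
    }
}
```

Call validate() from the servlet's doPost() with the SAMLResponse parameter and the <AuthnRequest> ID saved in the session at redirect time, and establish the local login only from the NameID it returns. Any SecurityException or ValidationException should end the login attempt and be logged with the response's Issuer and ID, since a failed check on a message addressed to your consumer is worth investigating.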
