IdP and SPS: both services expose a SAML metadata endpoint used to negotiate the service (the other side imports it to learn entity IDs, endpoints and certificates).
IdP metadata, to be imported by the SPS for service negotiation:
http://localhost:8081/alok-idp/saml/idp/metadata
SPS metadata, to be imported by the IdP for service negotiation:
http://localhost:8082/hello-sp/saml/sp/metadata
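The metadata exchange above is what lets each side trust the other. The following is an added example, not code from the alok-idp/hello-sp project: it parses the kind of SP metadata hello-sp would publish at its /saml/sp/metadata endpoint and lists what an IdP operator should verify before importing it. The metadata document, the ACS path and the certificate bodies are constructed placeholders; only the Python standard library is used.

```python
"""Parse SAML 2.0 SP metadata and run sanity checks before trusting it.

Added example, not part of the original project. The sample metadata is
constructed; certificate contents are placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of what an SP such as hello-sp might publish.
# The /saml/sp/acs path and the certificate bodies are assumptions.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8082/hello-sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_SIGNING_CERT_BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_ENCRYPTION_CERT_BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8082/hello-sp/saml/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract entityID, signing flags, certificates and ACS endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        use = kd.get("use", "signing encryption")
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           default="", namespaces=NS)
        for u in use.split():
            certs.setdefault(u, []).append("".join(cert.split()))
    acs = [{"binding": e.get("Binding"), "location": e.get("Location"),
            "default": e.get("isDefault") == "true"}
           for e in sp.findall("md:AssertionConsumerService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "certs": certs,
        "acs": acs,
    }


def check_sp_metadata(meta):
    """Return findings an IdP operator should resolve before importing the SP."""
    findings = []
    if not meta["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned is false: SAML Requests cannot be authenticated")
    if not meta["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false: SP may accept unsigned assertions")
    if not meta["certs"].get("signing"):
        findings.append("no signing certificate: request signatures cannot be verified")
    if not meta["certs"].get("encryption"):
        findings.append("no encryption certificate: assertions cannot be encrypted for this SP")
    for a in meta["acs"]:
        if not (a["location"] or "").startswith("https://"):
            findings.append("ACS %s is not https (acceptable only for local testing)" % a["location"])
    return findings
```

For the local demo the only finding is the plain-http ACS URL, which is expected on localhost; the same check would block a deployment whose assertions would otherwise travel unprotected.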
SAML authentication initiated by SPS (SP-initiated).
- SPS sends a SAML Request to the IdP.
- IdP authenticates the user and responds with a SAML Response.
Usecase:
- TBD

SAML authentication initiated by IdP (IdP-initiated).
- IdP directly sends a SAML Response to the SPS. No SAML Request is generated.
Usecase:
- Single Sign-on: embedding a secure web page provided by a guest application (acting as the SPS service) as an iFrame in a web page provided by a host application (acting as the IdP service). The host validates the user's credentials as part of its login process and at the same time generates a SAML Response for the guest application. When the guest application's web page is loaded into the host page (as an iFrame), the SAML Response is sent to the guest application. The guest application uses the SAML Response to authenticate/authorize the user without asking for additional credentials. Seamless single sign-on takes place.
Both services sign and encrypt the metadata, SAML Request and SAML Response.
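The two flows above differ only at the start: in the SP-initiated case the SAML Response answers a SAML Request the SPS issued, while in the IdP-initiated case it arrives unsolicited. Everything after that (destination, audience, validity window, bearer confirmation, replay) must be checked the same way, which is what the following added example shows. It is not code from the project: signature verification and decryption are assumed to have been done already by an XML-Security library (represented by a `signature_verified` flag), the ACS path, entity IDs, IDs and timestamps are constructed, and only the Python standard library is used.

```python
"""Validate a SAML 2.0 Response for SP-initiated and IdP-initiated SSO.

Added example, not the project's code. Signature verification and assertion
decryption are assumed to happen before this function runs (the
`signature_verified` flag stands in for that step). The responses below are
constructed; the ACS path, IDs and timestamps are made up.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "http://localhost:8082/hello-sp/saml/sp/acs"  # assumed hello-sp ACS endpoint
SP_ENTITY_ID = "http://localhost:8082/hello-sp"         # assumed hello-sp entityID
IDP_ENTITY_ID = "http://localhost:8081/alok-idp"        # assumed alok-idp entityID


def parse_time(s):
    """SAML timestamps are UTC in xsd:dateTime form."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(in_response_to):
    """Constructed Response; pass None to get the unsolicited (IdP-initiated) shape."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return """<samlp:Response xmlns:samlp="%(p)s" xmlns:saml="%(a)s" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="%(acs)s"%(irt)s>
  <saml:Issuer>%(idp)s</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="%(ok)s"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>%(idp)s</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="%(acs)s" NotOnOrAfter="2024-01-01T12:05:00Z"%(irt)s/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>%(sp)s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % {"p": NS["samlp"], "a": NS["saml"], "acs": ACS_URL, "irt": irt,
                        "idp": IDP_ENTITY_ID, "ok": SUCCESS, "sp": SP_ENTITY_ID}


def validate_response(xml_text, now, outstanding_requests, seen_assertions,
                      allow_unsolicited=False, signature_verified=True):
    """Return (True, NameID) or (False, reason).

    outstanding_requests: IDs of SAML Requests this SP sent and has not consumed.
    seen_assertions: replay cache of assertion IDs already accepted.
    """
    if not signature_verified:
        return False, "signature not verified"
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS"
    if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "unexpected Issuer"
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    irt = resp.get("InResponseTo")
    if irt is None:
        # IdP-initiated: there was no SAML Request, so accept only if configured for it.
        if not allow_unsolicited:
            return False, "unsolicited response but IdP-initiated SSO is disabled"
    elif irt not in outstanding_requests:
        return False, "InResponseTo does not match an outstanding SAML Request"
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    aid = assertion.get("ID")
    if aid in seen_assertions:
        return False, "assertion replayed"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_time(nb)) or (noa and now >= parse_time(noa)):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or now >= parse_time(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")):
        return False, "bearer SubjectConfirmationData invalid"
    if scd.get("InResponseTo") != irt:
        return False, "SubjectConfirmationData/InResponseTo mismatch"
    seen_assertions.add(aid)
    if irt is not None:
        outstanding_requests.discard(irt)
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The `allow_unsolicited` switch is the one decision that separates the two use cases on the page: the iFrame single sign-on scenario needs it on, and an SP that only ever sends its own SAML Request should leave it off so that a Response nobody asked for is rejected.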
IdP key and certificate (signed by the rootCA_Alok CA):
openssl req -new -newkey rsa:4096 -nodes -keyout IdP_pkcs8.key -out IdP.csr
Note: -nodes leaves the private key unencrypted (no passphrase).
openssl rsa -in IdP_pkcs8.key -out IdP_pkcs1.key
openssl x509 -req -CA rootCA_Alok.crt -CAkey rootCA_Alok.key -in IdP.csr -out IdP.crt -days 365 -CAcreateserial

SPS key and certificate (signed by the same CA):
openssl req -new -newkey rsa:4096 -nodes -keyout saml_spcs_pkcs8.key -out saml_spcs.csr
Note: -nodes leaves the private key unencrypted (no passphrase).
openssl rsa -in saml_spcs_pkcs8.key -out saml_spcs_pkcs1.key
openssl x509 -req -CA rootCA_Alok.crt -CAkey rootCA_Alok.key -in saml_spcs.csr -out saml_spcs.crt -days 365 -CAcreateserial