1) Configuring a SAML application in Okta
The first step is to create an account at Okta and configure a SAML application. This process is mapped out at the following link. Follow the steps listed on this page with the following additional changes:
- Specify the following for the Single Sign On URL and audience URI: http://localhost:8080/fedizdoubleit/racs/sso
- Specify the following for the default RelayState: http://localhost:8080/fedizdoubleit/app1/services/25
- Add an additional attribute with name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" and value "Manager".
When the application is configured, you will see an option to "View Setup Instructions". Open this link in a new tab and set it aside for the moment - it contains information required when setting up the web application. Now click on the "People" tab and assign the application to the username that you have created at Okta.
2) Setting up the SAML SSO-enabled web application
We will use a trivial "double it" web application which I wrote previously to demonstrate the SAML SSO capabilities of Apache CXF Fediz. The web application is available here. Build the web application and deploy it in Apache Tomcat. You will need to edit 'webapps/fedizdoubleit/WEB-INF/cxf-service.xml'.
a) SamlRedirectBindingFilter configuration changes
First let's look at the changes which are required to the 'SamlRedirectBindingFilter':
- Remove "idpServiceAddress" and "assertionConsumerServiceAddress". These aren't required as we are only supporting the IdP-initiated flow.
- Also remove the "signRequest", "signaturePropertiesFile", "callbackHandler", "signatureUsername" and "issuerId" properties.
- Add <property name="addWebAppContext" value="false"/>
- Add <property name="supportUnsolicited" value="true"/>
b) RequestAssertionConsumerService (RACS) configuration changes
Now add the following properties to the "RequestAssertionConsumerService":
- <property name="supportUnsolicited" value="true"/>
- <property name="idpServiceAddress" value="..."/>
- <property name="issuerId" value="http://localhost:8080/fedizdoubleit/racs/sso"/>
- <property name="parseApplicationURLFromRelayState" value="true"/>
c) Adding Okta cert into the RACS truststore
As things stand, the RACS will reject the SAML Response from Okta, because it does not trust the certificate Okta uses to sign the Response. Therefore we need to insert the Okta cert into the truststore of the RACS. Copy the "X.509 Certificate" value from the "View Setup Instructions" page referenced earlier. Create a file called 'webapps/fedizdoubleit/WEB-INF/classes/okta.cert' and paste the certificate contents into this file. Import it into the truststore via:
- keytool -keystore stsrealm_a.jks -storepass storepass -importcert -file okta.cert
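As an added example (not part of the original post or of Fediz itself), here is a small POSIX shell wrapper around the keytool import above: it checks that the pasted okta.cert file is a single PEM certificate, prints the certificate details and fingerprint so they can be compared with the Okta setup page before the cert is trusted, and stores the entry under a named alias so it can be found and replaced later. It assumes keytool is on the PATH and that the alias name is your choice.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes keytool is on PATH.

# Returns 0 if the file looks like exactly one PEM-encoded certificate,
# which is the format Okta shows under "X.509 Certificate"; 1 otherwise.
looks_like_pem_cert() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
    # A pasted file with two BEGIN markers means more than one cert was copied.
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    return 0
}

# Import the Okta signing cert into the RACS truststore.
# Arguments: cert file, truststore, store password, optional alias.
# The alias "okta-saml-signing" is an assumed name; keytool's default
# alias "mykey" makes later rotation or removal harder to do safely.
import_okta_cert() {
    cert="$1"; store="$2"; storepass="$3"; alias="${4:-okta-saml-signing}"
    looks_like_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    # Show Owner, validity and SHA-256 fingerprint; compare the fingerprint
    # with the certificate on the Okta "View Setup Instructions" page.
    keytool -printcert -file "$cert" || return 1
    # -noprompt skips the interactive "Trust this certificate?" question.
    keytool -keystore "$store" -storepass "$storepass" -importcert -noprompt \
        -alias "$alias" -file "$cert" || return 1
    # Confirm the entry landed in the truststore under the expected alias.
    keytool -keystore "$store" -storepass "$storepass" -list -alias "$alias" >/dev/null
}

# Usage matching the post's truststore and password:
# import_okta_cert okta.cert stsrealm_a.jks storepass
```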