
saml-client's Introduction


Dead Simple SAML 2.0 Client

This library implements a very simple SAML 2.0 client that allows retrieving an authenticated identity from a compliant identity provider, using the HTTP POST binding.

It is based on the OpenSAML library and only provides the glue code needed to make it work in a basic scenario. This is by no means a complete implementation supporting every SAML detail, but it does perform the basic tasks of generating requests and validating responses. It is useful if you need to authenticate with SAML but don't want to bring in a very large framework such as Spring Security.

In order to work, the library must be provided with the XML metadata obtained from the identity provider. It is also possible to initialize it by directly providing the required values.

As of now, I've tested the library with ADFS and Okta as identity providers.

Maven

Add this dependency to your pom.xml to reference the library:

    <dependency>
      <groupId>com.coveo</groupId>
      <artifactId>saml-client</artifactId>
      <version>5.0.0</version>
    </dependency>

The latest OpenSAML versions are hosted only on the Shibboleth repository. Therefore, to use this library, you also need to add this to your pom.xml:

    <repositories>
      <repository>
        <id>shibboleth</id>
        <url>https://build.shibboleth.net/maven/releases</url>
      </repository>
    </repositories>

or with Gradle:

    repositories {
        maven {
            url 'https://build.shibboleth.net/maven/releases'
        }
        mavenCentral()
    }

Usage

SAML authentication process overview

A SAML authentication exchange involves sending a SAML request to the Identity Provider (ADFS, Okta, etc.) and then receiving a signed SAML response. Both the request and the response are transferred through HTTP POST requests made from the browser (other means of exchanging the data exist, but aren't supported by this library).

This library provides an easy way to generate the SAML request, and then supports decoding and validating the response returned from the Identity Provider. It also provides a helper method to generate the HTML and JavaScript needed to properly POST the SAML request.

Creating an instance of SamlClient

    SamlClient client = SamlClient.fromMetadata("MyRelyingPartyIdentifier", "http://some/url/that/processes/assertions", "<your.IDP.metadata.xml>");

Generating a SAML request

    String encodedRequest = client.getSamlRequest();
    String idpUrl = client.getIdentityProviderUrl();
    // redirect to the identity provider, passing the encoded request with the SAMLRequest form parameter.

Processing a SAML response

    String encodedResponse = servletRequest.getParameter("SAMLResponse");
    SamlResponse response = client.decodeAndValidateSamlResponse(encodedResponse);
    String authenticatedUser = response.getNameID();

Generating a SAML logout request (SP initiated SLO)

    String encodedRequest = client.getLogoutRequest(nameID);
    // redirect to the identity provider, passing the encoded request with the SAMLRequest form parameter.

Generating a SAML logout response (IDP initiated SLO)

    // Informs the IdP of the state of the service provider logout
    String encodedResponse = client.getSamlLogoutResponse(statusCode, statusMessage);
    // redirect to the identity provider, passing the encoded logout response (a LogoutResponse travels in the SAMLResponse form parameter).

Using the helpers for servlet requests and responses

    // To initiate the authentication exchange
    client.redirectToIdentityProvider(servletResponse, null);
    ...
    // To process the POST containing the SAML response
    SamlResponse response = client.processPostFromIdentityProvider(servletRequest);
    ...
    // To process the POST containing the SAML Logout Request
    client.processLogoutRequestPostFromIdentityProvider(servletRequest, nameID);
    ...
    // To process the POST containing the SAML Logout Response
    client.processPostLogoutResponseFromIdentityProvider(servletRequest);
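Putting the pieces above together, here is an added example (not code from the saml-client README or project) of one servlet that starts the exchange and processes the POST from the IdP. It assumes the javax.servlet API, that SamlClient.fromMetadata accepts a Reader for the metadata, that the second argument of redirectToIdentityProvider is the RelayState (the README passes null there), and the relying-party identifier, URLs and file path below, which are placeholders; SamlLoginServlet and its constants are hypothetical. The library does the decoding and validation of the response; the RelayState check (tying the response to a request this SP actually started, which is what the "link between one SAML request and its SAML response" question in the issues is about) and the session rotation are application-side additions.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.coveo.saml.SamlClient;
import com.coveo.saml.SamlException;
import com.coveo.saml.SamlResponse;

// Hypothetical servlet: GET starts the login, POST is the assertion consumer endpoint.
public class SamlLoginServlet extends HttpServlet {
  // Placeholder deployment values; replace with your own.
  private static final String RELYING_PARTY_ID = "MyRelyingPartyIdentifier";
  private static final String ACS_URL = "https://sp.example.com/saml/acs";
  private static final String IDP_METADATA_PATH = "/etc/myapp/idp-metadata.xml";
  private static final String SESSION_RELAY_STATE = "saml.relayState";
  private static final String SESSION_USER = "authenticatedUser";

  private final SecureRandom random = new SecureRandom();
  private SamlClient client;

  @Override
  public void init() throws ServletException {
    // Build the client once from the IdP metadata file (assumed to be a Reader argument).
    try (Reader metadata = Files.newBufferedReader(Paths.get(IDP_METADATA_PATH))) {
      client = SamlClient.fromMetadata(RELYING_PARTY_ID, ACS_URL, metadata);
    } catch (IOException | SamlException e) {
      throw new ServletException("Could not initialise SamlClient from IdP metadata", e);
    }
  }

  // GET /saml/login: start the exchange. A random RelayState is stored in the
  // session so the response can later be matched to a request this SP started.
  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    byte[] nonce = new byte[16];
    random.nextBytes(nonce);
    String relayState = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
    req.getSession(true).setAttribute(SESSION_RELAY_STATE, relayState);
    try {
      // Assumed: second argument is the RelayState echoed back by the IdP.
      client.redirectToIdentityProvider(resp, relayState);
    } catch (SamlException e) {
      throw new ServletException("Could not build SAML request", e);
    }
  }

  // POST /saml/acs: the IdP posts SAMLResponse (and echoes RelayState) here.
  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    HttpSession session = req.getSession(false);
    String expected = session == null ? null : (String) session.getAttribute(SESSION_RELAY_STATE);
    String received = req.getParameter("RelayState");
    if (expected == null || !expected.equals(received)) {
      // No matching in-flight login in this browser session: refuse the response.
      resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unexpected or missing RelayState");
      return;
    }
    session.removeAttribute(SESSION_RELAY_STATE); // one-time use

    SamlResponse samlResponse;
    try {
      // The library decodes and validates the posted response (see decodeAndValidateSamlResponse).
      samlResponse = client.processPostFromIdentityProvider(req);
    } catch (SamlException e) {
      log("SAML response rejected: " + e.getMessage());
      resp.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML response rejected");
      return;
    }

    // Rotate the session id before it becomes an authenticated session.
    session.invalidate();
    HttpSession fresh = req.getSession(true);
    fresh.setAttribute(SESSION_USER, samlResponse.getNameID());
    resp.sendRedirect("/");
  }
}
```

Map the servlet to both /saml/login (GET) and the assertion consumer URL (POST) in web.xml, and register the same ACS URL in the ADFS Endpoints tab or the Okta Single sign on URL described below, since the IdP will only post to an endpoint it knows about.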

Identity Provider Configuration

ADFS

To configure ADFS to work with this library, open the MMC snap-in for ADFS and add a Relying Party Trust with the following properties:

  • In the Identifiers tab, add a Relying Party Identifier that matches the one you'll provide when initializing SamlClient.
  • In the Endpoints tab, add the URL that will process SAML responses to the list, using POST as the Binding value.

Then, to obtain the metadata provider XML, load this URL in your browser: https://myserver.domain.com/FederationMetadata/2007-06/FederationMetadata.xml

Okta

To configure Okta to work with this library, create a SAML 2.0 application with the following settings:

  • The Single sign on URL should be the URL that processes SAML responses (i.e. assertions).
  • The Audience URI should be a value that matches the one you'll specify when initializing SamlClient.

Encryption

To generate the public / private keys:

    openssl req -new -x509 -days 365 -nodes -sha256 -out saml-public-key.crt -keyout saml-private-key.pem

    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in saml-private-key.pem -out saml-private-key.key

    openssl pkcs8 -topk8 -nocrypt -inform PEM -in saml-private-key.key -outform DER -out saml-private-key.pk8

To add the keys:

    // Adding the keys is needed only if you have encrypted assertions or if you want to sign documents
    client.setSPKeys(publicKeyPath, privateKeyPath);


saml-client's Issues

Issues with Logout

When creating a SamlClient from metadata, it sets identityProviderUrl to the SingleSignOnService location, but nothing ever pulls out the SingleLogoutService. So later if you call one of the logout helpers, it will send a LogoutRequest to the SingleSignOnService instead of the SingleLogoutService.

https://github.com/coveooss/saml-client/blob/master/src/main/java/com/coveo/saml/SamlClient.java#L897

To work around this I wrote this code where I hard coded the URL of the SingleLogoutService:

    final String logoutRequest = samlClient.getLogoutRequest(userIdentity);

    Map<String, String> values = new HashMap<>();
    values.put("SAMLRequest", logoutRequest);
    if (relayState != null) {
        values.put("RelayState", relayState);
    }

    BrowserUtils.postUsingBrowser(singleLogoutUrl, response, values);

The IDP responded with a 400 "Error processing LogoutRequest. Single Logout Response Service location not found"

I compared the request with a LogoutRequest from a different application that uses spring-security-saml and succeeded, and the main difference I can see is the request that succeeded had a Destination attribute on the root element.

Currently SamlClient only sets that on the login request:
https://github.com/coveooss/saml-client/blob/master/src/main/java/com/coveo/saml/SamlClient.java#L779

But doesn't set that on the logout request:
https://github.com/coveooss/saml-client/blob/master/src/main/java/com/coveo/saml/SamlClient.java#L803

Link between one SAML request and its SAML response

Hi

I would like to link a SAML request to its response. After reading some things on the internet, it seems that the RelayState is meant to be used.
Is it the same as defined in the redirectToIdentityProvider method?
And by the way, do you know how to get it from a SamlResponse?

Regards
Eric (again)

Support for HTTP-Redirect

I've written in support for retrieving the HTTP-Redirect information from IdP Metadata and will submit a Pull Request for it. At least the CAS SSO server supports this method for logging into SAML SSO IdPs.

Logout request failed

Hello. I was testing the client with an ADFS identity provider. When sending a logout request to it, an error returns me indicating the following message "SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding". How could I fix this issue?
Thanks.

getIdpBinding - handle no bindings specified

I am trying to hookup SAML with PingFederate.

The metadata.xml file generated by their system does NOT include any md:SingleSignOnService... data.

It would be nice for my users if they could just export the metadata.xml and use it as is in my system instead of having to manually add an entry for md:SingleSignOnService

I would like to build up a PR to make getIdpBinding() return NULL if there was no md:SingleSignOnService at all, vs. there were some, but none matched. Then downstream, I will make the places using its result handle null by defaulting to the value from assertionConsumerServiceUrl, sort of like the opposite of what you do if it's Okta.

Support for alternative NameId policy

It's currently possible to modify the AuthnRequest string and replace the name id format, but this does not work when using client request signing.

It would be nice to have a function exposed to set the format of the name id policy, to be used when composing an AuthnRequest.

Any plans to move to OpenSAML 3.x+?

This library looks very useful. Given that OpenSAML 2.x has been EOL'd since July 2016, are there any plans to upgrade to use OpenSAML 3.x?

At the current time, 3.3.0 is the latest version

Logout request

Hello, with this client is it possible to generate a logout request and send it to the IdP so that it also closes the session there? If possible, what would such an implementation look like?
Thanks.

Getting compilation error after adding dependency in pom.xml

I am getting the following error while doing maven install. Can someone please look into this.

[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] error: error reading /Users/xxx/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar; invalid LOC header (bad signature)
[ERROR] error: error reading /Users/xxx/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.51/bcprov-jdk15on-1.51.jar; invalid CEN header (bad signature)
[INFO] 2 errors

The assertion cannot be used

Hi All,

How should I solve this problem? Thank you so much. I used Okta SSO.

com.coveo.saml.SamlException: The assertion cannot be used after 2021-09-29T03:13:30.979Z
at com.coveo.saml.ValidatorUtils.enforceConditions(ValidatorUtils.java:133)
at com.coveo.saml.ValidatorUtils.validateAssertion(ValidatorUtils.java:110)
at com.coveo.saml.ValidatorUtils.validate(ValidatorUtils.java:215)
at com.coveo.saml.SamlClient.decodeAndValidateSamlResponse(SamlClient.java:281)
at com.coveo.saml.SamlClient.processPostFromIdentityProvider(SamlClient.java:316)
at com.oktasaml.demo.MyController.index(MyController.java:95)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141)

Getting 400 Bad Request for LogoutRequest from Okta

So the LogoutRequest works for Azure Saml.
But for Okta I'm getting a 400 Bad Request.
Well, I'm not sure where to send the request in the first place, but I assume it's where the LoginRequest goes.
Though Azure has a separate URL for that.

metadata files

Hi, can you please tell me how we can convert the federationmetadata.xml file to the *.md file format? In my application they are not using any XML file; we only have a *.md file. Now it's time to update that file, as the provider's signatures changed, so I have to update the metadata info in my code. That is not an issue, but I am not getting help anywhere. Looking into my code, previously I just copy-pasted your SamlClient.java code, but they used a *.md file for metadata, which is not in your code, and there are no guidelines on how to create it either.
Please help me with this. Thanks

NoClassDefFound error on Java 11

When running on Java 11, I get a NoClassDefFound error for javax.xml.bind.ValidationException. This is because JAXB was deprecated in Java 9, and removed entirely from Java 11. Two possible fixes:

  1. Use org.xml.sax.SAXException instead
  2. Add a Maven dependency for jaxb-api

I have tried and tested the first way, and it works in 3.0.1 and 4.0.0 snapshot. I can create a pull request for that. Some people might prefer the second way, which I have not tried yet. Is there a preference?

Can't use ForceAuthn attribute in the Authn request

I'm trying to use the client for identity provider redirection, and to force authentication in the provider.
What I need is to add ForceAuthn="true" to the saml2p:AuthnRequest tag, but I don't see any way to do it in the client. I'm using the client as follows:

    SamlClient client = new SamlClient(relyingPartyIdentifier, assertionConsumerService, identityProviderUrl, responseIssuer, certs, SamlClient.SamlIdpBinding.POST);
    client.getSamlRequest();
    client.redirectToIdentityProvider(response, customerId);

And I can see the ForceAuthn attribute exists in the lib code, but I didn't find how to use it.

Capturing the Saml Response URL

We are integrating SAML into an existing Java 'Spring MVC' web app (war) that is not using springboot or maven.
Our IDE is Netbeans.

How would we configure an endpoint to receive the SAML Response callback from the idp?
https://www.billgoobs.com/myapp/saml/SSO?SAMLResponse=ghgadhgkjadhgkjahkga

I'm not asking about how to extract the value from the SAMLResponse query string.

My question is how to setup a post endpoint or listener in our java web app that will be hit when the idp makes the https://www.billgoobs.com/myapp/saml/SSO?SAMLResponse=ghgadhgkjadhgkjahkga callback.

Instance SamlClient throws certificate exception

Hi there, I am new to SAML and SSO. I was trying to instantiate SamlClient and passed my IdP Metadata.xml as an argument. The metadata I am using does have a ds:X509Certificate tag in it, but I am getting a "certificate" exception. Can you please let me know why this is happening, or is there any workaround that I could try? Thank you!

New tag version on par with master?

Hi,

I'm curious to know if you are looking to publish a new tag with what's in master now. I'm looking to use this library and get attributes from the XML response, but 3.0.2 doesn't have some handy methods like getAttributes.

Thanks,
Jimmy

Thank you very much

SAML puzzled me for many days, and this client solved it in the simplest way! Thanks a lot.

Saml Client for Ping ID

We are trying to use this client for Ping ID. How can we use it for Ping ID? If it already works, could you please share some examples.

Thank you

NameID is treated as required rather than optional

SamlClient.decodeAndValidateSamlResponse() fails if the response doesn't contain NameID. It seems like the field used to be required, but isn't anymore at the moment.

Although most IDPs probably do send it, or should be configurable to, we currently have no way of accepting responses without NameID, and no way of convincing IDPs outside of our control to change this (since they are apparently sending out a compliant response).

Could the requirement be dropped, perhaps in favor of a warning, or otherwise have some option of disabling the requirement?

See also this thread: SAML-Toolkits/python-saml#112

XML parse error for LogoutResponse from Azure

Hi.

When I have "Logout URL" configured in Azure SAML, then I'll get a request from Azure containing a SAMLResponse which contains a LogoutResponse.
But the client bails out when parsing the response.

The response seems to be signed.

There's no method to validate LogoutRequest without specifying NameID

The method in SamlClient that processes a POST containing the SAML logout request always expects a NameID, but in my case I'm not getting the NameID as an additional parameter from the IDP.

The method I'm using is: https://github.com/coveooss/saml-client/blob/7d334b40558aaa02d3931e0db21c8d39dde5f640/src/main/java/com/coveo/saml/SamlClient.java#L871

There should be an overloaded method that should validate the LogoutRequest but without NameID.

Like below.

    /**
     * Processes a POST containing the SAML logout request.
     *
     * @param request the {@link HttpServletRequest}.
     * @return A {@link LogoutRequest} object containing information decoded from the SAML Logout
     *         Request.
     * @throws SamlException thrown if an unexpected error occurs.
     */
    public LogoutRequest processLogoutRequestPostFromIdentityProvider(HttpServletRequest request)
        throws SamlException {
      String encodedResponse = request.getParameter(HTTP_REQ_SAML_PARAM);
      return decodeSamlLogoutRequest(encodedResponse, request.getMethod());
    }

Vulnerable for XSW2

We found that saml-client is vulnerable to XSW2 attacks. I have not been able to establish whether the cause lies in this library or in the underlying OpenSAML library.

Receiving 400 Bad Request when authenticating with Okta

When redirecting to Okta, I'm receiving a 400 Bad Request error on the Okta side. I'm using the metadata that they provided and all of the URLs appear to match up between my side and the Okta side. Is there a particular Reader I should be using to serialize the metadata.xml? I've used a FileReader, BufferedReader, and InputStreamReader, but all have failed. I suspect that the bad SAML is a problem with the serialization or encoding of the request.

saml-client 4.1.0 could not resolve opensaml 4.2.0 dependencies

Attempting to use saml-client version 4.1.0 fails to build:

[ERROR] Failed to execute goal on project testing: Could not resolve dependencies for project org.example:testing:jar:1.0-SNAPSHOT: The following artifacts could not be resolved: org.opensaml:opensaml-core:jar:4.2.0, org.opensaml:opensaml-saml-api:jar:4.2.0, org.opensaml:opensaml-saml-impl:jar:4.2.0: Could not find artifact org.opensaml:opensaml-core:jar:4.2.0 in artifactory ...

I believe this is because maven central does not have version 4.2.0 yet: https://mvnrepository.com/artifact/org.opensaml/opensaml-core

The latest version in maven central seems to be 4.0.1

unable to get required help to accomplish SLO with okta

Unable to use SLO; how do I direct the request to the SLO URL?

I am trying to use saml-client for SP-initiated logout with Okta. I am able to use SSO login with Okta, but I need guidance on how to proceed.

    public String sendSAMLRequest(String loggedinUser) throws SamlException, FileNotFoundException {
        String publicKeyPath = "cert.x509.pem";
        String privateKeyPath = "private.pk8";
        final String fileSeparator = System.getProperty("file.separator");
        final File file = PathUtils.getTempFile(getServerPath(), "metadata", ".xml");
        final File directory = FileUtils.getFile(getServerPath(), "WEB-INF" + fileSeparator + "classes");
        final File metadatafile = new File(directory + fileSeparator + SamlReportAuditFactory.FILE_NAME);
        FileReader fileReader = new FileReader(metadatafile);
        SamlClient client = SamlClient.fromMetadata("http://www.okta.com/jlsdjflsjdflsjjlfjlsj", "https://localhost:8443/myapp/rest/sp/consumer", fileReader);

        final File privateKeyFile = new File(directory + fileSeparator + privateKeyPath);
        final File publicKeyFile = new File(directory + fileSeparator + publicKeyPath);
        client.setSPKeys(publicKeyFile.getAbsolutePath(), privateKeyFile.getAbsolutePath());
        String encodedRequest = client.getLogoutRequest(loggedinUser);

        return encodedRequest;
    }

servletRequest/servletResponse is not defined

    String encodedResponse = servletRequest.getParameter("SAMLResponse");
    SamlResponse response = client.decodeAndValidateSamlResponse(encodedResponse);
    String authenticatedUser = response.getNameID();
    client.redirectToIdentityProvider(servletResponse, null);
    SamlResponse response1 = client.processPostFromIdentityProvider(servletRequest);

saml-client 4.0.3 dependency convergence issue with maven-enforcer-plugin enabled

Using saml-client version 4.0.3 with maven-enforcer-plugin enabled throws the dependency convergence error:

[ERROR]
Dependency convergence error for org.slf4j:slf4j-api:1.7.7 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-core:3.4.6
      +-io.dropwizard.metrics:metrics-core:3.1.5
        +-org.slf4j:slf4j-api:1.7.7
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-core:3.4.6
      +-net.shibboleth.utilities:java-support:7.5.2
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-core:3.4.6
      +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-xmlsec-api:3.4.6
        +-org.opensaml:opensaml-security-api:3.4.6
          +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-xmlsec-api:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-soap-api:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-messaging-api:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-profile-api:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-storage-api:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-security-impl:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-xmlsec-impl:3.4.6
        +-org.apache.santuario:xmlsec:2.0.10
          +-org.slf4j:slf4j-api:1.7.25
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-xmlsec-impl:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-soap-impl:3.4.6
        +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.slf4j:slf4j-api:1.7.30
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.slf4j:slf4j-api:1.7.30

[ERROR]
Dependency convergence error for commons-codec:commons-codec:1.10 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-core:3.4.6
      +-net.shibboleth.utilities:java-support:7.5.2
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-core:3.4.6
      +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-xmlsec-api:3.4.6
        +-org.opensaml:opensaml-security-api:3.4.6
          +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-xmlsec-api:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-soap-api:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-messaging-api:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-profile-api:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-storage-api:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-security-impl:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-xmlsec-impl:3.4.6
        +-org.apache.santuario:xmlsec:2.0.10
          +-commons-codec:commons-codec:1.11
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-xmlsec-impl:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-soap-impl:3.4.6
        +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.apache.httpcomponents:httpclient:4.5.13
        +-commons-codec:commons-codec:1.11
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-commons-codec:commons-codec:1.10
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-commons-codec:commons-codec:1.14

[ERROR]
Dependency convergence error for com.fasterxml.woodstox:woodstox-core:5.0.3 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-xmlsec-impl:3.4.6
        +-org.apache.santuario:xmlsec:2.0.10
          +-com.fasterxml.woodstox:woodstox-core:5.0.3
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-com.fasterxml.woodstox:woodstox-core:5.3.0

[ERROR]
Dependency convergence error for org.bouncycastle:bcprov-jdk15on:1.59 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-api:3.4.6
      +-org.opensaml:opensaml-xmlsec-api:3.4.6
        +-org.opensaml:opensaml-security-api:3.4.6
          +-org.bouncycastle:bcprov-jdk15on:1.59
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.opensaml:opensaml-xmlsec-impl:3.4.6
        +-org.cryptacular:cryptacular:1.1.4
          +-org.bouncycastle:bcprov-jdk15on:1.59
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.bouncycastle:bcprov-jdk15on:1.67

[ERROR]
Dependency convergence error for commons-collections:commons-collections:3.2.1 paths to dependency are:
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-org.opensaml:opensaml-saml-impl:3.4.6
      +-org.apache.velocity:velocity:1.7
        +-commons-collections:commons-collections:3.2.1
and
+-org.example:testing:1.0-SNAPSHOT
  +-com.coveo:saml-client:4.0.3
    +-commons-collections:commons-collections:3.2.2

Here's my pom.xml file

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>testing</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>com.coveo</groupId>
            <artifactId>saml-client</artifactId>
            <version>4.0.3</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <version>1.0.1</version>
                <executions>
                    <execution>
                        <id>enforce</id>
                        <configuration>
                            <rules>
                                <DependencyConvergence/>
                            </rules>
                        </configuration>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

Login Successful on ADFS but there are some NameIDPolicyException on ADFS

I am able to log in via ADFS and am also successfully redirected to the desired page, but in the ADFS Event Viewer there is an error:
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified SPNameQualifier: . Actual NameID properties: null. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Also, when I try to decode the response via SamlClient.decodeAndValidateSamlResponse(), it fails in validateResponse(). This is the error while decoding the SAMLResponse:

    Exception in thread "main" com.coveo.saml.SamlException: Invalid status code: urn:oasis:names:tc:SAML:2.0:status:Requester
        at com.coveo.saml.SamlClient.validateResponse(SamlClient.java:457)
        at com.coveo.saml.SamlClient.decodeAndValidateSamlResponse(SamlClient.java:284)
        at com.coveo.saml.Main.decodeAndValidateResponse(Main.java:41)
        at com.coveo.saml.Main.main(Main.java:48)

What other things do I need to do?

decodeAndValidate: AssertionImpl cannot be cast to Response

Hello,
I'm having the following issue when trying to call decodeAndValidateSamlResponse:

    java.lang.ClassCastException: org.opensaml.saml2.core.impl.AssertionImpl cannot be cast to org.opensaml.saml2.core.Response

which occurs in the following part:

    (Response) Configuration.getUnmarshallerFactory()
                      .getUnmarshaller(parser.getDocument().getDocumentElement())
                      .unmarshall(parser.getDocument().getDocumentElement());

Does anyone have any suggestions?
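The two failures reported above (the `Invalid status code: ...:Requester` from validateResponse() and the ClassCastException from the unmarshaller) are both easier to diagnose if the raw SAMLResponse is looked at before it is handed to decodeAndValidateSamlResponse(): a top-level StatusCode of urn:oasis:names:tc:SAML:2.0:status:Requester means the IdP rejected the request, and the second-level StatusCode and StatusMessage, when the IdP includes them, say why (in the ADFS case above, the NameIDPolicy); a ClassCastException to Response means the root element was not a samlp:Response at all, for example a bare saml:Assertion. The script below is an added example, not code from this page or from the saml-client project. The two SAML documents in it are constructed, and the second-level status code and message text are assumptions about what an IdP might send, not captured ADFS output.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def split_tag(tag):
    """ElementTree spells a namespaced tag as '{ns}local'; return (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def classify_root(root):
    """Name the top-level SAML element so the caller can pick a handler
    instead of blindly casting to Response (the ClassCastException above)."""
    ns, local = split_tag(root.tag)
    if ns == SAMLP and local == "Response":
        return "Response"
    if ns == SAML and local in ("Assertion", "EncryptedAssertion"):
        return local
    return f"unexpected:{ns}:{local}"


def status_chain(root):
    """Return (StatusCode values outermost first, StatusMessage or None).
    The nested code, when present, explains the top-level Requester/Responder."""
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        return [], None
    codes = []
    code = status.find(f"{{{SAMLP}}}StatusCode")
    while code is not None:
        codes.append(code.get("Value"))
        code = code.find(f"{{{SAMLP}}}StatusCode")
    return codes, status.findtext(f"{{{SAMLP}}}StatusMessage")


def inspect_xml(xml_doc):
    """Diagnostics only: no signature or condition checks happen here."""
    root = ET.fromstring(xml_doc)
    kind = classify_root(root)
    result = {"root": kind, "codes": [], "message": None, "success": False}
    if kind == "Response":
        result["codes"], result["message"] = status_chain(root)
        result["success"] = result["codes"][:1] == [STATUS_SUCCESS]
    return result


def inspect_post_binding_message(saml_response_b64):
    """Decode the base64 SAMLResponse form field (HTTP-POST binding) and inspect it."""
    return inspect_xml(base64.b64decode(saml_response_b64))


def b64(xml_text):
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


# Constructed sample: a Response carrying a Requester failure with a nested
# code and a message (hypothetical; the real ADFS message text may differ).
FAILED_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2023-09-05T17:47:36Z"
    Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>NameIDPolicy was not satisfied by the issued token</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: an IdP that posts a bare Assertion instead of a Response.
BARE_ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2023-09-05T17:47:36Z">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
</saml:Assertion>"""

if __name__ == "__main__":
    for sample in (FAILED_RESPONSE_XML, BARE_ASSERTION_XML):
        print(inspect_post_binding_message(b64(sample)))
```

Run this against the value of the SAMLResponse form field captured from the browser (before any library call). A non-Success top-level code is the IdP's verdict on the AuthnRequest, so the fix is on the request side (here, the NameIDPolicy sent to ADFS), not in response validation; a root other than samlp:Response means the IdP is configured to emit something this library's decode path does not expect.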

metadata reader

Hi

Should I close the Reader passed to SamlClient.fromMetadata ?

Thanks
Eric

Support for RetrievalMethod for encrypted assertions

Please see the datb-com fork of this for a 3-line modification to decodeEncryptedAssertion() that uses SimpleRetrievalMethodEncryptedKeyResolver to add support where an IdP (in this case Liferay 7.4) provides encrypted assertions and specifies the EncryptionKey outside of the EncryptedData, referenced using RetrievalMethod. There is already a pull request open from a previous change (and I'm not a GitHub expert), so please contact me for further info.

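The structural difference the post above describes is where the wrapped data-encryption key sits: most IdPs put the xenc:EncryptedKey inline inside the EncryptedData's ds:KeyInfo, while Liferay places it as a sibling of EncryptedData inside the EncryptedAssertion and points at it from KeyInfo with a ds:RetrievalMethod whose URI is a same-document reference. The Python below is an added example of locating the key in both layouts; it is not code from the page, from saml-client or from OpenSAML's SimpleRetrievalMethodEncryptedKeyResolver, and it stops at locating the element (no decryption). Both EncryptedAssertion documents are constructed, with placeholder CipherValues.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENCRYPTED_KEY_TYPE = XENC + "EncryptedKey"


def locate_encrypted_key(encrypted_assertion):
    """Find the xenc:EncryptedKey wrapping the data key for the EncryptedData
    inside a saml:EncryptedAssertion. Returns ("inline" | "retrieval", element)."""
    enc_data = encrypted_assertion.find(f"{{{XENC}}}EncryptedData")
    if enc_data is None:
        raise ValueError("EncryptedAssertion has no EncryptedData")
    key_info = enc_data.find(f"{{{DS}}}KeyInfo")
    if key_info is None:
        raise ValueError("EncryptedData has no KeyInfo")

    # Case 1: the key is carried inline in KeyInfo.
    inline = key_info.find(f"{{{XENC}}}EncryptedKey")
    if inline is not None:
        return "inline", inline

    # Case 2: KeyInfo only references a key that lives elsewhere.
    for rm in key_info.findall(f"{{{DS}}}RetrievalMethod"):
        if rm.get("Type") != ENCRYPTED_KEY_TYPE:
            continue
        uri = rm.get("URI", "")
        if not uri.startswith("#"):
            # Same-document references only; never fetch a remote URI here.
            raise ValueError(f"refusing non-local RetrievalMethod URI {uri!r}")
        wanted = uri[1:]
        # Resolve only among EncryptedKey children of this EncryptedAssertion,
        # so an element planted elsewhere in the document cannot be selected.
        for ek in encrypted_assertion.findall(f"{{{XENC}}}EncryptedKey"):
            if ek.get("Id") == wanted:
                return "retrieval", ek
        raise ValueError(f"RetrievalMethod points at unknown EncryptedKey {wanted!r}")
    raise ValueError("no EncryptedKey and no usable RetrievalMethod in KeyInfo")


def describe_encrypted_key(xml_text):
    root = ET.fromstring(xml_text)
    how, ek = locate_encrypted_key(root)
    alg = ek.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm")
    cipher = ek.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue").text
    return {"how": how, "algorithm": alg, "cipher_value": cipher}


# Constructed samples (not real IdP output); CipherValues are placeholders.
_KEY = (f'<xenc:EncryptedKey Id="_ek1">'
        f'<xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>'
        '<xenc:CipherData><xenc:CipherValue>d3JhcHBlZC1rZXk=</xenc:CipherValue></xenc:CipherData>'
        '</xenc:EncryptedKey>')
_HEAD = (f'<saml:EncryptedAssertion xmlns:saml="{SAML}" xmlns:xenc="{XENC}" xmlns:ds="{DS}">'
         f'<xenc:EncryptedData Id="_ed1" Type="{XENC}Element">'
         f'<xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>')
_TAIL = ('<xenc:CipherData><xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData>'
         '</xenc:EncryptedData>')

# Layout most IdPs use: EncryptedKey inside KeyInfo.
INLINE_KEY_XML = _HEAD + f'<ds:KeyInfo>{_KEY}</ds:KeyInfo>' + _TAIL + '</saml:EncryptedAssertion>'
# Layout described in the post: KeyInfo holds only a RetrievalMethod, key is a sibling.
RETRIEVAL_KEY_XML = (_HEAD
                     + f'<ds:KeyInfo><ds:RetrievalMethod URI="#_ek1" Type="{ENCRYPTED_KEY_TYPE}"/></ds:KeyInfo>'
                     + _TAIL + _KEY + '</saml:EncryptedAssertion>')

if __name__ == "__main__":
    print(describe_encrypted_key(INLINE_KEY_XML))
    print(describe_encrypted_key(RETRIEVAL_KEY_XML))
```

The two guards in the resolver matter more than the lookup itself: a RetrievalMethod URI that is not a same-document reference must not be dereferenced, and Id resolution should be scoped to the EncryptedAssertion rather than the whole document, since resolving Ids globally is the pattern that lets an attacker-supplied element be picked over the intended one.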

Destination URI in Logout Request

Hello.
I have seen that when the logout request is made, it does not contain the attribute "Destination". Is there any way to add it? The IdP gives me an error for that reason.
Thanks.

initMetadataResolver Exception

I have the following setup that works perfectly in my test cases:

        InputStream inputStream = ClassLoader.getSystemResourceAsStream("misc/idp_meta.xml");
        Reader metadata = new InputStreamReader(inputStream);

        // Create the client
        SamlClient client = SamlClient.fromMetadata(
                "https://...",
                "https://.../#/login",
                metadata,
                SamlClient.SamlIdpBinding.POST);

This works exactly as expected. However, when I build the project using maven-shade-plugin and run the identical method, I get the following error:

    java.lang.NullPointerException
        at org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:68)
        at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:287)
        at net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:61)
        at com.coveo.saml.SamlClient.createMetadataResolver(SamlClient.java:574)
        at com.coveo.saml.SamlClient.fromMetadata(SamlClient.java:390)
        at com.coveo.saml.SamlClient.fromMetadata(SamlClient.java:362)

Any ideas on why this might be happening?

Redirect binding requires compression

In the Redirect binding, the SAML request should be compressed and then base64-encoded, but the current (1.5.0) code doesn't compress. That makes some IdPs (OpenAM) unhappy.
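The "Destination URI in Logout Request" and "Redirect binding requires compression" posts above both concern how a request is put on the wire: the Destination attribute must name the IdP endpoint the message is sent to (an IdP that checks it rejects a request without it), and under the HTTP-Redirect binding the XML is DEFLATE-compressed (raw stream, no zlib header) before being base64-encoded and URL-encoded into the query string, whereas the HTTP-POST binding base64-encodes the XML as is. The Python below is an added example showing a LogoutRequest with Destination and both encodings with their inverses; it is not code from the page or from saml-client, and the library's own request builder and SamlIdpBinding handling are not modeled. The issuer, NameID, endpoints and timestamp are made up, and the Redirect-binding signature parameters (SigAlg, Signature) are out of scope.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer, name_id, destination, request_id, issue_instant):
    """Build a LogoutRequest whose Destination names the IdP SLO endpoint it is sent to."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"}).text = name_id
    return ET.tostring(req, encoding="unicode")


def destination_matches(xml_text, endpoint):
    """Receiver-side check: Destination must equal the endpoint actually used."""
    return ET.fromstring(xml_text).get("Destination") == endpoint


def encode_post_binding(xml_text):
    """HTTP-POST binding: plain base64 in the SAMLRequest form field, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(b64):
    return base64.b64decode(b64).decode("utf-8")


def encode_redirect_binding(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded query string.
    Skipping the DEFLATE step is the bug reported above."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_binding(query_string, max_bytes=1 << 20):
    """Inverse of encode_redirect_binding, as an IdP would do it. Inflation is capped
    so a tiny query string cannot expand into an arbitrarily large document."""
    b64 = parse_qs(query_string)["SAMLRequest"][0]
    d = zlib.decompressobj(-15)
    xml_bytes = d.decompress(base64.b64decode(b64), max_bytes)
    if d.unconsumed_tail:
        raise ValueError("SAMLRequest exceeds inflation limit")
    return xml_bytes.decode("utf-8")


def redirect_payload_is_compressed(query_string):
    """True if SAMLRequest does not base64-decode to bare XML, i.e. DEFLATE was applied."""
    raw = base64.b64decode(parse_qs(query_string)["SAMLRequest"][0])
    return not raw.lstrip().startswith(b"<")


if __name__ == "__main__":
    # Constructed values, not a real deployment.
    slo = "https://idp.example.test/slo"
    req = build_logout_request("https://sp.example.test/metadata", "alice",
                               slo, "_lr1", "2023-09-05T17:47:36Z")
    print(req)
    print("redirect:", encode_redirect_binding(req, relay_state="/app"))
    print("post:", encode_post_binding(req))
```

If an IdP accepts the POST-binding form of a request but rejects the Redirect-binding form of the same XML, redirect_payload_is_compressed() on the generated query string is the first thing to check; the encodings differ only in the DEFLATE step and the URL encoding.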
