Simple Java client for accessing Shibboleth-protected services?

Richard Eckart de Castilho richard.eckart at gmail.com
Sun Jul 14 12:07:17 EDT 2013


Hi,

I have implemented an HttpClient variant based on Apache Commons httpcore 4.2.2 and opensaml 2.5.3 which tries to detect if the remote site is protected using Shibboleth and if so, tries to log in to a predefined IdP using ECP and a username and password.

The authentication itself is based on a Java port of the simple bash ECP script [1].

The approach of using an HttpRequestPostprocessor used by the jasig SAML provider [2] was very useful.

The nice thing is that the implementation actually seems to work. I have one remote IdP and SP against which I can test and that appears to work nicely.

However, when trying to test with a locally installed SP using the Spring Security SAML integration and the TestShib.org IdP, it doesn't seem to work. I'm trying to log in with the username/password combination "myself"/"myself" by sending an "Authorization" HTTP header with the base64-encoded credentials along with the login request to the IdP. The IdP replies with this:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_ab950a185ec33e5d49ec567556ab0dcd" InResponseTo="a2952ea74iidja8f658j6ja7041e1g" IssueInstant="2013-07-14T16:03:03.289Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </saml2p:StatusCode>
  </saml2p:Status>
</saml2p:Response>

Since this approach appears to be working against my other IdP (no idea what implementation that is), I wonder what the problem is.

Any ideas?

Cheers,

-- Richard

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash

[2] http://grepcode.com/file/repo1.maven.org/maven2/org.jasig.service/delegated-saml-authentication/1.1.2/org/jasig/portal/security/provider/saml/HttpRequestPostprocessor.java#HttpRequestPostprocessor.0samlService
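
An added example, not part of the original post or of the poster's client: one way for a Java ECP client to read the nested status codes of a response like the one quoted above, so that an authentication failure reported by the IdP can be told apart from other errors. The class name `SamlStatusChain`, its methods, and the sample XML are constructed for illustration; the parser refuses DOCTYPE declarations because the response arrives from the network.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SamlStatusChain {  // hypothetical helper class, not from the post
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Returns the StatusCode values from the outermost to the innermost one.
    static List<String> statusChain(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Untrusted input: enable secure processing and reject any DTD (no external entities).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // Works whether the Response is the root element or wrapped in a SOAP envelope.
        Element status = (Element) doc.getElementsByTagNameNS(SAMLP, "Status").item(0);
        List<String> chain = new ArrayList<>();
        Element code = status == null ? null : firstChild(status, "StatusCode");
        while (code != null) {
            chain.add(code.getAttribute("Value"));
            code = firstChild(code, "StatusCode");  // descend into the nested code
        }
        return chain;
    }

    static Element firstChild(Element parent, String name) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && SAMLP.equals(n.getNamespaceURI()) && name.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with the same status structure as the quoted response.
        String xml = "<saml2p:Response xmlns:saml2p=\"" + SAMLP + "\" ID=\"_constructed\" Version=\"2.0\">"
            + "<saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\">"
            + "<saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:AuthnFailed\"/>"
            + "</saml2p:StatusCode></saml2p:Status></saml2p:Response>";
        System.out.println(statusChain(xml));
    }
}
```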

