Minimalistic wrapper around the Apache HTTPClient adding Shibboleth support
A bit of naming first:
- IdP (identity provider) - the server who knows who you are
- SP (service provider) - the server who wants to know who you are
- ECP (Enhanced Client or Proxy) - the protocol used by this client to perform authentication (needs to be enabled on the IdP and SP, see Troubleshooting below)
The process goes roughly like this:
- You make a request to the SP
- SP wants to know who you are
- You ask IdP to prove your identity by giving you a ticket
- You pass the ticket on to the SP
- the SP replies to your request
The goal of this project is to perform the steps 2-4 for you.
This client aims to be minimalisic but functional. So the "features" are:
- No IdP discovery - a pre-defined IdP is used
- No fancy logins - login to the IdP happens via HTTP Basic authentication
- No certificate checks - it is easy to disable all certificate checks. If you don't disable this, make sure your Java environment knows about the certificates used by the IdP and SP.
// Initialize OpenSAML DefaultBootstrap.bootstrap(); // The last argument indicates to accept any certificate HttpClient client = new ShibHttpClient(aIdpUrl, aUsername, aPassword, true); HttpGet req = new HttpGet("https://my/protected/url"); HttpResponse res = client.execute(req); ... = res.getEntity().getContent(); // returns an InputStream
shib-http-client is available from Maven Central.
You can download and use it as a JAR, or you can add it to a Maven project as a dependency:
<dependency> <groupId>de.tudarmstadt.ukp.shibhttpclient</groupId> <artifactId>shib-http-client</artifactId> <version>1.0.0</version> </dependency>
IdP URL sanity check
The IdP URL should point directly at the ECP profile endpoint of the IdP, so it should be similar to this:
If the client does not work as expected, you should check if the SP does support ECP at all. You can do this with a 'simple' command (replace URL with the URL you want to test):
curl -k -I -H 'Accept: application/vnd.paos+xml' -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' URL
Note: The command is quite long. You may need to scroll sideways to see the rest.
HTTP/1.1 200 OK Date: Wed, 23 Oct 2013 10:54:36 GMT Server: Apache/2.2.17 (Linux/SUSE) Expires: 01-Jan-1997 12:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, private Pragma: no-cache Content-Length: 1356 Content-Type: application/vnd.paos+xml
If the reply does not look approximately like this, in particular if the Content-Type line is not there, then the remote host does not have ECP enabled and you cannot use this client to access the host. Ask the administrator of the remote host to enable the ECP profile.
Thanks to the folks from the Shibboleth mailing list.
The development of this project was supported by DARIAH-DE project.
The development of this project was supported by PaNData as part of the Umbrella ID system.
Licensed under the Apache Software License 2.0. For copyright information, refer to the NOTICE.txt file.