DARIAH-DE / shib-http-client

Minimalistic wrapper around the Apache HTTPClient adding Shibboleth support
Apache License 2.0

shib-http-client

A bit of naming first:

The process goes roughly like this:

  1. You make a request to the SP
  2. The SP wants to know who you are
  3. You ask the IdP to prove your identity by giving you a ticket
  4. You pass the ticket on to the SP
  5. The SP replies to your request

The goal of this project is to perform steps 2 to 4 for you.

This client aims to be minimalistic but functional. So the "features" are:

Example

import java.io.InputStream;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.opensaml.DefaultBootstrap;

import de.tudarmstadt.ukp.shibhttpclient.ShibHttpClient;

// Initialize OpenSAML (once, before the client is created)
DefaultBootstrap.bootstrap();

// Arguments: IdP ECP endpoint URL, user name, password, and whether to accept
// any server certificate. "true" disables TLS certificate verification; that is
// convenient against a test IdP with a self-signed certificate, but it lets a
// man-in-the-middle read the password, so pass "false" in production.
HttpClient client = new ShibHttpClient(aIdpUrl, aUsername, aPassword, true);
HttpGet req = new HttpGet("https://my/protected/url");
HttpResponse res = client.execute(req);
InputStream in = res.getEntity().getContent(); // the response body as an InputStream

Download

shib-http-client is available from Maven Central.

You can download and use it as a JAR, or you can add it to a Maven project as a dependency:

<dependency>
    <groupId>de.tudarmstadt.ukp.shibhttpclient</groupId>
    <artifactId>shib-http-client</artifactId>
    <version>1.0.0</version>
</dependency>

Troubleshooting

IdP URL sanity check

The IdP URL should point directly at the ECP profile endpoint of the IdP, so it should be similar to this:

https://MY-IDP-HOST/idp/profile/SAML2/SOAP/ECP

ECP check

If the client does not work as expected, you should check whether the SP supports ECP at all. You can do this with a simple command (replace URL with the URL you want to test):

curl -k -I -H 'Accept: application/vnd.paos+xml' -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' URL

Note: The command is quite long. You may need to scroll sideways to see the rest. If the SP has ECP enabled, the reply looks roughly like this:

HTTP/1.1 200 OK
Date: Wed, 23 Oct 2013 10:54:36 GMT
Server: Apache/2.2.17 (Linux/SUSE)
Expires: 01-Jan-1997 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Content-Length: 1356
Content-Type: application/vnd.paos+xml

If the reply does not look approximately like this, in particular if the Content-Type: application/vnd.paos+xml line is missing, then the remote host does not have ECP enabled and you cannot use this client to access it. Ask the administrator of the remote host to enable the ECP profile.
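The same check, scripted so that it can be run against many SPs or evaluated on a reply captured earlier. This is an added example and not part of the shib-http-client project; the function names (ecp_check_headers, ecp_status, ecp_probe) and the sample replies are constructed for illustration. Unlike the curl line above, ecp_probe omits -k, so the SP's TLS certificate is still verified.

```shell
#!/bin/sh
# Added example (not from the shib-http-client project): decide from the
# response headers of the ECP probe whether an SP supports the ECP profile.

PAOS_TYPE='application/vnd.paos+xml'

# Read "curl -I" style response headers from stdin. Return 0 only when the
# status is 200 and the Content-Type is the PAOS media type. Anything else
# (a redirect to a login page, an HTML body) means the SP fell back to the
# browser-based profile and ECP is not available on that URL.
ecp_check_headers() {
    status=''
    ctype=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            HTTP/*)               status=$line ;;
            [Cc]ontent-[Tt]ype:*) ctype=${line#*:} ;;
        esac
    done
    case "$status" in
        'HTTP/'*' 200'*) ;;
        *)               return 1 ;;
    esac
    case "$ctype" in
        *"$PAOS_TYPE"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Take a header block as one string, strip the CR line endings HTTP uses,
# and print a one-word verdict.
ecp_status() {
    if printf '%s\n' "$1" | tr -d '\r' | ecp_check_headers; then
        echo ECP_ENABLED
    else
        echo ECP_DISABLED
    fi
}

# Probe a live URL (needs network). Same headers as the README's curl line,
# but without -k: a certificate error is reported instead of ignored.
ecp_probe() {
    ecp_status "$(curl -sS -I -H "Accept: $PAOS_TYPE" \
        -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
        "$1")"
}

# Constructed sample replies (not captured from a real host).
ECP_OK='HTTP/1.1 200 OK
Content-Type: application/vnd.paos+xml
Content-Length: 1356'

ECP_MISSING='HTTP/1.1 302 Found
Location: https://sp.example.org/login
Content-Type: text/html'

ecp_status "$ECP_OK"        # ECP_ENABLED
ecp_status "$ECP_MISSING"   # ECP_DISABLED
```

To test a real host, call `ecp_probe https://sp.example.org/secure`; a 200 with an HTML Content-Type is reported as ECP_DISABLED just like a redirect, since in both cases the SP answered with its browser login flow instead of a PAOS envelope.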

Acknowledgements

Thanks to the folks from the Shibboleth mailing list.

The development of this project was supported by the DARIAH-DE project.


The development of this project was supported by PaNData as part of the Umbrella ID system.


Licensed under the Apache Software License 2.0. For copyright information, refer to the NOTICE.txt file.
