Minimalistic wrapper around the Apache HTTPClient adding Shibboleth support
A bit of naming first:
The process goes roughly like this:
The goal of this project is to perform the steps 2-4 for you.
This client aims to be minimalistic but functional, so the "features" are:
```java
import java.io.InputStream;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.opensaml.DefaultBootstrap;

import de.tudarmstadt.ukp.shibhttpclient.ShibHttpClient;

// Initialize OpenSAML
DefaultBootstrap.bootstrap();
// The last argument indicates to accept any certificate
// (pass false in production so the IdP's TLS certificate is actually verified)
HttpClient client = new ShibHttpClient(aIdpUrl, aUsername, aPassword, true);
HttpGet req = new HttpGet("https://my/protected/url");
HttpResponse res = client.execute(req);
InputStream in = res.getEntity().getContent(); // returns an InputStream
```
shib-http-client is available from Maven Central.
You can download and use it as a JAR, or you can add it to a Maven project as a dependency:
```xml
<dependency>
  <groupId>de.tudarmstadt.ukp.shibhttpclient</groupId>
  <artifactId>shib-http-client</artifactId>
  <version>1.0.0</version>
</dependency>
```
The IdP URL should point directly at the ECP profile endpoint of the IdP, so it should be similar to this:
https://MY-IDP-HOST/idp/profile/SAML2/SOAP/ECP
If the client does not work as expected, you should check whether the SP supports ECP at all. You can do this with a 'simple' command (replace URL with the URL you want to test):

```sh
curl -k -I -H 'Accept: application/vnd.paos+xml' -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' URL
```
Note: The command is quite long. You may need to scroll sideways to see the rest.
The reply should look like this:

```
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2013 10:54:36 GMT
Server: Apache/2.2.17 (Linux/SUSE)
Expires: 01-Jan-1997 12:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Content-Length: 1356
Content-Type: application/vnd.paos+xml
```
If the reply does not look approximately like this, in particular if the Content-Type line is not there, then the remote host does not have ECP enabled and you cannot use this client to access the host. Ask the administrator of the remote host to enable the ECP profile.
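The check above, scripted: an added example (not part of shib-http-client) that sends the same PAOS request and decides from the response headers whether the SP has ECP enabled. The function names `fetch_ecp_headers` and `sp_supports_ecp` are my own; the sample header blocks in the comments are constructed.

```sh
#!/bin/sh
# Same Accept/PAOS headers as the curl line above.
PAOS_HEADER='PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'

# Fetch only the response headers of URL $1 as an ECP client would
# (-k matches the README's command; drop it once the SP certificate is trusted).
fetch_ecp_headers() {
  curl -sS -k -I -H 'Accept: application/vnd.paos+xml' -H "$PAOS_HEADER" "$1"
}

# Read a header block from stdin. Return 0 only if the status is 200 and the
# Content-Type is application/vnd.paos+xml; anything else (a 302 to a login
# page, a 200 text/html page, no Content-Type) means ECP is not enabled.
sp_supports_ecp() {
  headers=$(tr -d '\r')
  status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
  ctype=$(printf '%s\n' "$headers" | grep -i '^Content-Type:' | head -n1 | cut -d: -f2- | tr -d ' ')
  if [ "$status" = "200" ]; then
    case "$ctype" in
      application/vnd.paos+xml*) return 0 ;;
    esac
  fi
  return 1
}

# Usage: check_sp https://sp.example.org/protected/   (hypothetical URL)
check_sp() {
  if fetch_ecp_headers "$1" | sp_supports_ecp; then
    echo "ECP enabled on $1"
  else
    echo "ECP NOT enabled on $1 (ask the SP administrator to enable the ECP profile)"
    return 1
  fi
}
```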
Thanks to the folks from the Shibboleth mailing list.
The development of this project was supported by the DARIAH-DE project.
The development of this project was supported by PaNData as part of the Umbrella ID system.
Licensed under the Apache Software License 2.0. For copyright information, refer to the NOTICE.txt file.