Configuring SAML Service Provider in Application Server

All of the following configuration applies to both Windows and Linux.

1 - In the Application Server directory, extract libsamlsp-windows.zip (Windows) or libsamlsp-linux.zip (Linux).

Decompressed content:

libsamlsp.dll (Windows) or libsamlsp.so (Linux) -> dynamic library containing all SAML Service Provider functionality.

sso -> directory used exclusively by libsamlsp.

Structure of sso directory:

sso
  |- etc (SAML configuration files, certificates and private keys; restrict file-system access to this directory, since it holds the SP's private key)
  |- lib (libraries needed to run libsamlsp)
  |- share
    |- xml (schema files used to validate the configuration XML and the assertions)
  |- var
    |- cache (local copy of the configuration files of the configured IdPs)
    |- log (log files of libsamlsp, libsaml, libxmltooling, libxml-security and libxerces)


2 - Copy the file invoker-applet.jar to the directory given by the PATH key of the [HTTP] section of the Application Server configuration file.

3 - Enable the HTTP server of the Application Server: in the [HTTP] section set "Enable=1".

4 - (Optional) In the [HTTP] section, add the line "SAMLSessionName=Name of your choice". This is the name of the Service Provider's session cookie. If you omit this line, the Service Provider creates the session cookie with a default name.

5 - Configuring the Service Provider:

  5.1 - Set the entityID of the Service Provider: setSAMLID.

  5.2 - Set the entityID of the Identity Provider: setSAMLID.

  5.3 - Configure the Service Provider to retrieve the Identity Provider's configuration (metadata) file automatically: setIDPConf.

  5.4 - Install the Service Provider's digital certificate and private key: setSPCert.


Example (configuring the Service Provider to use a Shibboleth Identity Provider, here the TestShib IdP)

static function getCert()
  local certificate
  certificate := "-----BEGIN CERTIFICATE-----" + CRLF;
  + "MIIC7jCCAdagAwIBAgIJAId3b8yf3qBfMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNV" + CRLF;
  + "BAMTDXRlYy1sdmluaWNpdXMwHhcNMTIxMTIyMTk1MTEwWhcNMjIxMTIwMTk1MTEw" + CRLF;
  + "WjAYMRYwFAYDVQQDEw10ZWMtbHZpbmljaXVzMIIBIjANBgkqhkiG9w0BAQEFAAOC" + CRLF;
  + "AQ8AMIIBCgKCAQEAs+VCZmdnRg+YrN3rMl1IiNT0kpqCD6LrEU9Inw8rPSQ7uoJx" + CRLF;
  + "2wVfLSvzoMueHV7A2/GWEEQFRqJ8gyPvdO7ahJ60RzVKHAKiR/p5l2ONct7vXRVs" + CRLF;
  + "jn3ZHe0au4s1Zhx0nLaveHa3uFqbuKkvcfHz1jGmjxFF3Hgcz+wWp1qvKQWGSEzh" + CRLF;
  + "89ANkmVrMwyZVm+QiELSeSbF2dy+P5ymVUZ3/0sVrLW9IbCr/2SH3O0ID2PgNlPp" + CRLF;
  + "dyxFcwCqII58cbfRjkm2Hs71InRC8nRjeRdNlWmMYzYtnzuI5i7rA6Rn81I20LcT" + CRLF;
  + "duneyMEVqR0uwCbBrW8hE14CloO6xNtJczMMCwIDAQABozswOTAYBgNVHREEETAP" + CRLF;
  + "gg10ZWMtbHZpbmljaXVzMB0GA1UdDgQWBBRN+g35SDc5ugbtgbkDZ9hvLLcjezAN" + CRLF;
  + "BgkqhkiG9w0BAQUFAAOCAQEAQwdtDbpn0OQYCCUjZTLR9Bs6v3vZqlgWYfnfHoGw" + CRLF;
  + "AXHrOpjcWis85wdyEQjeE2+KcKB9mGgG2LphG9mBrfCf1BVPzENkQUnS6AqVhuJe" + CRLF;
  + "KE2mlavNONOygWmG4wQQJQBljSZyVaSL0Asdy2sDMa7v66n+qiqj+hY3JTKVYlbF" + CRLF;
  + "lJDl+POkh784T6C0OXO0XzOYpzCvyrj4lQXAZC5Vfiex30vJs6a9RuhwwSVy/BNL" + CRLF;
  + "BDDKnyLb+2KfysVecKdwEmymNNTK1pzK5VBslH6v8e7cI2bQ2aXDpb1tnKwtNxm+" + CRLF;
  + "COl5peOveKURXr1oFWXWYMbL/9/ziLkX92/60uZDfDAKCQ==" + CRLF;
  + "-----END CERTIFICATE-----"
return certificate


static function getPrivKey()
  // The private key is embedded in source only to keep the example self-contained;
  // in production load it from a file with restricted permissions rather than
  // compiling it into the program.
  local privKey
  privKey := "-----BEGIN RSA PRIVATE KEY-----" + CRLF;
  + "MIIEpAIBAAKCAQEAs+VCZmdnRg+YrN3rMl1IiNT0kpqCD6LrEU9Inw8rPSQ7uoJx" + CRLF;
  + "2wVfLSvzoMueHV7A2/GWEEQFRqJ8gyPvdO7ahJ60RzVKHAKiR/p5l2ONct7vXRVs" + CRLF;
  + "jn3ZHe0au4s1Zhx0nLaveHa3uFqbuKkvcfHz1jGmjxFF3Hgcz+wWp1qvKQWGSEzh" + CRLF;
  + "89ANkmVrMwyZVm+QiELSeSbF2dy+P5ymVUZ3/0sVrLW9IbCr/2SH3O0ID2PgNlPp" + CRLF;
  + "dyxFcwCqII58cbfRjkm2Hs71InRC8nRjeRdNlWmMYzYtnzuI5i7rA6Rn81I20LcT" + CRLF;
  + "duneyMEVqR0uwCbBrW8hE14CloO6xNtJczMMCwIDAQABAoIBAE++UbfJIHtrEHeY" + CRLF;
  + "i9iwhyW4mI2gFgVOZ7stlPiFJdqdhCiCCGxZLj583Csr93P3e7BDoAynylrsThtn" + CRLF;
  + "w47nDlB5dVqXYbmW5U7Y1itogtwnvJ1bkNp9KNBeOVpnNA2GkZ6iUJgqr/f1mk+6" + CRLF;
  + "F4EACuGo8rc6peg8CjGU6tnWlgytWv32o0bIXGxL9uvoe+khefiL0tGmflgegQdQ" + CRLF;
  + "oz6grtWiclM2xGADp4bl200Uh2Ky8/+B8ByAim5ClZcKdgzD8TVymYq0JprmEjvq" + CRLF;
  + "ESTc4VFqnFy2GzEjvCb5L7ohEj7bb6aT9ruGC6y/1TNnYZa6gY6kDhuFRNltIwPL" + CRLF;
  + "9e3cn6ECgYEA10e65gzY2fezJ86BZ+TT9hnG+kPpJOkdSrxq+xI5i6NRrNdnW0C4" + CRLF;
  + "zykkbcBGnqifIOes3Bz8FtSraMEuTSqIkh80NBHDA5JwFJcXgfpNOA5FUYm+P/yx" + CRLF;
  + "DOsayrNskUXJ5HPHWBVas3RbqNCt4Uf9VLlANc8cOFwbnaLYcOUGo/sCgYEA1ewj" + CRLF;
  + "ZiMVu9DVm0thstgJQE0kAJ/2ENS3ys5/CwMBPkGLWMxX7fCnSfhC/Zi3ic9vgHbT" + CRLF;
  + "0ihZoD5KOVSW2qUPUCEgCd53+iLj6Ph6zmHpdlyAHZBnP3G2vG0YYpYXSI6fXGHb" + CRLF;
  + "ZBNPUuyYGFphq53k9AGyFJKX2HZdQOASClYfqzECgYEAlfXth1rjo9IcBlqfYhPQ" + CRLF;
  + "YtpJ9QNhYMjSEsF1dDeZxl+aAWB7KuHG2ue57InHp7WmQ3GexCWcpPq3/Fy1OCOs" + CRLF;
  + "xrzdzHei9NYJJQ6q3WvSZn3qY4Yj9Ma9PlZ3b0PVGM0Yef78masmZ2NihhH3Tbqs" + CRLF;
  + "CVySEemXqtrekcxiISIoogkCgYEAqT/R5f4+NMGOLvaeDoyEDT67DE+CtGBIJYno" + CRLF;
  + "08KF2karRA8wRk3PXWOxRMjt9XeMJVxeTHimKHT/7onxbH2JNwFuQsCjteCi5vCo" + CRLF;
  + "4N5wgre+mSVlurlyNXQvBdjwBPTqOoIlvPDWIqqTzzi667fZrAAnb8Vno9hKAYkG" + CRLF;
  + "XO000xECgYACur0xK1nXv+95NcodafMLcoonkDbNHJNfCXWDyYOYqCdPj6kVkFtE" + CRLF;
  + "U52RZ2jfby/S4vOyGirn9c4xSI6jzwCL/P6xVoUbmNl9iCEUtPWdofnpBaicVdSf" + CRLF;
  + "fcPURtz8r4tZSVCQ/YljPvsdKCl1wVBAN0hyMZPeU4BZ1zIvXZpbQw==" + CRLF;
  + "-----END RSA PRIVATE KEY-----"
return privKey
 
static function setIdpShib()
  local error := ""

  // http://tdn.totvs.com/display/tec/setSAMLID
  // Type 1 = Service Provider. The metadata and SAML endpoints are derived from this
  // URL, so use an https URL in production; plain http is used here only for the test setup.
  if setSAMLID("http://myhostname:8080/spEntityID", 1, @error) == .F.
    return alert("setSAMLID: " + error)
  endif
 
  // http://tdn.totvs.com/display/tec/setSAMLID
  // Type 2 = Identity Provider.
  if setSAMLID("https://idp.testshib.org/idp/shibboleth", 2, @error) == .F.
    return alert("setSAMLID: " + error)
  endif
 
  // http://tdn.totvs.com/display/tec/setIDPConf
  if setIDPConf("http://testshib.org/metadata/testshib-providers.xml", "shibboleth.tst.xml", @error) == .F.
    return alert("setIDPConf: " + error)
  endif
 
  // http://tdn.totvs.com/display/tec/setSPCert
  if setSPCert("certfile.txt", getCert(), "keyfile.txt", getPrivKey(), @error) == .F.
    return alert("setSPCert: " + error)
  endif
return


6 - Configuring the Identity Provider to issue identities to the Service Provider.

  Note: The Service Provider exposes a service that returns its configuration as an XML (SAML metadata) file, generated from the Service Provider configuration made in step 5; therefore, finish configuring the Service Provider before starting this procedure.

  You can use this XML file to configure the Identity Provider automatically. Below is an example of how to do this with the Shibboleth IdP.

  6.1 - The URL of the service that returns the XML configuration file is the SP entityID plus the path "/saml2/metadata". With the entityID of the example above, the URL is: http://myhostname:8080/spEntityID/saml2/metadata.

  When you open this URL in a browser, the XML file is downloaded to the local computer with the name "metadata". Rename the file to your host name with the ".xml" extension, e.g. myhostname.xml.

Example (configuring the Shibboleth Identity Provider from the Service Provider's configuration XML)

1st Step:

Download the XML configuration file of the Service Provider (http://myhostname:8080/spEntityID/saml2/metadata).

2nd Step:

Open the TestShib metadata upload page (https://www.testshib.org/metadata.html) and upload the SP configuration XML.

On this page there are two simple steps:

The "Choose File" button opens a window to select the SP configuration file (select the SP configuration XML downloaded in the 1st step).
The "Upload File" button uploads it and registers the SP with the IdP.
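Before uploading the metadata to the IdP, it is worth checking that what the SP serves at entityID/saml2/metadata actually matches what was configured in step 5: the entityID passed to setSAMLID, the certificate passed to setSPCert, and endpoints on the same origin as the entityID (the page shows that the SP derives its endpoint URLs from the entityID). The following Python script is an added example and not part of the page or of the TOTVS SAML library; the sample metadata is constructed (the /saml2/post endpoint path and the certificate body are placeholders, not values produced by a real Application Server).

```python
"""Check SP metadata from <entityID>/saml2/metadata against the values
configured with setSAMLID and setSPCert, before uploading it to the IdP."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed stand-in for the PEM string passed to setSPCert (not a real certificate).
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedCertificateBodyForThisExampleOnly
AAAA
-----END CERTIFICATE-----"""

# Constructed stand-in for the file downloaded from <entityID>/saml2/metadata.
# The ACS path /saml2/post is an assumption; only /saml2/metadata and
# /saml2/get/... are documented on this page.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="http://myhostname:8080/spEntityID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBconstructedCertificateBodyForThisExampleOnly
        AAAA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://myhostname:8080/spEntityID/saml2/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def pem_body(pem: str) -> str:
    """Base64 payload of a PEM block, without armour lines or whitespace."""
    return "".join(line.strip() for line in pem.splitlines()
                   if not line.strip().startswith("-----"))


def origin(url: str) -> tuple:
    """(scheme, host:port) of a URL, the part every SP endpoint must share."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc


def check_sp_metadata(xml_text: str, entity_id: str, cert_pem: str) -> list:
    """Return a list of findings; an empty list means the metadata matches."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    found = root.get("entityID", "")
    if found != entity_id:
        findings.append(f"entityID {found!r} differs from the setSAMLID value {entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor: this is not SP metadata"]
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for ep in acs:
        loc = ep.get("Location", "")
        # Endpoints are derived from the entityID, so they must share its origin.
        if origin(loc) != origin(entity_id):
            findings.append(f"ACS {loc} is not on the entityID origin")
        if urlsplit(loc).scheme != "https":
            findings.append(f"ACS {loc} is not https: the IdP would POST assertions in clear text")
    # The signing certificate published to the IdP must be the one given to setSPCert.
    certs = {re.sub(r"\s+", "", c.text or "") for c in sp.iter(f"{{{DS}}}X509Certificate")}
    if not certs:
        findings.append("no X509Certificate in any KeyDescriptor")
    elif pem_body(cert_pem) not in certs:
        findings.append("metadata certificate differs from the one passed to setSPCert")
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_METADATA,
                                     "http://myhostname:8080/spEntityID",
                                     SAMPLE_CERT_PEM):
        print("finding:", finding)
```

Run against the constructed sample, the only finding is the plaintext http endpoint, which is exactly the property of the test setup above that must not survive into production: the IdP posts the signed assertion to that URL, and the session cookie named by SAMLSessionName is set on the same origin.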

7 - Testing the Service Provider:

The URL of the SAML service is the SP entityID plus the path "/saml2/get/totvssmartclient" (Desktop) or "/saml2/get/url?<web_service_url>" (Web).

Examples:

Desktop:

http://myhostname:8080/spEntityID/saml2/get/totvssmartclient

that is, 

entityID/saml2/get/totvssmartclient


Web:

http://myhostname:8080/spEntityID/saml2/get/url?http://google.com

that is,

entityID/saml2/get/url?<web_service_url>

Note: In the web scenario, you first need to register the URL of the web service with setSAMLSvc; otherwise the Service Provider answers with the error "URL not allowed". Only registered URLs are accepted, so the endpoint cannot be used to send users to arbitrary addresses.


To test the environment, start the Application Server and open the URL of its SAML service in a browser.

Note: If everything is configured correctly, the step above redirects you to the IdP login page. After you log in, the IdP redirects you back to the SP; if validation of the SAML response (assertion) succeeds, the Desktop SmartClient or the web page opens, otherwise an error is shown on the page.
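When the redirect to the IdP happens but login or the return leg fails, the first thing to inspect is the AuthnRequest the SP sent, which with the SAML HTTP-Redirect binding travels in the SAMLRequest query parameter as DEFLATE-compressed, base64- and URL-encoded XML. The following Python script is an added example, not code from the page or from the TOTVS SAML library: it builds a constructed redirect URL from a constructed AuthnRequest, decodes it the way a tester would decode the real Location header, and checks that the Issuer is the SP entityID from setSAMLID and that the Destination is the IdP endpoint the browser is actually being sent to. That the SP uses the Redirect binding, and the TestShib SSO path used below, are assumptions.

```python
"""Decode and check the SAMLRequest in the SP's redirect to the IdP."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

SP_ENTITY_ID = "http://myhostname:8080/spEntityID"           # from setSAMLID, type 1
IDP_SSO_URL = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"  # assumed

# Constructed AuthnRequest; a real one is produced by the SP, not by this script.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"
    Destination="{IDP_SSO_URL}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{SP_ENTITY_ID}/saml2/post">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def build_redirect_location(sso_url: str, xml_text: str, relay_state: str) -> str:
    """Assemble the Location header the SP would send the browser to."""
    query = urlencode({"SAMLRequest": encode_redirect(xml_text), "RelayState": relay_state})
    return f"{sso_url}?{query}"


def decode_redirect(location: str) -> ET.Element:
    """Inverse of the encoding: URL-decode, base64-decode, raw inflate, parse."""
    params = parse_qs(urlsplit(location).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15).decode())


def inspect_redirect(location: str, sp_entity_id: str, idp_sso_url: str) -> list:
    """Return findings about the AuthnRequest; an empty list means it looks right."""
    findings = []
    req = decode_redirect(location)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"SAMLRequest is {req.tag}, not samlp:AuthnRequest"]
    issuer = (req.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer != sp_entity_id:
        findings.append(f"Issuer {issuer!r} is not the SP entityID set with setSAMLID")
    dest = req.get("Destination", "")
    if dest != idp_sso_url:
        findings.append(f"Destination {dest!r} is not the IdP SSO endpoint")
    # The browser must be sent to the same endpoint the request names as Destination.
    parts = urlsplit(location)
    if urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")) != dest:
        findings.append("redirect target differs from the request's Destination")
    return findings


# Constructed redirect URL standing in for the Location header captured in a browser.
SAMPLE_LOCATION = build_redirect_location(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST, "totvssmartclient")

if __name__ == "__main__":
    print(ET.tostring(decode_redirect(SAMPLE_LOCATION)).decode())
    print(inspect_redirect(SAMPLE_LOCATION, SP_ENTITY_ID, IDP_SSO_URL) or "AuthnRequest looks right")
```

To use it on a real deployment, copy the Location header of the 302 returned by entityID/saml2/get/totvssmartclient and pass it to inspect_redirect with the two entityIDs you gave setSAMLID; a wrong Issuer explains an IdP that refuses the request as coming from an unknown SP, and a Destination that differs from the IdP's SSO endpoint explains a signature or endpoint error on the IdP side.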

See Also: saveIDPXML
