<%@ page language="java" contentType="text/html; charset=UTF-8" %>
<%@ page import="com.sun.identity.sae.api.SecureAttrs"%>
<%@ page import="com.sun.identity.sae.api.Utils"%>
<%@ page import="java.io.*"%>
<%@ page import="java.util.*"%>
<%@ page import="com.sun.identity.common.SystemConfigurationUtil"%>
public void jspInit()
String deployuri = SystemConfigurationUtil.getProperty(
if ((deployuri == null) || (deployuri.length() == 0)) {
deployuri = "../../..";
<title>Secure Attributes Exchange IDP APP SAMPLE</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" type="text/css" href="<%= deployuri %>/com_sun_web_ui/css/css_ns6up.css" />
<%@ include file="header.jspf" %>
<br><b>Secure Attributes Exchange IDP APP SAMPLE</b><br>
// Crypto type to be used with the local <OpenAM>-IDP. The GET form offers
// the values "symmetric" and "asymmetric"; the POST branch uses this value
// both to select the SecureAttrs configuration and as part of the cached
// instance name ("sample" + cryptotype).
String cryptotype = SecureAttrs.SAE_CRYPTO_TYPE_SYM;
// For SYM: shared secret with the local <OpenAM>-IDP.
// For ASYM: private key alias for this IDP-App's signing cert.
// NOTE(review): a hard-coded sample value. It is the signing secret handed to
// SecureAttrs.getEncodedString() in the POST branch, so a deployment must
// supply its own provisioned value rather than reuse this literal.
String secret = "secret12";
// For SYM: shared secret with the local <OpenAM>-IDP (same value as secret).
// For ASYM: public key alias for the <OpenAM>-IDP.
// Only consulted when the "useencryption" checkbox is submitted.
String encSecret = secret;
// Data-encryption algorithm and key strength handed to SecureAttrs via
// SAE_CONFIG_DATA_ENCRYPTION_ALG / SAE_CONFIG_ENCRYPTION_KEY_STRENGTH.
// NOTE(review): DES with a 56-bit key is a legacy sample default, not a
// recommendation; confirm which stronger algorithms SecureAttrs accepts.
String encryptionAlg = "DES";
String encryptionStrength = "56";
// Keystore path (for asym signing); passed as SAE_CONFIG_KEYSTORE_FILE.
String keystore = "";
// Keystore password (for asym signing).
// NOTE(review): read back from the POST form but not visibly handed to
// SecureAttrs anywhere in this file - confirm whether a line is missing.
String keypass = "";
// Private key password (for asym signing); passed as
// SAE_CONFIG_PRIVATE_KEY_PASS. The form collects this and keypass through
// plain text inputs; a real application should not source key material
// from a browser form.
String privkeypass = "";
// Identity of this application: this string should match an already
// registered application in one of the hosted IDP extended metadata entries.
// NOTE(review): derived from the request URL and later echoed into the form
// and concatenated into the generated links without encoding - sample-only;
// treat it as untrusted input and encode it where it is rendered.
String idpAppName = request.getRequestURL().toString();
// <OpenAM>-IDP hosted SAE url that acts as the gateway. Overwritten by the
// "saeurl" form field on POST and used as the base of the generated links.
String saeServiceURL="http://sa.idp.com:8080/sa/idpsaehandler/metaAlias/idp";
// The authenticated user (SAE_PARAM_USERID) and the auth level the user
// was authenticated at (SAE_PARAM_AUTHLEVEL).
String userid = "testuser";
String authlevel = "0";
// Profile attributes of the authenticated user; shown on the GET form and
// read back from the POST form.
String mail = "testuser@foo.com";
String branch = "mainbranch" ;
// SP-App to be invoked with the profile attributes above (SAE_PARAM_SPAPPURL).
String spapp = "http://www.spp.com:8080/sp/samples/saml2/sae/saeSPApp.jsp";
// Whether a cached SecureAttrs instance should be reused. On POST a missing
// "usecached" parameter forces a fresh SecureAttrs.init().
String usecached = "on";
// Whether to encrypt the attributes in addition to signing them (POST only;
// the GET form renders this checkbox unchecked).
String useencryption = "on";
if (request.getMethod().equals("GET"))
This sample represents an IDP-App wishing to securely invoke a remote SP-App and pass it some secure attributes (mail and branch).
IDP-App -sae---> IDP-<OpenAM> --samlv2---> SP-<OpenAM> --sae--> SP-App
<b>Prerequisites :</b>
IDP=Identity Provider SP=Service Provider
i) Trust key (shared secret for symmetric crypto or private key for asymmetric signing; shared secret for symmetric data encryption or public key for asymmetric data encryption) and this application provisioned on IDP-<OpenAM> in one of the hosted extended metadata entries - you will enter the same appname and secret here.
ii) SP_App and corresponding shared secret or key-pair provisioned on SP-<OpenAM> and destination SP-App. You will enter SP-App here.
iii) "auto-federation" and the corresponding attributes (branch and mail) set up on both SP-<OpenAM> and IDP-<OpenAM> ends.
iv) SP-App is already deployed and ready to accept requests.
<b>Please fill in the following form:</b> (Note that the userid you are about to enter is assumed to be already authenticated.)
<form method="POST">
<td>Userid on local IDP : </td>
<td><input type="text" name="userid" value="<%=userid%>"></td>
<td>Authenticated auth level : </td>
<td><input type="text" name="authlevel" value="<%=authlevel%>"></td>
<td>mail attribute : </td>
<td><input type="text" name="mail" value="<%=mail%>"></td>
<td>branch attribute : </td>
<td><input type="text" name="branch" value="<%=branch%>"></td>
<td>SP App URL : </td>
<td><input type="text" name="spapp" size=80 value="<%=spapp%>"></td>
<td>SAE URL on IDP end: </td>
<td><input type="text" name="saeurl" size=80 value="<%=saeServiceURL%>"></td>
<td>This application's identity (should match Secret below) : </td>
<td><input type="text" name="idpappname" size=80 value="<%=idpAppName%>"></td>
<td>Crypto Type : </td>
<select name="cryptotype" >
<option <%= cryptotype.equals("symmetric") ? "SELECTED" : ""%> value="symmetric">symmetric</option>
<option <%= cryptotype.equals("asymmetric") ? "SELECTED" : ""%> value="asymmetric">asymmetric</option>
<td>Signing Shared Secret / This App's Private Key alias : </td>
<td><input type="text" name="secret" value="<%=secret%>"></td>
<td>Enable encryption: </td>
<td><input type="checkbox" name="useencryption"></td>
<td>Encryption Shared Secret / IDP's Public Key alias : </td>
<td><input type="text" name="encSecret" value="<%=encSecret%>"></td>
<td>Encryption Algorithm : </td>
<td><input type="text" name="encAlgorithm" value="<%=encryptionAlg%>"></td>
<td>Encryption Strength : </td>
<td><input type="text" name="encStrength" value="<%=encryptionStrength%>"></td>
<td>Use Cached SecureAttrs instance: </td>
<td><input type="checkbox" name="usecached" checked="true"></td>
<tr> <td colspan=2><hr></td> </tr>
<td>Key store path (asymmetric only) : </td>
<td><input type="text" name="keystore" value="<%=keystore%>"></td>
<td>Key store password (asymmetric only) : </td>
<td><input type="text" name="keypass" value="<%=keypass%>"></td>
<td>Private Key password (asymmetric only) : </td>
<td><input type="text" name="privkeypass" value="<%=privkeypass%>"></td>
<tr> <td colspan=2><hr></td> </tr>
<td><input type="submit" value="Generate URL"></td>
<% } else {// POST
HashMap map = new HashMap();
userid = request.getParameter("userid");
authlevel = request.getParameter("authlevel");
mail = request.getParameter("mail");
branch = request.getParameter("branch");
spapp = request.getParameter("spapp");
saeServiceURL = request.getParameter("saeurl");
idpAppName = request.getParameter("idpappname");
cryptotype = request.getParameter("cryptotype");
secret = request.getParameter("secret");
encSecret = request.getParameter("encSecret");
keystore = request.getParameter("keystore");
keypass = request.getParameter("keypass");
usecached = request.getParameter("usecached");
privkeypass = request.getParameter("privkeypass");
useencryption = request.getParameter("useencryption");
encryptionAlg = request.getParameter("encAlgorithm");
System.out.println("Encryption alg" + encryptionAlg);
encryptionStrength = request.getParameter("encStrength");
// Check if we already have a cached SecureAttrs instance.
String mySecAttrInstanceName = "sample"+cryptotype;
SecureAttrs sa = SecureAttrs.getInstance(mySecAttrInstanceName);
if (sa == null || usecached == null) {
out.println("Obtaining new SecureAttrs instance");
Properties saeparams = new Properties();
if (SecureAttrs.SAE_CRYPTO_TYPE_ASYM.equals(cryptotype)) {
saeparams.put(SecureAttrs.SAE_CONFIG_KEYSTORE_FILE, keystore);
saeparams.put(SecureAttrs.SAE_CONFIG_PRIVATE_KEY_PASS, privkeypass);
saeparams.put(SecureAttrs.SAE_CONFIG_DATA_ENCRYPTION_ALG, encryptionAlg);
saeparams.put(SecureAttrs.SAE_CONFIG_ENCRYPTION_KEY_STRENGTH, encryptionStrength);
} else {
saeparams.put(SecureAttrs.SAE_CONFIG_DATA_ENCRYPTION_ALG, encryptionAlg);
saeparams.put(SecureAttrs.SAE_CONFIG_ENCRYPTION_KEY_STRENGTH, encryptionStrength);
SecureAttrs.init(mySecAttrInstanceName, cryptotype, saeparams);
sa = SecureAttrs.getInstance(mySecAttrInstanceName);
} else
out.println("Using cached SecureAttrs instance");
// Following code secures attributes
map.put(SecureAttrs.SAE_PARAM_USERID, userid);
map.put(SecureAttrs.SAE_PARAM_AUTHLEVEL, authlevel);
map.put(SecureAttrs.SAE_PARAM_SPAPPURL, spapp);
map.put(SecureAttrs.SAE_PARAM_IDPAPPURL, idpAppName);
String encodedString = null;
if(useencryption != null) {
encodedString = sa.getEncodedString(map, secret, encSecret);
} else {
encodedString = sa.getEncodedString(map, secret);
out.println("<br>Setting up the following params:");
HashMap slomap = new HashMap();
slomap.put(SecureAttrs.SAE_PARAM_IDPAPPURL, idpAppName);
String sloencodedString = null;
if(useencryption != null) {
sloencodedString = sa.getEncodedString(slomap, secret, encSecret);
} else {
sloencodedString = sa.getEncodedString(slomap, secret);
// We are ready to format the URLs to invoke the SP-App and Single logout
String url = null;
String slourl = null;
String postForm = null;
HashMap pmap = new HashMap();
pmap.put(SecureAttrs.SAE_PARAM_DATA, encodedString);
if (saeServiceURL.indexOf("?") > 0) {
url = saeServiceURL+"&" +
SecureAttrs.SAE_PARAM_IDPAPPURL+"="+idpAppName + "&" +
slourl = saeServiceURL+"&" +
SecureAttrs.SAE_PARAM_IDPAPPURL+"="+idpAppName + "&" +
SecureAttrs.SAE_PARAM_DATA+"=" +sloencodedString;
else {
url = saeServiceURL+"?" +
SecureAttrs.SAE_PARAM_IDPAPPURL+"="+idpAppName + "&" +
slourl = saeServiceURL+"?" +
SecureAttrs.SAE_PARAM_IDPAPPURL+"="+idpAppName + "&" +
SecureAttrs.SAE_PARAM_DATA+"=" +sloencodedString;
// The following call is a simple wrapper to create a form - to
// auto-submit the form via JavaScript, change false to true.
pmap.put(SecureAttrs.SAE_PARAM_IDPAPPURL, idpAppName);
postForm = Utils.formFromMap(saeServiceURL, pmap, false);
out.println("<br><br>Click here to invoke the remote SP App via http GET to local IDP : "+spapp+" : <a href="+url+">ssourl</a>");
out.println("<br><br>Click here to invoke the remote SP App via http POST to IDP : "+spapp+" : <input type=\"button\" onclick=\"document.forms['saeform'].submit();\" value=POST>");
out.println("<br><br>This URL will invoke global Logout : <a href="+slourl+">slourl</a>");