CFML SSO demo app for consumption of SAML response

Just wanted to let people know about a CFML SSO demo app I put together for consumption of SAML responses from identity providers. Currently, I have it working against Okta. You can either run the app or use the code in the /saml folder to run in your own app.

Would be great if people can give it a spin and let me know if any issues. And if you want to contribute additional identity provider configurations, that would be even better!

The code is located at: GitHub - psarin/cfml-sso-demo-app: Demo app for cfml - sso integration, using the Okta identity provider as an example. Hopefully, the README.md file gives enough information to get you started!

Thanks to Giancarlo Gomez and his OneLogin code, on which this new demo app is based. Major changes include: no need to set up a datasource (JSON config files are used instead) and the code is made more generic to allow for expansion to other identity providers.


I may be testing this in April (2022). Thanks for sharing and I’ll let you know how it goes.

Has anyone tried it using OneLogin? I get an error in samlAssertionSignatureBlock.setIdAttributeNS("", "ID", true);

I'm also getting errors in signature.cfc > buildSignature() on the line
samlAssertionSignatureBlock.setIdAttributeNS("", "ID", true);

Error is:
java.lang.IllegalAccessException Error: class lucee.runtime.text.xml.struct.XMLElementStruct cannot access class com.sun.org.apache.xerces.internal.dom.ElementImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xerces.internal.dom to unnamed module @5fcfca62 (onError onRequest)

Can you provide some more detail, e.g. which version of Lucee and Java you are using? And/or a test case?

Was it working before and now it doesn't? Could it be related to: Allow toggling XML External Entity support for XmlParse, isXml - #3 by Zackster

Sure thing!
It looks like our team's running CommandBox lucee-light@5.3.10.97 in the docker image ortussolutions/commandbox:jre11-3.7.6

I’m using a development Okta account and their walkthrough for a base beginning test case. I have a working punch out and return back with valid information from Okta; only the signature verification part upon return is the issue at the moment. If I comment that out, I can get a clean return from buildPacket() just without any verification data.

Would you like me to submit this as an issue in the github repo for easier tracking?

Yes, that would be great. If you have a simple test case scenario that demonstrates the error, that would be helpful as well. It may be a OneLogin-specific thing, as I just tried with Okta and it seems to be working.