Using Single Sign-On Service
The com.sabre.edge.cf.sso.SsoService generates an assertion that follows the SAML standard. A Red App’s web service can use this assertion to authenticate users signed in to Sabre Red 360.
Requirements
Sabre Red 360 defines the following requirements for using the Single Sign-On service.
Minimal Dependencies
- com.sabre.edge.cf.core
- com.sabre.edge.cf.model
- com.sabre.edge.cf.sso
Classes
- If your Red App does not contribute to the UI, your Activator must extend AbstractEdgeBaseNonUIPlugin.
- If your Red App does contribute to the UI, your Activator must extend AbstractEdgeBasePlugin.
- You must use the getServiceReference() method to get a reference to the token.
Recommended Authentication using the SSO service
1. Create your redapp.xml configuration file and add the following authorization entry to the file to use the SSO communications service: <Authorization name="com.sabre.edge.cf.sso.SsoService" threshold="10" metric="tpm" />
2. Obtain a reference to the ISRWCommunication service: ISRWCommunication COM = Activator.getDefault().getServiceReference(ISRWCommunication.class);
3. Create an instance of the SSORequest class, providing your Service Provider ID. Optionally, you can pass additional Red App-specific parameters as a map using the other constructor.
4. Create an instance of the SsoServiceClient class and call the send() method with an instance of the SSORequest class.
5. Store the response in a ClientResponse<SsoResponse> reference. This class provides these methods:
   - isSuccess() to check the status. If it returns false, getPayload() returns null.
   - getErrors() to retrieve the errors, if any occurred.
   - getPayload() to obtain the response (returns the Base64-encoded assertion).
6. Send the assertion to your web service.
7. Your web service should validate the assertion to make sure it was generated by Sabre’s Single Sign-On Service, in one of the following ways:
   - Create a request to the web service, sending the assertion (see: Assertion Validation). This is the recommended way.
   - Validate the assertion manually using the Sabre Red 360 public key and external libraries supporting SAML (like Shibboleth or OpenAM).

Note: It is very important that your service validates the assertion before creating a session, as it could be counterfeited.
The following code listing demonstrates how to use Single Sign-On service:
    // Optional Red App-specific parameters to include in the assertion
    HashMap<String, String> applicationParameters = new HashMap<String, String>();
    applicationParameters.put("address", "Wadowicka 6D");

    // COM is the ISRWCommunication reference obtained from the Activator
    SsoServiceClient client = new SsoServiceClient(COM);
    SsoRequest request = new SsoRequest("http://yourdomain.com/yourservice", applicationParameters);
    ClientResponse<SsoResponse> response = client.send(request);

    if (response.isSuccess())
    {
        // Only read the payload on success; it is null otherwise
        String assertion = response.getPayload().getAssertion();
        // Process assertion
    }
    else
    {
        for (IError error : response.getErrors())
        {
            // Process error
        }
    }
The error codes that can be returned are listed in the SRWRuntime Error Codes section.
Assertion’s parameters included automatically
Sabre Red 360 automatically includes the following parameters in each assertion (each is listed with the name it carries in the assertion):
1. Agent ID (used to sign in to Sabre Red 360) as epr
2. Agent PCC (used to sign in to Sabre Red 360) as pcc
3. First Name as firstName
4. Last Name as lastName
5. Email as email
6. Full Phone Number as phone
7. Agency Name as agencyName
8. Affiliation as affiliation
9. Language as language
10. City as city
11. State as state
12. Country as country
13. Region as region
14. ARC IATA as arcIata
15. Agent Sign as agentSign
16. Red App ID as redappId
17. Point of Sale as pos
18. Customer business unit (T3) as custBU, since 1.0.2 version of com.sabre.edge.cf.sso plugin
19. Customer employee id (T4) as custEmplID, since 1.0.2 version of com.sabre.edge.cf.sso plugin

Note: Agents can configure items 3 through 7 in Agent’s Profile preference page. The other items cannot be modified.
Assertion Processing
In most cases assertion processing will involve sending the assertion in a POST request to your server side component. If you maintain separate environments for development and production, you need to use IConfigService to configure these URLs using proper environment suffixes.
Assertion Validation
Information about available ways to validate SAML assertions can be found here.
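The manual validation option from the authentication steps, shown as an added example that is not part of the Sabre SDK or its samples. It uses the JDK's built-in XML Signature API in place of an external SAML library, and it assumes that the decoded payload is a SAML 2.0 Assertion element with an enveloped signature and a Conditions element, and that the Sabre Red 360 public key has already been loaded as a PublicKey. AssertionGate and verify are hypothetical names.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.time.Instant;
import java.util.Base64;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class AssertionGate { // hypothetical helper, not SDK code
    private static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"; // assumed version

    /** Returns the verified assertion or throws. Create the session only after this returns. */
    public static Element verify(String base64Assertion, PublicKey sabreKey) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Reject DOCTYPE declarations so the untrusted XML cannot pull in external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        byte[] xml = Base64.getMimeDecoder().decode(base64Assertion);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        Element assertion = doc.getDocumentElement();
        if (!SAML2.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName()))
            throw new SecurityException("root element is not a SAML 2.0 Assertion");
        assertion.setIdAttribute("ID", true); // only the root can be the target of a "#id" reference
        // Exactly one signature, and it must be a direct child of the assertion it protects.
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || !sigs.item(0).getParentNode().isSameNode(assertion))
            throw new SecurityException("expected one signature directly under the assertion");
        // The key comes from our own configuration; any KeyInfo inside the message is ignored.
        DOMValidateContext ctx = new DOMValidateContext(sabreKey, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        List<Reference> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertion.getAttribute("ID")).equals(refs.get(0).getURI()))
            throw new SecurityException("signature does not cover the assertion");
        if (!sig.validate(ctx))
            throw new SecurityException("signature check failed");
        // Reject expired assertions; NotOnOrAfter is treated as mandatory in this example.
        Element cond = (Element) assertion.getElementsByTagNameNS(SAML2, "Conditions").item(0);
        if (cond == null || !Instant.now().isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter"))))
            throw new SecurityException("assertion is expired or has no validity window");
        return assertion;
    }
}
```

Every failure path throws, so a caller that creates the session only after verify() returns cannot accept an unsigned, re-wrapped or expired assertion by accident.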
Sample implementation
See the com.sabre.redapp.example3.web.sso sample for implementation.