
Using Single Sign-On Service

The com.sabre.edge.cf.sso.SsoService generates an assertion that follows the SAML standard. A Red App’s web service can use this assertion to authenticate users who are signed in to Sabre Red 360.

Requirements

Sabre Red 360 defines the following requirements for the Single Sign-On service.

Minimal Dependencies

  • com.sabre.edge.cf.core

  • com.sabre.edge.cf.model

  • com.sabre.edge.cf.sso

Classes

  • If your Red App does not contribute to the UI, your Activator must extend AbstractEdgeBaseNonUIPlugin.

  • If your Red App does contribute to the UI, your Activator must extend AbstractEdgeBasePlugin.

  • You must use the getServiceReference() method to get a reference to the token.

  1. Create your redapp.xml configuration file and add the following authorization entry to the file to use the SSO communications service: <Authorization name="com.sabre.edge.cf.sso.SsoService" threshold="10" metric="tpm" />

  2. Obtain a reference to the ISRWCommunication service: ISRWCommunication COM = Activator.getDefault().getServiceReference(ISRWCommunication.class);

  3. Create an instance of the SsoRequest class, providing your Service Provider ID. Optionally, you can pass additional Red App-specific parameters as a map by using the other constructor.

  4. Create an instance of the SsoServiceClient class and call the send() method with an instance of the SsoRequest class.

  5. Store the response in a ClientResponse<SsoResponse> reference. This class provides these methods:

    • isSuccess() to check the status. If it returns false, getPayload() returns null.

    • getErrors() to retrieve errors (if any occurred)

    • getPayload() to obtain a response (returns Base64 encoded assertion)

  6. Send the assertion to your web service.

  7. Your web service should validate the assertion to make sure it was generated by Sabre’s Single Sign-On Service, in one of the following ways:

    • Create a request to the web service sending an assertion (see: Assertion Validation). This is the recommended way.

    • Validate the assertion manually using the Sabre Red 360 public key and external libraries supporting SAML (like Shibboleth or OpenAM).

Note
It is very important that your service validates the assertion before creating a session, as it could be counterfeited.

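The following code listing demonstrates how to use the Single Sign-On service:

// COM is the ISRWCommunication reference obtained in step 2.
// Optional Red App-specific parameters passed with the request.
HashMap<String, String> applicationParameters = new HashMap<String, String>();
applicationParameters.put("address", "Wadowicka 6D");
SsoServiceClient client = new SsoServiceClient(COM);
// The first argument is your Service Provider ID.
SsoRequest request = new SsoRequest("http://yourdomain.com/yourservice", applicationParameters);
ClientResponse<SsoResponse> response = client.send(request);
if (response.isSuccess())
{
    // Base64-encoded assertion; send it to your web service, which must validate it.
    String assertion = response.getPayload().getAssertion();
    // Process assertion
}
else
{
    // getPayload() returns null here; inspect the errors instead.
    for (IError error : response.getErrors())
    {
        // Process error
    }
}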

You can find the error codes in the SRWRuntime Error Codes section.

Assertion parameters included automatically

Sabre Red 360 automatically includes the following parameters in each assertion (each is listed with the name it has in the assertion):

  1. Agent ID (used to sign in to Sabre Red 360) as epr

  2. Agent PCC (used to sign in to Sabre Red 360) as pcc

  3. First Name as firstName

  4. Last Name as lastName

  5. Email as email

  6. Full Phone Number as phone

  7. Agency Name as agencyName

  8. Affiliation as affiliation

  9. Language as language

  10. City as city

  11. State as state

  12. Country as country

  13. Region as region

  14. ARC IATA as arcIata

  15. Agent Sign as agentSign

  16. Red App ID as redappId

  17. Point of Sale as pos

  18. Customer business unit (T3) as custBU, since version 1.0.2 of the com.sabre.edge.cf.sso plugin

  19. Customer employee id (T4) as custEmplID, since version 1.0.2 of the com.sabre.edge.cf.sso plugin

Note
Agents can configure items 3 through 7 on the Agent’s Profile preference page. The other items cannot be modified.
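
The two notes above (validate before creating a session; items 3 through 7 are agent-editable) combined in an added example, which is not part of the Sabre SDK or its samples. It assumes a Python web service, a SAML 2.0 attribute layout, and an is_valid callable that wraps whichever validation method from step 7 you use; create_session, parse_attributes and sample_assertion are hypothetical names.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # assumption: SAML 2.0 layout
# Items 3-7 in the list above are agent-editable: display only, never authorization.
AGENT_EDITABLE = {"firstName", "lastName", "email", "phone", "agencyName"}
IDENTITY = ("epr", "pcc", "redappId")  # not modifiable by the agent


def parse_attributes(xml_bytes):
    """Return {name: value} for each Attribute in the assertion XML."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD in assertion rejected")
    attrs = {}
    for node in ET.fromstring(xml_bytes).iter(f"{{{SAML_NS}}}Attribute"):
        name = node.get("Name")
        if name in attrs:  # ambiguous input: refuse rather than pick one value
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = node.findtext(f"{{{SAML_NS}}}AttributeValue", default="")
    return attrs


def create_session(b64_assertion, is_valid, expected_redapp_id):
    """Create a session only if is_valid (step 7) accepts the assertion."""
    if not is_valid(b64_assertion):
        raise PermissionError("assertion failed validation, no session created")
    attrs = parse_attributes(base64.b64decode(b64_assertion))
    missing = [n for n in IDENTITY if not attrs.get(n)]
    if missing:
        raise ValueError(f"assertion lacks {missing}")
    if attrs["redappId"] != expected_redapp_id:
        raise PermissionError("assertion issued for a different Red App")
    return {"identity": {n: attrs[n] for n in IDENTITY},
            "display": {n: v for n, v in attrs.items() if n in AGENT_EDITABLE}}


def sample_assertion(values):
    """Constructed, unsigned test input; not real Sabre output."""
    body = "".join(f'<s:Attribute Name="{k}"><s:AttributeValue>{v}'
                   f"</s:AttributeValue></s:Attribute>" for k, v in values.items())
    xml = f'<s:Assertion xmlns:s="{SAML_NS}">{body}</s:Assertion>'
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    demo = sample_assertion({"epr": "1234", "pcc": "AB12", "redappId": "my-app",
                             "email": "agent@example.com"})
    # Stub validator for the demo only; replace with your step 7 validation.
    print(create_session(demo, lambda a: True, "my-app"))
```

The session's identity comes only from attributes the agent cannot change; the editable ones are kept separately for display.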

Assertion Processing

In most cases, assertion processing involves sending the assertion in a POST request to your server-side component. If you maintain separate environments for development and production, use IConfigService to configure these URLs with the proper environment suffixes.

Assertion Validation

Information about available ways to validate SAML assertions can be found here.

Sample implementation

See the com.sabre.redapp.example3.web.sso sample for implementation.