2. OpenSSO 8.0 Update 2 Patch Releases
3. Installing OpenSSO 8.0 Update 2
4. Using the Security Token Service
5. Using the Oracle OpenSSO Fedlet
About the Oracle OpenSSO Fedlet
Requirements for the Oracle OpenSSO Fedlet
Oracle OpenSSO Fedlet Configuration
New Features for the Fedlet in OpenSSO 8.0 Update 2
Fedlet Version Information (CR 6941387)
Java Fedlet Password Encryption and Decryption (CR 6930477)
Java Fedlet Support for Signing and Encryption
To Configure the Java Fedlet for Signing and Encryption
Java Fedlet Support for Attribute Query (CR 6930476)
To Configure the Java Fedlet for Attribute Query
.NET Fedlet Encryption and Decryption of Requests and Responses (CR 6939005)
To Configure the .NET Fedlet for Encryption and Decryption of Requests and Responses
.NET Fedlet Signing of Requests and Responses (CR 6928530)
To Configure the .NET Fedlet for Signing of Requests and Responses:
.NET Fedlet Single Logout (CR 6928528 and CR 6930472)
To Configure a .NET Fedlet Service Provider Application for Single Logout:
.NET Fedlet Service Provider Initiated Single Sign-on (CR 6928525)
.NET Fedlet Support for Multiple Identity Providers and Discovery Service (CR 6928524)
To Configure the .NET Fedlet for Multiple Identity Providers
.NET Fedlet Support for the Identity Provider Discovery Service (CR 6928524)
To Configure the .NET Fedlet to Use the Identity Provider Discovery Service:
6. Integrating the OpenSSO 8.0 Update 2 with Oracle Access Manager
Oracle OpenSSO 8.0 Update 2 includes the following new features for the Fedlet:
.NET Fedlet Encryption and Decryption of Requests and Responses (CR 6939005)
.NET Fedlet Service Provider Initiated Single Sign-on (CR 6928525)
.NET Fedlet Support for Multiple Identity Providers and Discovery Service (CR 6928524)
.NET Fedlet Support for the Identity Provider Discovery Service (CR 6928524)
The Oracle OpenSSO Fedlet includes version information. After you extract the files in the Fedlet package (ZIP file), determine the Fedlet version by viewing one of the following files:
Java Fedlet: java/conf/FederationConfig.properties
.NET Fedlet: asp.net/bin/Fedlet.dll.config
The Java Fedlet provides the fedletEncode.jsp in the fedlet.war file to encrypt the storepass and keypass passwords. By default, a different encryption key is generated for each Fedlet. To change this encryption key, set the am.encryption.pwd property in the Fedlet FederationConfig.properties file.
The Java Fedlet supports XML signature verification and decryption of encrypted assertion and NameID elements and their corresponding attributes.
com.sun.identity.saml.xmlsig.passwordDecoder= com.sun.identity.fedlet.FedletEncodeDecode
com.sun.identity.saml.xmlsig.keystore=path/keystore.jks com.sun.identity.saml.xmlsig.storepass=path/.storepass com.sun.identity.saml.xmlsig.keypass=path/.keypass
keytool -export -keystore keystore.jks -rfc -alias test
The tool prompts you to enter the password used to access keystore.jks and then generates the certificate.
<KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+ RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC /FfwWigmrW0Y0Q== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor>
<KeyDescriptor use="encryption"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate> MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+ RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC /FfwWigmrW0Y0Q== </X509Certificate> </X509Data> </KeyInfo> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"> <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize> </EncryptionMethod> </KeyDescriptor>
The AuthnRequestsSigned attribute is set to true, configuring the Java Fedlet to sign all authentication requests.
signingCertAlias contains the alias of the XML signing certificate in the keystore.
encryptionCertAlias contains the alias of the XML encryption certificate in the keystore.
wantAssertionEncrypted
wantNameIDEncrypted
wantAttributeEncrypted
wantAuthnRequestsSigned in the idp.xml file tells the Fedlet what to sign.
AuthnRequestsSigned and WantAssertionsSigned in the sp.xml file tells the identity provider what the Fedlet plans to sign.
wantArtifactResponseSigned in the sp-extended.xml file tells the Fedlet what to sign.
wantPOSTResponseSigned in the sp-extended.xml file
wantLogoutRequestSigned in the sp-extended.xml file
wantLogoutResponseSigned in the sp-extended.xml file
If the identity provider requires signing for specific messages, set the respective attributes to true in the idp-extended.xml file. For example, wantLogoutRequestSigned and wantLogoutResponseSigned.
Note - If you set attributes in the sp-extended.xml file, convey this information to the identity provider administrator, so that the necessary configuration changes can be made in the identity provider.
Example 5-1 Java Fedlet Sample SPSSODescriptor Element
<EntityDescriptor entityID="fedlet" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <b><KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+ RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC /FfwWigmrW0Y0Q== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor></b> <b><KeyDescriptor use="encryption"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate> MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+ RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC /FfwWigmrW0Y0Q== </X509Certificate> </X509Data> </KeyInfo> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"> <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize> </EncryptionMethod> </KeyDescriptor></b> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat ><AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://server.sun.com:7070/fedlet/fedletapplication"/> </SPSSODescriptor> </EntityDescriptor>
The Java Fedlet supports the SAMLv2 Attribute Query to query an identity provider such as Oracle OpenSSO 8.0 Update 2 for specific identity attribute values. You can configure the Fedlet to sign the query and encrypt the query. Signing is required for issuing a Fedlet query, but encryption is optional.
<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> --certificate-- </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <KeyDescriptor use="encryption"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> --certificate-- </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"> <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize> </EncryptionMethod> </KeyDescriptor> </RoleDescriptor>
If you plan to configure the identity provider to encrypt the assertion, also encrypt the NameID element. Thus, the value of the wantNameIDEncrypted attribute must be set to true. Add the XML code to the AttributeQueryConfig element. For example:
<Attribute name="signingCertAlias"> <Value>test</Value> </Attribute> <Attribute name="encryptionCertAlias"> <Value>test</Value> </Attribute> <Attribute name="wantNameIDEncrypted"> <Value>true</Value> </Attribute>
In this example, test is the alias for the sample key.
Also, perform the additional configuration steps in the identity provider to support the Attribute Query for the Fedlet.
The .NET Fedlet can encrypt outgoing XML requests and decrypt incoming responses for the NameID, Attribute, and Assertion elements.
<Attribute name="encryptionCertAlias"> <Value>MyFedlet</Value>
Use the Certificates Snap-in for the Microsoft Management Console used earlier to export the public key of your certificate in Base64 encoding to be included in the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:
<KeyDescriptor use="encryption"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+ RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC /FfwWigmrW0Y0Q== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"> <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize> </EncryptionMethod> </KeyDescriptor>
Next Steps
To test this configuration, use the sample application. Also, set the following attributes to encrypt requests and decrypt responses with the identity provider with the appropriate changes to the configured metadata:
Assertion: Set the wantAssertionEncrypted attribute in the sp-extended.xml metadata file to true to have the .NET Fedlet decrypt the EncryptedAssertion element in incoming responses from the identity provider.
Attribute: Set the wantAttributeEncrypted attribute in the sp-extended.xml metadata file to true to have the .NET Fedlet decrypt the EncryptedAttribute element in incoming responses from the identity provider.
NameID: Set the wantNameIDEncrypted attribute in the idp-extended.xml metadata file to true to have the .NET Fedlet encrypt the NameID element in outgoing requests. Set this same attribute in sp-extended.xml to have the .NET Fedlet decrypt the EncryptedID element in incoming responses from the identity provider.
The .NET Fedlet supports the signing of outgoing XML requests such as Authn requests and logout requests.
<Attribute name="signingCertAlias"> <Value>MyFedlet</Value>
Use the Certificates Snap-in for the Microsoft Management Console used earlier to export the public key of your certificate in Base64 encoding to be included in the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:
<KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of\+ RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC /FfwWigmrW0Y0Q== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor>
The .NET Fedlet supports both identity provider initiated and service provider initiated single logout. To implement single logout, the .NET Fedlet sample application includes the logout.aspx and spinitiatedslo.aspx files in the asp.net/SampleApp folder. To see how the Fedlet single logout feature works, deploy the .NET Fedlet sample application.
In the sp.xml file, make sure the path to the logout.aspx file points to the correct location of the file for your application.
In the idp.xml file (or during the identity provider configuration) make sure the path to the spinitiatedslo.aspx file points to the correct location of the file for your application.
wantLogoutRequestSigned
wantLogoutResponseSigned
Also, inform the identity provider administrator that you configured single logout for the Fedlet service provider, so that any additional required changes can be made to the identity provider configuration.
The .NET Fedlet supports the SAMLv2 service provider initiated single sign-on (SSO). In addition, artifact support is required to allow the .NET Fedlet to receive an artifact and then have it resolved through SOAP with the issuing identity provider's Artifact Resolution Service.
The .NET Fedlet sample application shows how you can configure single sign-on. After your application has the necessary artifacts installed, a specific URI is required to receive the HTTP POST containing the SAMLv2 response after successful authentication by the identity provider. The following code example shows how you can retrieve this information in a .NET application:
Example 5-2 Code Example to Retrieve the AuthnResponse in a .NET Fedlet Application
AuthnResponse authnResponse = null; try { ServiceProviderUtility spu = new ServiceProviderUtility(Context); authnResponse = spu.GetAuthnResponse(Context); } catch (Saml2Exception se) { // invalid AuthnResponse received } catch (ServiceProviderUtilityException spue) { // issues with deployment (reading metadata) }
If your application receives the SAMLv2 response, the authnResponse object will be populated with the assertion information. The sample application shows how to retrieve the attributes and subject information from this object.
The .NET Fedlet supports multiple identity providers and the identity provider discovery service.
In some deployments, you might want to configure the .NET Fedlet with multiple identity providers such as Oracle OpenSSO 8.0 Update 2. Perform the following task for each additional identity provider you wan to add.
To add the new identity provider to an existing circle of trust:
In the fedlet.cot file in your application's App_Data folder, append the new IDP entity ID (indicated by the entityID attribute in the idp2.xml metadata file) to the value of the sun-fm-trusted-providers attribute, using a comma (,) as a separator.
To add the new identity provider to a new circle of trust:
<Attribute name="cotlist"> <Value>saml2cot</Value> <Value>cot2</Value> </Attribute>
In this scenario, the .NET Fedlet is configured with multiple identity providers in a circle of trust and you want to configure the Fedlet to use the identity provider discovery service to determine the preferred identity provider.
The discovery service must be configured for the identity providers you are using with the .NET Fedlet. For information about configuring the identity provider discovery service in Oracle OpenSSO 8.0 Update 2, see the following documentation collection:
http://download.oracle.com/docs/cd/E19681-01/index.html
sun-fm-saml2-readerservice-url=http://discovery.common.com/opensso/saml2reader