Tuesday, December 30, 2014

How to get a session cookie from a webapp which uses SAML SSO


  1. WSO2 IS is configured for SSO and acts as IDP.
  2. Web app is placed in Tomcat 7.x
  3. Web app contains the SAML Assertion Response from IDP.
  4. By using the SAML Assertion Response from web app, we should obtain the cookie to access admin services like updating password, retrieving tenants etc ....

You can learn more about enabling SSO in WSO2 IS 5.0 by going through this references. In order to demo this scenario, I have modified the code provided in this article.
Source code for above mentioned article can be found here.

I have written a sample web app to update the password by invoking the admin service.
In this sample app, cookie is obtained by logging in to the admin service  "SAML2SSOAuthenticationService" by passing the the SAML response.

In the event of successful login to the admin service, it returns a cookie string. This cookie can be lately used to access the admin service method "changePasswordByUser".

The diagram flow can be displayed below.

[1] SAML Request to the IDP.
[2] SAML Assertion Response to the Web app
[3] Login in to the admin services by using SAML Assertion response
[3] Cookie will be returned to valid login

  • WSO2 IS server 5.0 - PORT 9443 ( PortOffset 0 ) . You can download it from here.
  • TOMCAT 7 - PORT 8080 

  • Check out and build the code from here (In order to test this sample you have to build the POM file using "mvn clean install").  The war file "saml2.sso.demo.war" can be found in target folder. 
  • Configure WSO2 IS 5.0 for SSO by using following link.  While configuring the SP please make sure to have following configuration values when configuring SP.
    1. Issuer - "saml2.sso.demo"
    2. Assertion Consumer URL - "http://localhost:8080/saml2.sso.demo/consumer"
    3. Check the options in Enale Response Signing and Enable Response Signing   in SP.                                                                                                                     

  • Navigate to repository/conf/security/authenticators.xml and update the "ServiceProviderID" value same as Issuer's value.
  • Now you can deploy the "saml2.sso.demo.war" in to tomcat's webapps folder.
  • Start the both IS and tomcat.
  • you can use the http://localhost:8080/saml2.sso.demo/ to test the web app .
Source Code can be found here   


  1. thanks for the post... getting the session cookie after getting saml response is not mentioned clearly in the documentation.

    1. This comment has been removed by the author.