I'm trying to implement my own IdP on Spring Boot. I followed the documentation of Spring Security SAML to get a clear idea, but there are no good examples of this. The only part I found is
You can test IDP initialized single sign-on with URL https://idp.ssocircle.com:443/sso/saml2/jsp/idpSSOInit.jsp?metaAlias=/ssocircle&spEntityID=replaceWithUniqueIdentifier, after replacing the service provider identifier with the one configured as entityId in your securityContext.xml. It is possible to provide relayState data sent to your SP with parameter RelayState.
But this example is based on ssocircle being the IdP and the sample Java project being the SP, so I can't see any of the ssocircle configuration (what endpoints I need and other configs), and I really can't find any good example of this. In some part I read that with the Spring Security SAML dependency I can make my application act as an IdP, but then, when I reread the full document, I noticed this
This chapter provides essential information needed to enable your application to act as a service provider and interact with identity providers using SAML 2.0 protocol. Later in this guide you can find information about detailed configuration options and additional use-cases enabled by this component.
Basically, this document does not cover what I'm trying to do, and right now I don't even know if this dependency will help me reach my goal or whether I will need to move to another library like the Shibboleth project. Have you faced this issue before?
Related
I'm currently in the process of implementing OAuth2 authentication in a Spring Boot application (using the latest Spring Boot version, 2.0.1). I followed the tutorial from http://www.java-allandsundry.com/2018/03/spring-boot-2-native-approach-to-sso.html which already put me into the lucky position where the authentication itself is up and running.
However, after authenticating using OAuth2 (I'm using Google as the authentication provider for now) I would like to enhance the Principal (or any other object accessible to the application) with additional data.
The basic use case is like this:
1. Perform OAuth2 authorization.
2. Check the user information returned from the OAuth provider.
3. If a user with the matching ID from the OAuth provider can be found in a local database, then enhance the Principal with that user information and proceed.
4. If a user with the matching ID from the OAuth provider cannot be found in the local database, then show an error message and block the login.
Step 1 is working fine, but I cannot find any way to add a listener, an interceptor or any other kind of configuration element into the default Spring processing that would allow me to do steps 2-4.
I already looked into the multiple configuration options inside the WebSecurityConfigurerAdapter and several other sources, so far without success. The closest thing I found online was using a PrincipalExtractor, but that doesn't seem to be supported any more since Spring Boot 2.
Any idea how I can perform the interception and inject my additional logic?
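An added example (not from the asker or the linked tutorial) of where steps 2-4 can be hooked in with Spring Security 5.0, the version shipped with Spring Boot 2.0.x: a custom OAuth2UserService that wraps the default userinfo step, requires a matching local account and fails the login otherwise. LocalUserRepository, LocalUser and the attribute name "localUserId" are assumptions for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;

// Hypothetical local account store; the provider's subject id ("sub" for Google) is the key.
interface LocalUserRepository {
    Optional<LocalUser> findByProviderSubject(String subject);
}

// Hypothetical local account record with only the fields this example merges into the Principal.
class LocalUser {
    final long id; final String role;
    LocalUser(long id, String role) { this.id = id; this.role = role; }
}

// Replaces the default userinfo step: fetch the provider's user info (step 2), require a
// matching local account (step 4) and return a Principal enriched with local data (step 3).
public class LocalUserOAuth2UserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {
    private final OAuth2UserService<OAuth2UserRequest, OAuth2User> delegate = new DefaultOAuth2UserService();
    private final LocalUserRepository localUsers;

    public LocalUserOAuth2UserService(LocalUserRepository localUsers) { this.localUsers = localUsers; }

    @Override
    public OAuth2User loadUser(OAuth2UserRequest request) throws OAuth2AuthenticationException {
        OAuth2User remote = delegate.loadUser(request);               // step 2: userinfo from the provider
        String nameKey = request.getClientRegistration().getProviderDetails()
                .getUserInfoEndpoint().getUserNameAttributeName();     // "sub" for Google
        String subject = String.valueOf(remote.getAttributes().get(nameKey));

        // step 4: an unknown subject rejects the login; the exception ends up in the failure handler
        LocalUser local = localUsers.findByProviderSubject(subject).orElseThrow(() ->
                new OAuth2AuthenticationException(
                        new OAuth2Error("user_not_registered", "No local account for subject " + subject, null)));

        // step 3: merge local data into the attributes and grant only the locally stored role
        Map<String, Object> attrs = new HashMap<>(remote.getAttributes());
        attrs.put("localUserId", local.id);
        return new DefaultOAuth2User(AuthorityUtils.createAuthorityList("ROLE_" + local.role), attrs, nameKey);
    }
}
```

Register it in the WebSecurityConfigurerAdapter with http.oauth2Login().userInfoEndpoint().userService(new LocalUserOAuth2UserService(repository)); a rejected login is then routed to the oauth2Login failure handler, where the error message can be shown.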
We have a requirement where we need to enable SAML authentication in our application for a customer that has ADFS as IDP.
After considering various options, I was able to get this working with Spring SAML security as provided in the documents.
Now the issue is to integrate the SAML security with our application.
Unfortunately, our application is still a legacy Java application using servlets and JSP and is not Spring based.
I was just wondering how the two can be integrated. The document mentions that this is possible. However, I was unable to find any write-up on it.
Can someone please direct me to the relevant source that can provide guidelines for this approach.
Thanks.
Classes in package org.springframework.security.saml.websso contain the core of the SAML processing functionality and are independent of Spring Security. They do contain a few class imports from Spring, therefore Spring-core classes need to be on the classpath, but the application itself doesn't need to use Spring/Spring Security.
You will need to re-implement yourself the logic which is specific to Spring Security (package org.springframework.security.saml, e.g. SAMLEntryPoint, SAMLProcessingFilter) and call your implementation during your authentication lifecycle. The logic of these classes is simple, so enabling basic use-cases is pretty easy.
Thanks Vladimír for the guidance. This is how I integrated a standard legacy Java app with Spring Security for SAML-based authentication:
Modified securityContext.xml:
set idpDiscoveryEnabled=false
set forceAuthN=true to force the user to log in when the SAML token expires
updated defaulttargetURL in successHandler to the authhandler.jsp page, present in the Spring Security app, to redirect back to my application
I have a filter applied on all the web calls in my Java app. This filter redirects the call to /spring-security-saml2/saml/login.
Spring SAML authenticates the user with ADFS. On successful authentication, the user is redirected to authhandler.jsp.
authhandler.jsp is the same as index.jsp but the retrieved claims are hidden fields here. These values in the hidden fields are sent back to my standard Java application.
Here my Java application performs other application-level authentication and proceeds as desired.
I would appreciate any suggestions for improvement or identification of any flaws in the above approach.
I have several multi-module Spring web applications, each structured like below; each of them is developed separately, with no inter-connection.
war
|...webModule
|...coreModule
I want to integrate them with one admin module with security settings.
How can I do that? Are there any frameworks for that?
I went through the OSGi approach but it needs a lot of migration work. What about component based (I have never done that)... Can anyone suggest some way to create my integration application which can handle common login & security for the other sub-applications? (I need a single sign-on solution across multiple WARs.)
I strongly advise reading up on the Angular JS and Spring Security series; especially related is https://spring.io/blog/2015/01/20/the-resource-server-angular-js-and-spring-security-part-iii
The approach that they describe seems completely viable for you. Key points:
"Spring Security uses the HttpSession to store authentication data by default. It doesn't interact directly with the session though: there's an abstraction layer (SecurityContextRepository) in between that you can use to change the storage backend."
After authenticating through your admin module you should store your authentication data in a storage accessible to all your other modules, using a session id as the key for the data. You can easily achieve this with the help of Spring Session, where you can use the out-of-the-box supported Redis as your shared storage for authentication data.
Finally, the key will be set inside a custom header of the requests that target other modules, which will use this custom header and a changed session strategy to pull the authentication data from the storage and authenticate the user.
There are quite a few details behind the approach, but the series comes with a sample implementation so you should be able to find your way.
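An added example (not from the answerer or the blog series) of the shared-storage and header-session setup described above, written for Spring Session 1.x and Spring Security 4 as used in that series: the first class is deployed in every WAR so the HttpSession, and with it the SecurityContext, lives in Redis and is addressed by a request header; the second is the sub-module security configuration, which never creates sessions of its own. The header name "X-Auth-Token" and Redis on localhost:6379 are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionStrategy;
import org.springframework.session.web.http.HttpSessionStrategy;

// Deployed in the admin module and in every sub-module WAR: session data, including the
// SecurityContext Spring Security stores in the HttpSession, is kept in Redis, and the
// session id travels in a header rather than a JSESSIONID cookie scoped to one WAR.
@Configuration
@EnableRedisHttpSession
public class SharedSessionConfig {

    // Assumes a single Redis instance reachable from all modules (default localhost:6379).
    @Bean
    public JedisConnectionFactory connectionFactory() {
        return new JedisConnectionFactory();
    }

    // Spring Session picks up this bean: when the admin module creates the session at login,
    // the id is written to the response header; sub-modules read the same header to resolve it.
    @Bean
    public HttpSessionStrategy httpSessionStrategy() {
        HeaderHttpSessionStrategy strategy = new HeaderHttpSessionStrategy();
        strategy.setHeaderName("X-Auth-Token");   // assumed header name; the library default is x-auth-token
        return strategy;
    }
}

// Sub-module security: only the admin module authenticates users, so a sub-module must never
// mint a session itself; a request without a valid header-carried session id is rejected.
@Configuration
@EnableWebSecurity
class SubModuleSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
    }
}
```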
Are you able to use Spring SAML if you are implementing as an IDP?
I have used it in the past when acting as a Service Provider, and having read the documentation it's not clear whether I can use it as an IDP.
Note - I originally asked for opinions on another question which was put on hold by users; I reworded the question as above but it's still on hold, hence I have asked again.
There's no support for acting as an IDP in Spring SAML. Capabilities of Spring SAML are described in the manual:
"The extension enables both new and existing applications to act as a Service Provider in federations based on Web Single Sign-On and Single Logout profiles of SAML 2.0 protocol."
For implementing SAML 2.0 IDP using open source tools have a look at for example Shibboleth.
Our current Spring app requires adding additional authentication checking from a POJO library. The POJO library includes several customized authentication modules to choose from. Some can be quite simple, like checking the username and encrypted password within a URL against a database or a file; others can be LDAP authentication or Web Service authentication.
The tricky part is that the current application has its own authentication method within security.xml, and we don't want to compromise either one.
My goal is to make this work with minimal change.
I think there might be several solutions for this, but I am trying to find a good practice:
Customize a Spring authentication provider to handle the POJO authentication for the authentication manager.
Customize a Spring pre-authentication (or something alike) bean for the POJO and let the app security do the next step.
Extend a filter class and register it in web.xml, so this makes minimal change to the existing Spring Security context, but I am not sure how to make this handle the LDAP and WS authentication.
and many other options, if anyone can give a better hint. Thanks in advance.
Create a custom Spring AuthenticationManager that extends the one that already exists. Call super.authenticate() and, if that goes through, add the extra authentication logic.
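An added example (not from the answerer) of that approach: a manager extending Spring Security's ProviderManager, so the providers already declared in security.xml run first and unchanged, and the POJO library's check runs only on a login they accepted. PojoAuthenticator is an assumed stand-in for the library's entry point.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

// Hypothetical facade over the POJO library; any of its modules (DB, file, LDAP, WS) sits behind it.
interface PojoAuthenticator {
    boolean authenticate(String username, String credential);
}

// Both checks must pass: the existing security.xml providers via super.authenticate(), then the
// POJO module. A failure in the second check rejects the login even though the first one succeeded.
public class PojoCheckedAuthenticationManager extends ProviderManager {
    private final PojoAuthenticator pojoAuthenticator;

    public PojoCheckedAuthenticationManager(List<AuthenticationProvider> providers,
                                            PojoAuthenticator pojoAuthenticator) {
        super(providers);                       // the providers the app already configures
        this.pojoAuthenticator = pojoAuthenticator;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = super.authenticate(authentication);   // existing rules, unchanged

        // ProviderManager erases credentials on the returned token by default, so read them from
        // the original request token, which still carries what the user submitted.
        Object credentials = authentication.getCredentials();
        String credential = credentials == null ? null : credentials.toString();

        if (!pojoAuthenticator.authenticate(result.getName(), credential)) {
            // Same exception type as a plain wrong password: the caller cannot tell which check failed.
            throw new BadCredentialsException("Additional authentication check failed");
        }
        return result;
    }
}
```

Declare it as a bean in security.xml, pass it the existing provider list, and point the http element's authentication-manager-ref at it so the rest of the configuration stays as it is.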