Spring - How to implement Single Sign-On with SAML 2.0 - java

How is SSO with SAML 2.0 typically implemented for a Spring MVC application?
My application is required to implement SSO so the users can log in without creating a new account with my application.
My understanding is that, and correct me if I'm wrong, I need a Service Provider to communicate with the Identity Provider the third party uses in order to exchange the metadata. But how do I go about to achieve this process?
Also, what is required on the Spring MVC application side?
Thanks in advance :D

https://github.com/spring-projects/spring-security-saml implements the SAML SP and integrates into the web app via servlet filters. For SAMLv2 SSO overview look at http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

Related

Single sign-on for Spring MVC and Dropwizard microservice

I have two applications: Spring MVC one and Dropwizard microservice. They communicate through Kafka. I have configured simple Spring security in MVC and have no security in microservice yet.
I need to implement SSO, so when I sign in on one application, I don't need to do it again on another.
My plan is to use LDAP. Maybe you'll recommend something better?
Any advice on how to start, helpful links?
Thanks!
You should take a look at Keycloak. Users authenticate with Keycloak, which can use LDAP as a back end. Keycloak generates signed authentication tokens which the user forwards on each request. Each service can independently verify the token.

Spring Security SAML with standard java application

We have a requirement where we need to enable SAML authentication in our application for a customer that has ADFS as IDP.
After considering various options, I was able to get this working with Spring SAML security as provided in the documents.
Now the issue is to integrate the SAML security with our application.
Unfortunately, our application is still a legacy Java application using servlets and JSP and not Spring based.
I was just wondering how the two can be integrated. The document mentions that this is possible. However, I was unable to find any write-up on it.
Can someone please direct me to the relevant source that can provide guidelines for this approach?
Thanks.
Classes in package org.springframework.security.saml.websso contain the core of the SAML processing functionality and are independent of Spring Security. They do contain a few class imports from Spring, therefore Spring-core classes need to be on the classpath, but the application itself doesn't need to use Spring/Spring Security.
You will need to re-implement yourself the logic which is specific to Spring Security - package org.springframework.security.saml - e.g. SAMLEntryPoint, SAMLProcessingFilter, and call your implementation during your authentication lifecycle. The logic of these classes is simple, so enabling basic use-cases is pretty easy.
Thanks Vladimír for the guidance. This is how I integrated a standard legacy Java app with Spring Security for SAML-based authentication:
1. Modified securityContext.xml:
   - set idpDiscoveryEnabled=false
   - set forceAuthN=true to force the user to log in when the SAML token expires
   - updated defaulttargetURL in successHandler to the authhandler.jsp page, present in the Spring Security app, to redirect back to my application
2. I have a filter applied on all the web calls in my Java app. This filter redirects the call to /spring-security-saml2/saml/login.
3. Spring SAML authenticates the user with ADFS. On successful authentication, the user is redirected to authhandler.jsp.
4. authhandler.jsp is the same as index.jsp, but the retrieved claims are hidden fields here. These values in hidden fields are sent back to my standard Java application.
5. Here my Java application performs other application-level authentication and proceeds as desired.
Would appreciate any suggestions for improvisation or identification of any flaws in the above approach
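The answer above says the Spring-Security-specific glue (entry point, processing filter) has to be re-implemented in the legacy app, and the follow-up hands the claims back through hidden form fields, which the browser controls. The filter below is an added example, not code from either poster: it redirects unauthenticated requests to the Spring SAML login endpoint and accepts the hand-off only when the claims carry a fresh HMAC computed on the Spring SAML side. The parameter names ("claims", "sig"), the "handoffSecret" init-param and the claims layout are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed names throughout: a shared secret configured as filter init-param "handoffSecret",
// and hidden fields "claims" and "sig" written by authhandler.jsp on the Spring SAML side.
public class SamlHandoffFilter implements Filter {
    private static final String SAML_LOGIN_URL = "/spring-security-saml2/saml/login";
    private static final String SESSION_USER = "samlUser";
    private static final long MAX_AGE_MS = 60_000L; // hand-off must be redeemed promptly
    private byte[] secret;                          // shared with the Spring SAML web app

    @Override public void init(FilterConfig cfg) {
        secret = cfg.getInitParameter("handoffSecret").getBytes(StandardCharsets.UTF_8);
    }
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if (r.getSession().getAttribute(SESSION_USER) != null) { // already signed in
            chain.doFilter(req, res);
            return;
        }
        String claims = r.getParameter("claims"), sig = r.getParameter("sig");
        if (claims != null && sig != null && verify(claims, sig)) {
            r.getSession().setAttribute(SESSION_USER, claims); // trusted server-side from here on
            chain.doFilter(req, res);
            return;
        }
        ((HttpServletResponse) res).sendRedirect(SAML_LOGIN_URL); // let Spring SAML authenticate
    }

    // claims = "user=alice;issued=<epoch millis>", sig = Base64(HMAC-SHA256(secret, claims)).
    boolean verify(String claims, String sigB64) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal(claims.getBytes(StandardCharsets.UTF_8));
            if (!MessageDigest.isEqual(expected, Base64.getDecoder().decode(sigB64))) return false;
            long issued = Long.parseLong(claims.replaceAll(".*issued=(\\d+).*", "$1"));
            return System.currentTimeMillis() - issued < MAX_AGE_MS; // reject stale hand-offs
        } catch (Exception e) { return false; } // bad base64, missing timestamp, crypto errors
    }
}
```

The JSP on the Spring SAML side must compute the same HMAC over the claims string before writing the hidden fields; without that check the legacy app would accept any claims a user typed into the form.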

Java and SAML - where to start?

We have a custom REST web app (Java based) that uses username/password to login. Call this application 'Admin'. The users of Admin also use a couple of commercial cloud based applications, call these App1 and App2.
What I've been asked to do is investigate how we can use single sign on between Admin, App1 and App2. App1 and App2 can be configured to use SAML and I have full access to the code of the Admin application. I've done some preliminary reading and understand the principles involved.
I want to prototype some code but I'm not sure where to start! For example how should I proceed with the identity provider? What interface should it implement, is there an abstract class that should be extended? Similarly for the service provider. Given that App1 and App2 can be configured to use SAML what changes/extensions are needed on the Admin app?
Many Thanks
M
Disclaimer: I'm the creator of pac4j.
If you have Java apps and want to secure them using SAML, you should definitely take a look at pac4j which is a security engine available for many Java frameworks: J2E, Spring MVC / Boot, Play and so many more.
For SAML support: http://www.pac4j.org/1.9.x/docs/clients/saml.html
Shibboleth provides both IdP and SP (implemented with OpenSAML v3) for you to test with:
https://wiki.shibboleth.net/confluence/display/IDP30/Installation
https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
If you want to integrate SAML into your own application in Java, there are:
OpenSAML v3: https://wiki.shibboleth.net/confluence/display/OS30/Home
Spring Security SAML: http://projects.spring.io/spring-security-saml/
Spring boot Security SAML: https://github.com/vdenotaris/spring-boot-security-saml-sample

can I implement both SAML and basic spring security within an application?

I have a requirement for our application where we need to implement Spring SAML within our app to enable federated SSO for one customer. However, we need to maintain the existing login flow using spring-security for other customers.
So my question is: can we have two security mechanisms for a web application so that it will be treated as multi-tenancy?
Can I implement OAuth and SAML in the same application?
thanks in advance..
Yes, you can combine your existing password authentication with SAML. See the sample application of Spring SAML for details - it contains both of the methods combined. It is also possible to include OAuth use-cases, but I'm not aware of any guide for it.

Using Spring SAML as an IDP rather than an SP

Are you able to use Spring SAML if you are implementing as an IDP?
I have used it in the past when acting as a Service Provider, and having read the documentation it's not clear whether I can use it as an IDP.
Note - I originally asked for opinions on another question which was put on hold by users. I reworded the question as above, but it's still on hold, hence I have asked again.
There's no support for acting as an IDP in Spring SAML. Capabilities of Spring SAML are described in the manual:
"The extension enables both new and existing applications to act as a Service Provider in federations based on Web Single Sign-On and Single Logout profiles of SAML 2.0 protocol."
For implementing a SAML 2.0 IDP using open source tools, have a look at, for example, Shibboleth.
