I have a requirement for our application where we need to implement Spring SAML within our app to enable federated SSO for one customer. However, we need to maintain the existing login flow using spring-security for other customers.
So my question is: can we have two security mechanisms for a web application so that it will be treated as multi-tenancy?
Can I implement OAuth and SAML in the same application?
Thanks in advance.
Yes, you can combine your existing password authentication with SAML. See the sample application of Spring SAML for details - it contains both of the methods combined. It is also possible to include OAuth use-cases, but I'm not aware of any guide for it.
Does any of you have an example of a custom Spring Security login form using a REST API? I am actually trying to create my own, and the problems I'm facing are:
How should the classes be named, is it User and Role? Because I have seen many different versions of it.
Where should I post JSON file with login and password?
What should it look like?
Thanks in advance for all answers and examples of your code (github or something).
REST APIs are usually stateless. They do not know anything about a session. So I think you're looking for basic auth to protect your API.
Or you could use OpenID Connect and check the roles based on a token. This would give you more flexibility for pre conditions and post conditions processing a service call.
Here is a good example of OpenID Connect with Spring Boot and a Google implementation. Other providers are adaptable. Baeldung - Spring Security openid connect
If you're just looking for a simple solution with basic auth, take a look here
Baeldung - Spring Security basic auth
Yes, you can use form login and a REST API together, but that means that your REST API isn't going to be stateless: a session will be created. REST APIs are usually stateless, which is why you have to use basic auth, JWT, etc. when creating a REST API. But if you really want to use a REST API with form-based authentication, I made an example for you, check this link
This example uses Spring Boot, Spring MVC, H2, Spring Security with custom form login, and Spring Data JPA, but again it's not recommended to use form login for a REST API.
Regarding your questions:
How should the classes be named, is it User and Role? Because I have seen many different versions of it.
It's up to you
Where should I post JSON file with login and password?
If you are using Spring Security form-based authentication, there is no need to post JSON.
How is SSO with SAML 2.0 typically implemented for a Spring MVC application?
My application is required to implement SSO so the users can log in without creating a new account with my application.
My understanding is that, and correct me if I'm wrong, I need a Service Provider to communicate with the Identity Provider the third party uses in order to exchange the metadata. But how do I go about achieving this process?
Also, what is required on the Spring MVC application side?
Thanks in advance :D
https://github.com/spring-projects/spring-security-saml implements the SAML SP and integrates into the web app via servlet filters. For SAMLv2 SSO overview look at http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
We have a requirement where we need to enable SAML authentication in our application for a customer that has ADFS as IDP.
After considering various options, I was able to get this working with Spring SAML security as provided in the documents.
Now the issue is to integrate the SAML security with our application.
Unfortunately, our application is still a legacy Java application using servlets and JSP and not Spring based.
I was just wondering how the two can be integrated. The document mentions that this is possible. However, I was unable to find any write-up on it.
Can someone please direct me to the relevant source that can provide guidelines for this approach?
Thanks.
Classes in package org.springframework.security.saml.websso contain the core of SAML processing functionality and are independent of Spring Security. They do contain a few class imports from Spring, therefore Spring-core classes need to be on the classpath, but the application itself doesn't need to use Spring/SpringSecurity.
You will need to re-implement yourself logic which is specific to Spring Security - package org.springframework.security.saml - e.g. SAMLEntryPoint, SAMLProcessingFilter, and call your implementation during your authentication lifecycle. Logic of these classes is simple, so enabling basic use-cases is pretty easy.
Thanks Vladimír for the guidance. This is how I integrated a standard legacy Java app with Spring Security for SAML-based authentication:
Modified securityContext.xml
set idpDiscoveryEnabled=false
set forceAuthN=true to force the user to log in when the SAML token expires
updated defaulttargetURL in successHandler to the authhandler.jsp page, present in the Spring Security app, to redirect back to my application
I have a filter applied on all the web calls in my Java app. This filter redirects the call to /spring-security-saml2/saml/login
Spring SAML authenticates the user with ADFS. On successful authentication, the user is redirected to authhandler.jsp
Authhandler.jsp is the same as index.jsp but the retrieved claims are hidden fields here. The values in these hidden fields are sent back to my standard Java application.
Here my Java application performs other application-level authentication and proceeds as desired.
Would appreciate any suggestions for improvisation or identification of any flaws in the above approach
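The handoff described in the post above relays the claims through hidden form fields, which pass through the user's browser and can be changed there before the legacy application reads them. As an added example (not code from the post or from Spring SAML), one way to make the relayed value tamper-evident is an HMAC over the claims plus an issue time; the class, method and claim names and the shared key are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper shared by authhandler.jsp (sign) and the legacy app's
// filter (verify). All names here are assumptions made for illustration.
public class ClaimHandoff {
    private static final long MAX_AGE_MS = 60_000; // accept a token for one minute

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // SAML side: bind the claims and an issue time into one signed value.
    public static String sign(byte[] key, String claims, long nowMs) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String payload = enc.encodeToString((nowMs + "|" + claims).getBytes(StandardCharsets.UTF_8));
        return payload + "." + enc.encodeToString(hmac(key, payload));
    }

    // Legacy side: returns the claims, or null if the value was altered or is stale.
    public static String verify(byte[] key, String token, long nowMs) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        byte[] sent;
        try { sent = Base64.getUrlDecoder().decode(parts[1]); }
        catch (IllegalArgumentException e) { return null; } // MAC part is not base64url
        // Constant-time comparison of the recomputed MAC with the one received.
        if (!MessageDigest.isEqual(hmac(key, parts[0]), sent)) return null;
        String body = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        int sep = body.indexOf('|');
        long issued = Long.parseLong(body.substring(0, sep));
        if (nowMs < issued || nowMs - issued > MAX_AGE_MS) return null;
        return body.substring(sep + 1);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis();
        String token = sign(key, "upn=alice@example.com;role=user", now); // constructed claims
        String forged = sign("other-key".getBytes(StandardCharsets.UTF_8), "role=admin", now);
        System.out.println(verify(key, token, now));           // the original claims
        System.out.println(verify(key, forged, now));          // null: MAC does not match
        System.out.println(verify(key, token, now + 120_000)); // null: older than MAX_AGE_MS
    }
}
```

The key has to stay on the two server-side applications only. A value replayed inside the one-minute window still verifies, so ruling that out needs a single-use nonce tracked by the legacy application.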
We have a custom REST web app (Java based) that uses username/password to login. Call this application 'Admin'. The users of Admin also use a couple of commercial cloud based applications, call these App1 and App2.
What I've been asked to do is investigate how we can use single sign on between Admin, App1 and App2. App1 and App2 can be configured to use SAML and I have full access to the code of the Admin application. I've done some preliminary reading and understand the principles involved.
I want to prototype some code but I'm not sure where to start! For example how should I proceed with the identity provider? What interface should it implement, is there an abstract class that should be extended? Similarly for the service provider. Given that App1 and App2 can be configured to use SAML what changes/extensions are needed on the Admin app?
Many Thanks
M
Disclaimer: I'm the creator of pac4j.
If you have Java apps and want to secure them using SAML, you should definitely take a look at pac4j which is a security engine available for many Java frameworks: J2E, Spring MVC / Boot, Play and so many more.
For SAML support: http://www.pac4j.org/1.9.x/docs/clients/saml.html
Shibboleth provides both IdP and SP (implemented with OpenSAML v3) for you to test with:
https://wiki.shibboleth.net/confluence/display/IDP30/Installation
https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
If you want to integrate SAML into your own application in Java, there are:
OpenSAML v3: https://wiki.shibboleth.net/confluence/display/OS30/Home
Spring Security SAML: http://projects.spring.io/spring-security-saml/
Spring boot Security SAML: https://github.com/vdenotaris/spring-boot-security-saml-sample
Are you able to use Spring SAML if you are implementing as an IDP?
I have used it in the past when acting as a Service Provider, and having read the documentation it's not clear on whether I can use it as an IDP.
Note - I originally asked for opinions on another question which was put on hold by Users, I reworded the question as above but it's still on hold hence I have asked again.
There's no support for acting as an IDP in Spring SAML. Capabilities of Spring SAML are described in the manual:
"The extension enables both new and existing applications to act as a
Service Provider in federations based on Web Single Sign-On and Single
Logout profiles of SAML 2.0 protocol."
For implementing SAML 2.0 IDP using open source tools have a look at for example Shibboleth.