Are you able to use Spring SAML if you are implementing as an IDP?
I have used it in the past when acting as a Service Provider, and having read the documentation its not clear on whether I can use it as an IDP.
Note - I originally asked for opinions on another question which was put on hold by Users, I reworded the question as above but its still on hold hence I have asked again.
There's no support for acting as an IDP in Spring SAML. Capabilities of Spring SAML are described in the manual:
"The extension enables both new and existing applications to act as a
Service Provider in federations based on Web Single Sign-On and Single
Logout profiles of SAML 2.0 protocol."
For implementing SAML 2.0 IDP using open source tools have a look at for example Shibboleth.
Related
I'm trying to implement my own IdP on Spring boot. I followed the documentation of Spring security SAML to give me a clear idea but there are no good examples of this. The only part I found is
You can test IDP initialized single sign-on with URL https://idp.ssocircle.com:443/sso/saml2/jsp/idpSSOInit.jsp?metaAlias=/ssocircle&spEntityID=replaceWithUniqueIdentifier, after replacing the service provider identifier with the one configured as entityId in your securityContext.xml. It is possible to provide relayState data sent to your SP with parameter RelayState.
But this example bases on ssocircle is the IdP and the sample Java project is the SP. So I can't see any of the ssocircle configurations (what endpoints I need and other configs) and really can't find any good example of this. In some part I read that with the Spring security SAML dependency I can make my application act as an IdP, then I reread the full document I noticed this
This chapter provides essential information needed to enable your application to act as a service provider and interact with identity providers using SAML 2.0 protocol. Later in this guide you can find information about detailed configuration options and additional use-cases enabled by this component.
Basically, this document does not cover what I'm trying to do, and right now I don't even know if this dependency will help me to reach my goal or I will need to move to another library like Shibboleth project. Have you faced this issue before?
How is SSO with SAML 2.0 typically implemented for a Spring MVC application?
My application is required to implement SSO so the users can log in without creating a new account with my application.
My understanding is that, and correct me if I'm wrong, I need a Service Provider to communicate with the Identity Provider the third party uses in order to exchange the metadata. But how do I go about to achieve this process?
Also, what is required on the Spring MVC application side?
Thanks in advance :D
https://github.com/spring-projects/spring-security-saml implements the SAML SP and integrates into the web app via servlet filters. For SAMLv2 SSO overview look at http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
I am implementing Single Sign On in java application via ADFS.
I have only ADFS URL, and its metadata.xml.ADFS is using SAML. Access to the ADFS logs I dont have. I need to implement SSO, so I can only send requests from https? How can I achieve https on tomcat If, maybe via Azure? Maybe I can Set up this environment on Ubuntu? I used very many example and non of them are working, usually, I get response from ADFS server saying "An error ocured, contact your administrator". Is there any tutorial that is working?
Found this useful posting on SO on how to ADFS SSO-enable a Java app. Hope this helps.
Your application needs to act as a SAML SP, either directly (from your code), or indirectly (e.g. through SAML SP support on reverse proxy, application server, ...).
For direct options (which require more modifications to your application) you can:
• code the SAML SP yourself (most likely with OpenSAML, you can find examples in sources of existing products)
• use a ready-made product to integrate into your application, such as Spring SAML or OpenAM Fedlet
For indirect options (which require less modifications to your application) you can:
• use Shibboleth SAML SP plugins on your Apache reverse proxy (if you use one)
• deploy SAML SP as another application on your container (e.g. Spring SAML or OpenAM) and make it communicate with your application - so SAML SP performs authentication with ADFS and communicates this to your application e.g. through a shared cookie, or a custom token
You can find more comparison details and considerations in this thread.
ADFS 3 should have support for OAuth Authorization Server and it might well be an easier way to integrate, see here and here. Implementing authentication using OAuth is generally significantly easier than SAML, with no relevant disadvantages.
I have requirement for our application where we need to implement Spring SAML within our app to enable federated SSO for one customer. However we need to maintain existing login flow using spring-security for other customer.
So my question is can we have two security mechanism for an web application so that it will be treated as multi-tenancy.
Can i implement OAuth and SAML in same application.
thanks in advance..
Yes, you can combine your existing password authentication with SAML. See the sample application of Spring SAML for details - it contains both of the methods combined. It is also possible to include OAuth use-cases, but I'm not aware of any guide for it.
The Problem:
I want to implement a set of Webservices, protected with SAML. I need to authenticate the users, and also need to authorize based on the user role.
I found some questions similar to this one, but none with satisfactory answers.
The scenario:
Java Webapp accessed only using Webservices;
SOAP - metro;
Clients use some Desktop application that they will develop.
Key features that I need:
Free software;
SAML 2.0;
LDAP(or similar solution) to manage users information;
Message level security (SOAP).
The question:
I study some SAML (SSO) solutions (e.g. Shibboleth, opemAM, JOSSO...);
Can I use any of those, without compromise any of the key features?
Or do I need to implement my own way to handle the SAML tokens?
How to do it?
Thank you!
Here are some results that I found, and/or some tips from the answers:
Shibboleth:
http://shibboleth.1660669.n2.nabble.com/Web-Service-End-to-End-Security-td5526934.html
Shiboleth doesn't do ent-to-end, just point-to-point.
http://www.predic8.com/shibboleth-web-services-sso-en.htm
Requires a proxy module for authentication, before the SP.
OpenAM:
https://wikis.forgerock.org/confluence/display/openam/Web+Services
Doesn't present a service provider (SP). Define an architecture based on client-server, where client explicitly ask for tokens, when use web methods to authenticate.
WSO2:
http://wso2.org/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server
Doesn't provide SP, you need to implement it using OpenSAML.
Still searching, please contribute!!
I am an architect at WSO2. WSO2 produces WSO2 Identity Server supporting all the features you required. You can deploy WSO2 Identity Server over an existing LDAP user store and make it act as an SAML2 IdP. We are using this functionality of Identity Server in our Platform as a Service [PASS] offering - https://stratoslive.wso2.com for SAML2 single sign on.
This is a good starting point and you can download WSO2 Identity Server from here.
Since no one answered with a valid option. I decide to secure the services with metro SAML, and try to provide the tokens using OpenAM.
For this you could have a look at jasig CAS.
We don't use SAML yet, but it should work as described here