I'm wondering if we can have a single Spring Boot application that supports both OIDC and SAML as authentication protocols at the same time. I could not find much help on this on the internet. If this is not possible, what are my options?
I integrated both in my local Spring Boot application and built it, but it did not work. I'm not sure if I did something wrong or if this is completely unsupported. Please guide.
I am new to spring boot. I am doing an integration with spring security and SAML.
I have
IDP metadata.xml
Certificate.pem
If there are any references which reflect this requirement, please share. It would be of great help.
There are many resources available on the internet; however, the ones that really helped me implement the SSO integration using Spring Boot are
spring-saml2.0-websso-and-jwt-for-mobile-api
spring-security-saml2.0-websso-with-angular-client
My requirement is to implement SCIM 2.0 server for Spring Boot application which supports SAML for OKTA authentication.
I haven't found any library provided by Spring Boot for a SCIM server, nor does any documentation for it exist in Spring's repos.
I have found some third-party implementations like Better Cloud SCIM 2.0 or WSO2 Charon etc. But should I use those third-party implementations? Because what if their GitHub repos are messed up later, or we may not get our issues resolved?
Also, if no documentation exists for a SCIM server implementation in Spring Boot, should it just be treated like implementing other RESTful APIs?
Any help on this will be much appreciated.
I'm watching over my company's SCIM API. So far what I have seen is there's no Spring official library and you should stick to the protocol description to provide your implementation (see more here: https://www.rfc-editor.org/rfc/rfc7644).
Despite the lack of an official Spring Boot library (that would be cool, I agree!), I'm using this third-party library: https://github.com/pingidentity/scim2. It has all the resources you need to expose your endpoints for user operations, as well as filtering when getting users, which can become quite complicated to implement from scratch, as the specification provides a quite extensive query language for it.
Open source version for a lightweight SCIM spring-boot server.
https://bitbucket.org/wouter29/personify-scim-server/src
For using SAML, a custom Java authentication filter can be plugged in, because only Basic and Bearer tokens are implemented.
Don't know if SAML is even mentioned in the specs/RFC.
Storage layer can be chosen: LDAP, Mongo, Postgres or MySQL.
I want to use Spring Cloud Gateway with SAML. Is this possible?
It seems that the SAML extension for Spring Security is based on the old Spring stack and won't work with Gateway.
Has anybody got any experience on this?
I'm afraid SAML is not supported as of the time of writing. Spring Cloud Gateway has been redeveloped using reactive programming and is now based on Spring WebFlux. Only the following authentication methods are currently supported:
OAuth 2.0 or OpenID Connect 1.0
x509 authentication
This is stated on the SCG page:
Spring Cloud Gateway is built on Spring Boot 2.x, Spring WebFlux, and Project Reactor. As a consequence, many of the familiar synchronous libraries (Spring Data and Spring Security, for example) and patterns you know may not apply when you use Spring Cloud Gateway. If you are unfamiliar with these projects, we suggest you begin by reading their documentation to familiarize yourself with some of the new concepts before working with Spring Cloud Gateway.
The previous gateway spring-cloud-netflix-zuul, based on Servlets and which supported SAML, has been removed from Spring Cloud 2020.
Here is an open issue on GitHub, "SAML2 for reactive environment", where we can vote to ask for this to be implemented.
I was wondering if Spring Boot SSO implementation is based on JWT or keeps the session open in the server memory?
Thanks in advance.
The answer would depend on which Spring implementation you are referring to:
Spring Security SAML
Spring Security OAuth
I would discuss more on the latter i.e. OAuth and in that you have multiple options. You can use the in-memory token store to debug and test it out, but for production implementations, you can use different token stores. JWT and JDBC are pretty popular in my experience.
I can build REST services with spring-security-oauth2
I can build website security with spring-security
And as you know, OAuth2 has an authorization server, a resource server and a client side. But I cannot put them together. I want to know how to build an OAuth2 website that I can log in to (session) with a browser and that I can also use as secure REST services (with an access token). Any help? Thanks very much.
I'm not an expert in Spring, but the Spring Security examples link has some examples of how to implement OAuth 2.0 authorization servers and resource servers.