How to create my own IDP (identity provider) with the SAML 2.0 protocol using Java Spring? - spring-boot

Here is my situation: I am supposed to create an IDP (Identity Provider) of my own which follows the SAML 2.0 protocol and should be able to authenticate users and let them log in to any service provider (the service provider can be anything). Can anyone help me with a brief overview of the whole process? Let me tell you, I do not have any idea where to start. (I have to use Java Spring.)
Whenever a user registered with the IDP tries to sign into any service provider, the IDP should be able to authenticate and also authorize the user. Also, the IDP should be capable of storing user data in any form.

Related

Can Spring security SAML be used to configure IDPs at Runtime

I'd like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and the example Spring Boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take the IdP URL and certificates at run time and use Spring SAML to validate against that IdP? (So essentially I do not want to predefine any of the IdP-related details, and want to take input from an admin user to configure the IdP.)
Is the IdP metadata a necessary field, or is it possible that, if the IDP is not reachable directly from the SP, it can still just create a SAMLRequest to the IdP URL provided?

ASP.NET Web API 2.2 OWIN with mixed authentication JWT and SAML

We have a WebAPI that needs to service different client apps, each one using different authentication mechanisms. One web app client will authenticate using SAML and then pass a SAML based token to the WebAPI. Another one will be using an OpenID Connect token for authentication.
We need to be able to digest both types of tokens in our WebAPI, validate them and authenticate them. Could anyone shed some light on how this could possibly be achieved? Any advice would be much appreciated.
What IDP are you using?
Some IDPs, e.g. ADFS, can be configured to pass JWT tokens on a SAML connection.
SAML wasn't really meant for web API. You could e.g. authenticate using SAML / OIDC and then use the client credential flow to the web API which simply relies on a secret key. That would not have user context though.

SSO SAML in Spring - supporting dynamic Multi-Tenant settings

I am new to SAML
I currently have a Spring RESTful web server application which uses Spring Security with Basic Authentication.
Since I have multiple enterprise customers, I would like to support SAML SSO.
I am trying to find documentation and preferably examples of how to set up SAML to authenticate with different IDPs for different customers, where the SAML IDP details are read from a persistence layer (DB).
I would also like to know the strategy for supporting the right login in the web application. Would I now need to support different URLs for each customer, so I know which IDP to authenticate against?
For example, I have two customers:
Customer A - uses SAML IDP server A'
Customer B - uses SAML IDP server B'
When customer A's user gets to my site:
how would I know that I now need to authenticate against SAML IDP A'?
is it by the URL, or some URL parameter?
Once I know who he is, how do I set up Spring SAML to authenticate with IDP A' (reading that from the DB settings for that customer)? Notice I can't pre-set the IDPs in the Spring configuration, as new customers can join later with new IDPs.
Thanks

Where is the saml authentication request is getting generated in Spring Security Saml Sample

I am learning to implement SAML; so far I have downloaded a sample of Spring Security with SAML from this link https://github.com/spring-projects/spring-security-saml/tree/master/sample, and went through the reference guide and various other SAML links.
One thing which I need to ask is: as the Service Provider has to send the SAML AuthnRequest, where do we define it in the program?
I have tried to implement the sample and created dummy projects to work with OpenAM, which is working fine for SSO, but I didn't understand from where the SAML Auth Request is getting generated.
I got to know that the SP's system itself is going to generate the authentication request and send it to the IDP using the SAML 2.0 protocol. I need help with the parameters I need to pass so that I can customize my own SAML authentication request.
Any help is highly appreciated! Thanks in advance. (I know it's a stupid question to ask, but I couldn't help it, as I am failing to get any idea.)
The authentication request is performed according to the authentication provider selected and the configuration of your filter chain. Some details of those aspects are transparent while using a high-level framework like Spring.
Spring SAML is based on the OpenSAML library, providing a set of facilities in order to easily handle the whole AuthN process for Spring applications.
Indeed, to properly complete this process, you need to set up your application endpoint (entityID), the certificates to verify the parties' identity, secure your application paths, configure the binding protocols, and establish a trust relationship between an IdP and your application by exchanging some metadata.
For instance, consider the following code stub, taken from vdenotaris/spring-boot-security-saml-sample:
    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator metadataGenerator = new MetadataGenerator();
        // entityID the SP advertises in its metadata and uses as Issuer in its requests
        metadataGenerator.setEntityId("com:vdenotaris:spring:sp");
        metadataGenerator.setExtendedMetadata(extendedMetadata());
        metadataGenerator.setIncludeDiscoveryExtension(false);
        // key manager supplying the signing/encryption keys published in the metadata
        metadataGenerator.setKeyManager(keyManager());
        return metadataGenerator;
    }
You can check my custom parameters for the metadata generation, customizing my application settings for SAML-based SSO.
The AuthN request is typically performed by redirecting the user to a third-party resource (i.e. a website), where they provide the credentials. After the verification, the IdP sends a SAML envelope to the requester application (Service Provider), containing user information.
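To make the answer's point concrete, here is an added example (my own illustration, not code from the original answer; the linked sample defines beans of the same two types, but the values below are not taken from it) showing where the parameters of the outgoing AuthnRequest are set in Spring SAML. The particular option values are assumptions chosen to show what can be customized.

```java
import java.util.Arrays;

import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.NameIDType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

/**
 * The AuthnRequest itself is built by Spring SAML's WebSSOProfile when SAMLEntryPoint
 * fires; everything the SP can influence about it is carried in WebSSOProfileOptions.
 * Added example; the option values are assumptions for illustration.
 */
@Configuration
public class AuthnRequestConfig {

    @Bean
    public WebSSOProfileOptions defaultWebSSOProfileOptions() {
        WebSSOProfileOptions options = new WebSSOProfileOptions();
        // Binding used to deliver the AuthnRequest to the IdP's SingleSignOnService endpoint.
        options.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        // ForceAuthn="true": the IdP must re-authenticate even if it already holds a session
        // for this user. Appropriate for sensitive SPs, at the cost of more login prompts.
        options.setForceAuthN(true);
        // IsPassive="false": we are prepared to have the user shown an IdP login page.
        options.setPassive(false);
        // NameIDPolicy: request an e-mail formatted identifier, and do not let the IdP
        // create a new federated identifier for subjects it has not seen before.
        options.setNameID(NameIDType.EMAIL);
        options.setAllowCreate(false);
        // RequestedAuthnContext: at least password over a protected transport.
        options.setAuthnContexts(Arrays.asList(AuthnContext.PPT_AUTHN_CTX));
        options.setAuthnContextComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
        // Omit the Scoping element; a number of IdPs reject requests that carry it.
        options.setIncludeScoping(false);
        return options;
    }

    @Bean
    public SAMLEntryPoint samlEntryPoint() {
        SAMLEntryPoint entryPoint = new SAMLEntryPoint();
        // These options are applied whenever an unauthenticated user hits a protected URL
        // (or the SP's login endpoint) and the entry point starts SP-initiated SSO.
        entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
        return entryPoint;
    }
}
```

The entry point takes effect once it is registered in the security configuration, for example through `http.exceptionHandling().authenticationEntryPoint(samlEntryPoint())`; for per-request values (a different IdP per tenant, say), `SAMLEntryPoint.getProfileOptions` can be overridden in a subclass. Note that these settings are only requests to the IdP: an IdP may ignore the NameIDPolicy or the requested authentication context, so the SP should check the NameID format and AuthnContextClassRef that actually come back in the assertion rather than assume it got what it asked for.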

How to create the SAMLAuthenticationToken and send it to the SAML authentication provider

I've configured the SAML extension in my application, and I want to authenticate a user. The flow that I implemented is the following:
Getting the user credentials (username and password) from a REST service.
Configuring the application to use SAMLAuthenticationProvider.
Building a SAMLAuthenticationToken object to be sent to the SAMLAuthenticationProvider.
Building the SAMLMessageContext which will be injected into the SAMLAuthenticationToken.
But I've not been able to build the SAMLMessageContext object, which I guess will wrap the user credentials (among other data) that I got from the REST service.
Does anybody know how to build this object, or whether the flow is correct?
Thanks.
You do not provide credentials to your SP when using SAML authentication. Credentials are only presented to the IDP during authentication. So the flow is incorrect.
Good starting points to learn more are the SAML 2.0 wiki page, the SAML 2.0 standard itself and the Spring SAML manual. This issue has also been discussed a couple of times here on Stack Overflow, so you can find more in old questions.
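The answer's point that the SP never sees credentials has a practical consequence: the SP's only job after Spring SAML has validated the IdP's Response is to map the asserted subject onto a local account. The following is an added example (not code from the answer or from Spring SAML's own sources) of the hook Spring SAML provides for that step, `SAMLUserDetailsService`; the accounts table is constructed sample data and the IdP entityID is a placeholder.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.opensaml.saml2.core.NameID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Service;

/** Maps the subject asserted by a trusted IdP onto a locally provisioned account (added example). */
@Service
public class AssertionUserDetailsService implements SAMLUserDetailsService {

    // Constructed sample data standing in for a real user store:
    // IdP entityID (placeholder value) -> NameID value -> granted roles.
    private static final Map<String, Map<String, List<String>>> ACCOUNTS = new HashMap<>();
    static {
        Map<String, List<String>> exampleIdp = new HashMap<>();
        exampleIdp.put("alice@example.test", Arrays.asList("ROLE_USER"));
        exampleIdp.put("bob@example.test", Arrays.asList("ROLE_USER", "ROLE_ADMIN"));
        ACCOUNTS.put("https://idp.example.test/metadata", Collections.unmodifiableMap(exampleIdp));
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // SAMLAuthenticationProvider has already run the Response and Assertion through the
        // WebSSOProfileConsumer (signature, issuer, audience, recipient, validity window)
        // before calling this; what remains is deciding whether the asserted subject is ours.
        String issuer = credential.getRemoteEntityID();
        NameID nameId = credential.getNameID();
        if (nameId == null || nameId.getValue() == null) {
            throw new UsernameNotFoundException("Assertion from " + issuer + " carries no NameID");
        }
        String subject = nameId.getValue();

        // Scope the lookup by issuer: the same NameID value from a different IdP is a
        // different principal, otherwise one tenant's IdP could assert another tenant's users.
        Map<String, List<String>> issuerAccounts = ACCOUNTS.get(issuer);
        if (issuerAccounts == null) {
            throw new UsernameNotFoundException("No accounts are bound to IdP " + issuer);
        }
        List<String> roles = issuerAccounts.get(subject);
        if (roles == null) {
            throw new UsernameNotFoundException("Subject " + subject + " is not provisioned for " + issuer);
        }
        List<GrantedAuthority> authorities = roles.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        // The SP never holds a password for a SAML user, so the credential field stays empty.
        return new User(subject, "", authorities);
    }
}

/** Wires the service into the provider so the returned User becomes the principal. */
@Configuration
class SamlProviderConfig {

    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider(AssertionUserDetailsService users) {
        SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider();
        provider.setUserDetails(users);
        // Keep the UserDetails object (not just its name) as the Authentication principal.
        provider.setForcePrincipalAsString(false);
        return provider;
    }
}
```

Throwing `UsernameNotFoundException` for an unknown issuer or subject makes the login fail closed: a valid assertion from a trusted IdP about a subject the SP has not provisioned is rejected rather than turned into a fresh account. Keying the lookup on the remote entityID is what keeps the multi-tenant setup described in the earlier question safe, since each customer's IdP can only vouch for that customer's users.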
