Multiple IDP's for spring boot SAML Authentication - spring-boot

Looking for Spring boot SAML integration (OKTA, any other IDP), able to do it single OKTA IDP. Now need to do it with multiple IDP's. It is like some one can login from OKTA or by using any SAML based IDP. IS there a way by which this can be achieved. Any suggestion would be great.

As you mentioned that you already did the SAML SSO integration with OKTA (IDP Provider), extending your application to support multiple Idp's won't be an issue. Exchange your metadata files with other IDP. Your existing SP metadata could be used on other IDP. The change you need to do on the application side to configured & load those IDPs metadata files.
You can follows this link for more details.
spring-security-saml-reference

Related

Is there a Spring boot SAML client for integrating SAML with spring boot application?

I am developing a spring boot application that integrates with multiple Idp's. I have checked many examples over the internet on integrating Spring application with SAML, all of them show how to integrate with IDP's via application properties.
In the case of OAuth 2.0, we had Clients provided by MSAL libraries, we integrated as below.
ConfidentialClientApplication
.builder(decryptCredential(adClientId), clientSecret)
.authority(authorityURL).build();
clientApplication.getAuthorizationRequestUrl(parameters).toString();
clientApplication.acquireToken(authorizationCodeParameters);
Is there a similar way in Spring boot, to have a Client call to ADFS SAMLIDP and get the user authenticated?
Based on the request, fetch IDP details from Database and invoke a call to the appropriate IDP to get the user authenticated.
thanks in advance.
I explored coveooss library, which has clients and it is easiest one to invoke ADFS to fetch SAML assertions. Here is the link for COVEOOSS git link

Openid-connect or SAML 2.0

Our current Application
Backend is in Spring Boot 2(RestAPI's) and Angular in the front-end.
Once Authentication is done it currently uses JWT(Bearer) to perform create, update, and delete resources via passing Authorization headers for RestAPI's. For reading operations, it can be accessed by all without any authorization.
Now, due to the increase in applications, we are moving to IDP with KEYCLOAK
I wanted to know which type of SSO to be used for the given case.
SAML 2.0
If implemented, after SSO with SAML how do I create/Update/Delete response for my REST endpoint? as I see SAML provides assertion and I require a bearer token to create the resource.
How to use assertion to create/Update/Delete response for my REST endpoint?
I tried to implement this using the Spring-Saml extension. But, I was not able to achieve the above objective.
OIDC-OAuth
If implemented, how do I filter read-only endpoints to all that is certain URL's to be available without an authorization?
Keycloak default implementation is out-of-the-box for OIDC.
I’ve implemented this in oidc using Keycloaks adapter for spring rest .
Thanks!!
SAML 2.0 is an older XML based protocol whereas Open Id Connect is JSON based and browser / mobile friendly. In any modern architecture use OIDC. See also this summary.
It is still possible to integrate SAML identity providers into an OIDC architecture by using federation features of the authorization server. However, your actual application code should know nothing about SAML - it should just work with OAuth 2.0 tokens after sign in.
If possible I would avoid SAML completely.

Can Spring security SAML be used to configure IDPs at Runtime

I'ld like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and example of spring boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take Idp Url and certificates at run time and use spring saml to validate against that Idp? (So essentially I do not want to predefine any of the Idp related details and take an input from admin user to configure Idp)
Is metadata of Idp a necessary field or Is it possible that if IDP is not reachable directly from the SP then also it can just create a SAMLRequest to the Idp Url provided?

SSO SAML in Spring - supporting dynamic Multi-Tenant settings

I am new to SAML
I currently have a Spring Restful web server application which use spring security with Basic Authentication.
Since I have multiple enterprise customers i would like to support SAML SSO.
Trying to find documentation and preferably examples of how to set up SAML to authenticate with different IDPs for different customers, where the SAML IDP details are read from a persistence layer (DB).
Also would like to know the strategy for supporting the right login in the web application. Would i need now to support different URLs for each customer, so i know against which IDP to authenticate against?
For example I have two customers
Customer A - uses SAML IDP server A'
Customer B - uses SAML IDP server B'
When customer A's user gets to my site:
how would i know that now i need to authenticated against SAML IDP A'?
is it by the url, or some url parameter?
Once i know who he is, how do i setup spring saml to authenticate with IDP A' (read that from the DB settings for that customer). Notice i cant pre-set the IDPs in the spring configuration, as new customers can join later with new IDP.
thanks

spring cloud oauth sso without authorize step

I have a spring cloud oauth #EnableAuthorizationServer that uses a jpa backend to store the accounts. I also have a couple of different clients, a website, an intranet and a ionic mobile app.
all the clients have separate client credentials inline in the oauth config block.
i have then tried to use the spring cloud sso to not have to login again.
my problem is that I want to remove the authorize step since all my clients are known to me and i simply want the user to be logged in across all my apps.
is this possible with spring cloud sso?
The authorization happens on the authorization server (so nothing to do with Spring Cloud). A UserApprovalHandler would do what you need, but the default one should work if you just set autoapprove=true (or a pattern matching te scopes you want to auto approve) in the client details. (Assuming your auth server is Spring OAuth.)

Resources