I'ld like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and example of spring boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take Idp Url and certificates at run time and use spring saml to validate against that Idp? (So essentially I do not want to predefine any of the Idp related details and take an input from admin user to configure Idp)
Is metadata of Idp a necessary field or Is it possible that if IDP is not reachable directly from the SP then also it can just create a SAMLRequest to the Idp Url provided?
Related
Looking for Spring boot SAML integration (OKTA, any other IDP), able to do it single OKTA IDP. Now need to do it with multiple IDP's. It is like some one can login from OKTA or by using any SAML based IDP. IS there a way by which this can be achieved. Any suggestion would be great.
As you mentioned that you already did the SAML SSO integration with OKTA (IDP Provider), extending your application to support multiple Idp's won't be an issue. Exchange your metadata files with other IDP. Your existing SP metadata could be used on other IDP. The change you need to do on the application side to configured & load those IDPs metadata files.
You can follows this link for more details.
spring-security-saml-reference
Our current Application
Backend is in Spring Boot 2(RestAPI's) and Angular in the front-end.
Once Authentication is done it currently uses JWT(Bearer) to perform create, update, and delete resources via passing Authorization headers for RestAPI's. For reading operations, it can be accessed by all without any authorization.
Now, due to the increase in applications, we are moving to IDP with KEYCLOAK
I wanted to know which type of SSO to be used for the given case.
SAML 2.0
If implemented, after SSO with SAML how do I create/Update/Delete response for my REST endpoint? as I see SAML provides assertion and I require a bearer token to create the resource.
How to use assertion to create/Update/Delete response for my REST endpoint?
I tried to implement this using the Spring-Saml extension. But, I was not able to achieve the above objective.
OIDC-OAuth
If implemented, how do I filter read-only endpoints to all that is certain URL's to be available without an authorization?
Keycloak default implementation is out-of-the-box for OIDC.
I’ve implemented this in oidc using Keycloaks adapter for spring rest .
Thanks!!
SAML 2.0 is an older XML based protocol whereas Open Id Connect is JSON based and browser / mobile friendly. In any modern architecture use OIDC. See also this summary.
It is still possible to integrate SAML identity providers into an OIDC architecture by using federation features of the authorization server. However, your actual application code should know nothing about SAML - it should just work with OAuth 2.0 tokens after sign in.
If possible I would avoid SAML completely.
We are currently developing an application for a customer. The project has the restriction that we shall deliver only deployable WAR files. The customer provides the infrastructure and doesn't allow much deviation from it.
The application is developped with Spring Boot, Spring Security and SAML. The current version is a single monolithic WAR file.
At the moment, we are in the process of splitting this monolithic application in separate applications because of multiple reasons (maintainability, deployment, code quality, ...). Unfortunately we do not know yet how to implement authorization with these given restrictions:
Infrastructure constraints:
Applications will be deployed on JBoss EAP 7.0
A custom Identity Provider is provided by the customer
Communication with IdP has to be implemented with SAML 2.0
The custom IdP has the following restrictions:
Authentication is done through a proxy, which means only authenticated users arrive at the application
Only one SP metadata file can be provided, because it is linked to the user database. We want to share the same user database for all applications.
The SP metadata file can only provide one AssertionConsumerService-Location
The AssertionConsumerService-Location is statically defined in the metadata file and cannot be overriden in an AuthnRequest
Problem description:
Each application has to authorize itself with the IdP to receive roles and assertions. With the current (monolithic) deployment this is no problem as we require only a single AssertionConsumerService. With the new architecture, each application is able to redirect to the IdP, but the IdP can only redirect to the statically configured ACS. How can each application receive the AuthnResponse, when only a single ACS is possible?
Any ideas?
From SAML-standards point of view this could be achieved with an SAML IdP Proxy. Your apps, acting as the ServiceProviders only communicate with the IdP part of the IdP Proxy. The actual IdP only communiates with the SP apart of the IdP Proxy (so there is only a single ACS url).
I am new to SAML
I currently have a Spring Restful web server application which use spring security with Basic Authentication.
Since I have multiple enterprise customers i would like to support SAML SSO.
Trying to find documentation and preferably examples of how to set up SAML to authenticate with different IDPs for different customers, where the SAML IDP details are read from a persistence layer (DB).
Also would like to know the strategy for supporting the right login in the web application. Would i need now to support different URLs for each customer, so i know against which IDP to authenticate against?
For example I have two customers
Customer A - uses SAML IDP server A'
Customer B - uses SAML IDP server B'
When customer A's user gets to my site:
how would i know that now i need to authenticated against SAML IDP A'?
is it by the url, or some url parameter?
Once i know who he is, how do i setup spring saml to authenticate with IDP A' (read that from the DB settings for that customer). Notice i cant pre-set the IDPs in the spring configuration, as new customers can join later with new IDP.
thanks
I am learning to implement Saml, so far i have downloaded a sample of spring security with saml from this link https://github.com/spring-projects/spring-security-saml/tree/master/sample , went through the reference guide and various other SAML links.
One thing which i need to ask is, as the Service Provider has to send the Saml AuthRequest where do we define it in the program.
I have tried to implement the sample and created dummy projects to work it with OpenAM, which is working fine for SSO, but I didn't understand from where the Saml Auth Request is getting generated.
I got to know that the SP's system itself is going to generate authentication request and send it to IDP using SAML 2.0 protocol. I need help about the parameters i need to pass so that i can customize my own saml authentication request
Any Help is Highly Appreciated!. Thanks in Advance. (I know its a stupid question to ask, but couldn't help it as I am failing to get any idea.)
The authentication request is performed according to the authentication provider selected and the configuration of your filter chain. Some details of those aspects are transparent while using an high-level framework like Spring.
Spring SAML is based on the OpenSAML library, providing a set of facilities in order to easily handle the whole AuthN process for Spring applications.
Indeed, to properly complete this process, you need to setup your application endpoint (entityID), the certificates to verify the parties' identity, secure your application paths, configure the binding protocols, establish a trust relationship between an IdP and your application exchanging some metadata.
For instance, consider the code stub as follows, taken from vdenotaris/spring-boot-security-saml-sample:
#Bean
public MetadataGenerator metadataGenerator() {
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setEntityId("com:vdenotaris:spring:sp");
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
metadataGenerator.setKeyManager(keyManager());
return metadataGenerator;
}
You can check my custom parameters for the metadata generation, customizing my application settings for the SAML-based SSO.
The AuthN request is typically performed by redirecting the user on a third-party resource (i.e. a website), where provide the credentials. After the verification, the IdP sends a SAML envelope to the requester application (Service Provider), containing user information.