How to handle IDP metadata change dynamically without tomcat restart - spring-saml

I am using Spring SAML SSO extension for integrating with ADFS.
Currently, I have configured IDP metadata as org.opensaml.util.resource.ClasspathResource. We are noticing changes in IDP metadata(Certificates) which is causing authentication failures.
How can I fetch IDP metadata dynamically without restarting tomcat? Would org.opensaml.saml2.metadata.provider.HTTPMetadataProvider help in this scenario?

Related

Multiple IDP's for spring boot SAML Authentication

Looking for Spring boot SAML integration (OKTA, any other IDP), able to do it single OKTA IDP. Now need to do it with multiple IDP's. It is like some one can login from OKTA or by using any SAML based IDP. IS there a way by which this can be achieved. Any suggestion would be great.
As you mentioned that you already did the SAML SSO integration with OKTA (IDP Provider), extending your application to support multiple Idp's won't be an issue. Exchange your metadata files with other IDP. Your existing SP metadata could be used on other IDP. The change you need to do on the application side to configured & load those IDPs metadata files.
You can follows this link for more details.
spring-security-saml-reference

Spring SAML: alternative ways to generate SP metadata besides using /saml/metadata endpoint

Background: my web-app is running in PROD, and real users are using it. The initial authentication was implemented using Spring Basic Security.
Recently, client decided to use SSO for authentication, so my app should act as SP with client IdP. I used Spring SAML to configure my app as SP.
Integration with client IdP on QA environment involved next steps:
Get and store IdP metadata file received from customer.
Deploy code with SP configuration on the environment.
Generate SP metadata file using /saml/metadata endpoint and share it with customer.
Get a green light from customer IdP side that SP metadata file in a right place.
Verify that SSO is working successfully.
Now, It's time to deploy SP SSO configuration on PROD environment and integrate it with client PROD IdP.
I don't like to use the approach above for PROD, as real users will not be able to login into the app until app SP metadata file will be generated, and put in a right place at customer IdP.
Can anyone tell me how can I generate SP metadata file for my app in advance, before deploying SSO configuration on PROD?
(1) Quote "Recently, client decided to use SSO for authentication, so my app should act as SP with client IdP. I used Spring SAML to configure my app as SP."
Response:
I suppose that you use Spring SAML provided by the official GitHub repository of Spring Security SAML to "configure your app as SP".
(2) Quote "Integration with client IdP on QA environment involved next steps:.."
Response:
The five (5) steps (provided by your post) regarding integration of your web app as SP with client IdP are the practical SAML standard for "deploying SP SSO configuration on PROD environment and integrate it with client PROD IdP."
I have shared hands-on experience on integration of web app as SAML SP with SAML IdP by providing my answer to another recent Stackoverflow question "I have provided an instruction to address another Stackoverflow How can I generate metadata file of my Java Spring Application to establish a connection with Identity Provider like Ping Federate?"
(3) Quote "I don't like to use the approach above for PROD, as real users will not be able to login into the app until app SP metadata file will be generated, and put in a right place at customer IdP."
Response:
If you "don't like to use the approach above for PROD", you can modify the source code of "spring-security-saml/samples/boot/simple-service-provider/" (provided by the official GitHub repository of Spring Security SAML) to configure your web app as SAML SP.
(4) Question "Can anyone tell me how can I generate SP metadata file for my app in advance, before deploying SSO configuration on PROD?"
Answer:
(I) The README on "How to run a simple sample of an Identity Provider (IDP) and Service Provider (SP)" (provided by the official GitHub repository of Spring Security SAML) will guide you "how can I generate SP metadata file for my app in advance, before deploying SSO configuration on PROD".
(II) I highlight the related information on "how to generate SAML SP metadata file of Spring Basic Security for my web app in advance, before deploying SSO configuration on PROD" (Quote your question).
Step 2 - Start the Service Provider
Service Provider runs on http://localhost:8080/sample-sp
$git clone https://github.com/spring-projects/spring-security-saml
$cd spring-security-saml
$./gradlew :spring-security-saml-samples/boot/simple-service-provider:bootRun &
(II.a) Launch a web browser to access the URL http://localhost:8080/sample-sp
to ensure that Spring Security SAML Service Provider runs well.
(II.b) Launch a web browser to access the SP metadata endpoint
http://localhost:8080/sample-sp/saml/sp/metadata
to download or "generate SP metadata file for my app in advance, before deploying SSO configuration on PROD" (Quote your question).
(5) Question "Spring SAML: alternative ways to generate SP metadata besides using /saml/metadata endpoint"
Answer:
you can modify the source code of "spring-security-saml/samples/boot/simple-service-provider/src/main/java/sample/config/SecurityConfiguration.java" (provided by the official GitHub repository of Spring Security SAML) to "generate SP metadata besides using /saml/sp/metadata endpoint".
For example, if you want to generate SP metadata from a specific endpoint such as /example/metadata, then you just need to replace
"super("/saml/sp/", beanConfig);"
(in the source code shown below) with
"super("/example/", beanConfig);"
public SamlSecurity(BeanConfig beanConfig, #Qualifier("appConfig") AppConfig appConfig) {
super("/saml/sp/", beanConfig);
this.appConfig = appConfig;
}
As long as you know the URIs of the endpoints and the signature certificate you can generate them manually and specify it in the configuration.

Can Spring security SAML be used to configure IDPs at Runtime

I'ld like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and example of spring boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take Idp Url and certificates at run time and use spring saml to validate against that Idp? (So essentially I do not want to predefine any of the Idp related details and take an input from admin user to configure Idp)
Is metadata of Idp a necessary field or Is it possible that if IDP is not reachable directly from the SP then also it can just create a SAMLRequest to the Idp Url provided?

Spring-Security + SAML: authorize multiple applications acting as a single service provider

We are currently developing an application for a customer. The project has the restriction that we shall deliver only deployable WAR files. The customer provides the infrastructure and doesn't allow much deviation from it.
The application is developped with Spring Boot, Spring Security and SAML. The current version is a single monolithic WAR file.
At the moment, we are in the process of splitting this monolithic application in separate applications because of multiple reasons (maintainability, deployment, code quality, ...). Unfortunately we do not know yet how to implement authorization with these given restrictions:
Infrastructure constraints:
Applications will be deployed on JBoss EAP 7.0
A custom Identity Provider is provided by the customer
Communication with IdP has to be implemented with SAML 2.0
The custom IdP has the following restrictions:
Authentication is done through a proxy, which means only authenticated users arrive at the application
Only one SP metadata file can be provided, because it is linked to the user database. We want to share the same user database for all applications.
The SP metadata file can only provide one AssertionConsumerService-Location
The AssertionConsumerService-Location is statically defined in the metadata file and cannot be overriden in an AuthnRequest
Problem description:
Each application has to authorize itself with the IdP to receive roles and assertions. With the current (monolithic) deployment this is no problem as we require only a single AssertionConsumerService. With the new architecture, each application is able to redirect to the IdP, but the IdP can only redirect to the statically configured ACS. How can each application receive the AuthnResponse, when only a single ACS is possible?
Any ideas?
From SAML-standards point of view this could be achieved with an SAML IdP Proxy. Your apps, acting as the ServiceProviders only communicate with the IdP part of the IdP Proxy. The actual IdP only communiates with the SP apart of the IdP Proxy (so there is only a single ACS url).

how to enable distributed session for spring saml project

I am using spring saml to provide authentication service to the user. But I have met an issue.
We need to deploy spring saml to kubenete for cluster management purpose. Unfortunately, spring saml is not using distributed session solution, instead of that, it requires the saml response to land at the same originating server. Spring saml said we need to use sticky session to let saml server send user back to the originating server.
But once we deploy into kubernete, this is very difficult to implement. Kubenete will send user to any pod randomly, also we do not want to use nginx plus for this purpose.
So I thought if we can use distributed session, this will resolve the whole problem. Can anyone tell me how I can use distributed session solution, such as redis, mongo etc with spring saml project?
Thanks
Using distributed HttpSessions, e.g. with Hazelcast and Spring Session will work as well as using sticky sessions.
This will be transparent for Spring SAML, as the replication will be provided automatiacally behind the scenes, so there's no need for changes there.

Resources