I am trying to use sample application for inhouse adfs now, the difference is SSOCircle idp url is not http secured, whereas the adfs url I am configuring is https secured.
I have explained my approach here
Spring saml sample application with https idp url throws exception: No IDP was configured, please update included metadata with at least one IDP
Could you please look into the same and explain me the steps to make https url working?
Thanks
One thing you need to do is add the ssl certificate to your saml keystore.
You can get this ssl certificate a couple of ways. One way is to view the idP logon form in your browser, then export the certificate using browser functionality.
Spring also provide a utility program for extracting the ssl certificate. Check out this link...
http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#configuration-key-management-ssl-keys
Related
I have a legacy desktop application that communicates with a Spring Boot server (latest version 2.2.2.RELEASE). I'm using OAuth2 for authentication (provided by spring-boot-starter-oauth2-client). I want to avoid changing the client because is a legacy application. It is capable of collecting the credentials and start the session via HTTP Basic Authentication, and then keep the cookies for the session in the following requests.
Given this scenario, I think best option is to make use the OAuth2 Resource Owner Password Credentials grant. With this, we can exchange the collected credentials by the OAuth2 Tokens. We have two options:
Option 1:
Modify the client application to use the access tokens via the Authorization header. This will require to make an initial call to the Authorization Provider to exchange the collected credentials by the tokens.
Option 2:
Keep using the Spring session and store the information about the OAuth client in the server.
I found this project ALMOST does that: https://github.com/jgrandja/spring-security-oauth-5-2-migrate. It has a client (messaging-client-password) defined with authorization-grant-type: password which will activate the OAuth2 Resource Owner Password Credentials grant in Spring Boot.
It creates an OAuth2 client and stores its information in the session, then Spring is able to use that client in further requests. The problem with this project is it seems to only work as when the OAuth client is used to make HTTP requests (e. g. an endpoint that makes a call to another service) and not provide authentication to the controller. You can find more information about this in here:
Spring Security 5.2 Password Flow
Github related issues: link1, link2, link3
Exception thrown when we try to use the password client as authentication
The natural idea to overcome this is to implement a proxy and use the OAuth2 client in the requests. Well, Spring already offers a proxy solution, the Spring Cloud Gateway. But I don't know to accomplish that with this setup.
Any insights? Am I thinking correctly or should I follow a different approach?
I am trying to integrate saml with java spring boot application. I integerated it with okta, and works fine. But when i change the config to point to actual adfs(not Okta), i get this error on adfs "MSIS0037: No signature verification certificate found for issuer 'https://xxx.mydomain.com/saml/metadata'.
I checked my SAML auth request using SAML tracer and in that issuer is https://xxx.mydomain.com/saml/metadata, but i guess it should be https://xxx.mydomain.com and i am guessing that is why i get this error. I have installed an internally generated certificate on the server, and put the public key in the metadata i have provided to the adfs team which they have inserted successfully. Can anyone guide me to how to change issuer in my saml request?
You can change the issuer in the SAML request: <saml:Issuer> https://xxx.mydomain.com</saml:Issuer>
This guide has some good samples for doing this with ADFS and spring boot: https://myshittycode.com/2016/02/18/spring-security-saml-configuring-binding-for-sending-saml-messages-to-idp/
I'ld like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and example of spring boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take Idp Url and certificates at run time and use spring saml to validate against that Idp? (So essentially I do not want to predefine any of the Idp related details and take an input from admin user to configure Idp)
Is metadata of Idp a necessary field or Is it possible that if IDP is not reachable directly from the SP then also it can just create a SAMLRequest to the Idp Url provided?
Can anybody provide me with a code sample to access rest service url secured with https using spring rest template.
I have the certificate(.pfx format) password and send cient side certificate to server. server side is used on the client side certificate and established the connection
I want to create a springboot application that work as 2 way SSL between client and server.
Thanks.
I created a sample Spring Boot application that demonstrates how to create a RestTemplate that is configured for SSL client authentication. The sample application acts as the server as well which requires SSL mutual authentication (to demonstrate usage via the test case). In practice, the RestTemplate bean would interact with an external service. Hope this helps.
https://github.com/steve-oakey/spring-boot-sample-clientauth
I should note that the most important part of the example is creating the SSLContext. There are plenty of ways to create the SSLContext, I chose a method that uses the SSLContextBuilder from the org.apache.httpcomponents:httpclient library. Other methods such as using the Java API directly, or setting the javax.net.ssl.* JVM properties would also work.
I've implemented SSO using Spring SAML and everything is working fine for an interaction with idp.ssocircle.com.
Now I am trying to use another identity provider. I have downloaded the metadata of the IdP and have linked it in my spring XML config. I have also uploaded the metadata of the service provider to the iDP and have linked it in the spring XML config.
I am redirected to the login page of my IdP and can successful enter my credentials. But an error like that appears "Signature did not validate against the credential's key".
There is another stackoverflow post which describes a similiar problem, see "HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid" with Salesforce as IdP for implementating SSO
But I have problems to follow the solution, because my SAML response captured by Fiddler does not contain an element like "X509Certificate".
Edit(!):But I have to say that the metadata of my identity provider contains a element like "ds:X509Certificate" in "ds:keyInfo" with some content. But there also another empty "ds:keyInfo"-Element with an empty "ds:X509Data"-Element.
Is there something wrong with the configuration of the identity provider?
Can anybody tell my what is happening here?
Complete log file: https://drive.google.com/file/d/0B3RlRCEjz-cvZGQ5aldzaUc0blE/edit?usp=sharing
Thanks in advance,
Andi
It seems that the Response message is signed using a different certificate than what is included in the IdP metadata. You should ask your IdP to tell you what certificates they use for their signatures and add them to their metadata file. Based on what you say it could also be that the metadata file is simply incomplete or corrupted.
The other option is to add the certificate they provide you to the samlKeystore.jks (and remember the alias). Then define the alias as signingKey on the ExtendedMetadata of your IdP's metadata definition in Spring configuration. You can find details on using the ExtendedMetadata in the Spring SAML manual.
The fact that the key is not included in the Response message is not wrong, Spring SAML knows which keys to use from the metadata and ExtendedMetadata configuration.