I am currently looking to use Spring Security SAML to replace an OpenSSO SP. I had seen that you have AuthnRequest, but I could not see the ManageNameIDResponse anywhere. This is where the IDP would send the SP a ManageNameIDRequest with the NameID and Terminate, and then the SP would have to send back a ManageNameIDResponse with a success message in it. I attached a sample of the request from the IDP and the response from the SP for this case.
If it is not supported, am I able to use OpenSAML to complete this use case?
Example of ManageNameIDRequest:
    http://edpapc111.abc.com:8102/catssoidp
    LvxIz/KrJUrABu9Y7/GajWS5NkJQ
Example of ManageNameIDResponse:
    https://applications.company.com:443/catssowlbx/user
    Request is done successfully
The ManageNameID protocol is not supported by Spring SAML. But it wouldn't be hard to add it, or implement it stand-alone with OpenSAML.
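As an added illustration of the stand-alone route the answer mentions (this is not code from the Spring SAML project), here is an SP-side handler that answers an IdP's ManageNameIDRequest carrying Terminate with a ManageNameIDResponse whose Status is Success, built with the OpenSAML 3.x API. Assumptions: OpenSAML 3.x with InitializationService already run, the request already received over the binding and signature-verified by the caller, and a hypothetical FederationStore that the SP keeps to track federated NameIDs. Requests that are not Terminate, or that name an unknown principal, get a Requester status with a nested second-level code instead of a blanket Success.

```java
import java.util.UUID;
import javax.xml.namespace.QName;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilder;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.ManageNameIDRequest;
import org.opensaml.saml.saml2.core.ManageNameIDResponse;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.StatusMessage;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;

// Added example, not Spring SAML's own code. Assumes OpenSAML 3.x (Joda DateTime, StatusMessage.setMessage).
public final class ManageNameIdTerminateHandler {

    /** Hypothetical SP-side store of IdP/SP name identifier federations. */
    public interface FederationStore {
        /** Remove the federation for this NameID; false if none existed. */
        boolean removeFederation(String nameIdValue);
    }

    private final String spEntityId;   // this SP's entityID, emitted as <Issuer>

    public ManageNameIdTerminateHandler(String spEntityId) {
        this.spEntityId = spEntityId;
    }

    /** Precondition: the caller has already verified the request signature. */
    public ManageNameIDResponse handle(ManageNameIDRequest request, FederationStore store) {
        if (request.getTerminate() == null) {
            // Only termination is implemented here; NewID/NewEncryptedID would need their own logic.
            return buildResponse(request, StatusCode.REQUESTER, StatusCode.REQUEST_UNSUPPORTED,
                    "Only Terminate is supported");
        }
        if (request.getNameID() == null || !store.removeFederation(request.getNameID().getValue())) {
            return buildResponse(request, StatusCode.REQUESTER, StatusCode.UNKNOWN_PRINCIPAL,
                    "No federation exists for this NameID");
        }
        return buildResponse(request, StatusCode.SUCCESS, null, "Request is done successfully");
    }

    private ManageNameIDResponse buildResponse(ManageNameIDRequest request, String topLevelCode,
                                               String secondLevelCode, String message) {
        ManageNameIDResponse response = build(ManageNameIDResponse.DEFAULT_ELEMENT_NAME);
        response.setID("_" + UUID.randomUUID());
        response.setVersion(SAMLVersion.VERSION_20);
        response.setIssueInstant(new DateTime());
        response.setInResponseTo(request.getID());   // ties this answer to the IdP's request ID

        Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(spEntityId);
        response.setIssuer(issuer);

        // SAML only allows Success/Requester/Responder/VersionMismatch at the top level;
        // more specific codes are nested inside the top-level StatusCode.
        StatusCode code = build(StatusCode.DEFAULT_ELEMENT_NAME);
        code.setValue(topLevelCode);
        if (secondLevelCode != null) {
            StatusCode nested = build(StatusCode.DEFAULT_ELEMENT_NAME);
            nested.setValue(secondLevelCode);
            code.setStatusCode(nested);
        }
        StatusMessage statusMessage = build(StatusMessage.DEFAULT_ELEMENT_NAME);
        statusMessage.setMessage(message);

        Status status = build(Status.DEFAULT_ELEMENT_NAME);
        status.setStatusCode(code);
        status.setStatusMessage(statusMessage);
        response.setStatus(status);
        return response;
    }

    /** Serialize the response so it can be signed and sent back over the binding the request arrived on. */
    public static String toXml(XMLObject object) throws Exception {
        return SerializeSupport.nodeToString(XMLObjectSupport.marshall(object));
    }

    @SuppressWarnings("unchecked")
    private static <T extends XMLObject> T build(QName name) {
        XMLObjectBuilder<T> builder =
                (XMLObjectBuilder<T>) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(name);
        return builder.buildObject(name);
    }
}
```

Two things this deliberately leaves to the caller: verifying the IdP's signature on the incoming request before any federation is removed, and signing the response with the SP key before returning it, because an unsigned Terminate from an arbitrary sender must not be able to unlink accounts.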
Our current application
The backend is Spring Boot 2 (REST APIs) and the front end is Angular.
Once authentication is done, it currently uses a JWT (Bearer) to create, update, and delete resources by passing Authorization headers to the REST APIs. Read operations can be accessed by everyone without any authorization.
Now, due to the increase in applications, we are moving to an IDP with KEYCLOAK.
I wanted to know which type of SSO should be used for the given case.
SAML 2.0
If implemented, after SSO with SAML how do I create/update/delete resources through my REST endpoint? As I see it, SAML provides an assertion, and I require a bearer token to create the resource.
How do I use the assertion to create/update/delete resources through my REST endpoint?
I tried to implement this using the Spring SAML extension, but I was not able to achieve the above objective.
OIDC/OAuth
If implemented, how do I make the read-only endpoints (certain URLs) available to everyone without authorization?
Keycloak's default implementation is out of the box for OIDC.
I've implemented this in OIDC using Keycloak's adapter for Spring REST.
Thanks!!
SAML 2.0 is an older XML-based protocol, whereas OpenID Connect is JSON-based and browser/mobile friendly. In any modern architecture use OIDC. See also this summary.
It is still possible to integrate SAML identity providers into an OIDC architecture by using federation features of the authorization server. However, your actual application code should know nothing about SAML - it should just work with OAuth 2.0 tokens after sign in.
If possible I would avoid SAML completely.
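The answer's point is that the API should only deal with OAuth 2.0 tokens. As an added example (not the poster's application code and not part of the Keycloak adapter), this Spring Boot 2 resource-server configuration does exactly that for the setup described in the question: GET requests under /api/** are public, every other method requires a bearer JWT, and the JWT is validated against the issuer's published keys. It assumes spring-boot-starter-oauth2-resource-server (Spring Security 5.1+) on the classpath and spring.security.oauth2.resourceserver.jwt.issuer-uri set to the Keycloak realm URL; the class name and the /api/** path are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Added example (assumed class name and paths), not the poster's or Keycloak's code.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Bearer tokens are sent in a header, not a cookie, so the API is stateless
            // and CSRF protection (which guards cookie-authenticated requests) is not needed.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Reads stay open to everyone, as in the current application.
                .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                // POST/PUT/DELETE (and any other method) under /api need a valid token.
                .antMatchers("/api/**").authenticated()
                // Anything not listed above is closed rather than accidentally public.
                .anyRequest().denyAll()
            .and()
            // Parse "Authorization: Bearer <JWT>", fetch the issuer's JWKS from issuer-uri,
            // and reject tokens with a bad signature, wrong issuer or expired timestamps.
            .oauth2ResourceServer()
                .jwt();
    }
}
```

Matcher order matters: the GET rule is listed before the catch-all /api/** rule so that it wins for reads. Nothing here is specific to Keycloak; any OIDC provider that publishes a discovery document works, which is the decoupling the answer recommends. Mapping Keycloak realm roles onto Spring authorities for finer checks needs an additional JwtAuthenticationConverter, which this example leaves out.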
I have to implement an OAuth 2.0 server application. I know how OAuth 2.0 works, but when I googled how to implement it, everywhere I get Spring Boot with OAuth 2.0, and my requirement is that I should give two URLs to the client:
one to get the access_code and a second REST call to get the access_token. Is there a way I can get this from Spring Boot or Spring Security, with in-memory storage for tokens?
I tried using the Spring Boot OAuth examples, but none of them give separate URLs for access_code and access_token.
I think you mean you are delivering the API part:
* Client authenticates against an OAuth endpoint and gets an access token
* Client calls API with an access token
* API must validate access token
Typically you'll code the API - and use an out of the box Authorization Server for the OAuth endpoint
To answer your question properly it would help to know what type of client (partner back end / UI etc)
There will be a bunch of messages between client, API and Authorization Server - this post may give you some ideas:
https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
I may be able to help you with the spring boot stuff once I understand your scenario better
I'd like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and the example Spring Boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take the IdP URL and certificates at run time and use Spring SAML to validate against that IdP? (Essentially I do not want to predefine any of the IdP-related details, and instead take input from an admin user to configure the IdP.)
Is IdP metadata a necessary field, or is it possible that if the IdP is not reachable directly from the SP it can still just create a SAMLRequest to the IdP URL provided?
Good morning, do you know if Spring currently supports OpenID Connect in the cases where the Authentication Request needs to provide the JWT "request" parameter and "code_challenge"? Please see the OpenID Connect specs for the sample provided in section 6.1.1: http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.6
I found this great sample that helped me to take off but still need to work on getting those additional parameters added: http://www.baeldung.com/spring-security-openid-connect
Please see this pull request for details: https://github.com/eugenp/tutorials/issues/2279
Thank you!
To support the request parameter named request, an authorization server / OpenID provider implementation must be able to manage the following client metadata (OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata):
* jwks
* jwks_uri
* request_object_signing_alg
* request_object_encryption_alg
* request_object_encryption_enc
To support the code_challenge request parameter, the database table that manages authorization codes must have columns for the following data:
* code_challenge
* code_challenge_method
APIs of Spring Security OAuth such as ClientDetails and definitions of database tables don't have properties / columns for these data.
As for database tables, the "OAuth 2 Developers Guide" of Spring Security OAuth says the following:
NOTE: the schema for the JDBC service is not packaged with the library (because there are too many variations you might like to use in practice), but there is an example you can start from in the test code in github.
The "test code in github" implies that Spring Security OAuth does not support request and code_challenge.
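To make the answer's point concrete, here is an added example (not Spring Security OAuth's code) of the state an authorization server has to keep for code_challenge support: the challenge and its method are stored beside each authorization code when /authorize issues it, and /token recomputes the S256 challenge from code_verifier before releasing anything. The class and method names (PkceCodeStore, issueCode, redeem) are hypothetical and the store is in-memory; the S256 derivation and the sample verifier follow RFC 7636. It also covers two failure modes: a replayed code is rejected because redemption is single-use, and the "plain" method is refused.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added example with hypothetical names; not Spring Security OAuth's implementation.
public final class PkceCodeStore {

    /** The columns an authorization-code table needs once PKCE is supported. */
    public static final class Entry {
        final String clientId, redirectUri, codeChallenge, codeChallengeMethod;
        final long expiresAtMillis;

        Entry(String clientId, String redirectUri, String codeChallenge,
              String codeChallengeMethod, long expiresAtMillis) {
            this.clientId = clientId;
            this.redirectUri = redirectUri;
            this.codeChallenge = codeChallenge;
            this.codeChallengeMethod = codeChallengeMethod;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private static final long CODE_TTL_MILLIS = 60_000;   // codes are short-lived by design
    private final Map<String, Entry> codes = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** /authorize side: mint a code and persist the challenge next to it. */
    public String issueCode(String clientId, String redirectUri, String codeChallenge, String method) {
        if (codeChallenge == null || !"S256".equals(method)) {
            // "plain" exposes the verifier to anyone who saw the authorization request; refuse it.
            throw new IllegalArgumentException("code_challenge with code_challenge_method=S256 is required");
        }
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        codes.put(code, new Entry(clientId, redirectUri, codeChallenge, method,
                System.currentTimeMillis() + CODE_TTL_MILLIS));
        return code;
    }

    /** /token side: single-use redemption that only succeeds if code_verifier matches the stored challenge. */
    public Optional<Entry> redeem(String code, String clientId, String redirectUri, String codeVerifier) {
        Entry entry = codes.remove(code);   // remove first, so a failed attempt also burns the code
        if (entry == null || System.currentTimeMillis() > entry.expiresAtMillis) return Optional.empty();
        if (!entry.clientId.equals(clientId) || !entry.redirectUri.equals(redirectUri)) return Optional.empty();
        if (codeVerifier == null || codeVerifier.length() < 43 || codeVerifier.length() > 128) return Optional.empty();
        byte[] expected = entry.codeChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = s256(codeVerifier).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison avoids leaking how many leading characters matched.
        return MessageDigest.isEqual(expected, actual) ? Optional.of(entry) : Optional.empty();
    }

    /** code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 section 4.2). */
    public static String s256(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        PkceCodeStore store = new PkceCodeStore();
        // Constructed client-side values: the verifier from RFC 7636 appendix B; only its challenge is sent to /authorize.
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String code = store.issueCode("spa-client", "https://app.example/cb", s256(verifier), "S256");
        System.out.println("correct verifier accepted: "
                + store.redeem(code, "spa-client", "https://app.example/cb", verifier).isPresent());
        System.out.println("replayed code rejected:    "
                + !store.redeem(code, "spa-client", "https://app.example/cb", verifier).isPresent());
        String other = store.issueCode("spa-client", "https://app.example/cb", s256(verifier), "S256");
        System.out.println("wrong verifier rejected:   "
                + !store.redeem(other, "spa-client", "https://app.example/cb", "x".repeat(43)).isPresent());
    }
}
```

Whatever framework is used, this is the data that has to survive between the two endpoints; a token store with no place for code_challenge and code_challenge_method, which is the gap the answer points out, cannot perform the verifier check at all.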
I am new to the extension, so I've been reading the documentation, which in one part states "Usage of HTTP-Artifact binding requires Spring SAML to make a direct SOAP call to the Identity Provider". Please correct me if I am mistaken: does it mean that it is possible to send a SOAP message to the identity provider to do authentication, avoiding the need for redirecting to the IDP login page? If it does not, what is this feature for?
Is this something related to /saml/SSO/ endpoint?
Thank you very much.
HTTP-Artifact binding is used to deliver a SAML message from the IDP to the SP. It avoids delivery through the user's browser (which is the case with HTTP-POST binding), so the SAML is only exchanged between the servers.
There is no standard way to authenticate using SOAP with SAML 2.0 WebSSO profiles.