Spring Security SAML extension usable for IDP implementation - spring

Is the Spring Security SAML extension usable for implementing the IDP side of a SAML connection?
I can find a lot of examples of implementing the SP side of SAML, but on the IDP side only OpenSAML seems to be an option if I want to build a custom Java solution.
Am I correct? Or am I missing some documentation on the Spring Security SAML extension?

The Spring Security SAML extension is a SAMLv2 Service Provider implementation only.

Related

Multiple IDP's for spring boot SAML Authentication

Looking for Spring Boot SAML integration (Okta or any other IDP). I was able to do it with a single Okta IDP; now I need to do it with multiple IDPs. The idea is that someone can log in from Okta or by using any SAML-based IDP. Is there a way this can be achieved? Any suggestion would be great.
As you mentioned that you already did the SAML SSO integration with Okta (the IDP), extending your application to support multiple IDPs won't be an issue. Exchange your metadata files with the other IDP. Your existing SP metadata can be used on the other IDP. The change you need to make on the application side is to configure and load those IDPs' metadata files.
You can follow this link for more details.
spring-security-saml-reference
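One way to wire up the "configure and load those IDPs' metadata files" step from the answer above, as an added example that is not part of the original answer or of the Spring SAML extension's own samples. It targets Spring Security SAML 1.0.x Java configuration and assumes the `parserPool` and `httpClient` beans from the extension's reference configuration already exist; the Okta file path, the ADFS metadata URL and the default IdP entity ID are placeholders.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Timer;

import org.apache.commons.httpclient.HttpClient;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

/**
 * Added example (not the original answer's code): registers two IdPs, Okta from a
 * metadata file exchanged out-of-band and ADFS from its published metadata URL,
 * with Spring Security SAML 1.0.x. parserPool and httpClient are assumed to be the
 * beans defined by the extension's reference configuration; the path, URL and
 * entity ID below are placeholders.
 */
@Configuration
public class MultiIdpMetadataConfig {

    @Autowired
    private ParserPool parserPool;   // assumed existing bean
    @Autowired
    private HttpClient httpClient;   // assumed existing bean (commons-httpclient 3)

    private final Timer backgroundTaskTimer = new Timer(true);

    // Okta metadata copied to the server after the out-of-band exchange (assumed path).
    private static final File OKTA_METADATA_FILE = new File("/etc/myapp/saml/okta-idp-metadata.xml");
    // Second IdP fetched from its metadata endpoint (assumed URL).
    private static final String ADFS_METADATA_URL =
            "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml";
    // IdP used when the login request does not name one (assumed entity ID).
    private static final String DEFAULT_IDP_ENTITY_ID = "http://www.okta.com/exk0000000000000000";

    @Bean
    public ExtendedMetadataDelegate oktaMetadata() throws MetadataProviderException {
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(backgroundTaskTimer, OKTA_METADATA_FILE);
        provider.setParserPool(parserPool);
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // The file reached us over a trusted channel, so a signature is not mandatory,
        // but if one is present it must validate against keys in the key manager.
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataRequireSignature(false);
        return delegate;
    }

    @Bean
    public ExtendedMetadataDelegate adfsMetadata() throws MetadataProviderException {
        HTTPMetadataProvider provider = new HTTPMetadataProvider(backgroundTaskTimer, httpClient, ADFS_METADATA_URL);
        provider.setParserPool(parserPool);
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // Metadata pulled over the network decides which certificate may sign assertions:
        // require it to be signed by a key the key manager already trusts, otherwise a
        // substituted metadata document could swap in an attacker-controlled signing key.
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataRequireSignature(true);
        return delegate;
    }

    @Bean
    public CachingMetadataManager metadata() throws MetadataProviderException {
        List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
        providers.add(oktaMetadata());
        providers.add(adfsMetadata());
        CachingMetadataManager manager = new CachingMetadataManager(providers);
        // With several IdPs registered, /saml/login?idp=<entityId> selects one per
        // request; this entity ID is used when the parameter is absent.
        manager.setDefaultIDP(DEFAULT_IDP_ENTITY_ID);
        return manager;
    }
}
```

The `idp` request parameter must carry the exact `entityID` from the IdP's metadata, and `setMetadataRequireSignature(true)` only works if the certificate that signs the ADFS metadata is present in the extension's JKS key manager; otherwise that provider is rejected at startup rather than trusted blindly.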

Is there a Spring boot SAML client for integrating SAML with spring boot application?

I am developing a Spring Boot application that integrates with multiple IDPs. I have checked many examples on the internet on integrating a Spring application with SAML; all of them show how to integrate with IDPs via application properties.
In the case of OAuth 2.0, we had clients provided by the MSAL libraries, which we integrated as below.
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import java.util.concurrent.CompletableFuture;

ConfidentialClientApplication clientApplication = ConfidentialClientApplication
        .builder(decryptCredential(adClientId), clientSecret) // clientSecret: an IClientCredential
        .authority(authorityURL).build();
String authorizationUrl = clientApplication.getAuthorizationRequestUrl(parameters).toString(); // redirect the user here
CompletableFuture<IAuthenticationResult> tokenResult = clientApplication.acquireToken(authorizationCodeParameters); // exchange the returned code
Is there a similar way in Spring Boot to have a client call the ADFS SAML IDP and get the user authenticated?
Based on the request, fetch the IDP details from the database and invoke a call to the appropriate IDP to get the user authenticated.
Thanks in advance.
I explored the coveooss library, which has clients, and it is the easiest one to invoke ADFS to fetch SAML assertions. Here is the link for the COVEOOSS git repository.

Is Spring Boot SSO based on JWT?

I was wondering if Spring Boot SSO implementation is based on JWT or keeps the session open in the server memory?
Thanks in advance.
The answer would depend on which Spring implementation you are referring to:
Spring Security SAML
Spring Security OAuth
I would discuss more on the latter, i.e. OAuth, and in that you have multiple options. You can use the in-memory token store to debug and test it out, but for production implementations you can use different token stores. JWT and JDBC are pretty popular in my experience.
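The three token-store choices the answer lists, side by side in one Spring Security OAuth 2.x authorization server, as an added example that is not from the original answer or the project's own samples. It assumes an application `DataSource` bean for the JDBC variant, a keystore `jwt.jks` on the classpath with alias `jwt` and password `changeit` for the JWT variant, and a placeholder client; all of those names are assumptions.

```java
import java.security.KeyPair;
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

/**
 * Added example (not the original answer's code): in-memory, JDBC and JWT token
 * stores for the Spring Security OAuth 2.x authorization server. The DataSource,
 * keystore name/alias/password and client credentials are assumptions.
 */
@Configuration
@EnableAuthorizationServer
public class TokenStoreConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private DataSource dataSource;   // assumed: the application's configured DataSource

    // 1. In-memory: opaque tokens held in the JVM. Fine for debugging; every token is
    //    lost on restart and cannot be shared across instances.
    public TokenStore inMemoryStore() {
        return new InMemoryTokenStore();
    }

    // 2. JDBC: opaque tokens persisted in oauth_access_token/oauth_refresh_token.
    //    Each check is a lookup, so revoking a token takes effect immediately.
    public TokenStore jdbcStore() {
        return new JdbcTokenStore(dataSource);
    }

    // 3. JWT: self-contained signed tokens, no server-side state. Sign with an RSA key
    //    pair from a keystore so resource servers verify with the public key only;
    //    converter.setSigningKey("shared-secret") would instead force every resource
    //    server to hold the signing secret and be able to mint tokens itself.
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        KeyStoreKeyFactory keyFactory = new KeyStoreKeyFactory(
                new ClassPathResource("jwt.jks"), "changeit".toCharArray()); // assumed keystore
        KeyPair keyPair = keyFactory.getKeyPair("jwt");                       // assumed alias
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setKeyPair(keyPair);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // Swap in inMemoryStore() or jdbcStore() to change the strategy for the whole server.
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
               .withClient("demo-client")            // assumed client id
               .secret("{noop}demo-secret")          // assumed; use a real PasswordEncoder in production
               .authorizedGrantTypes("client_credentials")
               .scopes("read")
               // JwtTokenStore.removeAccessToken is a no-op: a JWT cannot be revoked before
               // it expires, so keep the lifetime short.
               .accessTokenValiditySeconds(600);
    }
}
```

The choice is a trade between revocation and state: the JDBC store lets you revoke a token instantly at the cost of a database hit per request, while the JWT store moves validation to the resource server and only the expiry bounds a stolen token.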

Spring Security OAuth - Can it consume JWT tokens from Keycloak

In Spring Security OAuth, can it consume/work with JWT tokens that were generated from a user authenticating with Keycloak? Keycloak is OpenID Connect as far as that goes, but it all seems to be really similar. I'm still trying to understand the dividing line and also what's similar or the same with this.
Basically I'd like to authenticate separately in a REST client, then use the token in the Authorization header for REST calls to some web services. There seems to be some JWT stuff in Spring Security OAuth, so I'm wondering if I can actually use that instead of the Keycloak Spring stuff? Are there any examples of this out there? (I'd love to use the Spring Security checks on different methods in my controller.)
You can use the Keycloak Spring adapter and still rely on Spring Security annotations for controller security. The main purpose of the Keycloak Spring adapter is to simplify the integration with Keycloak for interactive login and also to correctly map JWT access token claims into the Spring Security authentication context.
Reading through the Spring Security OAuth2 documentation, I get the impression that it's not quite ready out of the box to handle OpenID Connect JWT access tokens. However, it's customizable, so it could most likely be made to work.
My advice for now is to stick with the Keycloak Spring adapter if you're using Keycloak as your OIDC server. It will save you time, and it's well tested with Keycloak.

IDP initiated SSO for Spring SAML Extension

I have implemented an SSO solution using the Spring SAML extension; now I would like to test IDP-initiated SSO.
Could anyone please give me the URL for IDP-initiated SSO for the Spring SAML extension with respect to idp.ssocircle.com?
Use the following URL and replace spEntityID with your own unique identifier:
https://idp.ssocircle.com:443/sso/saml2/jsp/idpSSOInit.jsp?metaAlias=/ssocircle&spEntityID=saml-federation.appspot.com