I am new with the extension, so I've been reading the documentation which in one part stays "Usage of HTTP-Artifact binding requires Spring SAML to make a direct SOAP call to the Identity Provider". please, fix me if I am mistaken: Does it mean that it is possible to send a SOAP message to identity provider to do authentication, avoiding the need for redirecting to the IDP login page?. if it does not, what is this feature for?.
Is this something related to /saml/SSO/ endpoint?
Thank you very much.
HTTP-Artifact binding is used to deliver SAML message from IDP to SP. It avoids delivery through user's browser (which is the case with HTTP-POST binding), so the SAML is only exchanged between the servers.
There is no standard way to authenticate using SOAP with SAML 2.0 WebSSO profiles.
Related
Our current Application
Backend is in Spring Boot 2(RestAPI's) and Angular in the front-end.
Once Authentication is done it currently uses JWT(Bearer) to perform create, update, and delete resources via passing Authorization headers for RestAPI's. For reading operations, it can be accessed by all without any authorization.
Now, due to the increase in applications, we are moving to IDP with KEYCLOAK
I wanted to know which type of SSO to be used for the given case.
SAML 2.0
If implemented, after SSO with SAML how do I create/Update/Delete response for my REST endpoint? as I see SAML provides assertion and I require a bearer token to create the resource.
How to use assertion to create/Update/Delete response for my REST endpoint?
I tried to implement this using the Spring-Saml extension. But, I was not able to achieve the above objective.
OIDC-OAuth
If implemented, how do I filter read-only endpoints to all that is certain URL's to be available without an authorization?
Keycloak default implementation is out-of-the-box for OIDC.
I’ve implemented this in oidc using Keycloaks adapter for spring rest .
Thanks!!
SAML 2.0 is an older XML based protocol whereas Open Id Connect is JSON based and browser / mobile friendly. In any modern architecture use OIDC. See also this summary.
It is still possible to integrate SAML identity providers into an OIDC architecture by using federation features of the authorization server. However, your actual application code should know nothing about SAML - it should just work with OAuth 2.0 tokens after sign in.
If possible I would avoid SAML completely.
I'ld like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and example of spring boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take Idp Url and certificates at run time and use spring saml to validate against that Idp? (So essentially I do not want to predefine any of the Idp related details and take an input from admin user to configure Idp)
Is metadata of Idp a necessary field or Is it possible that if IDP is not reachable directly from the SP then also it can just create a SAMLRequest to the Idp Url provided?
I am learning to implement Saml, so far i have downloaded a sample of spring security with saml from this link https://github.com/spring-projects/spring-security-saml/tree/master/sample , went through the reference guide and various other SAML links.
One thing which i need to ask is, as the Service Provider has to send the Saml AuthRequest where do we define it in the program.
I have tried to implement the sample and created dummy projects to work it with OpenAM, which is working fine for SSO, but I didn't understand from where the Saml Auth Request is getting generated.
I got to know that the SP's system itself is going to generate authentication request and send it to IDP using SAML 2.0 protocol. I need help about the parameters i need to pass so that i can customize my own saml authentication request
Any Help is Highly Appreciated!. Thanks in Advance. (I know its a stupid question to ask, but couldn't help it as I am failing to get any idea.)
The authentication request is performed according to the authentication provider selected and the configuration of your filter chain. Some details of those aspects are transparent while using an high-level framework like Spring.
Spring SAML is based on the OpenSAML library, providing a set of facilities in order to easily handle the whole AuthN process for Spring applications.
Indeed, to properly complete this process, you need to setup your application endpoint (entityID), the certificates to verify the parties' identity, secure your application paths, configure the binding protocols, establish a trust relationship between an IdP and your application exchanging some metadata.
For instance, consider the code stub as follows, taken from vdenotaris/spring-boot-security-saml-sample:
#Bean
public MetadataGenerator metadataGenerator() {
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setEntityId("com:vdenotaris:spring:sp");
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
metadataGenerator.setKeyManager(keyManager());
return metadataGenerator;
}
You can check my custom parameters for the metadata generation, customizing my application settings for the SAML-based SSO.
The AuthN request is typically performed by redirecting the user on a third-party resource (i.e. a website), where provide the credentials. After the verification, the IdP sends a SAML envelope to the requester application (Service Provider), containing user information.
I've configured the SAML extension in my application, and I want to authenticate an user. The flow that I implemented is the following:
Getting the user credentials (username and password) from a rest service.
Configuring application to use SAMLAuthenticationProvider.
Building a SAMLAuthenticationToken object to be sent to the SAMLAuthenticationProvider.
Building the SAMLMessageContext which will be inyected to SAMLAuthenticationToken.
But I've not been able to build the SAMLMessageContext object which I guess that will wrap the user credentials (among other data) that I got from the rest service.
Does anybody know how to build this object?. or if is the flow correct?
thanks.
You do not provide credentials to your SP when using SAML authentication. Credentials are only presented to the IDP during authentication. So the flow is incorrect.
Good starting points to learn more are SAML 2.0 wiki page, SAML 2.0 standard itself and the Spring SAML manual. This issue has also been discussed couple of times here on Stackoverflow, so you can find more in old questions.
I am new to SSO and Sping SAML extension.
i have implemented Spring SAML extension into our application where our application acts as a SP. i have following question related to our requirement.
1) I would like to understand the use of samlKeystore.jks in Spring saml extension
2) I would like to know if we can skip the use of samlKeystore.jks in any manner.
Basically the reason for this the client can give us information on Just the meta data
and nothing apart from that.if we are using samlKeystore.jks do we need anything else
If you don't need to sign SAML protocol message or encrypt SAML assertions you don't need the keystore. However some SAML Bindings mandates or at least highly recommend to sign so that the protocol messages are not tampered with at the user agent.
The keystore is used for storage of private certificates used to digitally sign messages created by the Service Provider and decrypting of messages sent from Identity Providers.
Spring SAML currently requires you to have at least a default key available, even in case it won't get used.