I am new to SSO and Sping SAML extension.
i have implemented Spring SAML extension into our application where our application acts as a SP. i have following question related to our requirement.
1) I would like to understand the use of samlKeystore.jks in Spring saml extension
2) I would like to know if we can skip the use of samlKeystore.jks in any manner.
Basically the reason for this the client can give us information on Just the meta data
and nothing apart from that.if we are using samlKeystore.jks do we need anything else
If you don't need to sign SAML protocol message or encrypt SAML assertions you don't need the keystore. However some SAML Bindings mandates or at least highly recommend to sign so that the protocol messages are not tampered with at the user agent.
The keystore is used for storage of private certificates used to digitally sign messages created by the Service Provider and decrypting of messages sent from Identity Providers.
Spring SAML currently requires you to have at least a default key available, even in case it won't get used.
Related
I'ld like to implement SSO using SAML 2.0 in my web applications. I have seen spring-security-saml and example of spring boot application. There are a couple of things I wanted to know after I went through the sample:
Is it possible to take Idp Url and certificates at run time and use spring saml to validate against that Idp? (So essentially I do not want to predefine any of the Idp related details and take an input from admin user to configure Idp)
Is metadata of Idp a necessary field or Is it possible that if IDP is not reachable directly from the SP then also it can just create a SAMLRequest to the Idp Url provided?
I am learning to implement Saml, so far i have downloaded a sample of spring security with saml from this link https://github.com/spring-projects/spring-security-saml/tree/master/sample , went through the reference guide and various other SAML links.
One thing which i need to ask is, as the Service Provider has to send the Saml AuthRequest where do we define it in the program.
I have tried to implement the sample and created dummy projects to work it with OpenAM, which is working fine for SSO, but I didn't understand from where the Saml Auth Request is getting generated.
I got to know that the SP's system itself is going to generate authentication request and send it to IDP using SAML 2.0 protocol. I need help about the parameters i need to pass so that i can customize my own saml authentication request
Any Help is Highly Appreciated!. Thanks in Advance. (I know its a stupid question to ask, but couldn't help it as I am failing to get any idea.)
The authentication request is performed according to the authentication provider selected and the configuration of your filter chain. Some details of those aspects are transparent while using an high-level framework like Spring.
Spring SAML is based on the OpenSAML library, providing a set of facilities in order to easily handle the whole AuthN process for Spring applications.
Indeed, to properly complete this process, you need to setup your application endpoint (entityID), the certificates to verify the parties' identity, secure your application paths, configure the binding protocols, establish a trust relationship between an IdP and your application exchanging some metadata.
For instance, consider the code stub as follows, taken from vdenotaris/spring-boot-security-saml-sample:
#Bean
public MetadataGenerator metadataGenerator() {
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setEntityId("com:vdenotaris:spring:sp");
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
metadataGenerator.setKeyManager(keyManager());
return metadataGenerator;
}
You can check my custom parameters for the metadata generation, customizing my application settings for the SAML-based SSO.
The AuthN request is typically performed by redirecting the user on a third-party resource (i.e. a website), where provide the credentials. After the verification, the IdP sends a SAML envelope to the requester application (Service Provider), containing user information.
I am new with the extension, so I've been reading the documentation which in one part stays "Usage of HTTP-Artifact binding requires Spring SAML to make a direct SOAP call to the Identity Provider". please, fix me if I am mistaken: Does it mean that it is possible to send a SOAP message to identity provider to do authentication, avoiding the need for redirecting to the IDP login page?. if it does not, what is this feature for?.
Is this something related to /saml/SSO/ endpoint?
Thank you very much.
HTTP-Artifact binding is used to deliver SAML message from IDP to SP. It avoids delivery through user's browser (which is the case with HTTP-POST binding), so the SAML is only exchanged between the servers.
There is no standard way to authenticate using SOAP with SAML 2.0 WebSSO profiles.
I am relatively new to SSO. There are two requirements (see title) I'd like to check against my Spring Framework environment but I am not sure how to get the answers. It seems like the docs also don't provide a direct answer to this.
Any input would be appreciated on how to determine what is supported or not in this SAML implementation.
Yes, Spring SAML is able to receive SAML messages encrypted using AES-256 (http://www.w3.org/2001/04/xmlenc#aes256-cbc) by default. But it is not possible to configure Spring SAML to encrypt messages sent to IDP.
I've implemented SSO using Spring SAML and everything is working fine for an interaction with idp.ssocircle.com.
Now I am trying to use another identity provider. I have downloaded the metadata of the IdP and have linked it in my spring XML config. I have also uploaded the metadata of the service provider to the iDP and have linked it in the spring XML config.
I am redirected to the login page of my IdP and can successful enter my credentials. But an error like that appears "Signature did not validate against the credential's key".
There is another stackoverflow post which describes a similiar problem, see "HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid" with Salesforce as IdP for implementating SSO
But I have problems to follow the solution, because my SAML response captured by Fiddler does not contain an element like "X509Certificate".
Edit(!):But I have to say that the metadata of my identity provider contains a element like "ds:X509Certificate" in "ds:keyInfo" with some content. But there also another empty "ds:keyInfo"-Element with an empty "ds:X509Data"-Element.
Is there something wrong with the configuration of the identity provider?
Can anybody tell my what is happening here?
Complete log file: https://drive.google.com/file/d/0B3RlRCEjz-cvZGQ5aldzaUc0blE/edit?usp=sharing
Thanks in advance,
Andi
It seems that the Response message is signed using a different certificate than what is included in the IdP metadata. You should ask your IdP to tell you what certificates they use for their signatures and add them to their metadata file. Based on what you say it could also be that the metadata file is simply incomplete or corrupted.
The other option is to add the certificate they provide you to the samlKeystore.jks (and remember the alias). Then define the alias as signingKey on the ExtendedMetadata of your IdP's metadata definition in Spring configuration. You can find details on using the ExtendedMetadata in the Spring SAML manual.
The fact that the key is not included in the Response message is not wrong, Spring SAML knows which keys to use from the metadata and ExtendedMetadata configuration.