I am using Spring SAML and have a service provider configured that accepts encrypted assertions. Is there a way to configure the SP so that it rejects assertions that are not encrypted?
No you can't configure Spring SAML to enforce this rule. The easiest way to get it in place is to extend WebSSOProfileConsumerImpl, override e.g. method processAuthenticationResponse and throw org.opensaml.xml.security.SecurityException in case the assertion isn't encrypted.
Related
Scenario: The application sits behind an NGINX that terminates the TLS connection and does the mutual authentication with the client. The NGINX then forwards the client certificate in an X-SSL-CERT header to the spring-based application. In the application I want to access the information provided inside the certificate and also based on this create an Authentication.
Current Approach: To get it up and running, I implemented a custom Filter that extracts the header, parses the string into an X509 certificate, extracts the required information into a custom Authentication and then uses the SecurityContextHolder to add the Authentication into the SecurityContext. This works and I can access the Authentication inside my controller methods with #AuthenticationPrinciple annotation.
However, while reading the documentation I felt that this approach might not be secure and also not as it is intended by spring since there is already an X509AuthenticationFilter to use in pre-authentication scenarios.
I then came up with the idea to just place the parsed X509Certificate inside the ServletRequest attribute and use the provided X509AuthenticationFilter. I quickly ran into issues, since I do not provide an UserDetailsService.
Questions:
Is the first approach I described considered to be valid/secure?
How can I use the X509AuthenticationFilter for pre-authentication use cases
and without providing a UserDetailsService since I don't require anything to get those information
Is it secure to directly use the SecurityContextHolder to add my custom Authentication from inside the filter
For example I need that my Web app will support two different auth methods, for GUI it will be OpenID, already configured and worked. For API it will be Http Basic Authentication based (I guess) on <basicRegistry>.
How do I need to configure web.xml that liberty will know (if it possible at all) to which authentication method redirect user?
Thank you.
See if you can make use of the authentication filters for openID. So that it will go to openID for the specified cases in filters and use default authentication otherwise. You will define a filter in server.xml and then make use of that filter in openID configuration(server.xml too).
Configuring Authentication Filters:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/rwlp_auth_filter.html
You can use the authentication filter to determine whether certain HTTP servlet requests are processed by certain providers.
Liberty server authentication filter uses the filter criteria that are specified in the authFilter element in the server.xml file to determine whether certain HTTP servlet requests are processed by certain providers, such as OpenID, OpenID Connect, or SPNEGO, for authentication.
Configuring Authentication Filter for OpenId:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_config_rp_openid.html
Optional: Configure the Authentication Filter.
If the providerIdentifier attribute is configured inside the openId element in the server.xml file, you can configure authFilterRef to limit the requests that should be intercepted by the OpenID provider defined by the providerIdentifier attribute.
I am learning to implement Saml, so far i have downloaded a sample of spring security with saml from this link https://github.com/spring-projects/spring-security-saml/tree/master/sample , went through the reference guide and various other SAML links.
One thing which i need to ask is, as the Service Provider has to send the Saml AuthRequest where do we define it in the program.
I have tried to implement the sample and created dummy projects to work it with OpenAM, which is working fine for SSO, but I didn't understand from where the Saml Auth Request is getting generated.
I got to know that the SP's system itself is going to generate authentication request and send it to IDP using SAML 2.0 protocol. I need help about the parameters i need to pass so that i can customize my own saml authentication request
Any Help is Highly Appreciated!. Thanks in Advance. (I know its a stupid question to ask, but couldn't help it as I am failing to get any idea.)
The authentication request is performed according to the authentication provider selected and the configuration of your filter chain. Some details of those aspects are transparent while using an high-level framework like Spring.
Spring SAML is based on the OpenSAML library, providing a set of facilities in order to easily handle the whole AuthN process for Spring applications.
Indeed, to properly complete this process, you need to setup your application endpoint (entityID), the certificates to verify the parties' identity, secure your application paths, configure the binding protocols, establish a trust relationship between an IdP and your application exchanging some metadata.
For instance, consider the code stub as follows, taken from vdenotaris/spring-boot-security-saml-sample:
#Bean
public MetadataGenerator metadataGenerator() {
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setEntityId("com:vdenotaris:spring:sp");
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
metadataGenerator.setKeyManager(keyManager());
return metadataGenerator;
}
You can check my custom parameters for the metadata generation, customizing my application settings for the SAML-based SSO.
The AuthN request is typically performed by redirecting the user on a third-party resource (i.e. a website), where provide the credentials. After the verification, the IdP sends a SAML envelope to the requester application (Service Provider), containing user information.
I am new with the extension, so I've been reading the documentation which in one part stays "Usage of HTTP-Artifact binding requires Spring SAML to make a direct SOAP call to the Identity Provider". please, fix me if I am mistaken: Does it mean that it is possible to send a SOAP message to identity provider to do authentication, avoiding the need for redirecting to the IDP login page?. if it does not, what is this feature for?.
Is this something related to /saml/SSO/ endpoint?
Thank you very much.
HTTP-Artifact binding is used to deliver SAML message from IDP to SP. It avoids delivery through user's browser (which is the case with HTTP-POST binding), so the SAML is only exchanged between the servers.
There is no standard way to authenticate using SOAP with SAML 2.0 WebSSO profiles.
I am new to SSO and Sping SAML extension.
i have implemented Spring SAML extension into our application where our application acts as a SP. i have following question related to our requirement.
1) I would like to understand the use of samlKeystore.jks in Spring saml extension
2) I would like to know if we can skip the use of samlKeystore.jks in any manner.
Basically the reason for this the client can give us information on Just the meta data
and nothing apart from that.if we are using samlKeystore.jks do we need anything else
If you don't need to sign SAML protocol message or encrypt SAML assertions you don't need the keystore. However some SAML Bindings mandates or at least highly recommend to sign so that the protocol messages are not tampered with at the user agent.
The keystore is used for storage of private certificates used to digitally sign messages created by the Service Provider and decrypting of messages sent from Identity Providers.
Spring SAML currently requires you to have at least a default key available, even in case it won't get used.