Spring Security with OpenAM

0
votes

Currently we have web app which uses spring Security for role based Authentication and Authorization. Since we want to use SSO I see this example to integrate Spring with Openam https://wikis.forgerock.org/confluence/display/openam/OpenSSO+Spring+Security+%28Acegi%29+Integration so it's like

My Web app (using spring to talk to openam) <===> IDP Proxy <====> IDP

But when I use the SAML tracer (The plugin for Firefox to track SAML requests/Responses) I don't see any SAML payloads between My web app and IDP proxy. Is it that Spring is using SOAP request to talk to IDP proxy by picking urls from AMConfig.properties ?

I thought of using Fedlet but reading the saml response from Fedlet and integrating that with Spring Security is not feasible. If Spring security3 doesn't use SAML2 is it a good idea to use spring framework to talk to openam ? Any inputs ?

Thanks in advance Ram

2
spring-securitysaml-2.0openam
What is the IDP proxy? OpenAM?Stefan Rasmusson
Are you being redirected to the IDP for authentication?Stefan Rasmusson
yes IDP proxy is another openam instance. yes I see the request are being redirected from IDP Proxy to IDP.Reddymails

2 Answers

2
votes

Ok folks we got our JSF2 web app working by integrating with Spring SAML extension and Spring Security along with open am. Spring SAML extension is here - (https://github.com/SpringSource/spring-security-saml)

So now we are pulling all user roles from LDAP using Openam as IDP and the saml request and response is processed by spring saml extension. The role based access within application is controlled by Spring Security.

I would like to thank Vladimir Schaefer - Author of Spring Saml , Stefan - from opensaml team, Peter Major- from Openam @ forge rock.

Wanted to add this note to let others know that the integration can be done to JSF app or any other web app and it uses Spring security SAML extension (which uses SAML 2.0 end to end) . We finally have single sign on working finally. I will put up an article on this shortly and will update this post.

I was able to add some more notes please see my articles on generic info related to Openam concepts http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html

Steps to integrate JSF 2 web application with Openam using Spring SAML extension and Spring Security. http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html

Thanks Ram

1
votes

I don't see any SAML payloads between My web app and IDP proxy

According to the page, the integration is very similar to a normal agent approach. This probably means that you app talks to OpenAM using SOAP and OpenAM talks to the IDP using SAML.

But when I use the SAML tracer (The plugin for Firefox to track SAML requests/Responses) I don't see any SAML payloads between My web app and IDP proxy. Is it that Spring is using SOAP request to talk to IDP proxy by picking urls from AMConfig.properties ?

If things are working correctly you should see a SAML authentication request when you are forwarded to the IDP. What you should do is probably start plowing through the OpenAM debug logs. Especially the Federation log.

I thought of using Fedlet but reading the saml response from Fedlet and integrating that with Spring Security is not feasible. If Spring security3 doesn't use SAML2 is it a good idea to use spring framework to talk to openam ? Any inputs ?

There is an spring extension that allows you to use SAML directly. http://static.springsource.org/spring-security/site/extensions/saml/index.html

You could have a look at that.