Spring Security SAML extension with OPENAM

0
votes

So here is the scenario.

I have my web app <==> IDP Proxy <==> IDP. Where both IDP proxy and IDP are openam instances. The ideas is we may add our additional IDPs (From other clients) so we want a proxy to shield the complexity.

So here IDP Prxy is : http://idpproxydev.devs1.int:8080/openam

IDP url is: http://idpdev.devs1.int:80/openam

My web app is : http://ocr-jq0zt91.devs1.int:9081/LOS

I started using http://static.springsource.org/spring-security/site/extensions/saml/index.html for integrating and now I see that SAML: request wassent from my web app .

The issue I have right now is when I tested my set up using Fedlet (client that is generated using Openam on IDP proxy) the request goes to proxy and then gets routed to IDP as the SAML request generated by Fedlet has that additional information, Which is this snippet in the SAML request 

<samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"  ProxyCount="1"   >
       <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:IDPEntry xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        ProviderID="http://idpdev.devs1.int:80/openam"  />
    </samlp:IDPList>
</samlp:Scoping>

So the only difference I see is this additional pay load in FEDLET generated SAML request.

So by seeing this above snippet in SAML request, the IDP proxy knows that final destination is not itself(http://idpproxydev.devs1.int:8080/openam), but another entity which in this case is http://idpdev.devs1.int:80/openam

Fedlet has additional property file for extended metadata (sp-extended.xml ) where we can add these additional things .

<Attribute name="enableIDPProxy">
           <Value>true</Value>
       </Attribute>
       <Attribute name="idpProxyList">
           <Value> http://idpdev.devs1.int:80/openam</Value>  (the attribute name is little confusing as this is the IDP)
       </Attribute>
       <Attribute name="idpProxyCount">
           <Value>1</Value>
       </Attribute>

However in spring saml security library I don’t see any way where I can add these additional attributes so that SAML request can include this info. Is there way I can feed the additional attributes listed above ?

so that spring saml extension can read when my web app sends the request ?

1
springsecuritysamlopenamspring-saml

1 Answers

2
votes

I found the fix for this issue. You need to use org.springframework.security.saml.websso.WebSSOProfileOptions

Here is one example from my web app. Add this into your security.xml

<beans:bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <beans:property name="defaultProfileOptions">
            <beans:bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <beans:property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
                <beans:property name="includeScoping" value="true"/>
                <!-- to skip proxyCount, 0 to disable proxying, >0 to allow proxying-->
                <beans:property name="proxyCount" value="1"/>
                <beans:property name="allowedIDPs">
                    <beans:set>
     <beans:value>http://idpproxydev.devs1.int:80/openam</beans:value>                  
                    </beans:set>
               </beans:property>        
  <!--  Allowed Values are in  AuthnContextComparison.java -->
            <beans:property name="authnContextComparison" value="EXACT"/>
            <beans:property name="authnContexts">
                    <beans:list>
 <beans:value>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</beans:value>                  
                    </beans:list>
            </beans:property>
            <beans:property name="nameID" value="urn:oasis:names:tc:SAML:2.0:nameid-  format:transient"/>
            <beans:property name="allowCreate" value="true"/>
                </beans:bean>
        </beans:property>
    </beans:bean>

Now I see that my SAML request from WEB app has the IDP list.

Also added some additional notes to integrate JSF web app with openam using SPRING SAML extension.

Please see my articles on generic info related to Openam concepts http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html

Steps to integrate JSF 2 web application with Openam using Spring SAML extension and Spring Security. http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html

-rama