1
votes

I would like to use annotation configuration for my Spring-based application. SAML 2.0 digestion and generation are also required for SSO purposes.

Annotation configuration is only supported by Spring 4.0 and Spring Security 3.2.4.

Is the integration of Spring Security SAML 1.0 possible?

Updated: The sample project provided by Vladimír Schäfer really helps.

But after the SSO login, the page was redirected to the authentication failure URL on the service provider app.

The SAML response is as below:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            Destination="http://myIP:8080/websso/saml/SSO"
            ID="s237fe42260c297d9dfd7845b3691ef76e0bc27c76"
            InResponseTo="a14hc23eda9j396g2h5aff4076216g5"
            IssueInstant="2014-08-28T07:36:07Z"
            Version="2.0"
            >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.ssocircle.com</saml:Issuer>
    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
                              xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                              />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="s2e84d407027285a27d32a70c93ebdc70298956c8d"
                    IssueInstant="2014-08-28T07:36:07Z"
                    Version="2.0"
                    >
            <saml:Issuer>http://idp.ssocircle.com</saml:Issuer>
            <saml:Subject>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                                 NameQualifier="http://idp.ssocircle.com"
                                 >nameID</saml:NameID>
                    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                            <saml:SubjectConfirmationData InResponseTo="a14hc23eda9j396g2h5aff4076216g5"
                                                          NotOnOrAfter="2014-08-28T07:46:07Z"
                                                          Recipient="http://myIP:8080/websso/saml/SSO"
                                                          />
                    </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Conditions NotBefore="2014-08-28T07:26:07Z"
                             NotOnOrAfter="2014-08-28T07:46:07Z"
                             >
                    <saml:AudienceRestriction>
                            <saml:Audience>entityID</saml:Audience>
                    </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement AuthnInstant="2014-08-28T07:35:44Z"
                                 SessionIndex="s274ab5c8a81ed49654745a6583214314f65138201"
                                 >
                    <saml:AuthnContext>
                            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
                    </saml:AuthnContext>
            </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

I suspect this is because the time zone of the SP differs from that of the IdP; how do I skip this?
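As an added diagnostic (not code from the question or from Spring SAML), the following re-implements the timing, recipient and audience checks an SP applies to a bearer Response, run over a condensed copy of the Response above (timestamps, IDs and the nameID/entityID placeholders kept as posted). SAML timestamps are UTC, so a time-zone setting alone cannot break them; only an SP clock that is actually wrong does, and the checks below show which condition such a clock trips. The 60-second tolerance and the SP values (entityID, ACS URL, request ID) are taken from the question.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Condensed from the Response in the question (same timestamps, IDs and placeholders).
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="s237fe"
 InResponseTo="a14hc23eda9j396g2h5aff4076216g5" IssueInstant="2014-08-28T07:36:07Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="s2e84" IssueInstant="2014-08-28T07:36:07Z">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="a14hc23eda9j396g2h5aff4076216g5"
    NotOnOrAfter="2014-08-28T07:46:07Z" Recipient="http://myIP:8080/websso/saml/SSO"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2014-08-28T07:26:07Z" NotOnOrAfter="2014-08-28T07:46:07Z">
   <saml:AudienceRestriction><saml:Audience>entityID</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion></samlp:Response>"""

def parse_ts(value):
    """SAML timestamps end in 'Z' (UTC); the SP clock must be compared in UTC too."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, now, sp_entity_id, acs_url, request_id, skew_s=60):
    """Return the failures an SP would report at SP clock time `now` (UTC, tz-aware);
    [] means the checks pass. Signature verification is not modelled: a real SP does it first."""
    skew, fails = timedelta(seconds=skew_s), []
    resp = ET.fromstring(xml)
    if not resp.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":status:Success"):
        fails.append("IdP reported a non-Success status")
    if resp.get("InResponseTo") != request_id:
        fails.append("InResponseTo does not match the AuthnRequest we sent")
    if abs(now - parse_ts(resp.get("IssueInstant"))) > skew:  # must be within +/- skew
        fails.append("Response IssueInstant is too old or in the future")
    a = resp.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url:
        fails.append("bearer Recipient is not our ACS URL")
    if parse_ts(scd.get("NotOnOrAfter")) + skew <= now:
        fails.append("bearer SubjectConfirmationData NotOnOrAfter has passed")
    cond = a.find("saml:Conditions", NS)
    if parse_ts(cond.get("NotBefore")) - skew > now:
        fails.append("assertion not yet valid (NotBefore)")
    if parse_ts(cond.get("NotOnOrAfter")) + skew <= now:
        fails.append("assertion no longer valid (NotOnOrAfter)")
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        fails.append("our entityID is not in the AudienceRestriction")
    return fails
```

Spring Security SAML applies the same tolerance through the responseSkew property of WebSSOProfileConsumerImpl (60 seconds by default); widening it only hides a wrong clock, so syncing the SP host with NTP is the fix rather than skipping the check.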

2
From the reference manual for Spring Security SAML 1.0: "The current version of SAML Extension has been tested to work with Spring 3.1.2, Spring Security 3.1.2 and OpenSAML 2.6.1. Later versions of these libraries are likely to be compatible without need for modifications." You should try ... - Serge Ballesta

2 Answers

2
votes

Spring SAML seems to work well with Spring 4.0 and Spring Security 3.2.4. You can use the spring-boot-security-saml-sample project as a reference.

The next version of Spring SAML will most likely contain additional support for Java configuration, but as the example above shows, it is possible to get everything working with the project as is.

0
votes

Check out this answer: it basically describes a plugin I recently released that allows you to configure Spring Boot and Spring Security SAML this way:

// Spring Boot and Spring MVC imports
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
// Types provided by the plugin the answer refers to (package names assumed from that project)
import com.github.ulisesbocchio.spring.boot.security.saml.annotation.EnableSAMLSSO;
import com.github.ulisesbocchio.spring.boot.security.saml.configurer.ServiceProviderConfigurerAdapter;
import com.github.ulisesbocchio.spring.boot.security.saml.configurer.ServiceProviderSecurityBuilder;

@SpringBootApplication
@EnableSAMLSSO
public class SpringBootSecuritySAMLDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecuritySAMLDemoApplication.class, args);
    }

    @Configuration
    public static class MvcConfig extends WebMvcConfigurerAdapter {

        @Override
        public void addViewControllers(ViewControllerRegistry registry) {
            registry.addViewController("/").setViewName("index");
        }
    }

    @Configuration
    public static class MyServiceProviderConfig extends ServiceProviderConfigurerAdapter {
        @Override
        public void configure(ServiceProviderSecurityBuilder serviceProvider) throws Exception {
            serviceProvider
                // SP metadata: the entityId the IdP will see (and must put in the Audience)
                .metadataGenerator()
                .entityId("localhost-demo")
            .and()
                // Where to land after a successful SSO and where to pick an IdP
                .sso()
                .defaultSuccessURL("/home")
                .idpSelectionPageURL("/idpselection")
            .and()
                .logout()
                .defaultTargetURL("/")
            .and()
                // IdP metadata bundled on the classpath; 0 disables periodic refresh
                .metadataManager()
                .metadataLocations("classpath:/idp-ssocircle.xml")
                .refreshCheckInterval(0)
            .and()
                .extendedMetadata()
                .idpDiscoveryEnabled(true)
            .and()
                // SP signing/encryption key pair used for SAML messages
                .keyManager()
                .privateKeyDERLocation("classpath:/localhost.key.der")
                .publicKeyPEMLocation("classpath:/localhost.cert");

        }
    }
}