I implemented the Spring SAML sample application using SSOCircle and it worked fine. Now I have been trying to implement it for the client's ADFS. Following is the configuration I think is required; please correct me if I am wrong:

  1. Change the first parameter below, to the federationMetadata.xml url provided by client
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
    <constructor-arg>
        <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
    </constructor-arg>
    <constructor-arg>
        <value type="int">5000</value>
    </constructor-arg>
    <property name="parserPool" ref="parserPool"/>
</bean>
  2. Replace the entity id of SP metadata below:
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="entityId" value="replaceWithUniqueIdentifier"/>
    <property name="extendedMetadata">
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="signMetadata" value="false"/>
            <property name="idpDiscoveryEnabled" value="true"/>
        </bean>
    </property>
</bean>

I haven't been able to figure out the following:

  • All I have received is a URL to adfs/../federationMetadata.xml; who is supposed to create the SP metadata?
  • Am I supposed to create the SP metadata and provide it to the client, to add it in ADFS? Because that's what I did using the sample application: I added the generated metadata to SSOCircle.
  • Is my understanding correct, that point 1 would be the ADFS URL, and point 2 the SP entity id?

I would be grateful if you could clarify the above for me, and also, if possible, point me to a straightforward tutorial that helps in integrating SAML with a Spring Security enabled application, as I haven't been able to find one.

Many thanks

Your understanding is correct. You can leave the SSOCircle metadata provider in the configuration and add another provider for the ADFS Federation services. Then, the SP metadata needs to be uploaded to the ADFS server. Full details are available in the Spring Data SAML documentation. - manish
Thanks @manish. So just verifying my understanding: I'll have to create metadata using my application, and that metadata I'll have to share with the client, as it needs to be uploaded to the ADFS server. Right? So will this metadata generation part always be there in my application? Or can I remove that metadataGenerator bean once I have created and shared the metadata with the client? I'll also read the link you shared. Thanks - Ridhi Jain
Also it's not mandatory to leave ssoCircle provider in configuration right? If I remove it then too it should work? - Ridhi Jain
Yes, you can remove the SSOCircle configuration once you get everything working perfectly with ADFS. Your application, which will be a SAML consumer (a SAML Service Provider to be precise) will always have its own metadata. The metadata bean provided in the samples is only used to extract the metadata specific to your application so that it can be shared with other SAML actors like IPs and SPs. So yes, once everything is working well, you no longer need the metadata generation bean in your configuration. - manish
Thanks a lot. If you could write it as an answer, I can mark it as the answer - Ridhi Jain

1 Answer

To make SAML between SP and IdP (ADFS) work, you have to mutually exchange metadata.

The ADFS metadata are available on the URL https://adfs-host/FederationMetadata/2007-06/FederationMetadata.xml and you can register them in your SP either with HTTPMetadataProvider, or download them and read them from the classpath or file system with ResourceBackedMetadataProvider.

For SP metadata, you have to configure MetadataGenerator (as you have it in your question) and then expose it via FilterChainProxy. Here is a Java configuration (the XML configuration is equivalent):

import java.util.ArrayList;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// metadataDisplayFilter() is the MetadataDisplayFilter bean defined elsewhere in the configuration
@Bean
public FilterChainProxy samlFilter() throws Exception {
    List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();

    // only /saml/metadata/** is routed to the metadata display filter
    chains.add(new DefaultSecurityFilterChain(
        new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()));

    return new FilterChainProxy(chains);
}

Then you can access the SP metadata on the URL https://sp-host/saml/metadata and register them on ADFS as a Relying Party Trust. Again, you can do this either via URL, or import the data from the (downloaded) file.

Basically, you should be fine if you follow the Spring Security SAML Reference Documentation, which uses XML configuration. In case you need to switch to Java configuration, you may find handy either the referenced vdenotaris/spring-boot-security-saml-sample or my working prototype sw-samuraj/blog-spring-security.
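The two halves of the metadata exchange described in the answer, put together as one Java configuration for spring-security-saml2-core 1.0.x (OpenSAML 2). This is an added example, not code from the answer, the question, or the Spring Security SAML project. It assumes the hostnames adfs.example.com and sp.example.com, a copy of the ADFS FederationMetadata.xml saved into the classpath as /metadata/adfs-federationmetadata.xml, the entity id urn:example:sp:sp.example.com, and that the keyManager (SP keystore, with the ADFS token-signing certificate imported as a trusted entry) and contextProvider beans are defined elsewhere in the application, as in the sample projects the answer references.

```java
// Added example (not from the answer or the Spring Security SAML project).
// IdP side: register ADFS metadata in a MetadataManager.
// SP side: generate our own SP metadata and serve it on /saml/metadata so the
// ADFS administrator can import it as a Relying Party Trust.
// Assumed: hostnames, classpath path, entity id, and keyManager/contextProvider
// beans (SP keystore + SAMLContextProvider) defined elsewhere.
import java.util.ArrayList;
import java.util.List;
import java.util.Timer;

import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider;
import org.opensaml.util.resource.ClasspathResource;
import org.opensaml.util.resource.ResourceException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataDisplayFilter;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SamlMetadataConfig {

    // Assumed values; replace with the client's ADFS host and your SP's public base URL.
    private static final String ADFS_METADATA_CLASSPATH = "/metadata/adfs-federationmetadata.xml";
    private static final String SP_BASE_URL = "https://sp.example.com";
    private static final String SP_ENTITY_ID = "urn:example:sp:sp.example.com";

    // Shared XML parser pool; Spring calls initialize() after construction.
    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        StaticBasicParserPool pool = new StaticBasicParserPool();
        pool.setNamespaceAware(true);
        return pool;
    }

    // IdP side: ADFS federation metadata read from a downloaded copy on the classpath.
    // (HTTPMetadataProvider pointed at https://adfs-host/FederationMetadata/2007-06/FederationMetadata.xml
    // works the same way; fetch it over HTTPS, not plain HTTP.)
    @Bean
    public ExtendedMetadataDelegate adfsMetadataProvider() throws MetadataProviderException, ResourceException {
        ResourceBackedMetadataProvider provider = new ResourceBackedMetadataProvider(
            new Timer(true), new ClasspathResource(ADFS_METADATA_CLASSPATH));
        provider.setParserPool(parserPool());
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // Verify the signature on FederationMetadata.xml against keys held by the keyManager,
        // and refuse unsigned metadata, so a tampered copy cannot swap the IdP signing key.
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataRequireSignature(true);
        return delegate;
    }

    @Bean
    public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
        List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
        providers.add(adfsMetadataProvider());
        return new CachingMetadataManager(providers);
    }

    // SP side: describe this application (entity id, endpoints, signing cert from keyManager).
    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(SP_ENTITY_ID);
        // Pin endpoint URLs to the public base URL instead of deriving them from the first request.
        generator.setEntityBaseURL(SP_BASE_URL);
        ExtendedMetadata extended = new ExtendedMetadata();
        extended.setSignMetadata(true);          // sign so the ADFS side can verify the import
        extended.setIdpDiscoveryEnabled(false);  // single IdP (ADFS): no discovery page needed
        generator.setExtendedMetadata(extended);
        return generator;
    }

    // Generates the SP metadata once and registers it with the MetadataManager.
    // Must sit in the main security chain ahead of samlFilter() (e.g. addFilterBefore).
    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }

    @Bean
    public MetadataDisplayFilter metadataDisplayFilter() {
        return new MetadataDisplayFilter();  // manager, keyManager, contextProvider are autowired
    }

    // Serves https://sp.example.com/saml/metadata for the ADFS Relying Party Trust import.
    @Bean
    public FilterChainProxy samlFilter() {
        List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
        chains.add(new DefaultSecurityFilterChain(
            new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter()));
        return new FilterChainProxy(chains);
    }
}
```

The question's XML fetches metadata over plain http://; with the trust check enabled as above, a tampered metadata document fails signature verification, but the ADFS token-signing certificate has to be present in the SP keystore for that check to pass on the genuine document. If the ADFS certificate is rotated, the classpath copy (or the HTTP provider's cache) has to be refreshed, otherwise assertion signature validation starts failing.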