1
votes

Actually, we are developing an application in Spring Boot 1.5, with authentication and authorization done with Spring Security and an OAuth2 implementation. Now we have a requirement in the authentication part: split out the authentication and move it to a third party, which is a SAML integration.

Flow: login -> SAML authentication -> authenticated user -> authorization part, which we handle (role part) -> generate our token -> user accesses resources with this token only.

How do I authorize the user in my Spring Security with the user ID only and generate a custom token (customizing a Spring Security filter)?

How do I populate the Authentication object in my Spring Security filters (if an AuthenticationProvider is used)?

What is the best way to redirect to the IdP in the SAML authentication server?

What is the best way to implement logout functionality?

How can I implement these requirements? Can anyone suggest an approach, as I am new to this?

My current configuration (everything is Java-configured):

**Spring Security, Resource Server, Authorization Server**

I worked on a sample provided in the documentation: https://github.com/vdenotaris/spring-boot-security-saml-sample

When I started the Spring Boot application, the following error occurred:

```
2017-12-29 10:15:12.192 ERROR 25076 --- [Metadata-reload] o.o.s.m.p.HTTPMetadataProvider : Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml

java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]

2017-12-29 10:15:12.193 DEBUG 25076 --- [Metadata-reload] .s.m.p.AbstractReloadingMetadataProvider : Error occurred while attempting to refresh metadata from 'http://idp.ssocircle.com/idp-meta.xml'

org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar:?]
    ... 10 more

2017-12-29 10:15:12.194 INFO 25076 --- [Metadata-reload] .s.m.p.AbstractReloadingMetadataProvider : Next refresh cycle for metadata provider 'http://idp.ssocircle.com/idp-meta.xml' will occur on '2017-12-29T04:50:12.194Z' ('2017-12-29T10:20:12.194+05:30' local time)
2017-12-29 10:15:12.194 ERROR 25076 --- [Metadata-reload] o.o.s.m.p.AbstractMetadataProvider : Metadata provider failed to properly initialize, fail-fast=true, halting

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more

2017-12-29 10:15:12.195 ERROR 25076 --- [Metadata-reload] o.s.s.s.m.MetadataManager : Initialization of metadata provider org.opensaml.saml2.metadata.provider.HTTPMetadataProvider@6ae8b7 failed, provider will be ignored

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) ~[opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more

2017-12-29 10:15:12.196 DEBUG 25076 --- [Metadata-reload] o.s.s.s.m.MetadataManager : Reloading metadata was finished
```

How do I sort out this error? Can this sample be run and tested in a local environment, or do I need some external configuration?

1
Could you please elaborate the question? What do you mean by "how to authorize the user in my spring security with userid only"? – Agam

The authentication part is done in the IdP, and on success it returns an assertion with the user ID and group ID in the IdP response. After that we have to go through our (SP-side) Spring Security filters (custom authorization and role mapping), which take only the user ID, no password, as a parameter, and generate custom tokens which are used for all API calls. – user_vs
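The "Connection refused" in the log above is not a SAML problem. At startup the sample's HTTPMetadataProvider tries to download the IdP metadata from http://idp.ssocircle.com/idp-meta.xml, and the machine cannot open a TCP connection to that host (no outbound internet, or an HTTP proxy that commons-httpclient 3.1 has not been told about). The provider is fail-fast, so it is halted and "ignored", which means the SP starts with no IdP at all and every later login attempt fails. So the sample does run locally, but only if it can reach ssocircle; if it has to go through a proxy, set it on the sample's HttpClient with `httpClient.getHostConfiguration().setProxy(host, port)`. Fetching metadata over plain HTTP is also a security problem on its own: whoever can tamper with that unauthenticated response decides which certificate the SP will accept for assertion signatures, unless the metadata's own XML signature is verified. The following is an added example (mine, not code from the question or from the vdenotaris sample) that drops the network fetch altogether: it loads the IdP metadata from a file deployed with the application and turns on the signature trust check. The file path, the key alias and the class name are assumptions; the rest is the spring-security-saml 1.0.x and OpenSAML 2 API.

```java
import java.io.File;
import java.util.Collections;
import java.util.Timer;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

/**
 * Added example: IdP metadata read from disk instead of being downloaded over
 * plain HTTP at startup. Replaces the sample's HTTPMetadataProvider-based bean.
 */
@Configuration
public class LocalIdpMetadataConfig {

    // Assumed path: the IdP metadata XML, obtained once over HTTPS (or from the IdP
    // administrators) and shipped with the deployment like any other config file.
    private static final File IDP_METADATA = new File("/etc/myapp/saml/idp-meta.xml");

    // Assumed alias of the IdP's metadata-signing certificate in the SP keystore
    // (the same JKS the sample's KeyManager bean is built from).
    private static final String IDP_SIGNING_KEY_ALIAS = "idp-metadata-signing";

    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        return new StaticBasicParserPool();
    }

    @Bean
    public ExtendedMetadataDelegate idpMetadata() throws MetadataProviderException {
        // A daemon Timer re-reads the file when it changes; no socket is ever opened.
        FilesystemMetadataProvider provider =
                new FilesystemMetadataProvider(new Timer(true), IDP_METADATA);
        provider.setParserPool(parserPool());

        ExtendedMetadataDelegate delegate =
                new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // The file crossed a trust boundary to get here: require that it is signed and
        // accept only the pinned IdP key, so a swapped file cannot change which
        // certificate the SP trusts for assertion signatures.
        delegate.setMetadataRequireSignature(true);
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataTrustedKeys(Collections.singleton(IDP_SIGNING_KEY_ALIAS));
        return delegate;
    }
}
```

Wire `idpMetadata()` into the sample's `CachingMetadataManager` provider list in place of the HTTP-backed bean. Two caveats: `setMetadataRequireSignature(true)` makes startup fail if the IdP does not sign its metadata, in which case drop that line but keep the file pinned by deployment; and the trust check only has meaning if the alias really points at the IdP's signing certificate in the SP keystore, so verify that certificate's fingerprint with the IdP out of band before importing it.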

1 Answer

2
votes

I would suggest you start by implementing the spring-saml extension in your SP first. It will help you with the following requirements:

How to populate the Authentication object in my Spring Security filters (if an AuthenticationProvider is used).

Best way to redirect to the IdP in the SAML authentication server.

Best way to implement logout functionality.

After your app is able to authenticate the user with the IdP through SAML, extend the implementation of the class SAMLAuthenticationProvider. This class receives the assertion from the IdP and validates it. Once the assertion is validated, you can map the incoming authorities in the SAML token to your local authorities by having a custom implementation of userContextMapper. In this part you can generate a JWT token and use it for all API calls. Most IdPs provide an interface to exchange the SAML token for an OAuth2 access token. In that case, you do not have to generate any token.

Let me know if you need any further information or detail.

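An added example of the mapping-plus-token step the answer describes, written for spring-security-saml 1.0.x; it is mine, not code from the answer or from the spring-security-saml project. In that version the hook the answer calls `userContextMapper` is the `SAMLUserDetailsService` interface set on `SAMLAuthenticationProvider`, and the provider has already checked the assertion's signature, audience, conditions and InResponseTo before it calls you, so no subclassing is needed. The group attribute name `memberOf`, the `app-*` group names and their mapping to roles, the class names, and the jjwt 0.9.x dependency (`io.jsonwebtoken`) are assumptions; the HMAC key is assumed to come from a secret store, never from source.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Step 1 (authorization, SP side): called by SAMLAuthenticationProvider only after it
 * has validated the assertion. Turns the IdP's NameID and group attribute into a local
 * principal carrying OUR roles. No password is involved; the IdP authenticated the user.
 */
public class AssertionRoleMapper implements SAMLUserDetailsService {

    // Assumed attribute name; check the IdP's attribute release or a decoded assertion.
    private static final String GROUP_ATTRIBUTE = "memberOf";

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        String userId = credential.getNameID().getValue();
        String[] groups = credential.getAttributeAsStringArray(GROUP_ATTRIBUTE);

        List<GrantedAuthority> authorities = new ArrayList<>();
        if (groups != null) {
            for (String group : groups) {
                // Explicit allow-list: an IdP group we do not know grants nothing.
                if ("app-admins".equals(group)) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                } else if ("app-users".equals(group)) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
                }
            }
        }
        if (authorities.isEmpty()) {
            // Authenticated at the IdP but not entitled to this application: fail the login.
            throw new UsernameNotFoundException("No role mapped for user " + userId);
        }
        // User rejects a null password, so a placeholder is stored; it is never compared.
        return new User(userId, "N/A", authorities);
    }
}

/**
 * Step 2 (token issue): runs inside the browser's POST to the ACS endpoint once the
 * SAML processing filter has authenticated the user, and mints the application's own
 * short-lived bearer token carrying the roles chosen above.
 */
class JwtIssuingSuccessHandler implements AuthenticationSuccessHandler {

    private final byte[] hmacKey;   // assumed: >= 32 random bytes loaded from a secret store
    private final long ttlMillis;

    JwtIssuingSuccessHandler(byte[] hmacKey, long ttlMillis) {
        this.hmacKey = hmacKey;
        this.ttlMillis = ttlMillis;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        List<String> roles = new ArrayList<>();
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            roles.add(authority.getAuthority());
        }
        Date now = new Date();
        String jwt = Jwts.builder()
                .setSubject(authentication.getName())   // the NameID from the assertion
                .claim("roles", roles)                  // our roles, not the raw IdP groups
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(SignatureAlgorithm.HS256, hmacKey)
                .compact();

        // Body, not query string: URLs end up in access logs, browser history and Referer headers.
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("application/json");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write("{\"access_token\":\"" + jwt + "\",\"token_type\":\"Bearer\"}");
    }
}
```

Wiring against the sample's beans: `samlAuthenticationProvider().setUserDetails(new AssertionRoleMapper())` and `samlWebSSOProcessingFilter().setAuthenticationSuccessHandler(new JwtIssuingSuccessHandler(key, 15 * 60 * 1000L))` in place of the sample's redirect handler. Because the IdP delivers the SAML Response as a browser form POST, a browser front end will usually want a redirect rather than a JSON body; either way keep the token out of the query string. The resource server that consumes the token must verify the HS256 signature with the same key and reject expired tokens; the roles claim is only as trustworthy as that check. The alternative the answer mentions, exchanging the assertion at the IdP for an OAuth2 access token, is the SAML bearer assertion grant of RFC 7522, and then this handler is not needed.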