How to use Spring SAML code with jks or signed metdata

1
votes

The IDP only provided .crt file and metadata xml file, and IDP told us there is no password for .crt file, I created jks file with command:keytool -import -alias zoom -trustcacerts -file qa.crt -keystore keystory.jks. Now,I downloaded the spring SAML demo code, and changed the securiyContext.xml as bellow:

--------matadata.xml---------------------

<md:EntityDescriptor entityID="gene.com" cacheDuration="PT1440M" ID="dfhGJ7yKW7C3nvicVEN.puf7bSh" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#dfhGJ7yKW7C3nvicVEN.puf7bSh">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>lSCVZb+3JcGXnhwYj5IQqxaM2UaBbmiTOYa/fO5NRAo=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
        {my ds:SignatureValue}
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                {my ds:X509Certificate}
            </ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>
                    {my ds:Modulus}
                </ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    {my ds:X509Certificate}
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="WorkPhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="ChrisID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Account" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MobilePhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Sex" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative">
    <md:Company>Genentech Inc.,</md:Company>
    <md:GivenName>IAM-DFS</md:GivenName>
    <md:EmailAddress>GLOORG_SAS-AMS-Web-Access-Services-Comms@msxdl.roche.com</md:EmailAddress>
</md:ContactPerson>


<bean id="samlMetadataManager" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean id="samlRocheIDP" class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:qa.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="samlParserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

--------------securiyContext.xml-------------------- But there is always failed where SP initialize, error message:

Signature verification failed.
Signature trust establishment failed for metadata entry https://b2b.roche.com
Error filtering metadata from E:\Workspace2\saml\spring-security-saml\target\classes\qa.xml

And my question is that how to integration the spring saml with signed metadata xml file. should i create another jks file? I have cloned many java demos, they have configured metadata xml files and jks files in springWebSecurityContext.xml .

But I think the metadata xml already contains the certificate and the secret key. I don't think I need to configure the jks file anymore, right?

Can you help me find out how to integrate saml into my project? Thank you everyone!

1
javaspring-mvcsaml-2.0opensamlspring-security-saml2
JKSKeyManager(Resource storeFile, String storePass, Map<String, String> passwords, String defaultKey)juhao

1 Answers

2
votes

Make sure you have proper .jks file . You will need a bean for keyManager.

@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader
        .getResource("classpath:/saml/keystore.jks");
    String storePass = "nalle123";
    Map<String, String> passwords = new HashMap<String, String>();
    String defaultKey = "apollo";
    passwords.put("apollo", "nalle123");
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

You can have multiple keys and password for this in Map but it need one as default. This bean is also used by MetadataGenerator bean

You can import certificate in keystore , below script can be used

IDP_HOST=<hostip>
IDP_PORT=<port>
CERTIFICATE_FILE=certfile.cert
KEYSTORE_FILE=keystore.jks
KEYSTORE_PASSWORD=<password>

openssl s_client -host $IDP_HOST -port $IDP_PORT -prexit -showcerts </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $CERTIFICATE_FILE
keytool.exe -delete -alias <put alias name here> -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool.exe -import -alias <put alias name here> -file $CERTIFICATE_FILE - 
keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -noprompt