1
votes

I am trying to integrate Spring Security SAML into my project. I have tried the Okta demo, and I know the URI /saml/SSO is used to consume the SAMLResponse from the IdP. But the consumer URI I have registered in my IdP differs from /saml/SSO, and it can't be changed.

So I have to find a way to change the default SSO processesUrl.

I think I need to change the following:

  1. Change the FilterChainProxy

    // Security configuration bean: routes each /saml/* path to its SAML filter.
    // The /saml/SSO entry is replaced by the IdP's registered /saml/consume path.
    @Bean
    public FilterChainProxy samlFilter() throws Exception {
        List<SecurityFilterChain> chains = new ArrayList<>();
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
                samlEntryPoint));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
                samlLogoutFilter));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
                metadataDisplayFilter));
        // chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
        //         samlWebSSOProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/consume/**"),
                samlWebSSOProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
                samlWebSSOHoKProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
                samlLogoutProcessingFilter));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
                samlDiscovery));
        return new FilterChainProxy(chains);
    }
  2. Create a new class that extends SAMLProcessingFilter

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.saml.SAMLProcessingFilter;

    // Subclass only so the protected constructor taking the processing URL can be
    // reached; the default filter URL is /saml/SSO.
    public class CustomSAMLProcessingFilter extends SAMLProcessingFilter {
        public CustomSAMLProcessingFilter() {
            this("/saml/consume");
        }

        public CustomSAMLProcessingFilter(String defaultFilterProcessesUrl) {
            super(defaultFilterProcessesUrl);
        }

        // The overrides below are pass-throughs that change no behaviour.
        @Override
        protected String getProfileName() {
            return super.getProfileName();
        }

        @Override
        protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
            return super.requiresAuthentication(request, response);
        }

        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
            return super.attemptAuthentication(request, response);
        }
    }
  3. Replace SAMLProcessingFilter with CustomSAMLProcessingFilter

    @Bean
    public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
        // SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
        // Same filter as before, but listening on /saml/consume instead of /saml/SSO.
        SAMLProcessingFilter samlWebSSOProcessingFilter = new CustomSAMLProcessingFilter("/saml/consume");
        samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
        samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(samlAuthSuccessHandler);
        samlWebSSOProcessingFilter.setAuthenticationFailureHandler(samlAuthFailureHandler);
        return samlWebSSOProcessingFilter;
    }
  4. Make the consumer URI permitted

    // /saml/** (which covers /saml/consume) is open to unauthenticated requests
    // so the IdP's POST of the SAMLResponse can reach the processing filter.
    http
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/pre-auth**").permitAll()
            .antMatchers("/form-login**").permitAll()
            .antMatchers("/error").permitAll()
            .antMatchers("/saml/**").permitAll()
            .antMatchers("/saml2/**").permitAll()
            .antMatchers("/css/**").permitAll()
            .antMatchers("/img/**").permitAll()
            .antMatchers("/js/**").permitAll()
            .antMatchers("/sw.js").permitAll()
            .anyRequest().authenticated();

After that, when I tried to log in, there was no reaction in the filter chain. In the console, my project received the SAMLResponse, but nothing more happened, and the web page showed an error page.

When I did the Okta demo before, it got my login info and showed it on the success page.

I would like to know how to change the default SSO processesUrl and log in successfully. Could you give me some ideas or suggestions to help me resolve this problem? Thanks a lot!


1 Answer

1
votes

It appears you are using the old spring-security-saml project, which is in maintenance mode. Please use Spring Security's SAML support instead.

In Spring Security's SAML support, the default for the assertionConsumerServiceLocation is /login/saml2/sso/{registrationId}.
The application will process any POST /login/saml2/sso/{registrationId} request containing a SAMLResponse parameter.

You can customize this when creating your RelyingPartyRegistration.

If you are using Spring Boot, you can configure it in the application.yml.

spring:
  security:
    saml2:
      relyingparty:
        registration:
          one:
            identityprovider:
              metadata-uri: https://idp/metadata.php
            acs:
              location: "{baseUrl}/custom/{registrationId}"

To update the login processing URL, you can customize HttpSecurity:

http
    .saml2Login(saml2 -> saml2
            .loginProcessingUrl("/custom/{registrationId}")
    );
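The two customizations in the answer above, expressed as one Java configuration rather than YAML, as an added example that is not part of the original answer. It assumes Spring Boot 2.6 / Spring Security 5.6 (SecurityFilterChain bean style, available since 5.4), a registrationId of "one", and the placeholder IdP metadata URL https://idp/metadata.php taken from the answer; none of these are real endpoints.

```java
// Added example (not from the original answer): Java equivalent of the
// application.yml above. Assumptions: Spring Security 5.6 APIs, registrationId
// "one", and a placeholder IdP metadata URL.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class Saml2Config {

    // Both values must describe the same endpoint. The ACS location is what the
    // SP metadata advertises to the IdP (and so where the IdP POSTs the
    // SAMLResponse); the processing URL is the path the SAML filter listens on.
    // If they drift apart, the response lands on a path nothing consumes, which is
    // the "received the SAMLResponse, but nothing happened" symptom in the question.
    static final String ACS_LOCATION = "{baseUrl}/custom/{registrationId}";
    static final String LOGIN_PROCESSING_URL = "/custom/{registrationId}";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                // Placeholder from the answer; fetched over HTTPS at startup.
                .fromMetadataLocation("https://idp/metadata.php")
                .registrationId("one")
                .assertionConsumerServiceLocation(ACS_LOCATION)
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                // Saml2WebSsoAuthenticationFilter runs before authorization, so
                // the processing URL needs no separate permitAll() rule.
                .loginProcessingUrl(LOGIN_PROCESSING_URL));
        return http.build();
    }
}
```

With a base URL of https://sp.example.com (assumed), the ACS resolves to https://sp.example.com/custom/one, and that exact URL is what must be registered at the IdP. The SP metadata served by Spring Security at /saml2/service-provider-metadata/one advertises the same location, which is a quick way to check that the IdP-side registration and the application agree before debugging the filter chain.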