
Comments (4)

vdenotaris avatar vdenotaris commented on July 2, 2024

Hi,

The solution has been personally tested with AD FS and it works fine.

You just need to define your own ExtendedMetadataDelegate bean implementation in the same way I did with SSOCircle:

@Bean
@Qualifier("contoso-idp")
public ExtendedMetadataDelegate contosoADFSExtendedMetadataProvider() throws MetadataProviderException {
    String idpMetadataURL = "https://ADFS.Contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";
    HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(), idpMetadataURL);
    httpMetadataProvider.setParserPool(parserPool());
    ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, extendedMetadata());

    // setup your extendedMetadataDelegate options.
    
    backgroundTaskTimer.purge();
    return extendedMetadataDelegate;
}

And then add it as metadata provider:

@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    providers.add(contosoADFSExtendedMetadataProvider());
    return new CachingMetadataManager(providers);
}

Do not forget to add server certificates inside your keystore.

Note: This solution is meant to be used just as starting reference in implementing a SAML 2.0 Service Provider in Spring Boot. No public support will be provided for custom configurations.

Cheers, V.

from spring-boot-security-saml-sample.

bishnu-zwayam avatar bishnu-zwayam commented on July 2, 2024

Hi vdenotaris,
Thank you.

I did not get "Do not forget to add server certificates inside your keystore". Is the server certificate a kind of SSL certificate? And if it is, how do I add it?

Is @Qualifier("contoso-idp") necessary, and what is this name based on?
I can see that the name seems to be picked from the idpMetadataURL.


vdenotaris avatar vdenotaris commented on July 2, 2024

A digital certificate is needed in order to define a trust relationship between an Identity Provider and a Service Provider in a SAML-based AuthN scenario. For more info, please refer to the protocol specifications.

A bean qualifier can be arbitrarily defined in Spring.

There may be a situation when you create more than one bean of the same type and want to wire only one of them with a property. In such cases, you can use the @Qualifier annotation along with @Autowired to remove the confusion by specifying which exact bean will be wired.


bishnu-zwayam avatar bishnu-zwayam commented on July 2, 2024

Hi vdenotaris,

I am confused with this samlkeystore.jks. For the SSOCircle IdP you used one samlkeystore.jks and update-certificate.sh; how did you get that, or is it automatically generated? Is the metadata.xml exchange not enough to build trust between SP and IdP?

Now, for the ADFS IdP I got the metadata.xml; I thought that would be enough for the trust, and I will use HTTPS.
But I am now confused about samlkeystore.jks and update-certificate.sh and where to get them.

How did you implement this:

public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    // SP keystore bundled on the classpath
    Resource storeFile = loader.getResource("classpath:/saml/samlKeystore.jks");
    // keystore password (hard-coded in the sample)
    String storePass = "nalle123";
    // per-alias key passwords
    Map<String, String> passwords = new HashMap<String, String>();
    passwords.put("apollo", "nalle123");
    // alias of the SP key used for signing/decryption
    String defaultKey = "apollo";
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

Please help.

I am aware of why we use @Qualifier. But I was asking about the name we put inside @Qualifier(name). What is this name based on, or can it be anything? I know it will be based on the IdP, but how do I set that?

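The following is an added example, not code from the sample project or from either participant. It puts the two pieces discussed in this thread side by side: the ADFS `ExtendedMetadataDelegate` plus `CachingMetadataManager` beans from the first reply, and a `keyManager()` bean whose keystore password and key aliases are read from configuration instead of being hard-coded. It also switches on the metadata trust checks that the reply's `// setup your extendedMetadataDelegate options` comment leaves to the reader: the federation metadata must be signed, and the signature must verify against the IdP certificate stored in the keystore. The package name, property names (`saml.*`), bean method names and key aliases are assumptions; the OpenSAML 2 and Spring Security SAML 1.0.x classes and methods are the real ones the sample project builds on.

```java
// Added example (not the sample project's own code). Property names, package,
// bean names and key aliases are assumptions for illustration.
package com.example.saml;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Timer;

import org.apache.commons.httpclient.HttpClient;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

@Configuration
public class AdfsSamlConfig {

    // Everything secret or environment-specific comes from properties (assumed names),
    // so no keystore password lives in the source tree.
    @Value("${saml.idp.metadata-url}")  private String idpMetadataUrl;   // e.g. https://adfs.example.test/FederationMetadata/2007-06/FederationMetadata.xml
    @Value("${saml.keystore.location}") private String keystoreLocation; // e.g. classpath:/saml/samlKeystore.jks
    @Value("${saml.keystore.password}") private String keystorePassword;
    @Value("${saml.sp.key-alias}")      private String spKeyAlias;       // SP signing / decryption key pair
    @Value("${saml.sp.key-password}")   private String spKeyPassword;
    @Value("${saml.idp.cert-alias}")    private String idpCertAlias;     // IdP token-signing certificate imported into the keystore

    // Daemon timer OpenSAML uses to refresh the remote metadata in the background.
    private final Timer backgroundTaskTimer = new Timer(true);

    @Bean
    public HttpClient httpClient() {
        return new HttpClient();
    }

    // OpenSAML parser pool; initialize() must run before the pool is used.
    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        return new StaticBasicParserPool();
    }

    // The keystore holds the SP key pair and the IdP signing certificate; the
    // latter is what makes the metadata signature check below meaningful.
    @Bean
    public KeyManager keyManager() {
        Resource storeFile = new DefaultResourceLoader().getResource(keystoreLocation);
        Map<String, String> passwords = new HashMap<String, String>();
        passwords.put(spKeyAlias, spKeyPassword);
        return new JKSKeyManager(storeFile, keystorePassword, passwords, spKeyAlias);
    }

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata md = new ExtendedMetadata();
        md.setIdpDiscoveryEnabled(false); // single IdP, no discovery page
        md.setSignMetadata(true);         // publish signed SP metadata
        return md;
    }

    @Bean
    @Qualifier("contoso-idp") // arbitrary bean qualifier, as noted in the thread
    public ExtendedMetadataDelegate adfsMetadataProvider() throws MetadataProviderException {
        HTTPMetadataProvider http = new HTTPMetadataProvider(backgroundTaskTimer, httpClient(), idpMetadataUrl);
        http.setParserPool(parserPool());
        http.setRequireValidMetadata(true); // refuse metadata past its validUntil

        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(http, extendedMetadata());
        // Trust decisions: the downloaded federation metadata must carry a signature,
        // and that signature must verify against the IdP alias in our keystore.
        delegate.setMetadataRequireSignature(true);
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataTrustedKeys(Collections.singleton(idpCertAlias));
        backgroundTaskTimer.purge();
        return delegate;
    }

    @Bean
    @Qualifier("metadata")
    public CachingMetadataManager metadata() throws MetadataProviderException {
        List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
        providers.add(adfsMetadataProvider());
        return new CachingMetadataManager(providers);
    }
}
```

With this configuration the "add server certificates inside your keystore" step from the first reply is what populates `saml.idp.cert-alias`: the IdP's token-signing certificate is imported into `samlKeystore.jks` (for example with `keytool -importcert`) under that alias, and `setMetadataTrustedKeys` then restricts metadata-signature verification to that single entry rather than to every certificate in the store. If the IdP rotates its signing certificate, the import has to be repeated, which is the role the thread's `update-certificate.sh` plays for SSOCircle.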
