Comments (4)
Hi,
The solution has been personally tested with AD FS and it works fine.
You just need to define your own ExtendedMetadataDelegate
bean implementation in the same way I did with SSOCircle:
@Bean
@Qualifier("contoso-idp")
public ExtendedMetadataDelegate contosoADFSExtendedMetadataProvider() throws MetadataProviderException {
    // AD FS publishes its federation metadata at this well-known path.
    String idpMetadataURL = "https://ADFS.Contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";
    // Fetch (and periodically refresh) the IdP metadata over HTTPS using the shared timer and HttpClient beans.
    HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(), idpMetadataURL);
    httpMetadataProvider.setParserPool(parserPool());
    ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, extendedMetadata());
    // Set up your ExtendedMetadataDelegate options here (e.g. metadata trust checks).
    backgroundTaskTimer.purge();
    return extendedMetadataDelegate;
}
And then add it as metadata provider:
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
    // Register every IdP metadata provider the SP should know about.
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    providers.add(contosoADFSExtendedMetadataProvider());
    return new CachingMetadataManager(providers);
}
Do not forget to add server certificates inside your keystore.
Note: This solution is meant to be used just as starting reference in implementing a SAML 2.0 Service Provider in Spring Boot. No public support will be provided for custom configurations.
Cheers, V.
from spring-boot-security-saml-sample.
Hi vdenotaris,
Thank you.
I did not get "Do not forget to add server certificates inside your keystore". Is a server certificate a kind of SSL certificate?
And if it is, how do I add it?
Is @Qualifier("contoso-idp") necessary, and what is this name based on?
I can see that the name is kind of picked from the idpMetadataURL.
A digital certificate is needed in order to define a trust relationship between an Identity Provider and a Service Provider in a SAML-based AuthN scenario. For more info, please refer to the protocol specifications.
A bean qualifier can be arbitrarily defined in Spring.
There may be a situation when you create more than one bean of the same type and want to wire only one of them with a property. In such cases, you can use the @Qualifier annotation along with @Autowired to remove the confusion by specifying which exact bean will be wired.
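The two answers above cover the AD FS metadata provider and the keystore-based trust relationship separately; the added example below (not the project's code) ties them together in one Spring configuration. It assumes the sample's existing httpClient, parserPool and extendedMetadata beans are injected as method parameters, that the AD FS token-signing certificate has been imported into samlKeystore.jks under the hypothetical alias "adfs-signing", and that the keystore passwords are supplied through hypothetical environment variables instead of being hard-coded.

```java
import java.util.Collections;
import java.util.Timer;
import org.apache.commons.httpclient.HttpClient;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

@Configuration
public class AdfsTrustConfig {

    private final Timer backgroundTaskTimer = new Timer(true);

    // Passwords come from the environment (assumed variable names), not from source code.
    @Bean
    public KeyManager keyManager() {
        Resource storeFile = new DefaultResourceLoader().getResource("classpath:/saml/samlKeystore.jks");
        String storePass = System.getenv("SAML_KEYSTORE_PASSWORD");
        // "apollo" is the SP's own signing/encryption key, as in the sample keystore.
        return new JKSKeyManager(storeFile, storePass,
                Collections.singletonMap("apollo", System.getenv("SAML_KEY_PASSWORD")), "apollo");
    }

    @Bean
    @Qualifier("contoso-idp")
    public ExtendedMetadataDelegate contosoADFSExtendedMetadataProvider(HttpClient httpClient,
            ParserPool parserPool, ExtendedMetadata extendedMetadata) throws MetadataProviderException {
        String idpMetadataURL = "https://ADFS.Contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";
        HTTPMetadataProvider provider = new HTTPMetadataProvider(backgroundTaskTimer, httpClient, idpMetadataURL);
        provider.setParserPool(parserPool);
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, extendedMetadata);
        // Require the federation metadata to be signed and verify that signature only against
        // the "adfs-signing" alias (assumed) in our keystore, so the IdP's keys are not trusted
        // merely because the document arrived over HTTPS.
        delegate.setMetadataRequireSignature(true);
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataTrustedKeys(Collections.singleton("adfs-signing"));
        backgroundTaskTimer.purge();
        return delegate;
    }
}
```

If the imported certificate does not match the one AD FS signs its metadata with, the provider fails to initialize instead of silently trusting unverified keys, which is the behaviour you want during rollout.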
Hi vdenotaris,
I am confused with this samlkeystore.jks. For the SSOCircle IdP you used a samlkeystore.jks and update-certificate.sh; how did you get those, or are they generated automatically? Is the metadata.xml exchange not enough to build trust between SP and IdP?
Now for the ADFS IdP I got the metadata.xml; I thought that was enough for the trust, and I will use HTTPS.
But I am now confused about samlkeystore.jks and update-certificate.sh and where to get them from.
How did you implement this:
@Bean
public KeyManager keyManager() {
    // Load the JKS keystore bundled on the classpath.
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader.getResource("classpath:/saml/samlKeystore.jks");
    String storePass = "nalle123";
    // Map of key alias -> key password; "apollo" is the SP's signing/encryption key.
    Map<String, String> passwords = new HashMap<String, String>();
    passwords.put("apollo", "nalle123");
    String defaultKey = "apollo";
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
Please help.
And I am aware of why we use @Qualifier. But I was asking about the name we put inside @Qualifier(name). What is this name based on, or can it be anything? I know it will be based on the IdP, but how do I set that?