vdenotaris / spring-boot-security-saml-sample
SBS3 — A sample SAML 2.0 Service Provider built on Spring Boot.
Home Page: https://sbs3.vdenotaris.com
License: Apache License 2.0
There seem to be 2 cases of threads that aren't properly terminated, which causes memory leaks when the app is re-deployed, e.g. on Tomcat.
In WebSecurityConfig:
1. A Timer object is created (for fetching metadata over HTTP), but it's not destroyed when the bean is destroyed (thus its TimerThread remains alive).
2. MultiThreadedHttpConnectionManager has a static ReferenceQueueThread instance, which also remains alive.
Calling .cancel() + .purge() on the Timer instance, and calling MultiThreadedHttpConnectionManager.shutdownAll() when the config is destroyed seems to solve the issue.
(It's not a big deal for the sample app, but I'm guessing that someone else might also use it as a template and run into the same issue.)
Note: Using MultiThreadedHttpConnectionManager.shutdownAll() seems a bit suspect, as it shuts down all instances in the current JVM, but it's the only way to terminate the ReferenceQueueThread that I mentioned.
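One way to wire the teardown described in this report, as an added example that is not the sample project's own WebSecurityConfig (the class and bean names, the placeholder metadata URL and the parser-pool wiring are assumptions; the OpenSAML 2 and commons-httpclient 3.x APIs are the ones the stack traces on this page show):

```java
import java.util.Timer;

import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class IdpMetadataConfig {

    // Kept as fields so destroy() can reach the same instances the beans use.
    private Timer backgroundTaskTimer;
    private MultiThreadedHttpConnectionManager connectionManager;

    @PostConstruct
    public void init() {
        // A daemon Timer does not block JVM exit, but on a webapp redeploy the JVM
        // stays up, so the TimerThread (and the classloader it pins) leaks without cancel().
        this.backgroundTaskTimer = new Timer(true);
        this.connectionManager = new MultiThreadedHttpConnectionManager();
    }

    @Bean
    public HttpClient httpClient() {
        // commons-httpclient 3.x client backed by the pooled manager above.
        return new HttpClient(this.connectionManager);
    }

    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        return new StaticBasicParserPool();
    }

    @Bean
    public HTTPMetadataProvider idpMetadataProvider() throws MetadataProviderException {
        // Placeholder URL (assumption); use the IdP's real metadata endpoint.
        String idpMetadataUrl = "https://idp.example.invalid/idp-meta.xml";
        HTTPMetadataProvider provider =
                new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(), idpMetadataUrl);
        provider.setParserPool(parserPool());
        return provider;
    }

    @PreDestroy
    public void destroy() {
        // Stop scheduled metadata refreshes and discard queued tasks so the TimerThread exits.
        this.backgroundTaskTimer.cancel();
        this.backgroundTaskTimer.purge();
        // Release this manager's pooled connections, then stop the static
        // ReferenceQueueThread. shutdownAll() affects every manager in the JVM,
        // which is the caveat raised in the report above.
        this.connectionManager.shutdown();
        MultiThreadedHttpConnectionManager.shutdownAll();
    }
}
```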
Switch to a full annotation-based configuration by implementing SAML bindings as Java Config instead of XML beans.
Achieved on unstable-update branch.
SSOCircle AuthN error while updating from Spring SAML version 1.0.0.RC to 1.0.0.RELEASE.
Active on unstable-update branch.
Hi, I'm very new to SAML so my apologies if this is a stupid question.
I've setup the project locally (localhost:8080) and running it through IntelliJ. I can successfully get to the landing page and select ssocircle as the IdP. Once I'm redirected to ssocircle, I authenticate and then I get the following error:
Error occurred
Reason: Unable to do Single Sign On or Federation.
Please enable the additional debug option in "My Debug".
Detailed trace information only available with paid accounts.
Check our plans.
The handshake did not complete and my local instance never got any information from ssocircle.
Is this a limitation of my environment? Is this because ssocircle can't talk back to my server?
Thanks for your help!
I changed the entity ID and it ran successfully. In SSOCircle, I created a new user and uploaded my metadata. When I select the IdP, the page jumps to the SSOCircle login page. On the login page, which Login button can be clicked?
And what should I do next? Thanks.
Add SSO live demo deployment by using SSOCircle as Identity Provider.
Tomcat will be used as Application Server.
Add Gradle build automation support.
Hello,
How would you go about writing test code with a TestRestTemplate instead of using mockMVC?
Kind Regards,
Ewout.
Add a fancy web layout by integrating web framework and utils such as Bootstrap, Font Awesome, etc.
Just wanted to give you props on this work... +1. Great work... I was struggling with authentication against ADFS via SAML... this helped a lot.
Please help: how do I run behind a proxy?
I'm getting the error below:
17:14:45.295 [main] ERROR org.opensaml.saml2.metadata.provider.HTTPMetadataProvider - Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
java.net.UnknownHostException: idp.ssocircle.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[?:1.8.0_144]
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_144]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_144]
at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_144]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:673) ~[?:1.8.0_144]
at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:477) ~[?:1.8.0_144]
Hi vdenotaris,
First of all THANK YOU VERY MUCH your saml implementation helped me a lot.
I want to use ADFS as my IdP. I got the IdP metadata.
Now how do I use that, like you did for SSOCircle?
Any help would be appreciated.
2018-08-16 05:51:13.865 WARN 6978 --- [ main] s.c.a.AnnotationConfigApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to parse configuration class [com.vdenotaris.spring.boot.security.saml.web.Application]; nested exception is java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.boot.web.support.SpringBootServletInitializer
2018-08-16 05:51:13.883 ERROR 6978 --- [ main] o.s.b.SpringApplication : Application startup failed
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to parse configuration class [com.vdenotaris.spring.boot.security.saml.web.Application]; nested exception is java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.boot.web.support.SpringBootServletInitializer
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:183) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:308) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:228) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:272) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:92) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:687) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:525) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at com.vdenotaris.spring.boot.security.saml.web.Application.main(Application.java:33) [classes/:?]
Caused by: java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.boot.web.support.SpringBootServletInitializer
at org.springframework.core.type.StandardAnnotationMetadata.getAnnotatedMethods(StandardAnnotationMetadata.java:163) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.retrieveBeanMethodMetadata(ConfigurationClassParser.java:385) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.doProcessConfigurationClass(ConfigurationClassParser.java:319) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.processConfigurationClass(ConfigurationClassParser.java:247) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:200) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:169) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
... 12 more
Caused by: java.lang.NoClassDefFoundError: javax/servlet/ServletContext
at java.lang.Class.getDeclaredMethods0(Native Method) ~[?:1.8.0_181]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) ~[?:1.8.0_181]
at java.lang.Class.getDeclaredMethods(Class.java:1975) ~[?:1.8.0_181]
at org.springframework.core.type.StandardAnnotationMetadata.getAnnotatedMethods(StandardAnnotationMetadata.java:152) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.retrieveBeanMethodMetadata(ConfigurationClassParser.java:385) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.doProcessConfigurationClass(ConfigurationClassParser.java:319) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.processConfigurationClass(ConfigurationClassParser.java:247) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:200) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:169) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
... 12 more
Caused by: java.lang.ClassNotFoundException: javax.servlet.ServletContext
at java.net.URLClassLoader.findClass(URLClassLoader.java:381) ~[?:1.8.0_181]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[?:1.8.0_181]
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349) ~[?:1.8.0_181]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_181]
at java.lang.Class.getDeclaredMethods0(Native Method) ~[?:1.8.0_181]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) ~[?:1.8.0_181]
at java.lang.Class.getDeclaredMethods(Class.java:1975) ~[?:1.8.0_181]
at org.springframework.core.type.StandardAnnotationMetadata.getAnnotatedMethods(StandardAnnotationMetadata.java:152) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.retrieveBeanMethodMetadata(ConfigurationClassParser.java:385) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.doProcessConfigurationClass(ConfigurationClassParser.java:319) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.processConfigurationClass(ConfigurationClassParser.java:247) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:200) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:169) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
... 12 more
<modelVersion>4.0.0</modelVersion>
<groupId>com.vdenotaris.spring</groupId>
<artifactId>spring-boot-security-saml-sample</artifactId>
<version>1.8.0.RELEASE</version>
<packaging>war</packaging>
<!-- Project description -->
<name>Spring Boot and Spring Security SAML integration sample</name>
<description>Currently Spring Security SAML module doesn't provide a starter for Spring Boot. Moreover, its configuration is XML-based as of this writing. The aim of this project is to explain how to develop a Service Provider (SP) which uses Spring Boot and Spring Security SAML Extension, by defining an annotation-based configuration (Java Configuration). Thymeleaf is also used as template engine.</description>
<url>https://github.com/vdenotaris/spring-boot-security-saml-sample</url>
<developers>
<developer>
<id>vdenotaris</id>
<name>Vincenzo De Notaris</name>
<email>[email protected]</email>
<timezone>+1</timezone>
</developer>
</developers>
<contributors>
<contributor>
<name>Vladimír Schäfer</name>
</contributor>
<contributor>
<name>Alexey Syrtsev</name>
</contributor>
</contributors>
<licenses>
<license>
<name>Apache License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
</license>
</licenses>
<inceptionYear>2017</inceptionYear>
<properties>
<java.version>1.8</java.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<start-class>com.vdenotaris.spring.boot.security.saml.web.Application</start-class>
</properties>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.15.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>1.0.2.RELEASE</version>
</dependency>
</dependencies>
<scm>
<connection>scm:git:[email protected]:vdenotaris/spring-boot-security-saml-sample.git</connection>
<url>scm:git:[email protected]:vdenotaris/spring-boot-security-saml-sample.git</url>
<developerConnection>scm:git:[email protected]:vdenotaris/spring-boot-security-saml-sample.git</developerConnection>
</scm>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>2.5.3</version>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<failOnMissingWebXml>false</failOnMissingWebXml>
</configuration>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.7.9</version>
<executions>
<execution>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<phase>prepare-package</phase>
<goals>
<goal>report</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
I can access the URL https://idp.ssocircle.com/idp-meta.xml in my browser and see the XML, but on server startup I see this exception in Eclipse.
org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.1.jar:?]
Please help me. I am stuck. I want to test SSO with this sample project with SSOCircle. If this works, I have to use a different IdP.
It seems that the Authentication object does not return the SAML assertion token? We're unable to find it from the API used for SAML:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
pageContext.setAttribute("authentication", authentication);
pageContext.setAttribute("credential", credential);
Could you please let us know how to get the token?
Please change the CSRF token on a successful response by checking the Cookie or Header sent by the user.
Hello, thanks for your sample project. Currently implementing SAML authentication based on your sample.
Metadata generation works fine as well as the redirection to the IDP site. But on the way back we just get an error...
Error! Something went wrong during the authentication process.
I guess it is caused by the request not being handled correctly or not being handled at all. Can you give me a hint which class is used to handle the /saml/SSO request?
POST /saml/SSO HTTP/1.1
Host: ...
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 2285
Referer: https://...
Cookie: JSESSIONID=93D15C024BF3E8EC6EE186BA4BF33EFA
Connection: keep-alive
Upgrade-Insecure-Requests: 1
SAMLResponse=...
Hi,
the example should run out of the box, right? So I just check it out, build with
maven clean install
and run it with
java -jar spring-boot-security-saml-sample-1.4.0.RELEASE.war
Is there anything else to do? I get the error below all of the time. Do I need to add some certificates to the keystore or configure a hostname? When I call the address https://idp.ssocircle.com/idp-meta.xml with my browser, I am fine.
Thanks for any help!
Gerd
org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267) ~[opensaml-2.6.1.jar!/:?]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) ~[opensaml-2.6.1.jar!/:?]
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) ~[opensaml-2.6.1.jar!/:?]
at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_121]
at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_121]
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar!/:?]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar!/:?]
... 9 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) ~[openws-1.5.1.jar!/:?]
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.1.jar!/:?]
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar!/:?]
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar!/:?]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar!/:?]
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar!/:?]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar!/:?]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar!/:?]
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar!/:?]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar!/:?]
... 9 more
We saw that you disabled CSRF in the source, but our project needs to avoid CSRF attacks, so we cannot disable it.
When we enable CSRF, the authentication fails; if we disable CSRF like in your source, the authentication succeeds. So we want to know how to solve the problem. Can you help us? Thank you very much.
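A way to keep CSRF protection on while still accepting the IdP's POST binding, as an added example that is not the sample's own WebSecurityConfig (the class name and path patterns are assumptions; the API is Spring Security 4.x, which the Spring Boot 1.5.x parent in the pom above pulls in):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ScopedCsrfConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // The IdP posts SAMLResponse (to /saml/SSO) and LogoutRequest (to
                // /saml/SingleLogout) from its own origin, so those requests never carry
                // Spring's synchronizer token and are rejected while CSRF is enabled.
                // Exempt only the SAML endpoints instead of http.csrf().disable():
                // the assertion consumer still verifies the response signature and,
                // for SP-initiated logins, InResponseTo, which is what guards them.
                .ignoringAntMatchers("/saml/**")
                .and()
            .authorizeRequests()
                .antMatchers("/saml/**").permitAll()
                .antMatchers("/", "/error").permitAll()
                .anyRequest().authenticated();
        // Every other state-changing request (including POST /logout) keeps the CSRF check.
    }
}
```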
Hi,
I have added an entity and the metadata generated using http://localhost:8080/saml/metadata in SSOCircle.
I started the application (running on localhost) and selected SSOCircle as the IdP. It redirects me to the IdP login page and, after successful authentication, while redirecting back to the SP, it gives me an error message on the UI screen:
"Something went wrong during the authentication process."
Kindly help.
But in the Spring Boot console log, there seems to be no error.
2018-01-10 13:08:02.439 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator : Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
2018-01-10 13:08:02.439 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator : Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2018-01-10 13:08:02.482 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator : Signature validated with key from supplied credential
2018-01-10 13:08:02.482 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine : Signature validation using candidate credential was successful
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine : Successfully verified signature using KeyInfo-derived credential
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine : Attempting to establish trust of KeyInfo-derived credential
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.t.ExplicitKeyTrustEvaluator : Successfully validated untrusted credential against trusted key
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine : Successfully established trust of KeyInfo-derived credential
2018-01-10 13:08:02.484 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl : Processing Bearer subject confirmation
2018-01-10 13:08:02.484 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl : Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3043e9fb against requested null
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl : Validation of authentication statement in assertion s2959c42be21e2d85477fa1450d34a5717af116898 was successful
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl : Including attribute EmailAddress from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl : Including attribute UserID from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.486 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl : Including attribute FirstName from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.486 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl : Including attribute LastName from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.489 INFO 3912 --- [http-nio-8080-exec-8] v.s.b.s.s.w.c.SAMLUserDetailsServiceImpl : [email protected] is logged in
2018-01-10 13:08:02.494 INFO 3912 --- [http-nio-8080-exec-8] o.s.s.s.l.SAMLDefaultLogger : AuthNResponse;SUCCESS;0:0:0:0:0:0:0:1;com:infypoc:spring:sp;https://idp.ssocircle.com;[email protected];;
2018-01-10 13:08:02.494 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.SAMLProcessingFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@236cffc3: Principal: org.springframework.security.core.userdetails.User@ce0d27b9: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@ce0d27b9: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Granted Authorities: ROLE_USER
Hi,
When I run the application in local, I get
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
As per the README, I need to update the certificate; however, update-certifcate.sh is not available in the repository.
Please add the shell script to the repository.
Regards,
Harish
I grab the whole codebase and as soon as I start it in STS, I see a huge amount of exceptions:
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 46.4.112.4
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.opens
...
[2015-07-23 12:36:23.066] boot - 56854 DEBUG [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error occurred while attempting to refresh metadata from 'https://idp.ssocircle.com/idp-meta.xml'
org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 46.4.112.4
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.
And once I load localhost:8080, and click login, I got:
Error:
Something went wrong during the authentication process.
So can you tell me what I need to do to be able to run this app successfully? Do I need to change any configuration?
Thanks
Hi,
I have been trying a few samples on your library, and I have got stuck with the ECP configuration for quite a while.
Would be very helpful if you could provide some insight into resolving this.
I've made the ECP configuration as below:
@Bean
public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata extendedMetadata = new ExtendedMetadata();
    extendedMetadata.setIdpDiscoveryEnabled(true);
    // extendedMetadata.setSignMetadata(false);
    extendedMetadata.setEcpEnabled(true);
    return extendedMetadata;
}
@Bean
public MetadataGenerator metadataGenerator() {
    MetadataGenerator metadataGenerator = new MetadataGenerator();
    metadataGenerator.setEntityId("urn_boot_saml");
    metadataGenerator.setExtendedMetadata(extendedMetadata());
    List<String> bindingsSSO = new ArrayList<>();
    bindingsSSO.add("paos");
    bindingsSSO.add("post");
    bindingsSSO.add("artifact");
    metadataGenerator.setBindingsSSO(bindingsSSO);
    return metadataGenerator;
}
I keep getting the response below when I try to curl the PAOS endpoint:
curl -k -I -H 'Accept: application/vnd.paos+xml' -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://localhost:8443/saml/sso
HTTP/1.1 406 Not Acceptable
Date: Fri, 29 Jul 2016 09:46:11 GMT
X-Application-Context: application:8443
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 299
Server: Jetty(9.2.16.v20160414)
Complete details in the link below:
stackoverflow post
Hi, great app! I used your example little more than a year ago and since I created my own spring-boot SAML plugin. I'd like to get your input since you seem to be active in this topic.
https://github.com/ulisesbocchio/spring-boot-security-saml
Hi,
First, thanks for this sample :)
Second, I have a question (that may resolve into an actual issue).
Why does your WebSecurityConfig contain a default Spring LogoutFilter configuration:
http
    .logout()
    .logoutSuccessUrl("/");
From what I understand after hours spent on making Spring SAML work correctly, it (Spring SAML) overrides the default logout behavior with its own (available at /saml/logout), therefore the default Spring LogoutFilter doesn't make sense anymore (it's still available by POST to /logout, but it literally does nothing except for redirecting to /). So since LogoutConfigurer comes as a default and WebSecurityConfig uses defaults (by reusing a default constructor which in turn calls this(false)), does it make sense to replace the snippet above with http.logout().disable(); at least to avoid confusion?
Hi All,
I am trying to run the application as it is (I only ran update-certifcate.sh to generate the keystore and then used the command "keytool -importcert -alias apollo -file ca.cer -keystore samlKeystore.jks" to generate the private key pair), but I am getting the error below in the UI after selecting the default SSOCircle IdP.
Error occurred
Reason: Invalid signature in Request.
Also, please find the Spring Boot logs below.
Kindly help me to resolve this issue urgently (it seems to be keystore related only).
o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Metadata document does not contain an EntityDescriptor with the ID com:vdenotaris:spring:sp
o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Metadata document did not contain a descriptor for entity com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity com:vdenotaris:spring:sp
o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Metadata document does not contain an EntityDescriptor with the ID com:vdenotaris:spring:sp
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
o.o.x.s.c.KeyStoreCredentialResolver : Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
o.o.x.s.c.KeyStoreCredentialResolver : Processing PrivateKeyEntry from keystore
.c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
o.o.x.s.c.KeyStoreCredentialResolver : Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
o.o.x.s.c.KeyStoreCredentialResolver : Processing PrivateKeyEntry from keystore
.c.c.EvaluableCredentialCriteriaRegistry : Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
o.o.x.p.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
o.o.x.p.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
o.o.x.p.StaticBasicParserPool : Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
o.s.s.s.c.SAMLContextProviderImpl : Using user specified IDP https://idp.ssocircle.com from request
o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://idp.ssocircle.com
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://idp.ssocircle.com
o.o.s.m.p.ChainingMetadataProvider : Checking child metadata provider for entity descriptor with entity ID: https://idp.ssocircle.com
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://idp.ssocircle.com
o.o.s.m.p.AbstractMetadataProvider : Searching for entity descriptor with an entity ID of https://idp.ssocircle.com
o.s.s.s.u.SAMLUtil : Index for AssertionConsumerService not specified, returning default
o.o.s.m.s.SAML2MetadataHelper : Selecting default IndexedEndpoint
o.o.s.m.s.SAML2MetadataHelper : Selected IndexedEndpoint with explicit isDefault of true
o.s.s.s.SAMLEntryPoint : Processing SSO using WebSSO profile
o.o.s.m.s.SAML2MetadataHelper : Selecting default IndexedEndpoint
o.o.s.m.s.SAML2MetadataHelper : Selected IndexedEndpoint with explicit isDefault of true
o.o.s.m.s.SAML2MetadataHelper : Selecting default IndexedEndpoint
o.o.s.m.s.SAML2MetadataHelper : Selected IndexedEndpoint with explicit isDefault of true
o.o.s.m.s.SAML2MetadataHelper : Selecting default IndexedEndpoint
o.o.s.m.s.SAML2MetadataHelper : Selected IndexedEndpoint with explicit isDefault of true
o.s.s.s.w.WebSSOProfileImpl : Using default consumer service with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
o.o.w.m.e.BaseMessageEncoder : Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
o.o.s.b.e.HTTPRedirectDeflateEncoder : Deflating and Base64 encoding SAML message
o.o.w.m.e.BaseMessageEncoder : Marshalling message
o.o.s.b.e.HTTPRedirectDeflateEncoder : Building URL to redirect client to
o.o.s.b.e.HTTPRedirectDeflateEncoder : Generating signature with key type 'DSA', algorithm URI 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' over query string 'SAMLRequest=fZJfb9sgFMW%2FCrrvscFLNhfFqbJV1Sp1ahS7e9jbDb5LqDB4XBzt44%2F8qdq99AkBv8OBc1je%2Fh2cOFJkG3wDqpAgyJvQW79v4Lm7n9Vwu1oyDq4a9XpKB7%2BlPxNxElnoWV92Gpii1wHZsvY4EOtkdLv%2B8airQuoxhhRMcCDWzBRTtvoWPE8DxZbi0Rp63j42cEhp1GXpgkF3CJx0LWtZngzKtn0CcZddrcd0vukJ5kzbfiyYg7HROCpMGPR8%2FqnMKyfNlnobyaRyoIRrZ5HLcdo5a7IKxH2Ihs5PauA3OiYQD3cNYPW5PyDKfS%2FV%2FqU26ssO94v6xageF7jLEG%2BQ2R7pTcY80YPnhD41UElVz6SayZtOLfTiRs9VUVXqF4jNNYiv1l8C%2Fii13QVi%2Fb3rNrPNU9uB%2BPlaVAbgWos%2Bu8f3fXx8ML6WAKtTXseefEgYM8tjzI55WJbvj15dp%2F9%2FgNU%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23dsa-sha1'
o.o.x.s.SigningUtil : Computing signature over input using private key of type DSA and JCA algorithm ID SHA1withDSA
o.o.x.s.SigningUtil : Computed signature: 302d02150096a63b4d16533e52c14b81d61a3eb15d8086be5d0214324c7d6be3c929a27f3250795e23cb23f328c566
o.o.s.b.e.HTTPRedirectDeflateEncoder : Generated digital signature value (base64-encoded) MC0CFQCWpjtNFlM+UsFLgdYaPrFdgIa+XQIUMkx9a+PJKaJ/MlB5XiPLI/MoxWY=
o.o.w.m.e.BaseMessageEncoder : Successfully encoded message.
o.s.s.s.s.HttpSessionStorage : Storing message a26dhaa0gd01gj8c17bag58jc1da5ab to session C35F885770EDA5A0A9DD205271EC04E4
o.s.s.s.l.SAMLDefaultLogger : AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;https://idp.ssocircle.com;;;
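The log above shows the SP signing its AuthnRequest with the private key under alias apollo (key type DSA, SHA1withDSA). An IdP reports "Invalid signature in Request" when it cannot verify that signature with the certificate it holds in the SP metadata registered on its side, so the first things to check on the SP are that the signing alias really is a PrivateKeyEntry (keytool -importcert only creates a trustedCertEntry, a certificate with no private key) and that the certificate under that alias is the one in the metadata uploaded to the IdP. The diagnostic below is an added example, not code from the sample project; its defaults (keystore at src/main/resources/saml/samlKeystore.jks, password nalle123, alias apollo) are taken from the sample's KeyManager configuration and are assumptions to adjust for your own keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;

/**
 * Added diagnostic (not part of the sample): lists every alias in a JKS keystore,
 * reports whether it holds a private key (usable to sign AuthnRequests) or only a
 * trusted certificate, and prints the key algorithm and the certificate's SHA-256
 * fingerprint so it can be compared with the ds:X509Certificate in the SP metadata
 * registered at the IdP.
 */
public class KeystoreSigningKeyCheck {

    /** Result of inspecting one keystore alias. */
    public static final class EntryReport {
        public final String alias;
        public final boolean privateKeyEntry;
        public final String keyAlgorithm;      // e.g. "DSA" (as in the log above) or "RSA"
        public final String sha256Fingerprint; // colon-separated hex of SHA-256(DER certificate)

        EntryReport(String alias, boolean privateKeyEntry, String keyAlgorithm, String sha256Fingerprint) {
            this.alias = alias;
            this.privateKeyEntry = privateKeyEntry;
            this.keyAlgorithm = keyAlgorithm;
            this.sha256Fingerprint = sha256Fingerprint;
        }
    }

    public static EntryReport inspect(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate stored under alias '" + alias + "'");
        }
        // isKeyEntry is true only for PrivateKeyEntry / SecretKeyEntry; a certificate added with
        // keytool -importcert is a trustedCertEntry and cannot sign anything.
        boolean privateKeyEntry = ks.isKeyEntry(alias);
        String algorithm = cert.getPublicKey().getAlgorithm();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return new EntryReport(alias, privateKeyEntry, algorithm, toHex(digest));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int i = 0; i < bytes.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", bytes[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults mirror the sample's KeyManager bean; override on the command line.
        String path = args.length > 0 ? args[0] : "src/main/resources/saml/samlKeystore.jks";
        char[] password = (args.length > 1 ? args[1] : "nalle123").toCharArray();
        String signingAlias = args.length > 2 ? args[2] : "apollo";

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            EntryReport r = inspect(ks, alias);
            System.out.printf("%-12s %-16s %-4s %s%n", r.alias,
                    r.privateKeyEntry ? "PrivateKeyEntry" : "trustedCertEntry",
                    r.keyAlgorithm, r.sha256Fingerprint);
        }
        if (!ks.isKeyEntry(signingAlias)) {
            System.err.println("alias '" + signingAlias + "' has no private key: the SP cannot sign requests with it");
            System.exit(1);
        }
    }
}
```

If the signing alias is reported as a trustedCertEntry, the keystore was built by importing a certificate rather than generating a key pair, and the SP has nothing to sign with; if it is a PrivateKeyEntry but its fingerprint differs from the certificate in the metadata the IdP has on file, regenerate and re-upload the SP metadata so the IdP verifies against the current certificate.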
In both firefox and safari, going to localhost:8080 fails with the following message:
"Too many redirects occurred trying to open "http://localhost:8080/saml/discovery?entityID=com%3Avdenotaris%3Aspring%3Asp&returnIDParam=idp". This might occur if you open a page that is redirected to another page which is then directed to open the original page.
I modified the Spring server port to 9800 (and I tried others) and I get an error from SSOCircle.
But if I change it back to 8080 then it works fine. Is there any reason that only port 8080 works with your example?
Also I tried to change the context path from "/" to "myservice" and that seemed to fail as well.
In all cases, I created a brand new user. But if I use localhost:8080/ then all is fine.
Is this some weird limitation of sso circle or is there some hidden configuration that I am missing?
Hi,
thanks for sharing this precious SAML-SP attempt; this standard is really hard to get, and a good tutorial on it even more so.
Now your project works after a certificate refresh.
I can reach the default "choose IdP" page, but once logged in to SSOCircle it gives me an error on redirect.
I'm currently using my free SSOCircle user, already validated on the Official Spring SAML Sample tutorial.
I've got to change the EntityID to upload metadata to SSOCircle which says the current is already used.
I've changed:
metadataGenerator.setEntityId("com:mytest:spring:sp");
in WebSecurityConfig.class but the project fails to start:
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_73]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.23-dev]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_73]
Caused by: org.opensaml.common.SAMLException: Error loading metadata
... 67 more
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for entity com:vdenotaris:spring:sp and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found
at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalEntity(SAMLContextProviderImpl.java:319) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalContext(SAMLContextProviderImpl.java:216) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalEntity(SAMLContextProviderImpl.java:107) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.SAMLDiscovery.processDiscoveryRequest(SAMLDiscovery.java:183) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
... 66 more
Thanks in advance
The constructor HTTPMetadataProvider(String arg0, long arg1) is deprecated.
It will be substituted with HTTPMetadataProvider(Timer arg0, HttpClient arg1, String arg2).
As seen in https://github.com/vdenotaris/spring-boot-security-saml-sample/tree/master/src/main/java/com/vdenotaris/spring/boot/security/saml/web, there are two packages with the almost same name: controllers and contolles (missing the R). They both contain the same Controllers, so this is probably a simple copy/paste bug.
Hello,
I'm trying to make this application work with Okta. I found the following question on Stack Overflow that provides some guidance, but I can't quite get things to work.
http://stackoverflow.com/questions/15997221/configuring-saml-sample-sp-to-work-with-okta-idp
Here's what I'm using for values:
Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
It looks like it works from the logs:
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748 INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;
However, it redirects me to Okta's site rather than back to my site. I was able to get the following Node.js application working:
https://github.com/ThoughtWorksInc/okta-samples/tree/master/okta-node-express
Destroy method on bean with name 'org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory' threw an exception
Hey
Can you please guide us on how to integrate your project with Keycloak as an IdP? Or, if you can, just give me some pointers on where to make the change.
Thanks
Abhishek
Update Spring SAML from 1.0.0.RC to 1.0.0.RELEASE.
Achieved on unstable-update branch.
I want to integrate it with Okta. Please advise.
I created an OKTA based application using this code. Here, on local system I am able to access the application on http://localhost:8080 and able to authenticate user as well using SSO url as: http://localhost:8080/saml/SSO
Question:
How do we run our application on https instead of http? What my company has provided is https://"domain-name":8080/saml/SSO
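Both the "only port 8080 works" report above and this https question come down to the same mechanism: the SP's own endpoints (AssertionConsumerService, SingleLogoutService) are written into the generated metadata from the entity base URL, and the IdP sends responses only to the endpoints it has on file, so the scheme, host, port and context path the IdP sees must be fixed explicitly and the metadata re-registered whenever they change. The configuration below is an added example, not code from the sample project: it pins those values with Spring SAML's SAMLContextProviderLB (intended for SPs reached through a TLS-terminating proxy or load balancer) and gives MetadataGenerator the same base URL. The host sp.example.com, context path /myservice and entity ID com:example:spring:sp are constructed placeholders; it assumes the sample's existing keyManager and extendedMetadata beans and would replace the sample's contextProvider and metadataGenerator beans.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

/**
 * Added example (not the sample's own configuration): make the SP advertise and
 * validate a fixed external URL instead of whatever the servlet container sees.
 * Without this, running behind an https proxy or on a different port silently
 * changes the ACS URL, and the IdP rejects or misroutes the response.
 */
@Configuration
public class ExternalUrlSamlConfig {

    // Constructed placeholder values: replace with the URL the IdP is configured with.
    static final String SCHEME = "https";
    static final String HOST = "sp.example.com";
    static final int PORT = 8080;
    static final String CONTEXT_PATH = "/myservice";
    static final String ENTITY_ID = "com:example:spring:sp";

    /** The base from which /saml/SSO, /saml/SingleLogout and /saml/metadata are derived. */
    public static String entityBaseUrl() {
        return SCHEME + "://" + HOST + ":" + PORT + CONTEXT_PATH;
    }

    /**
     * Replaces SAMLContextProviderImpl. The LB variant ignores the request's own
     * scheme/host/port (which are the proxy's, or plain http after TLS termination)
     * and uses the configured values when checking a Response's Destination and
     * Recipient and when building request URLs.
     */
    @Bean
    public SAMLContextProviderLB contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme(SCHEME);
        provider.setServerName(HOST);
        provider.setServerPort(PORT);
        provider.setIncludeServerPortInRequestURL(true);
        provider.setContextPath(CONTEXT_PATH);
        return provider;
    }

    /** Generates SP metadata whose endpoints use the same external base URL. */
    @Bean
    public MetadataGenerator metadataGenerator(KeyManager keyManager, ExtendedMetadata extendedMetadata) {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(ENTITY_ID);
        generator.setEntityBaseURL(entityBaseUrl());
        generator.setExtendedMetadata(extendedMetadata);
        generator.setIncludeDiscoveryExtension(false);
        generator.setKeyManager(keyManager);
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter(MetadataGenerator generator) {
        return new MetadataGeneratorFilter(generator);
    }
}
```

After changing any of these values, download the SP metadata again (the sample serves it at /saml/metadata) and upload it to the IdP; the Destination and Recipient checks performed by the context provider are what protect against responses replayed to a different endpoint, so they should stay strict rather than be relaxed to make a port change work.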
I tried to set AssertionConsumerServiceIndex using the org.springframework.security.saml.websso.WebSSOProfileOptions#setAssertionConsumerIndex method,
but it's not appended to the AuthnRequest.
Hi, is it possible to add the Dockerfile used on hub.docker inside the project? I need to change a volume and I don't know how it is created.
Thanks and great job!
hi @vdenotaris, I'm new to SAML and trying to implement SAML authentication in my existing application. The current application has a server and client relationship, but it's using a RESTful interface and is not meant to be used with a browser; although some REST GET requests would work with the browser, the intent is to have client and server communicate over REST APIs. Here are some questions I'm hoping you can help answer:
I would like to integrate this in my Spring MVC application(however I am not using Spring boot). How can I do this?
sdugan$ sh ./update-certifcate.sh
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
Is there a way to add local user form authentication to this example?
Add rich Java documentation in order to explain the whole source code.
Hi,
This code results in a multiple-redirect loop when the logout success page is "/logout" instead of "/".
I suspect this has something to do with the logout configuration in HttpSecurity configuration method.
(Below code)
http
.logout()
.logoutSuccessUrl("/");
Please let me know if you agree with this.
Hi Guys,
I am getting the following issue while retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
Following is my code from the security config file.
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader
.getResource("classpath:/saml/samlKeystore.jks");
String storePass = "nalle123";
Map<String, String> passwords = new HashMap<String, String>();
passwords.put("apollo", "nalle123");
String defaultKey = "apollo";
return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
and using samlKeystore.jks provided in sample example.
[ERROR] org.opensaml.saml2.metadata.provider.HTTPMetadataProvider - Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
Please guide me in this regard as I am very new to Spring SAML.
Thanks & Regards
Mahesh
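The deprecation note earlier on this page (HTTPMetadataProvider(String, long) being replaced by HTTPMetadataProvider(Timer, HttpClient, String)) and the "Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml" report above both concern how the IdP metadata provider is built. The configuration below is an added example, not the sample's own metadata() bean: it uses the non-deprecated constructor with an explicit Timer and an HttpClient whose timeouts are set, so a slow or unreachable IdP surfaces as a timed-out fetch rather than a hung startup, and it cancels the timer and shuts down the connection manager when the context is destroyed so no background threads outlive a redeploy. It assumes the sample's parserPool bean (a StaticBasicParserPool, as the log on this page shows) is available for injection; the 5-second timeout and the daemon timer name are constructed choices.

```java
import java.util.Timer;
import javax.annotation.PreDestroy;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

/**
 * Added example (not the sample's metadata bean): IdP metadata fetched over HTTPS
 * with the non-deprecated HTTPMetadataProvider constructor, bounded timeouts, and
 * explicit teardown of the refresh timer and connection manager.
 */
@Configuration
public class IdpMetadataConfig {

    static final String IDP_METADATA_URL = "https://idp.ssocircle.com/idp-meta.xml";
    static final int HTTP_TIMEOUT_MS = 5000; // constructed value

    // Daemon timer: the periodic metadata refresh must never keep the JVM alive on its own.
    private final Timer backgroundTaskTimer = new Timer("saml-metadata-refresh", true);
    private final MultiThreadedHttpConnectionManager connectionManager =
            new MultiThreadedHttpConnectionManager();

    @Bean
    public HttpClient httpClient() {
        HttpClient client = new HttpClient(connectionManager);
        // Without these, a stalled IdP endpoint blocks metadata loading indefinitely.
        client.getHttpConnectionManager().getParams().setConnectionTimeout(HTTP_TIMEOUT_MS);
        client.getHttpConnectionManager().getParams().setSoTimeout(HTTP_TIMEOUT_MS);
        return client;
    }

    @Bean
    public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider(ParserPool parserPool)
            throws MetadataProviderException {
        HTTPMetadataProvider provider =
                new HTTPMetadataProvider(backgroundTaskTimer, httpClient(), IDP_METADATA_URL);
        provider.setParserPool(parserPool);
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // Development settings: the IdP metadata is accepted on the strength of the HTTPS
        // connection alone. For production, keep the trust check and require a signature
        // from a key you have pinned, so a tampered metadata document cannot swap the IdP key.
        delegate.setMetadataTrustCheck(false);
        delegate.setMetadataRequireSignature(false);
        return delegate;
    }

    /** Stop the refresh thread and release pooled connections on context shutdown (e.g. redeploy). */
    @PreDestroy
    public void shutdown() {
        backgroundTaskTimer.cancel();
        backgroundTaskTimer.purge();
        connectionManager.shutdown();
        // connectionManager.shutdown() releases this instance's connections; the static
        // reference-queue thread shared by all instances is only stopped by
        // MultiThreadedHttpConnectionManager.shutdownAll(), which also affects other users in the JVM.
    }
}
```

When the fetch still fails with "Error retrieving metadata", the cause is on the transport: the JVM truststore must contain the CA that issued the IdP's HTTPS certificate, and an outbound proxy has to be configured on the HttpClient. Bypassing the TLS check instead would leave the SP trusting whichever key an on-path party places in the metadata.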