I’ve an existing Spring Boot project used to authenticate an Angular SPA with SAML.
The dependencies included in the Spring Boot project are:
-spring-boot-starter-security (version 2.6.6)
-spring-security-saml2-core (version 1.0.10.RELEASE)
I’ve replaced the spring-security-saml2-core with spring-security-saml2-service-provider
because spring-security-saml2-core is being superseded by the SAML feature set in Spring Security Core and the configuration it’s more simplified.
Exist a similar feature (see : Section 9.5
https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/configuration-sso.html#configuration-authentication-assertion)
to serialize the SAML assertion response with spring-security-saml2-service-provider ?
I've solved. Saml2Authentication returns the SAML response object, as decoded XML (see: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.html)
Related
I wanted to try the new SAML2 Metadata endpoint in Spring Security 5.4.0-RC1 (with Spring Boot 2.3.2) but accessing /saml2/service-provider-metadata/{registrationId} returns 404.
I had to add the filter myself, like this:
#Bean
public Saml2MetadataFilter saml2MetadataFilter(RelyingPartyRegistrationRepository repository) {
return new Saml2MetadataFilter(new DefaultRelyingPartyRegistrationResolver(repository), new OpenSamlMetadataResolver());
}
Then the metadata endpoint works as expected.
Is this by design or is there a missing configuration on my part or in Spring Security?
I searched for Saml2MetadataFilter in the spring security repository on GitHub but only found it in a test.
Answering my own question: The Spring Security SAML2 documentation is now updated with instructions on how to enable the metadata endpoint.
https://docs.spring.io/spring-security/site/docs/5.4.0/reference/html5/#servlet-saml2login-metadata
This instruction make sure Saml2MetadataFilter is added before the Saml2WebSsoAuthenticationFilter so it's always publicly accessible.
The Spring Security SAML extension sample application doesn't seem to be compatible with Spring Security 4.2.2 (the latest at the time of this writing). At least not out of the box. Is this due to a compatibility issue between the SAML extension and Spring Security or just something that needs to be tweaked / updated in the sample application?
I've seen this link...
Spring Saml not working with latest Spring Security 4.0.0.RELEASE
...where a commenter says that the SAML extension should be compatible with Spring Security 4, but I can't seem to figure out what changes need to be made to the SAML example application to get it working. Has anyone else figured this out?
Thanks!
I have downloaded the sample project on spring-saml 2.0. I have noticed that in the Assertion.xml file under the saml:NameID tag, Format tag is referring to saml 1.1. Would anyone please clarify why? I am new to Spring-saml 2.0 and I have no idea of earlier saml version?
<saml:Subject>
<saml:NameID NameQualifier="http://idp.ssocircle.com" Format="urn:oasis:names:tc:**SAML:1.1**:nameid-format:emailAddress">test#abc.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:**SAML:2.0**:cm:bearer">
<saml:SubjectConfirmationData Recipient="http://192.168.1.100:8080/spring-security-saml2-sample/saml/SSO" NotOnOrAfter="2016-02-26T05:23:54.000Z" InResponseTo="a37gbidcfgff98de3064i3eij6ee7bj"/>
</saml:SubjectConfirmation>
</saml:Subject>
Thanks in Advance!
Relevant constants which were available as part of previous SAML version are re-used in SAML 2.0. The values are part of the SAML 2.0 specification which you can refer to to find details.
Where can I find an basic applicationContext.xml configuration of an OAuth2 Client for Authorization Code grant type using spring-security-oauth2 version 2.0.x ?
There's a sample in the integration tests: https://github.com/spring-projects/spring-security-oauth/blob/master/tests/xml/client/src/main/resources/context.xml. The old 1.0.* XML should work with 2.0.* as well, so just look at the tonr2 sample in the 1.0.x branch.
I am working with an app that uses spring-security 3.0 and oauth2 using spring-security-oauth-1.0.0.M3. It works fine. But it looks like migrating to spring-security 3.1 will not be trivial. I have been unable to find confirmation that the oauth module is still supported.
For example, the oauth tutorial mentions 3.0 not 3.1:
https://github.com/SpringSource/spring-security-oauth/wiki/tutorial
And I have encountered a problem similar to the Mar 4, 2012 comment in the following discussion when I attempt to do a straight upgrade to 3.1 using spring-security-oauth 1.0.0.M3 or M4:
http://code.google.com/p/spring-security-social/wiki/Usage
Specifically I see this in the Tomcat logs:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration
problem: Failed to import bean definitions from URL location ...
Offending resource: class path resource [spring/applicationContext.xml]; nested
exception is org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected
exception parsing XML document from URL ...; nested exception is
org.springframework.beans.FatalBeanException: Invalid NamespaceHandler class
[org.springframework.security.oauth2.config.OAuth2SecurityNamespaceHandler] for namespace
[http://www.springframework.org/schema/security/oauth2]: problem with handler class file or
dependent class; nested exception is java.lang.NoClassDefFoundError:
org/springframework/security/web/util/AntUrlPathMatcher
Can someone suggest a solution to the above problem, or point to a reference for using spring-security 3.1 and spring-security-oauth, or else suggest a better alternative to implement oauth2 using spring-security 3.1?
Or if I'm missing a fundamental point of spring-security 3.1, that would also be useful to know.
Thanks!
Yes, Spring Security OAuth milestone build 1.0.0.M6, and specifically the oauth2 module, supports Spring Security 3.1.0. It is not yet considered a release. The OAuth 2.0 spec itself is not final.
The 1.0.0.M6 samples appear to be the most accurate and complete reference for implementation. The full 1.0.0.M6 tag zipball is here.
The OAuth 2 Developers Guide is a good textual reference. It's not 100% accurate, at least with respect to 1.0.0.M6. For example, the attribute user-approval-page belongs to authorization-server not authorization-code.
The Maven pom.xml must refer to artifactId spring-security-oauth2 (not spring-security-oauth as in older versions such as 1.0.0.M3).