I am currently writing a Spring Boot 2.x application that by default is authenticated by the app's oauth2 authorization server. However, I would like to add support such as the user could configure the app to use their SAML identity provider/asserting party (like Active Directory) as an alternative to the default OAuth2 authentication server.
What I can see is that developers would write a WebSecurityConfigurerAdapter with .saml2Login() or .oauth2ResourceServer(o -> o.jwt()) but I would switch between the two at runtime.
Note that I will secure the same set of URLs/APIs. It's just that I want the user to be able to choose what to use. Also as a disclaimer, I do not have experience with SAML.
Would this be possible to do in Spring Boot? Hope someone could say definitively if this is possible or not.
Related
I have a Java Spring MVC application (note that its not spring boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how can I take this forward in my application. I found some solutions, they seem to be examples for spring boot. Can someone please help me with guides as to how this can be done in Java Spring? Which maven dependency I could use and any sample example to start working with SAML? A step by step explanation would be highly appreciated, thankyou.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. It should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
Below Spring docs reveal that how was our existing project's spring-security layer being served in the context of filter-chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C Integration, we've gone thro' lot of repos but most of them are relying with Java config based but we were interested on Spring namespace with limited code/architectural change.
Then finally we came to the conclusion that how to extend the spring default auth-filter/manager for getting valid session object from security context based on the Azure provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized the spring security in such a manner that auth-filter will carry the token_validation against the given token from Azure and authentication manager will extract user details such as roles/privileges w.r.t to the object-id mapped in our DB's user entity.
Once the Spring security customization is done then we can able to integrate the Authorization-server [Azure in our case] and Resource-server [Existing Spring Application] by following the conventional methods.
I was wondering about the best way to secure your spring boot application in a dynamic way,
I am using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients,
It's not that hard but it made me questioning whether the spring auth server is the best option or I should go to Keycloak for example ?
best way to secure your spring boot application
The best way to use authentication in spring based application is using spring security. Now it depends on your use-case that you should authenticate user from application database, LDAP or Active Directory, in-memory authentication.
using my own authorization server using spring security with one client (app) now I should configure again to have dynamic clients
I believe you meant authentication instead of authorization in above line. You can stick to spring security by building admin console for user management. Both authentication and authorization can be managed from admin console. But as said before it is completely your use-case.
If your usecase says that app-users are already logging in
centralized Active Directory and they dont need to login again for
your application, implement Spring security with LDAP and SSO.
If your usecase say that there is no centralized authentication server and appuser details are very specific to you application, implement Spring securirty with database authentication
I'm using spring security saml to implement SSO. For testing, I used ssocircle as idp. But now, I want to control authenticating by myself, that means, can I build idp host on my local by using spring security (user info will be stored in my database).
Note: OpenAM is not my expectation.
It is not advisable to build your own IDP because it is a complicated process, even if you use a library like opensaml, your best option would be to install Shibboleth Idp, there are many tutorials online, some on the shibboleth.net website and some on other websites. These two are very good tutorials:
1- https://books.google.ie/books?id=AeBaAQAAQBAJ&pg=PA3&lpg=PA3&dq=Investigation+and+implementation+of+Shibboleth+SSO+authentication+mechanism&source=bl&ots=g6A_kstwJ2&sig=Nr4AR6WKillYyIl5UQaUszkTDB8&hl=en&sa=X&ved=0ahUKEwibtvL51tvJAhUI_A4KHb18DUYQ6AEIKTAB#v=onepage&q&f=true
2- https://tuakiri.ac.nz/confluence/display/Tuakiri/Installing+a+Shibboleth+3.x+IdP
I'd like to implement a Single Sign-on (SSO) authentication layer in my Spring-based application with the aim of supporting authentication and authorization from different security domains.
I've chosen Shibboleth as IdP, but I have yet to identify what I will use for the SP.
The choices are:
Spring Security SAML Extension: component enables both new and existing applications to act as a Service Provider in federations based on SAML 2.0 protocol and enable Web Single Sign-On. Spring Security Extension allows seamless combination of SAML 2.0 and other authentication and federation mechanisms in a single application. All products supporting SAML 2.0 in Identity Provider mode (e.g. ADFS 2.0, Shibboleth, OpenAM/OpenSSO, RM5 IdM or Ping Federate) can be used to connect with Spring Security SAML Extension.
Shibboleth (also as SP): Shibboleth is a web-based technology that implements the HTTP/POST, artifact, and attribute push profiles of SAML, including both Identity Provider (IdP) and Service Provider (SP) components.
So, I've some questions:
Is it a good idea to use directly Spring SAML as SP in terms of
scalability and maintainability?
It is possible to use an external SP together with Spring Security? How have I to configure my application and/or my application sever (JBoss 8.0 - WildFly)?
Where do I define the roles (for each scenario)?
Which is the worthwhile choice?
Best regards, V.
The main difference between the two is deployment scenario:
Shibboleth SP plugins are deployed directly to the Apache/IIS web server.
Spring SAML is embedded in your application.
Both have pros and cons.
Is it a good idea to use directly Spring SAML as SP in terms of scalability and maintainability?
Spring SAML
Offers great control over how authentication is performed and how the authentication process interacts with your application. You can e.g. create your own configuration UIs and dynamically add IDPs, create custom login screens as part of your application, have complete and easy control over error handling, easily support multiple IDPs, dynamically configured details of the SSO (requested AuthnContexts, NameIDs, bindings, authentication forcing).
Easily parse received SAML attributes in various formats, support multiple authentication methods in the same application.
Dynamically generate SP metadata, it provides limited multi-tenancy and supports profiles not available in all other options (e.g. Single Logout, Holder of Key, IDP Discovery).
Seamlessly interacts with Spring Security which brings a set of benefits of its own. With Spring SAML you can also configure complete authentication and authorization policy directly in your application (e.g. which pages require authentication or not and when, role based access control to content, authentication step-up on dynamic conditions, ...).
Allows you to deploy the application on any application server or container and behind any reverse proxy or web server with no affect on functionality.
Shibboleth plugins
These are statically configured and typically interact with your application through HTTP headers. They decouple authentication logic from the application itself, so the only thing you need to take care of is acceptance of the headers and initialization of your application session with correct security context. The definition of which pages are secured is present on the IIS/Apache server and based on URL patterns which means that authentication and authorization policy is partly defined outside of your application.
You need to make sure that the application can only be accessed through the web server (= prohibit all direct access) as that would allow forging of the headers.
Doesn't require many changes to the application itself and can therefore typically be easily used with legacy systems.
It is possible to use an external SP together with Spring Security? How have I to configure my application and/or my application sever
(JBoss 8.0 - WildFly)?
Yes, it is possible, but it will require effort. You could e.g. configure WildFly to set a shared domain cookie in encrypted format and verify the cookie in your Spring Security configuration.
Where do I define the roles (for each scenario)?
With Spring SAML you define roles when processing the SAML Response by e.g. parsing of the SAML attributes. This is done by implementing SAMLUserDetailsService interface and plugging in to the samlAuthenticationProvider.
With Shibboleth you can forward attributes received from IDP to your application with headers and parse them in your application.
WildFly (probably) allows you to define security context and roles directly in SP with no need to configure this in your application. Such configuration might not be portable across application servers.
Which is the worthwhile choice?
All options will enable you to perform WebSSO with SAML 2.0. People typically choose based on their requirements (e.g. customization needs), environment (used web server, application server), preferred development methodology (Java, .NET, other), used frameworks, legacy code. Both Spring SAML and Shibboleth plugins are used by many customers.
Has anyone actually used OAuth2 for SSO within Spring Security 3?
Scenario:
I need my users to be redirected to an OAuth2 URL when they try to access any URL on my site for the first time. Once they are authenticated there, it will redirect them to a URL on my site, where I need to authorize them and create a session so that they will stay authorized on my site until they log out or time out.
I have tried several configurations in Spring Security using custom pre-auth filters, custom user details services, etc., but I cannot get the flow to work properly. I've not attached any code because I've gone through so many possibilities that I'm not even sure what to post.
I'd appreciate any direction anyone can give. Thanks!
OAuth2 isn't intended as an SSO solution. It's primarily about delegating the right to access resources on your behalf to other parties (applications, for example). So if that's not something you need then perhaps you should be looking at a simpler solution.
It's possible to use OAuth2 to allow access to a resource which provides information on your identity, in which case it can be expanded for authentication use. This is how OpenID connect uses it (by adding a userinfo endpoint resource).
You might want to take a look at the UAA project within CloudFoundry which is built on Spring Security OAuth and uses OAuth2 in this way to provide authentication services and to issue access tokens to applications within the system.
This appears to be a somewhat dead question but here are some resources that may prove useful to future searches:
#EnableOAuth2Sso
#EnableOAuth2Resource
Spring Cloud oauth2 SSO sample
Spring oauth2 SSO with a whole bunch of other stuff too
Who is your Oauth2 provider? In a case of some public one like Facebook, Twitter, Google and many others you can take a look at Spring Social project. Even if you use some private provider you can add it very easy (http://blog.springsource.com/2011/03/10/extending-spring-socials-service-provider-framework/, Developing a Netflix Service Provider Implementation section).
Spring Social is designed to cover your main case with some minor difference: by default you must submit a form to start authentication process. I think this difference may be easy customized to feet your needs.
You can play with Spring Social Showcase sample to have an idea about authentication workflow.