We are using spring security in our application (SP) to authenticate through a SAML IDP.
As expected accessing to the SP redirect to the IDP authentication form but after the successful authentication, POST of the SAML response to {myServerBase}/login/saml2/sso/{registrationId} in spring security fails with 403 "Invalid CORS request".
In the POST request, there is a http header "Origin: null" which seems to make spring CorsFilter to reject the SAML response.
We have this issue with 2 different SAML IDP we tested (Samling and Okta), we are using spring security 5.4.1
The only way to pass authentication with SAML is to disable CORS in spring security (but we would like cors activated)
Are there any particular steps we would have missed to configure both cors and saml with spring security ?
Arnaud
Related
I have created 2 JHipster applications (JHipster v6.3.1):
Microservice Gateway
authenticationType: oauth2
Microservice Application
authenticationType: jwt
I have configured Okta with the gateway app and this works fine, I can log in with my user. I can also see that the ROLE_ADMIN and ROLE_USER authorities are being correctly assigned in Spring Security.
However I get the following error from the Microservice Application when I attempt to add/view an entity:
Unsupported JWT token.
Unauthorized: Full authentication is required to access this resource
Is there some configuration I need to do to get the JWT token passed in to the Microservice Application?
You cannot mix authentication types between microservice apps. You have to use either OAuth 2.0 or JWT in all of them. FWIW, JHipster's OAuth 2.0 support does use JWTs.
Implementing SSO in my application and from app-1 i need to make a rest call to app-2. Login in app-1 with SAML and authenticated successfully and trying for rest call from app-1 with openid but since authentication is using saml only so not able to get the access/bearer token. Please help how to get the access/bearer token from saml request/response. I'm using Keycloak Server for SSO implementation.
You can't.
REST API need a JWT token not a SAML one.
Change SAML to OpenID Connect and it will work.
(1) OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
(2) Presently there is no IETF draft document regarding SAML 2.0 Profile for OpenID Connect client.
We can refer to the IETF draft document SAML 2.0 Profile for OAuth 2.0 client.
The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This supports the OAuth 2.0 SAML flow, which is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.
(3) Both Auth0 and open-source WSO2 Identity Server implement the SAML profile for OpenID Connect/OAuth to convert SAML token to OpenID Connect/OAuth token, as demonstrated by Auth0 SAML Configuration and WSO2 Adding and Configuring an Identity Provider. In other words, Auth0 and WSO2 Identity Server can relay SAML authentication provided by SAML IdP to either OpenID Connect client or OAuth 2.0 client.
I am working on integrating Spring Security SAML into our existing security infrastructure, to handle partner SSO. I am looking at the sample app that comes with Spring Security SAML as a template.
I see that in SAML, the SP must specify the AssertionConsumerServiceBinding to provide the return url to which the IdP will send the AuthenticationResponse.
With the Spring Security SAML sample, we set this to:
http://localhost:8080/spring-security-saml2-sample/saml/SSO.
However, after the IdP posts the AuthenticationResponse back to that url, the user's browser is redirected to
http://localhost:8080/spring-security-saml2-sample.
Can I specify a specific url to which the user will be redirected after the SSO authentication succeeds? I am not finding any documentation on this and am not seeing how it happens in the sample app.
One specifies the url to which the user should be routed after successful authentication via the defaultTargetUrl value in the successRedirectHandler bean's definition.
I am using spring security Oauth2 Jwt token for authentication of rest service. I want to decrypt bearer token and check the user details before Spring Security Oauth verifies it.
Can any one help me how to do?
Thanks
Is it possible to use Spring Security SAML module for enabling SAML 2.0 Service Provider functionality with CAS? Native SAML support in CAS does not support this. We have a web application which already uses CAS for authentication and now there is a requirement to enable SAML SP and IdP Initiated federated SSO into this application. CASShib makes this possible but we would have to use Shibboleth in addition to CAS and there are also some issues with CASShib.
If you want to use Shibboleth as your SAML Idp, you can use CAS for authenticating users using this method: https://github.com/Unicon/shib-cas-authn2