Hello Spring Security SAML pros and enthusiasts alike,
For instance, Service Provider metadata generation yields something like
<md:AssertionConsumerService Location="http://localhost:8080/<app-servlet-context>/saml/SSO"/>
when deployed and running on local Tomcat container, which can be used by Identity Management to configuration SAML Consumer URL.
We're using Okta and OneLogin to test. Everyone's happy.
Issue I'm facing is that same web application configuration deployed on to docker container preconfigured with specific DNS record returns
<md:AssertionConsumerService Location="http://<app-context-root>:8080/<app-servlet-context>/saml/SSO"/>
replacing localhost with application context root (default?).
Actual domain http://<app-name>.<company-domain>.com is nowhere to be found, rendering Assertion Consumer Service Location value unusable for purpose of configuring IdP-initiated SSO.
Same case for Single Logout Service Location value.
Can someone help me understand this behavior and configure my implementation so Location for both AssertionConsumerService and SingleLogoutService provided in Service Provider Metadata looks like
<md:AssertionConsumerService Location="http://<my-app-dns-domain-name>:8080/<app-servlet-context>/saml/SSO"/>
<md:SingleLogoutService Location="http://<my-app-dns-domain-name>:8080/<app-servlet-context>/saml/SingleLogout"/>
Thank you!
How did you generate your metadata ? Did you do it programmatically ?
If yes you can use the method setEntityBaseURL() of MetadataGenerator class.
Related
I have a Spring Boot Cloud Gateway application running on a k8s POD. That application have no page, no endpoint at all, just receive the traffic from Ingress and redirect for a Vue Web Application with just static pages on another POD.
That Gateway is also a OAuth2 Client, authentication on GitHub, over a authentication code mode. Everything works fine, except I can't access the authenticated user. I'd like to apply my own validations, besides the GitHub IDP itself.
I tried used the Spring Security 5 Custom Configuration, but it just doesn't works. Maybe because I have no Controller, no endpoint aside the Gateway redirects. I haven't tried everything: with WebSecurityConfigurerAdapter, without it... All I got it just dependencies error and even I overcame them, it just doesn' run...
So, I quit Spring Security 5 Custom and tried use the Gateway Filters (AbstractGatewayFilterFactory) that I knew already that works, in order to read SecurityContextHolder.getContext().getAuthentication(), waiting to read the GitHub OAuth2 authenticated user over it. However, I just got null reference...
All my logs are turned on and I know the Spring is reading user-info endpoint from GitHub. I just want to get access to that information and negate access on Gateway Filters, based on my own rules.
Anyone have an idea about how can I read the Oauth2 authenticated principal in Gateway Filters?
Thanks at advance.
I have a Java Spring MVC application (note that its not spring boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how can I take this forward in my application. I found some solutions, they seem to be examples for spring boot. Can someone please help me with guides as to how this can be done in Java Spring? Which maven dependency I could use and any sample example to start working with SAML? A step by step explanation would be highly appreciated, thankyou.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. It should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
Below Spring docs reveal that how was our existing project's spring-security layer being served in the context of filter-chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C Integration, we've gone thro' lot of repos but most of them are relying with Java config based but we were interested on Spring namespace with limited code/architectural change.
Then finally we came to the conclusion that how to extend the spring default auth-filter/manager for getting valid session object from security context based on the Azure provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized the spring security in such a manner that auth-filter will carry the token_validation against the given token from Azure and authentication manager will extract user details such as roles/privileges w.r.t to the object-id mapped in our DB's user entity.
Once the Spring security customization is done then we can able to integrate the Authorization-server [Azure in our case] and Resource-server [Existing Spring Application] by following the conventional methods.
This is an architecture question. I want to implement an application that processes two kinds of users (admin and clients). Each role can register in the following ways:
admin: username/password registration
client: Facebook/Google/username&password registration
Based on the user's role each of them has a specific action to which he's authorized.
From a technology stack, I want to use Java 8, Spring Cloud Netflix and later on Docker and Kubernetes (in order to have auto-heal and auto-scale).
I've implemented Eureka discovery, Config server, Zuul Gateway and I have two microservices for each role (to get me started). I don't know at all how to approach the user's authentication/authorization, from what I see Spring Security 5 is no longer supporting Authorization server and I am supposed to use Keycloack? Should the gateway be the authorization server or should I create another component that is responsible for authentication? What do I use, how to implement, how to approach redirection between my authorization server and the business microservice?
I can't really find a proper documentation that uses username/password, social login and Spring Cloud Netflix, together with Spring Security 5.
Your gateway shouldn't be responsible for handling authentication.
One possibility is using the cas project. It can run as a micro service to handle the whole authentication process. It can handle multiple auth methods like database (for username / password) and social media like Google or Facebook.
It comes with a basic setup having a login page and a configured DockerFile. You can customize everything. Just add the related dependency and add the config in the application.properties. You can customize the frontend.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html
By the way: if you use kubernetes you don't need a gateway or service discovery with eureka. Kubernetes does this for you.
For api security, after moving to #Kubernetes, you can use Envoy or similar solution
For authentication and authorisation, you need an identity management system (like #Okta or PingFederate or an open source version like #OpenIAM) and then integrate using Spring & OAUTH2.
I am writing a set of Puppet modules that deploy WSO2 ESB & Identity Service and the API & authentication services we are providing to a client.
For the most part, I have been able to figure out which XML config files I need to update to automatically configure the WSO2 product.
However, I can't work out how to automatically provision an OAuth2 service provider via the config files. I can create and successfully use an OAuth2 service provider through the Identity Service mgmt console, however I'd really rather not have to do that as a manual step when my aim is to configure a set of machines using Puppet to automatically provision an OAuth2 provider.
To confirm, screenshot of the UI below that I am trying to apply settings for via an XML config file, rather than having to do it in the UI:
After some googling, is the correct directory /repository/conf/identity/service-providers?
If so, could somebody point me in the direction of an example where this is used for configuring an OAuth2 service provider?
If not, any more pointers would be gratefully received!
Many thanks
Chris
In case of searching configuration file for adding OAuth configuration without management console UI, you are in the right place. As you specified you can use the configuration in /repository/conf/service-providers/default.xml.
When you add service provider you have to call IdentityApplicationManagementService. You can use IdentityApplicationManagementServiceStub to call IdentityApplicationManagementService. When you add OAuth configuration you have to call OAuthAdminService. You can use OAuthAdminServiceStub to call OAuthAdminService. After creating the service provider and OAuth configurations separately, you have to bind service provider with created OAuth configs.
Note that I will recommend to check the source code in UI classes which used to add service providers, OAuth configs and binding those two. Hope this helps.
I have integrated CAS to Spring Security using Spring security tutorial on cas wiki. Now I want to get the current user and don't know how!
Should I get it from Spring security or CAS?
SecurityContextHolder.getContext().getAuthentication() returns null :|
If SecurityContextHolder.getContext().getAuthentication() is null means that the user is not authenticated yet.
Some pointers on CAS
Make sure that you use SSL for the communication to CAS thus CAS
must be hosted on SSL ports (443 or 8443)
Make sure that you Spring
Apps is hosted on SSL ports so that CAS can call to your Spring via
SSL server.
Common error is that both CAS and Spring Apps are not on SSL ports.
If this is the case, get a free SSL cert from www.startssl.com
Found the problem! I was going to use my own Access Control system, so I commented filters who where responsible for checking user's roles to access URLs. Apparently if I don't intercept URLs, spring security's context won't be accessible through that request (or at least it seems like that! I am not a big fan of Documents, so I try out codes and when I get an exception, I try to guess the reason! I really should stop doing that :| but anyway now that I intercept URLs, SecurityContextHolder.getContext().getAuthentication() doesn't return null anymore :) )