I have a Spring-SAML app with Okta as IdP. I'm doing an IdP-initiated flow and get this exception:
org.opensaml.common.SAMLException: Endpoint with message binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and URL https://<myCompanyUrl>.com/saml/SSO wasn't found in local metadata
When I look at my local metadata I see:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://<server IP address>:<server port>/saml/SSO" index="0" isDefault="true"/>
Looks like it is trying to match a URL containing a hostname to a URL with a server IP address. The location field is auto-generated. Does anybody know what configuration option affects this?
UPDATE 1
Here is my metadataGeneratorFilter config:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="https://myHostname/myApp"/>
        </bean>
    </constructor-arg>
</bean>
All right, mystery solved:
Per the Spring-SAML documentation, when you are in a reverse-proxy / load-balancer setup you have to make sure to specify
<property name="entityBaseURL" value="https://www.myserver.com/spring-security-saml2-sample"/>
See the Spring-SAML documentation, section 10.1 Reverse proxies and load balancers.
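The same fix expressed as Spring Java configuration, as an added example that is not from the post above or from the Spring SAML project. Without entityBaseURL, MetadataGeneratorFilter derives the base URL from the servlet request (scheme, server name, server port and context path); behind a reverse proxy those are the backend's own values, which is where the IP address and port in the generated Location come from. Section 10.1 of the Spring SAML manual pairs the entityBaseURL setting with SAMLContextProviderLB, which tells Spring SAML the public scheme, host, port and context path to use when it compares an incoming request's URL against the endpoints in local metadata, so both are shown here. The class name, host names, port 443 and the /myApp context path are placeholders.

```java
// Added example: Java-config equivalent of the reverse-proxy fix. Not code from the
// post or from the Spring SAML project; host names, port and context path are placeholders.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

@Configuration
public class SamlProxyConfig {

    // The URL the IdP (Okta) actually posts to. Without entityBaseURL, the filter
    // builds the base URL from request scheme + server name + port + context path,
    // i.e. the backend's internal address when a proxy sits in front of the app.
    private static final String PUBLIC_BASE_URL = "https://www.myserver.com/myApp";

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("https://myHostname/myApp");
        // Generated ACS Location becomes https://www.myserver.com/myApp/saml/SSO
        generator.setEntityBaseURL(PUBLIC_BASE_URL);
        return new MetadataGeneratorFilter(generator);
    }

    // Metadata is only half of it. At run time Spring SAML compares the URL of the
    // incoming request with the ACS Location in local metadata; if the proxy does not
    // preserve the public host, that request URL is the internal one too. The LB
    // context provider supplies the public values statically, which is preferable to
    // trusting X-Forwarded-* headers that any client on the network could set.
    @Bean
    public SAMLContextProviderLB contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme("https");
        provider.setServerName("www.myserver.com");
        provider.setServerPort(443);
        provider.setIncludeServerPortInRequestURL(false);
        provider.setContextPath("/myApp");
        return provider;
    }
}
```

The endpoint lookup that threw the exception is a deliberate control: the SP only consumes a response delivered to an ACS URL it has published, so the fix is to publish the right URL rather than to relax the check. If the generated ACS Location changes as a result, the SP metadata registered at Okta has to be updated to match.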
On the client machine, I am using spring-rabbit-1.6.7.RELEASE.jar and spring-amqp-1.6.7.RELEASE.jar to perform operations on RabbitMQ.
Now the need is to monitor metrics like the number of open channels, number of rejected messages, etc. from a given client machine to the RabbitMQ server.
www.rabbitmq.com/monitoring.html mentions that some client libraries and frameworks provide means of registering metrics collectors or collect metrics out of the box; the RabbitMQ Java client and Spring AMQP are two examples.
Please suggest how I can use Spring AMQP to collect metrics with respect to a given client machine to the RabbitMQ server.
Please note I am using org.springframework.amqp.rabbit.connection.CachingConnectionFactory, but it doesn't have any method to set a metrics collector.
We are using XML with the following tags to define the connection factory, queue, binding, etc.:
rabbit:queue, rabbit:queue-arguments, rabbit:direct-exchange, rabbit:topic-exchange, rabbit:binding, rabbit:admin (with the connectionFactory)
e.g.
<bean id="connectionFactory"
      class="org.springframework.amqp.rabbit.connection.CachingConnectionFactory">
    <constructor-arg value="#{messagingProperties['mq.hostname']}" />
    <property name="virtualHost" value="#{messagingProperties['mq.virtual-host']}" />
    <property name="username" value="#{messagingProperties['mq.username']}" />
    <property name="password" value="#{messagingProperties['mq.password']}" />
    <property name="channelCacheSize" value="25" />
</bean>
1.6.7 is extremely old; you should upgrade to at least 1.7.14; the current version is 2.1.8.
You can set the metricsCollector on the underlying rabbit connection factory.
connectionFactory.getRabbitConnectionFactory().setMetricsCollector(...);
Or use the RabbitConnectionFactoryBean to create the underlying connection factory, and then inject it into the CachingConnectionFactory.
<bean id="rcf" class="...RabbitConnectionFactoryBean">
    ... set all the properties here
</bean>
<bean id="connectionFactory"
      class="org.springframework.amqp.rabbit.connection.CachingConnectionFactory">
    <constructor-arg ref="rcf" />
    <property name="channelCacheSize" value="25" />
</bean>
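As an added example (not code from the question, the answer, or Spring AMQP itself), the answer's second option end to end in plain Java: build the underlying com.rabbitmq.client.ConnectionFactory with RabbitConnectionFactoryBean, attach a metrics collector to it, and hand it to CachingConnectionFactory. It uses the amqp-client StandardMetricsCollector, which requires Dropwizard Metrics (metrics-core) on the classpath and amqp-client 4.0 or later, the version that introduced the MetricsCollector interface, so the upgrade recommended above is a prerequisite. The broker host, virtual host, credentials and routing key are placeholders.

```java
// Added example: instrumenting Spring AMQP's CachingConnectionFactory with the
// RabbitMQ Java client's StandardMetricsCollector. Not from the original question,
// answer, or the Spring AMQP project. Broker host, credentials and routing key are placeholders.
import com.codahale.metrics.MetricRegistry;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.impl.StandardMetricsCollector;
import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean;
import org.springframework.amqp.rabbit.core.RabbitTemplate;

public class RabbitMetricsConfig {

    public static CachingConnectionFactory connectionFactory(StandardMetricsCollector collector) throws Exception {
        // 1. Build the underlying com.rabbitmq.client.ConnectionFactory via the Spring AMQP factory bean.
        RabbitConnectionFactoryBean rcf = new RabbitConnectionFactoryBean();
        rcf.setHost("mq.example.internal");
        rcf.setPort(5672);
        rcf.setVirtualHost("/");
        rcf.setUsername("app");
        rcf.setPassword("change-me");          // placeholder; read from a secret store in real deployments
        rcf.afterPropertiesSet();              // required when the bean is not managed by a Spring context
        ConnectionFactory rabbitFactory = rcf.getObject();

        // 2. Attach the collector BEFORE any connection is opened: the client wires it
        //    into each Connection/Channel as it is created, so earlier ones are not counted.
        rabbitFactory.setMetricsCollector(collector);

        // 3. Hand the instrumented factory to Spring AMQP.
        CachingConnectionFactory ccf = new CachingConnectionFactory(rabbitFactory);
        ccf.setChannelCacheSize(25);
        return ccf;
    }

    public static void main(String[] args) throws Exception {
        MetricRegistry registry = new MetricRegistry();
        // Metric names are registered under the given prefix, e.g. rabbitmq.client.channels
        StandardMetricsCollector collector = new StandardMetricsCollector(registry, "rabbitmq.client");

        CachingConnectionFactory ccf = connectionFactory(collector);
        RabbitTemplate template = new RabbitTemplate(ccf);
        template.convertAndSend("metrics.demo", "hello");   // opens a connection and a channel

        // The two numbers the question asked for, read straight from the collector.
        System.out.println("open connections: " + collector.getConnections().getCount());
        System.out.println("open channels:    " + collector.getChannels().getCount());
        System.out.println("rejected (nack):  " + collector.getRejectedMessages().getCount());

        ccf.destroy();   // closes cached channels and the connection; the counters drop accordingly
    }
}
```

The registry can then be exported however the rest of the application exposes metrics (JMX, Prometheus, a Dropwizard reporter); the collector itself only counts connections, channels, published, consumed, acknowledged and rejected messages.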
I have an app that uses Spring Security, was using a custom authentication provider just fine. I need to add a SAML IDP into the mix now. So I got the sample SAML application up and running and I use that security context as a base. I have my manager defined like this:
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="myAuthenticationProvider" />
    <security:authentication-provider ref="samlAuthenticationProvider"/>
</security:authentication-manager>
Now when I submit my login form with a username/password that is only in the SAML IdP, I can see from the logs that it calls myAuthenticationProvider, which then throws a BadCredentialsException, then nothing. I don't see any other exception, and not a peep out of the SAMLAuthenticationProvider.
I have read the documentation a few times, and it seems to indicate this can be done, but I don't see an example. Does anyone have an example of using SAML and BasicAuthentication?
I don't think you need to add an extra authentication provider for a new IDP. You just need to add a new ?? in your CachingMetadataManager Bean. In the securityContext.xml provided in the sample app:
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- Example of classpath metadata with Extended Metadata -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                        <constructor-arg>
                            <bean class="java.util.Timer"/>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="org.opensaml.util.resource.ClasspathResource">
                                <constructor-arg value="/metadata/idp.xml"/>
                            </bean>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
            </bean>
            <!-- Example of HTTP metadata without Extended Metadata -->
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">15000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            <!-- Example of file system metadata without Extended Metadata -->
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">/usr/local/metadata/idp.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>
If you un-comment the second bean in the list, it will enable another IDP specified in the xml file provided at /usr/local/metadata/idp.xml. If you want to add the metadata of another IDP over http, just copy the one for ssocircle and make adjustments.
I've configured the included sample application and am able to successfully perform both IdP- and SP-initiated SSO, and SP-initiated SLO (using POST).
However, when sending an IdP initiated logout using Ping Federate, it fails saying that the logout response must be signed (however it succeeds in OpenAM). Looking through the SAML messages, the logout response isn't signed (it seems that Ping Federate is more strict than OpenAM), from what I understand, the response should always be signed.
4.4.3.4 Session Participant/Authority Issues <LogoutResponse> to Identity Provider
...
It is RECOMMENDED that the HTTP exchanges in this step be made over either SSL 3.0 [SSL3] or TLS 1.0 [RFC2246] to maintain confidentiality and message integrity. The message MUST be signed if the HTTP POST or Redirect binding is used. The HTTP Artifact binding, if used, also provides for an alternate means of authenticating the response issuer when the artifact is dereferenced.
The relevant part of my securityContext.xml is here:
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
            <constructor-arg>
                <bean class="java.util.Timer"/>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.opensaml.util.resource.ClasspathResource">
                    <constructor-arg value="/metadata/moocow.xml"/>
                </bean>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="local" value="true"/>
            <property name="securityProfile" value="metaiop"/>
            <property name="sslSecurityProfile" value="pkix"/>
            <property name="sslHostnameVerification" value="default"/>
            <property name="signMetadata" value="false"/>
            <property name="signingKey" value="apollo"/>
            <property name="encryptionKey" value="apollo"/>
            <property name="requireArtifactResolveSigned" value="false"/>
            <property name="requireLogoutRequestSigned" value="true"/>
            <property name="requireLogoutResponseSigned" value="true"/>
            <property name="idpDiscoveryEnabled" value="false"/>
        </bean>
    </constructor-arg>
</bean>
However, I don't believe any of this applies to the signing of the response to the IdP.
Associated metadata file:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___localhost_8080_spring-security-saml2-sample" entityID="http://localhost:8080/spring-security-saml2-sample">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>Stripped out for legibility
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/spring-security-saml2-sample/saml/SSO" index="0" isDefault="true"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
Am I missing something blindingly obvious here? Thanks.
John
ActiveMQ's admin console, as standard, listens on 0.0.0.0:8161.
I know I can change the port from 8161 in the jetty.xml config file.
Is it possible to change the URL from 0.0.0.0?
The answer was pretty obvious. In jetty.xml:
<bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector">
    <property name="port" value="8161" />
    <property name="host" value="HOSTNAME" />
</bean>
I'm using Tomcat 5.5 with a Spring app, and I'm having memory leak problems.
So I'm trying to connect JMX to my Spring app to monitor it and find what is causing the memory leak, but I can't yet.
I added the MBeanExporter in my applicationContext.xml:
<bean id="exporter" class="org.springframework.jmx.export.MBeanExporter">
    <property name="beans">
        <map>
            <entry key="bean:name=catalogFacadeTarget1" value-ref="catalogFacadeTarget"/>
        </map>
    </property>
</bean>
and in catalina.sh:
# remote JMX on port 8081 with authentication and SSL switched off (development only)
export CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=8081 \
  -Dcom.sun.management.jmxremote.ssl=false \
  -Dcom.sun.management.jmxremote.host=localhost \
  -Dcom.sun.management.jmxremote.authenticate=false"
I run jconsole, but none of my beans are there.
I need some direction here; thank you for any advice!
Be sure to set lazy-init = false for your MBeanExporter to get picked up. Like so:
<bean id="exporter" class="org.springframework.jmx.export.MBeanExporter" lazy-init="false">
    ...
</bean>
That should do the trick.
I found this tutorial on google, maybe it could help you:
http://blog.markshead.com/1129/connecting-visual-vm-to-tomcat-7/