I've been watching the old Spring IO JIRA ticket SES-142, https://jira.spring.io/browse/SES-142, since July 2014. This JIRA ticket was a request to add support for the SAML2 AttributeQuery to the Spring SAML Security extension.
I just noticed today that the ticket was marked as completed and resolved, with no fix version, back on Feb 6. I don't see any related commits in the code, or any comments at all to the effect of "Won't be implemented".
Can someone from the Spring SAML Security team comment on the future, if any, of support for the AttributeQuery? Adding attributes to the SAML Assertion returned from a SAML authentication doesn't work for my project - we need the ability to issue a separate AttributeQuery to the IdP.
Thanks in advance.
I have a Java Spring MVC application (note that it's not Spring Boot).
We have a requirement to implement SSO for the users of our application. I did some research; the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using the SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how I can take this forward in my application. I found some solutions, but they seem to be examples for Spring Boot. Can someone please help me with guides as to how this can be done in Java Spring? Which Maven dependency could I use, and is there any sample example to start working with SAML? A step-by-step explanation would be highly appreciated, thank you.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. There should not be too much of a difference.
I'm very glad to record the flow we followed when implementing the Azure AD B2C OIDC/OAuth protocol with our existing Spring MVC architecture.
The Spring docs below show how our existing project's spring-security layer is served in the context of the filter chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C integration, we went through a lot of repos, but most of them rely on Java config, whereas we were interested in the Spring namespace with limited code/architectural change.
Then finally we worked out how to extend the Spring default auth-filter/manager to obtain a valid session object from the security context based on the Azure-provided (id/access) token after successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized Spring Security in such a manner that the auth-filter carries out token validation against the token given by Azure, and the authentication manager extracts user details such as roles/privileges w.r.t. the object-id mapped in our DB's user entity.
Once the Spring Security customization is done, we are able to integrate the Authorization server [Azure in our case] and the Resource server [existing Spring application] by following the conventional methods.
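As an added sketch (not the poster's code, not terasoluna's, and not Spring's own Azure support), here is one way to realise the two pieces described above with Spring Security 5's Java API: a pre-authentication filter that validates the Azure B2C token (signature against the B2C JWKS, exp/nbf, issuer, audience) and an AuthenticationProvider that maps the token's oid claim to roles held in the application's own user store. The JWKS URI, issuer, client id and the in-memory role map are placeholders standing in for the B2C policy metadata and the DB user entity; the filter assumes the front end passes the token as a bearer Authorization header, which the thread does not specify.

```java
import java.io.IOException;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/** Auth-filter side: validate the Azure token, then hand the verified object id to the AuthenticationManager. */
class AzureB2cTokenFilter extends OncePerRequestFilter {
    private final JwtDecoder decoder;
    private final AuthenticationManager authenticationManager;

    AzureB2cTokenFilter(JwtDecoder decoder, AuthenticationManager authenticationManager) {
        this.decoder = decoder;
        this.authenticationManager = authenticationManager;
    }

    /** Decoder that checks signature (B2C JWKS), exp/nbf, issuer and audience. All three values are placeholders. */
    static JwtDecoder azureB2cDecoder(String jwkSetUri, String issuer, String clientId) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(clientId));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer), audience));
        return decoder;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);   // no token: stay anonymous, let the access rules decide
            return;
        }
        try {
            Jwt jwt = decoder.decode(header.substring("Bearer ".length()));
            String oid = jwt.getClaimAsString("oid");   // B2C's stable per-user object id
            if (oid == null) {
                throw new JwtException("token carries no oid claim");
            }
            Authentication result = authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(oid, jwt));
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (JwtException | AuthenticationException e) {
            SecurityContextHolder.clearContext();   // never leave a half-built context behind
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}

/** Auth-manager side: the object id is already verified; roles come from the application's own user entity. */
class ObjectIdAuthenticationProvider implements AuthenticationProvider {
    private final Map<String, List<String>> rolesByObjectId;   // placeholder for the DB user-entity lookup

    ObjectIdAuthenticationProvider(Map<String, List<String>> rolesByObjectId) {
        this.rolesByObjectId = rolesByObjectId;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String oid = (String) authentication.getPrincipal();
        List<String> roles = rolesByObjectId.get(oid);
        if (roles == null) {
            // Valid Azure token but no local account: refuse rather than auto-provision.
            throw new UsernameNotFoundException("no local user entity for object id " + oid);
        }
        List<GrantedAuthority> authorities = roles.stream()
                .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
        return new PreAuthenticatedAuthenticationToken(oid, authentication.getCredentials(), authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

With namespace config the filter slots in as <sec:custom-filter position="PRE_AUTH_FILTER" ref="azureB2cTokenFilter"/> and the provider as <sec:authentication-provider ref="objectIdProvider"/> inside <sec:authentication-manager>; the decoder needs spring-security-oauth2-jose on the classpath (JwtClaimValidator arrived in Spring Security 5.3). The audience check matters: without it any token the tenant issued for some other application would be accepted here.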
https://www.kb.cert.org/vuls/id/475445 has just been disclosed.
Is this impacting Spring Security SAML2?
I can't see the XML parser used by Spring Security SAML2 on the list of affected APIs.
Let us know.
I am the Spring Security project lead and I have verified that the exploit does not work against Spring Security SAML with the default settings. This was verified by a colleague as well.
If you change the default settings (set ignoreComments = false), your application becomes vulnerable.
Update: See https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability
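As an added illustration (not code from the Spring Security project or from anyone in this thread), the parser-level behaviour behind the bug class in VU#475445: the NameID carries an XML comment, exclusive canonicalisation (the usual SAML signature transform) drops comments so the signature still verifies, and a consumer that reads only the first DOM text node sees a truncated identity. The sample Subject fragment is constructed; the code uses the JDK's built-in DOM parser and its setIgnoringComments switch to stand in for the parser pool's ignoreComments setting.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class NameIdCommentDemo {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample, not a real assertion. The identity the IdP signed is
    // "user@example.com.evil.com"; the attacker inserted an empty comment after the
    // part they want the SP to act on. Exclusive C14N omits comments, so the
    // signature computed over this Subject is unaffected by the insertion.
    static final String SUBJECT_WITH_COMMENT =
        "<saml:Subject xmlns:saml=\"" + SAML_NS + "\">"
      + "<saml:NameID>user@example.com<!---->.evil.com</saml:NameID>"
      + "</saml:Subject>";

    private static Element parseNameId(String xml, boolean ignoreComments) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(ignoreComments);
        // Not part of the comment bug, but always wanted on attacker-supplied XML.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return (Element) doc.getElementsByTagNameNS(SAML_NS, "NameID").item(0);
    }

    /** The fragile pattern: read the first text node and stop. */
    static String nameIdFromFirstTextNode(String xml, boolean ignoreComments) throws Exception {
        Node first = parseNameId(xml, ignoreComments).getFirstChild();
        return first.getNodeValue();
    }

    /** The robust pattern: concatenate every text descendant, whatever the comment policy. */
    static String nameIdFromTextContent(String xml, boolean ignoreComments) throws Exception {
        return parseNameId(xml, ignoreComments).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Comments discarded at parse time (the default the reply above relies on): the
        // parser coalesces the text on either side of the comment into one node.
        System.out.println("ignoreComments=true,  first text node: "
                + nameIdFromFirstTextNode(SUBJECT_WITH_COMMENT, true));
        // Comments kept (ignoreComments=false): the comment splits the text, and a
        // first-text-node reader authenticates the shorter, attacker-chosen value.
        System.out.println("ignoreComments=false, first text node: "
                + nameIdFromFirstTextNode(SUBJECT_WITH_COMMENT, false));
        // getTextContent() is correct under either setting.
        System.out.println("ignoreComments=false, getTextContent: "
                + nameIdFromTextContent(SUBJECT_WITH_COMMENT, false));
    }
}
```

The practical check for an SP is therefore twofold: confirm the parser that feeds the SAML layer drops comments, and confirm the code that turns a NameID or Attribute value into a username never depends on there being exactly one text node.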
We have a requirement that our MVC client application provides an SSO ability to multiple customers by logging in to their own IDP.
But some of these give a SAML 1.1 token, which we are already supporting using the WSFederationAuthenticationModule, and some of them have recently started sending a SAML 2.0 token, which is causing our MVC application to fail.
Can I use WSFederationAuthenticationModule to support SAML 2.0 token also?
What are any other alternate suggestions?
The problem is that 1.1 enforces the full URI e.g.
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
whereas 1.2 allows just "emailaddress".
You can use GetOutputClaimsIdentity
and have something like:
outputIdentity.Claims.Add(new Claim(ClaimTypes.xxx, "rest of URI" + emailaddress));
I think I found the solution to my problem.
Extending the Saml2SecurityTokenHandler solved my problem. WsFedAuthenticationModule is able to successfully transform the saml2 token to saml 1.1 assertions.
I'm in the process of moving my application from Spring Security's CAS client to JASIG's Java CAS client. This was due to our security group adding some custom functionality to the JASIG version.
I've seen on JASIG's website the examples of how to configure the CAS client using Spring's configuration. I've used this example:
https://wiki.jasig.org/display/CASC/Using+the+CAS+Client+3.1+with+Spring+Security
I'm using STS and it complains about numerous lines being incorrect or deprecated. Also, when using the spring security CAS client I configured my roles as part of the <sec:http> block using intercept-url tags like this:
<sec:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_OPERATOR', 'ROLE_ADMINISTRATOR')" method="GET" />
However, in the example the roles are configured in the FilterSecurityInterceptor bean and while it uses the sec:intercept-url tags the expressions don't work.
I believe the issue is that the example is from an earlier version of spring security but I'm using a newer version.
Does anyone know of an updated version of the configuration for the above sample? I know I need to upgrade my config from what the example shows, but I'm not a full-time security guy, just a developer tasked with doing this move, so I don't live and breathe this stuff every day. Any help would be greatly appreciated.
My env:
Spring Source Framework v3.2.2
Spring Security v3.1.4
JASIG CAS Client v3.2.1
-Richard Ward
Currently we have a web app which uses Spring Security for role-based authentication and authorization.
Since we want to use SSO I see this example to integrate Spring with Openam https://wikis.forgerock.org/confluence/display/openam/OpenSSO+Spring+Security+%28Acegi%29+Integration
so it's like
My Web app (using spring to talk to openam) <===> IDP Proxy <====> IDP
But when I use the SAML tracer (The plugin for Firefox to track SAML requests/Responses) I don't see any SAML payloads between My web app and IDP proxy.
Is it that Spring is using a SOAP request to talk to the IDP proxy, picking the URLs from AMConfig.properties?
I thought of using Fedlet, but reading the SAML response from Fedlet and integrating that with Spring Security is not feasible.
If Spring Security 3 doesn't use SAML2, is it a good idea to use the Spring framework to talk to OpenAM?
Any inputs ?
Thanks in advance
Ram
OK folks, we got our JSF2 web app working by integrating the Spring SAML extension and Spring Security with OpenAM.
Spring SAML extension is here - (https://github.com/SpringSource/spring-security-saml)
So now we are pulling all user roles from LDAP using Openam as IDP and the saml request and response is processed by spring saml extension. The role based access within application is controlled by Spring Security.
I would like to thank
Vladimir Schaefer - Author of Spring Saml ,
Stefan - from opensaml team,
Peter Major- from Openam # forge rock.
Wanted to add this note to let others know that the integration can be done with a JSF app or any other web app, and it uses the Spring Security SAML extension (which uses SAML 2.0 end to end).
We finally have single sign-on working.
I will put up an article on this shortly and will update this post.
I was able to add some more notes; please see my articles on:
generic info related to Openam concepts
http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html
Steps to integrate JSF 2 web application with Openam using Spring SAML extension and Spring Security.
http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html
Thanks
Ram
I don't see any SAML payloads between My web app and IDP proxy
According to the page, the integration is very similar to a normal agent approach. This probably means that your app talks to OpenAM using SOAP and OpenAM talks to the IDP using SAML.
But when I use the SAML tracer (The plugin for Firefox to track SAML requests/Responses) I don't see any SAML payloads between My web app and IDP proxy. Is it that Spring is using SOAP request to talk to IDP proxy by picking urls from AMConfig.properties ?
If things are working correctly you should see a SAML authentication request when you are forwarded to the IDP.
What you should do is probably start plowing through the OpenAM debug logs.
Especially the Federation log.
I thought of using Fedlet but reading the saml response from Fedlet and integrating that with Spring Security is not feasible. If Spring security3 doesn't use SAML2 is it a good idea to use spring framework to talk to openam ? Any inputs ?
There is a Spring extension that allows you to use SAML directly.
http://static.springsource.org/spring-security/site/extensions/saml/index.html
You could have a look at that.