SAML V2.0
SAML version 2.0 was approved as an OASIS Standard in March 2005. Approved Errata for SAML V2.0 was last produced by the SSTC on 1 May 2012. In addition to the normative errata document, the following non-normative "errata composite" documents have been provided that combine the prescribed corrections with the original specification text, illustrating the changes with margin change bars, struck-through original text, and highlighted new text.
What is SAML?
Security Assertion Markup Language. It is an XML-based open-standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).
Identity Provider
Performs authentication and passes the user's identity and authorization level to the service provider. in this post we our Identity provider (IdP) realm was created on keycloak.
Service Provider
Trusts the identity provider and authorizes the given user to access the requested resource. in this post we our service provider was created on Spring boot and spring Security.
For more details I suggest you watch the Demystifying SAML Using Spring Security.
[Image]. SpringOne Platform
Downloading and installing Keycloak
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:18.0.1 start-dev
This will start Keycloak exposed on the local port 8080. It will also create an initial admin user with username admin and password admin.
Setting Up a keycloack server.
Open a browser http://localhost:8080 or http://127.0.0.1:8080 result this.
We can now proceed to the Administrative Console.
Creating a Realm
For default the console opens up Master realm, Let's navigate left corner Add realm button.
For this example I created realm IDP_REALM. we'll click the button create.
For check your SAML 2.0 Identity Provider Metadata Click on
Result this:
This URL we need later for configuration in Spring boot.
http://localhost:8080/realms/IDP_REALM/protocol/saml/descriptor
Creating a Client
Add a new client with the name spring-boot-keycloak with Client Protocol saml. click button save.
Only add next values and then click button save.
Client ID: spring-boot-keycloakClient Protocol: samlSignature Algorithm: RSA_SHA256SAML Signature Key Name: KEY_IDCanonicalization Method: EXCLUSIVEName ID Format : usernameRoot URL: http://localhost:8081Valid Redirect URIs: /saml/*Base URL: /
**Fine Grain SAML Endpoint Configuration***Assertion Consumer Service POST Binding URL: /saml/SSOLogout Service POST Binding URL: /saml/logout
Go to Tab Keys, Click on Export
Export SAML Key: Type next Key Password and Store Password -> store123This password we need later for configuration in Spring boot.
Download and save. Later replace file in Spring Boot resources/saml folder keystore.jks
Client ID: spring-boot-keycloak
Client Protocol: saml
Signature Algorithm: RSA_SHA256
SAML Signature Key Name: KEY_ID
Canonicalization Method: EXCLUSIVE
Name ID Format : username
Root URL: http://localhost:8081
Valid Redirect URIs: /saml/*
Base URL: /
**Fine Grain SAML Endpoint Configuration***
Assertion Consumer Service POST Binding URL: /saml/SSO
Logout Service POST Binding URL: /saml/logout
Go to Tab Keys, Click on Export
Export SAML Key: Type next Key Password and Store Password -> store123
This password we need later for configuration in Spring boot.
Download and save. Later replace file in Spring Boot resources/saml folder keystore.jks
Creating a Users
Creating a Spring Boot Application
We're integration SAML 2.0, Spring Boot, Security and keycloack.
- Configuration SAML 2.0, Spring Boot, Security and keycloack.
- Spring Controllers
We're integration SAML 2.0, Spring Boot, Security and keycloack.
- Configuration SAML 2.0, Spring Boot, Security and keycloack.
- Spring Controllers
Technology
- Spring Boot 2.7.3
- SAML 2.0
- Keycloak 18.0.1
- Thymeleaf
- Java 17 (Zulu)
- Docker
- Maven
- IntelliJ IDEA
- Spring Boot 2.7.3
- SAML 2.0
- Keycloak 18.0.1
- Thymeleaf
- Java 17 (Zulu)
- Docker
- Maven
- IntelliJ IDEA
Project Structure
Configuration Spring Boot Keycloak project
- Spring Initializr or Spring Suite Tool (STS).
- Maven
- Spring Initializr or Spring Suite Tool (STS).
- Maven
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.3</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.henry</groupId>
<artifactId>saml2-sso-springboot-keycloak</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>saml2-sso-springboot-keycloak</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>1.0.10.RELEASE</version>
</dependency>
</dependencies>
<repositories>
<repository>
<id>Shibboleth</id>
<name>Shibboleth</name>
<url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
</repository>
</repositories>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>3.1.0</version>
</plugin>
</plugins>
</build>
</project>
application.yml:
server:
port: 8081
servlet:
context-path: /
spring:
main:
allow-circular-references: true
keycloak:
client: spring-boot-keycloak
saml:
keystore:
path: classpath:/saml/keystore.jks
password: store123
alias: spring-boot-keycloak
url:
descriptor: http://localhost:8080/realms/IDP_REALM/protocol/saml/descriptor
Stereotypes
package com.henry.stereotypes;
import java.lang.annotation.Documented;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.lang.annotation.ElementType;
import java.lang.annotation.RetentionPolicy;
@Target(ElementType.PARAMETER)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface CurrentUser {}
Authentication
package com.henry.authentication;
import java.security.Principal;
import com.henry.stereotypes.CurrentUser;
import org.springframework.core.MethodParameter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.support.WebArgumentResolver;
import org.springframework.web.bind.support.WebDataBinderFactory;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.method.support.ModelAndViewContainer;
@Component
public class CurrentUserHandlerMethodArgumentResolver implements
HandlerMethodArgumentResolver {
public boolean supportsParameter(MethodParameter methodParameter) {
return methodParameter.getParameterAnnotation(CurrentUser.class) != null
&& methodParameter.getParameterType().equals(User.class);
}
public Object resolveArgument(MethodParameter methodParameter,
ModelAndViewContainer mavContainer, NativeWebRequest webRequest,
WebDataBinderFactory binderFactory) throws Exception {
if (this.supportsParameter(methodParameter)) {
Principal principal = (Principal) webRequest.getUserPrincipal();
return (User) ((Authentication) principal).getPrincipal();
} else {
return WebArgumentResolver.UNRESOLVED;
}
}
}
package com.henry.authentication;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class MvcConfig implements WebMvcConfigurer {
@Autowired
CurrentUserHandlerMethodArgumentResolver currentUserHandlerMethodArgumentResolver;
@Override
public void addViewControllers(ViewControllerRegistry registry) {
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
if (!registry.hasMappingForPattern("/static/**")) {
registry.addResourceHandler("/static/**")
.addResourceLocations("/static/");
}
}
@Override
public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers){
argumentResolvers.add(currentUserHandlerMethodArgumentResolver);
}
}
package com.henry.authentication;
import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Service;
@Service
public class SAMLUserDetailsServiceImpl implements SAMLUserDetailsService {
// Logger
private static final Logger LOG = LoggerFactory.getLogger(SAMLUserDetailsServiceImpl.class);
public Object loadUserBySAML(SAMLCredential credential)
throws UsernameNotFoundException {
// The method is supposed to identify local account of user referenced by
// data in the SAML assertion and return UserDetails object describing the user.
String userID = credential.getNameID().getValue();
LOG.info(userID + " is logged in");
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER");
authorities.add(authority);
// In a real scenario, this implementation has to locate user in a arbitrary
// dataStore based on information present in the SAMLCredential and
// returns such a date in a form of application specific UserDetails object.
return new User(userID, "<abc123>", true, true, true, true, authorities);
}
}
Config
package com.henry.config;
import com.henry.authentication.SAMLUserDetailsServiceImpl;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.security.saml.*;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.log.SAMLDefaultLogger;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.processor.*;
import org.springframework.security.saml.util.VelocityFactory;
import org.springframework.security.saml.websso.*;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import java.util.*;
@Configuration
public class SamlSecurityConfig {
@Value("${saml.keystore.path}")
private String samlKeystorePath;
@Value("${saml.keystore.password}")
private String samlKeystorePassword;
@Value("${saml.keystore.alias}")
private String samlKeystoreAlias;
@Value("${saml.url.descriptor}")
private String samlUrlDescriptor;
@Autowired
private SAMLUserDetailsServiceImpl samlUserDetailsServiceImpl;
private MultiThreadedHttpConnectionManager multiThreadedHttpConnectionManager;
// Initialization of OpenSAML library
@Bean
public static SAMLBootstrap sAMLBootstrap() {
return new SAMLBootstrap();
}
// Initialization of the velocity engine
@Bean
public VelocityEngine velocityEngine() {
return VelocityFactory.getEngine();
}
@Bean(initMethod = "initialize")
public StaticBasicParserPool parserPool() {
return new StaticBasicParserPool();
}
@Bean
public HttpClient httpClient() {
this.multiThreadedHttpConnectionManager = new MultiThreadedHttpConnectionManager();
return new HttpClient(this.multiThreadedHttpConnectionManager);
}
@Bean
public SAMLAuthenticationProvider samlAuthenticationProvider() {
SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider();
samlAuthenticationProvider.setUserDetails(samlUserDetailsServiceImpl);
samlAuthenticationProvider.setForcePrincipalAsString(false);
return samlAuthenticationProvider;
}
// Provider of default SAML Context
@Bean
public SAMLContextProviderImpl contextProvider() {
return new SAMLContextProviderImpl();
}
// Logger for SAML messages and events
@Bean
public SAMLDefaultLogger samlLogger() {
return new SAMLDefaultLogger();
}
// SAML 2.0 WebSSO Assertion Consumer
@Bean
public WebSSOProfileConsumer webSSOprofileConsumer() {
return new WebSSOProfileConsumerImpl();
}
// SAML 2.0 Holder-of-Key Web SSO profile
@Bean
public WebSSOProfileConsumerHoKImpl hokWebSSOProfile() {
return new WebSSOProfileConsumerHoKImpl();
}
// SAML 2.0 Web SSO profile
@Bean
public WebSSOProfile webSSOprofile() {
return new WebSSOProfileImpl();
}
// SAML 2.0 Holder-of-Key WebSSO Assertion Consumer
@Bean
public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
return new WebSSOProfileConsumerHoKImpl();
}
// SAML 2.0 ECP profile
@Bean
public WebSSOProfileECPImpl ecpprofile() {
return new WebSSOProfileECPImpl();
}
@Bean
public SingleLogoutProfile logoutprofile() {
return new SingleLogoutProfileImpl();
}
// Central storage of cryptographic keys
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader
.getResource(samlKeystorePath);
String storePass = samlKeystorePassword;
Map<String, String> passwords = new HashMap<String, String>();
passwords.put(samlKeystoreAlias, samlKeystorePassword);
String defaultKey = samlKeystoreAlias;
return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
webSSOProfileOptions.setIncludeScoping(false);
return webSSOProfileOptions;
}
@Bean
public SAMLEntryPoint samlEntryPoint() {
SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
return samlEntryPoint;
}
@Bean
public ExtendedMetadata extendedMetadata() {
ExtendedMetadata extendedMetadata = new ExtendedMetadata();
extendedMetadata.setIdpDiscoveryEnabled(false);
extendedMetadata.setSignMetadata(false);
return extendedMetadata;
}
/**
* Access metadata by URL.
* */
@Bean
@Qualifier("idp-keycloak")
public ExtendedMetadataDelegate keycloakExtendedMetadataProvider()
throws MetadataProviderException {
String idpSSOKeycloakMetadataURL = samlUrlDescriptor;
Timer timer = new Timer("saml-metadata");
HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(
timer, httpClient(), idpSSOKeycloakMetadataURL);
httpMetadataProvider.setParserPool(parserPool());
ExtendedMetadataDelegate extendedMetadataDelegate =
new ExtendedMetadataDelegate(httpMetadataProvider, extendedMetadata());
extendedMetadataDelegate.setMetadataTrustCheck(true);
extendedMetadataDelegate.setMetadataRequireSignature(false);
return extendedMetadataDelegate;
}
/**
* Access metadata XML FILE.
* */
/*
@Bean
@Qualifier("idp-keycloak")
public ExtendedMetadataDelegate keycloakExtendedMetadataProvider() throws MetadataProviderException {
org.opensaml.util.resource.Resource resource = null;
try {
resource = new ClasspathResource("/saml/descriptor.xml");
} catch (ResourceException e) {
e.printStackTrace();
}
Timer timer = new Timer("saml-metadata");
ResourceBackedMetadataProvider provider = new ResourceBackedMetadataProvider(timer,resource);
provider.setParserPool(parserPool());
return new ExtendedMetadataDelegate(provider, extendedMetadata());
}
*/
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
providers.add(keycloakExtendedMetadataProvider());
return new CachingMetadataManager(providers);
}
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler =
new SavedRequestAwareAuthenticationSuccessHandler();
successRedirectHandler.setDefaultTargetUrl("/landing");
return successRedirectHandler;
}
@Bean
public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
SimpleUrlAuthenticationFailureHandler failureHandler =
new SimpleUrlAuthenticationFailureHandler();
failureHandler.setUseForward(true);
failureHandler.setDefaultFailureUrl("/error");
return failureHandler;
}
@Bean
public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
successLogoutHandler.setDefaultTargetUrl("/");
return successLogoutHandler;
}
@Bean
public SecurityContextLogoutHandler logoutHandler() {
SecurityContextLogoutHandler logoutHandler =
new SecurityContextLogoutHandler();
logoutHandler.setInvalidateHttpSession(true);
logoutHandler.setClearAuthentication(true);
return logoutHandler;
}
@Bean
public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
return new SAMLLogoutProcessingFilter(successLogoutHandler(),
logoutHandler());
}
@Bean
public SAMLLogoutFilter samlLogoutFilter() {
return new SAMLLogoutFilter(successLogoutHandler(),
new LogoutHandler[]{logoutHandler()},
new LogoutHandler[]{logoutHandler()});
}
@Bean
public HTTPPostBinding httpPostBinding() {
return new HTTPPostBinding(parserPool(), velocityEngine());
}
@Bean
public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
return new HTTPRedirectDeflateBinding(parserPool());
}
// Bindings
private ArtifactResolutionProfile artifactResolutionProfile() {
final ArtifactResolutionProfileImpl artifactResolutionProfile =
new ArtifactResolutionProfileImpl(httpClient());
artifactResolutionProfile.setProcessor(new SAMLProcessorImpl(soapBinding()));
return artifactResolutionProfile;
}
@Bean
public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
return new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile());
}
@Bean
public HTTPSOAP11Binding soapBinding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPSOAP11Binding httpSOAP11Binding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPPAOS11Binding httpPAOS11Binding() {
return new HTTPPAOS11Binding(parserPool());
}
// Processor
@Bean
public SAMLProcessorImpl processor() {
Collection<SAMLBinding> bindings = new ArrayList<SAMLBinding>();
bindings.add(httpRedirectDeflateBinding());
bindings.add(httpPostBinding());
bindings.add(artifactBinding(parserPool(), velocityEngine()));
bindings.add(httpSOAP11Binding());
bindings.add(httpPAOS11Binding());
return new SAMLProcessorImpl(bindings);
}
}
package com.henry.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.saml.*;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataDisplayFilter;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.saml.parser.ParserPoolHolder;
import org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import java.util.ArrayList;
import java.util.List;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
@Value("${keycloak.client}")
private String keycloakClient;
@Autowired
private SAMLEntryPoint samlEntryPoint;
@Autowired
private ExtendedMetadata extendedMetadata;
@Autowired
private SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler;
@Autowired
private SAMLLogoutProcessingFilter samlLogoutProcessingFilter;
@Autowired
private SimpleUrlAuthenticationFailureHandler authenticationFailureHandler;
@Autowired
private SAMLLogoutFilter samlLogoutFilter;
@Autowired
private SAMLAuthenticationProvider samlAuthenticationProvider;
@Autowired
private KeyManager keyManager;
@Bean(name = "parserPoolHolder")
public ParserPoolHolder parserPoolHolder() {
return new ParserPoolHolder();
}
// Setup TLS Socket Factory
@Bean
public TLSProtocolConfigurer tlsProtocolConfigurer() {
return new TLSProtocolConfigurer();
}
@Bean
public SAMLDiscovery samlIDPDiscovery() {
SAMLDiscovery idpDiscovery = new SAMLDiscovery();
return idpDiscovery;
}
@Bean
public MetadataGenerator metadataGenerator() {
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setEntityId(keycloakClient);
metadataGenerator.setExtendedMetadata(extendedMetadata);
metadataGenerator.setIncludeDiscoveryExtension(false);
metadataGenerator.setKeyManager(keyManager);
return metadataGenerator;
}
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
return new MetadataDisplayFilter();
}
@Bean
public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter(HttpSecurity http) throws Exception {
SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter();
samlWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler);
samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManagerBean(http));
samlWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler);
return samlWebSSOHoKProcessingFilter;
}
@Bean
public SAMLProcessingFilter samlWebSSOProcessingFilter(HttpSecurity http) throws Exception {
SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManagerBean(http));
samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler);
samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler);
return samlWebSSOProcessingFilter;
}
@Bean
public MetadataGeneratorFilter metadataGeneratorFilter() {
return new MetadataGeneratorFilter(metadataGenerator());
}
@Bean
public FilterChainProxy samlFilter(HttpSecurity http) throws Exception {
List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
samlEntryPoint));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
samlLogoutFilter));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
metadataDisplayFilter()));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
samlWebSSOProcessingFilter(http)));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
samlWebSSOHoKProcessingFilter(http)));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
samlLogoutProcessingFilter));
chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
samlIDPDiscovery()));
return new FilterChainProxy(chains);
}
@Bean
public AuthenticationManager authenticationManagerBean(HttpSecurity http) throws Exception {
AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
authenticationManagerBuilder.authenticationProvider(samlAuthenticationProvider);
return authenticationManagerBuilder.build();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.httpBasic()
.authenticationEntryPoint(samlEntryPoint);
http
.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(http), BasicAuthenticationFilter.class)
.addFilterBefore(samlFilter(http), CsrfFilter.class);
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/saml/**").permitAll()
//.antMatchers("/css/**").permitAll()
//.antMatchers("/img/**").permitAll()
//.antMatchers("/js/**").permitAll()
.anyRequest().authenticated();
http
.logout()
.disable(); // The logout procedure is already handled by SAML filters.
return http.build();
}
}
Controller
package com.henry.controller;
import com.henry.stereotypes.CurrentUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
@Controller
public class IndexController {
// Logger
private static final Logger LOG = LoggerFactory
.getLogger(IndexController.class);
@Autowired
private MetadataManager metadata;
@RequestMapping("/")
public String index(HttpServletRequest request, Model model) {
return "index";
}
@RequestMapping("/landing")
public String landing(@CurrentUser User user, Model model) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth == null)
LOG.debug("Current authentication instance from security context is null");
else
LOG.debug("Current authentication instance from security context: "
+ this.getClass().getSimpleName());
model.addAttribute("username", user.getUsername());
return "landing";
}
}
Replace keystore.jks with your keystore.
Note: There are two ways to access ExtendedMetadataDelegate: By Url or XML File in both cases you need to access by IDP_REALM was created on keycloak.
http://localhost:8080/realms/IDP_REALM/protocol/saml/descriptor
In this post we used a URL, however if you want to XML File then download from URL and save with the name descriptor.xml and it will replace the Spring boot resources. and uncomment the method in the class SamlSecurityConfig -> ExtendedMetadataDelegate, however just one method should be enabled.
Run & Test
Run Spring Boot application with command: mvn spring-boot:run. by console or IntelliJ etc.
Open a browser http://localhost:8081 result this.
Click on Login button, result this.
Set username user1 and password user1 , keycloak suggest to you to change the password,
In this example I set the same password.
And resul this.
Global logout back the login.
References:
https://stackoverflow.com/questions/71605941/spring-security-global-authenticationmanager-without-the-websecurityconfigurera
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
https://www.baeldung.com/spring-deprecated-websecurityconfigureradapter
https://github.com/eugenp/tutorials/tree/master/spring-security-modules/spring-security-saml
https://www.baeldung.com/spring-security-saml
https://blog.codecentric.de/en/2019/03/secure-spring-boot-app-saml-keycloak/
https://github.com/thomasdarimont/spring-boot-security-saml-sample
https://www.youtube.com/watch?v=SvppXbpv-5k
https://www.youtube.com/watch?v=PruyokKaJWw&t=586s
https://codetinkering.com/spring-security-saml2-service-provider-example/
https://codetinkering.com/saml2-spring-security-5-2-tutorial/
https://auth0.com/blog/how-saml-authentication-works/
https://github.com/fhanik/springone2018
https://www.youtube.com/watch?v=JBAKnJ9Obvw&t=21s
No comments:
Post a Comment