Channel: Spring Community Forums - SAML

SAML extension integration with fediz IDP (sub-project of CXF)

Hi,

We are struggling to build and integrate this extension with the Fediz IDP (which is part of CXF 2.6.1). Which version of this SAML extension is stable and tested?

Essentially we get the SAML token and process it, then we want the contents to be populated into the springframework.securityContext object. That way the SSO details will be available in both JSP and Java code.

Any help will be much appreciated.

Regards

Configure POST ProtocolBinding in SAML authentication request

Hi everyone,

Spring Security SAML insists on requesting the Artifact binding in the SAML authentication request (ProtocolBinding attribute):

Code:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                AssertionConsumerServiceURL="http://sp.com/saml/SSO/alias/defaultAlias"
                Destination="https://idp.com/idp"
                ForceAuthn="false"
                ID="a4acj06d42fdc0d3494h859g3f7005c"
                IsPassive="false"
                IssueInstant="2012-12-05T17:07:18.271Z"
                ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                Version="2.0"
                >

How can I configure POST binding instead? Thanks for any answers!

-- Andreas

VMWare Horizon and Spring Security SAML app

Hi team, has anybody successfully integrated this application with VMware Horizon?

I am trying to set it up but keep getting an error in Horizon when adding the metadata from spring-security-saml2-sample:
"Requested action 'getSPAttrs' failed."

Any ideas or experience?

ArtifactResolutionService

Hello.

I have this problem: the IdP metadata has the ArtifactResolutionService firewalled.
In the metadata I see this XML:
Code:

<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.xxxxx:10444/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.xxxxx:10444/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>

They tell me I can still make it work by disabling SOAP and using a client-based approach.

Now I have (after a user logs in) an error on my Tomcat: connection refused and so on.

What should I do to avoid using the ArtifactResolutionService?

Thanks

Logout problems - SecurityContextHolder.getContext().getAuthentication() returns null

Hi,

I am running 1.0.0 RC1 and cannot get global or local logout to work.

1. Goto http://<server>:<port>/spring-security-saml2-sample/index.jsp
2. Get redirected to my IDP
3. Do login at IDP
4. I am redirected back to "http://<server>:<port>/spring-security-saml2-sample/index.jsp;jsessionid=69A8A4BDFCE9D12AE003CB2AFC69E808"
On this page, I see:
User has been authenticated
...
and the links at the bottom:
Global Logout
Local Logout
5. Click on "Global Logout" link
6. I end up on http://<server>:<port>/spring-security-saml2-sample/logout.jsp
and see:
You have been logged out.
Back to index
7. When I click the "Back to index" link, I still see what I saw in step 4 -- like I was never logged out.
The only difference I can see is that the URL in the browser is now just (no jsessionid parameter):
"http://<server>:<port>/spring-security-saml2-sample/index.jsp"

When I remote debug into the processLogout() method in SAMLLogoutFilter, on line 124:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();

SecurityContextHolder.getContext().getAuthentication() returns null and is assigned to "auth".

Since the next line checks whether "auth" is null:
if (auth != null && isGlobalLogout(request, auth)) {

most of the logout code seems to be skipped.

If I try "Local logout", I see the same behavior.

Any information or hints on why I would be running into this condition or how to get logout to work would be greatly appreciated.

Data storage and multiple service provider instances for failover

Hi,

I am investigating running two instances of the same SAML SP on two Tomcat nodes for load-balancing and failover purposes.

Does your implementation store data only against the session or does it store data in other locations?

I need to figure out whether configuring session replication between the two Tomcat nodes is sufficient or whether there are other data storage locations that I need to worry about.

Thanks.

SAML JDK requirement

The documentation for the SAML extension states that JDK1.6+ is required. Is this statement correct and absolute or is there any hope of making it work with JDK1.5?

Or to formulate the question a bit differently :p - is introducing SAML extension an opportunity to upgrade to newer versions of JDK, WebLogic, Spring, and more or less my whole stack of dependencies?

-jarl

Determine whether user logged in or not?

Hi everybody, I want to check whether the user logged in successfully or not. I just tried to use a method like this:

Code:

    try {
        // throws NullPointerException when no Authentication is in the context, hence the catch
        boolean isAuthenticated = SecurityContextHolder.getContext().getAuthentication().isAuthenticated();
        return isAuthenticated;
    } catch (Exception e) {
        return false;
    }

But SecurityContextHolder.getContext().getAuthentication().isAuthenticated() always returns true. Any solution for this problem?

Thanks in advance.
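As an added example (not code from the post or from the SAML extension), the following check returns false for a visitor who has not logged in. It assumes the standard Spring Security classes AuthenticationTrustResolverImpl and SecurityContextHolder are on the classpath, and it rests on one fact about the framework: when anonymous access is enabled, the security context of an unauthenticated visitor holds an AnonymousAuthenticationToken whose isAuthenticated() is true, so a login check has to exclude that placeholder token explicitly instead of trusting the flag alone.

```java
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example, not code from the forum post or the SAML extension.
 * Decides whether a real (non-anonymous) user is logged in.
 */
public final class LoginCheck {

    // Recognises the anonymous token without hard-coding its class; this is the
    // same helper Spring Security's own isAuthenticated() expression relies on.
    private static final AuthenticationTrustResolver TRUST_RESOLVER =
            new AuthenticationTrustResolverImpl();

    private LoginCheck() {
    }

    /** Reads the current thread's security context; usable from a JSP or from Java code. */
    public static boolean isUserLoggedIn() {
        return isUserLoggedIn(SecurityContextHolder.getContext().getAuthentication());
    }

    /** Core decision, separated so it can be unit-tested with a hand-built Authentication. */
    public static boolean isUserLoggedIn(Authentication auth) {
        if (auth == null) {
            return false; // nothing in the context (the original snippet hits an NPE here)
        }
        if (TRUST_RESOLVER.isAnonymous(auth)) {
            return false; // "anonymousUser" placeholder: isAuthenticated() is true, but nobody logged in
        }
        return auth.isAuthenticated();
    }
}
```

In a JSP the same distinction is available declaratively through the Spring Security tag library's <sec:authorize access="isAuthenticated()">, whose isAuthenticated() expression also treats the anonymous token as not authenticated.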

configuring saml-sample (SP) to work with SafeNet (IdP)

Hi,

I'm a bit new to SAML, so maybe there is something basic that I am missing here.

I read the wiki page and succeeded in getting the saml-sample to work as SP in front of SSOCircle (the IdP). Up to here everything is fine.

However, I am now trying to make the saml-sample work in front of a "real world" IdP, such as SafeNet.
In the wiki, I saw how to configure the IdP metadata (3.2.2) by adding it in the XML. But how do I do so for SafeNet? How do I get their metadata XML file (if any)?
Do all IdPs that support SAML provide their metadata somehow?
Maybe there is another way to configure the IdP?

Once I add the IdP metadata, I will have to upload my (the SP) metadata to SafeNet; this is something I've read about, but as I said, currently I am stuck on configuring the IdP metadata.

Hope someone can help me out here...

thanks!
Ohad

configuring saml-sample (SP) to work with Okta (IdP)

Some details:
Okta (acting as the IDP) supports 2 methods of authentication:
In the IDP-initiated flow:
The user goes to Okta and from Okta's framework gets to the SP.
In the SP-initiated flow:
The user goes to the target SP first. The SP redirects the user to the configured Login URL (Okta’s generated app instance URL), sending the SAMLRequest. Okta handles the SAML request, generates the SAML response, and the SP receives the SAMLResponse and verifies that it is correct.

When I configure my SP (spring-saml-sample) in the Okta system, I need to supply some data on my SP, such as "post back URL", "recipient" and "audience restriction".
Can someone help me and explain what these fields are and what the correct values are for spring-saml-sample? Where do I take the values from?

thanks
ohad
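In SAML 2.0 terms, all three fields are values the SP already publishes in its own metadata (the sample serves it from its MetadataDisplayFilter, by default at /saml/metadata): the "post back URL" is the AssertionConsumerService Location the IdP POSTs the Response to; "recipient" is the Recipient attribute of the assertion's SubjectConfirmationData, which the SP checks against that same AssertionConsumerService URL; and "audience restriction" is the SP's entityID, which the SP checks against the assertion's AudienceRestriction. Getting any of them wrong makes the SP reject the assertion, which is the intended behaviour, since those checks are what stop an assertion issued for one SP from being accepted by another. The following added example (not code from the post or from the extension) reads the two underlying values out of a constructed SP metadata document with a hardened DOM parser; the host sp.example.com and the sample document are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (not from the post): extracts the values an IdP registration asks for from SP metadata. */
public final class SpMetadataFields {

    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    /** Constructed sample in the shape the spring-saml-sample publishes; sp.example.com is made up. */
    static final String SAMPLE_SP_METADATA =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\""
            + " entityID=\"http://sp.example.com/saml/metadata\">\n"
            + "  <md:SPSSODescriptor AuthnRequestsSigned=\"true\" WantAssertionsSigned=\"false\""
            + " protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n"
            + "    <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\""
            + " Location=\"http://sp.example.com/saml/SSO/alias/defaultAlias\" index=\"0\" isDefault=\"true\"/>\n"
            + "    <md:AssertionConsumerService Binding=\"" + POST_BINDING + "\""
            + " Location=\"http://sp.example.com/saml/SSO/alias/defaultAlias\" index=\"1\"/>\n"
            + "  </md:SPSSODescriptor>\n"
            + "</md:EntityDescriptor>\n";

    /** audience = entityID; post back URL and recipient = the HTTP-POST AssertionConsumerService Location. */
    public static final class Fields {
        public final String audienceRestriction;
        public final String postBackUrl;
        public final String recipient;

        Fields(String audienceRestriction, String acsUrl) {
            this.audienceRestriction = audienceRestriction;
            this.postBackUrl = acsUrl;
            this.recipient = acsUrl;
        }
    }

    public static Fields extract(String metadataXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Metadata is often received from another party: refuse DTDs and external entities (XXE).
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);

        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(metadataXml.getBytes(StandardCharsets.UTF_8)));

        Element entity = doc.getDocumentElement();
        if (!MD_NS.equals(entity.getNamespaceURI()) || !"EntityDescriptor".equals(entity.getLocalName())) {
            throw new IllegalArgumentException("not a SAML 2.0 EntityDescriptor");
        }
        String entityId = entity.getAttribute("entityID");

        // Pick the AssertionConsumerService for HTTP-POST, the binding used to post the Response back.
        NodeList services = doc.getElementsByTagNameNS(MD_NS, "AssertionConsumerService");
        for (int i = 0; i < services.getLength(); i++) {
            Element acs = (Element) services.item(i);
            if (POST_BINDING.equals(acs.getAttribute("Binding"))) {
                return new Fields(entityId, acs.getAttribute("Location"));
            }
        }
        throw new IllegalStateException("SP metadata advertises no HTTP-POST AssertionConsumerService");
    }

    public static void main(String[] args) throws Exception {
        Fields f = extract(SAMPLE_SP_METADATA);
        System.out.println("Audience restriction: " + f.audienceRestriction);
        System.out.println("Post back URL:        " + f.postBackUrl);
        System.out.println("Recipient:            " + f.recipient);
    }
}
```

Run it against the metadata your own SP actually serves rather than a hand-edited copy: the values the IdP is given must match what the SP will verify at runtime, including scheme, host and port.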

IDP and SP metadata refresh

Is it necessary to perform SP and IDP metadata refresh? I read the SP and IDP metadata from 2 files which do not change. How can I configure the Extension not to perform metadata refresh?

Thanks,
Mark

Check login

I have a context for the single sign-on like this:

A) The user logs in on the SP. After that the user logs out from the SP and is logged out automatically on the IDP. This case is OK.

B) If the user logs in on the IDP and then accesses the SP, the user will be logged in on the SP. But if the user then logs out from the IDP, how can the SP recognize that? I need a method to check whether the user has logged out from the IDP or not.

Thanks.

Error Endpoint mismatch from fronting Tomcat with Apache

Hi,

I have a web app running in Tomcat which is behind Apache. I set in Apache configuration that any requests to "http://xxx.cbu.uib.no/yyy" will be forwarded to "http://test.abcd.uib.no:7070" which is my web app.

The problem is: when the IDP, using HTTP-POST, sends the response back to the web app, this error is thrown:

ERROR o.o.c.b.d.BaseSAMLMessageDecoder - SAML message intended destination endpoint 'http://xxx.cbu.uib.no/yyy/saml/SSO/alias/defaultAlias' did not match the recipient endpoint 'http://test.abcd.uib.no:7070//saml/SSO/alias/defaultAlias'

I think it is because of my setup (Tomcat is behind Apache).

I would like to ask if anyone has the same setup and how to get rid of this problem.

Best,
patch
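The check that logged this error compares the Destination the IdP wrote into the Response (the public URL the browser used) with the URL Tomcat reconstructs from the forwarded request, and it exists so that a Response addressed to one endpoint cannot be accepted at another; the fix is to tell the SP its public address, not to weaken the check. The following is an added example, not code from the post or from the project: a Java configuration bean built on the extension's SAMLContextProviderLB class, which is assumed to be available in the deployed version. The scheme, host and context path are the public values from the post; the port is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderLB;

/**
 * Added example, not code from the post or the SAML extension.
 * Makes the SP compute its own endpoint URLs from the address the reverse proxy
 * exposes, instead of from the Tomcat connector the proxy forwards to.
 */
@Configuration
public class ProxiedSamlContextConfig {

    @Bean
    public SAMLContextProvider contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme("http");                        // scheme the browser uses to reach Apache
        provider.setServerName("xxx.cbu.uib.no");          // public host from the post, not the Tomcat host
        provider.setServerPort(80);                        // assumed public port
        provider.setIncludeServerPortInRequestURL(false);  // omit ":80" so the URL matches the metadata exactly
        provider.setContextPath("/yyy");                   // public path prefix Apache strips before forwarding
        return provider;
    }
}
```

The same five properties can be set on a <bean> of that class in an XML configuration. The SP metadata handed to the IdP must advertise the same public URL, otherwise the IdP keeps addressing the Response to an endpoint the SP does not recognise; with a generated metadata bean that means pointing the MetadataGenerator's entityBaseURL property at http://xxx.cbu.uib.no/yyy as well.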

RelayState in URL

When my web app sends the SAML request to the IDP, I see that the URL does not contain the RelayState field.

I just found a solution for this problem at this link: https://jira.springsource.org/browse/SES-50. But when I change the bean successRedirectHandler to
Code:

<bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
    <property name="defaultTargetUrl" value="/" />
</bean>

it still does not work. Please help me identify the problem.

SAML SSO with Swing Client, webapp SP and IdP using spring-security-saml2-core

My project currently uses spring-security as follows:

  • Has a webapp service provider (SP)
  • SP uses LDAP as IdP, with username / password as auth tokens
  • Has a Swing based fat client (FC) that accesses the SP using SOAP/HTTP
  • Has a REST client (RC) that accesses the SP using HTTP
  • FC and RC both authenticate with the SP via WSS using spring-security and basic authentication


I would like to enhance my project to support SAML2 SSO using spring-security-saml2-core and an external IdP such as ssocircle.com or onelogin.com, but I am not sure if it is possible and, if so, how. Specifically I have the following questions:

  • How to handle the Swing based fat client (FC) in the SSO scenario? How does it change to support SAML2 SSO?
  • What would be the authentication mechanism between FC and SP? Would it still be WSS using spring-security?


TIA for any high level advice on how to support SAML2 SSO in my scenario.

Easiest IDP to provide out-of-box with SAML2 SP

I am migrating a webapp that currently uses spring-security with basic authentication to use SAML2 SSO.

By default the project provides the embedded LDAP server provided by spring-security-samples-ldap. It allows deployments to replace this LDAP with another LDAP server of their choice.

As the project migrates to SAML2 SSO as its default authentication mechanism, what would be the easiest SAML2 IDP that can be embedded with the project as the default IDP out-of-the-box?

Thanks for your help.

SAMLAuthenticationToken cannot be "authenticated" - why?

Something that I probably miss, and maybe someone can shed some light.

I saw that the SAMLAuthenticationProvider creates a new authentication token of type ExpiringUsernameAuthenticationToken. In my implementation, I created another type instead, something that extends SAMLAuthenticationToken (maybe I should not do so?).
After I get the SAML-Response, I try to get to a protected resource in my SP. But I see that Spring keeps blocking me, meaning I cannot get to that specific URL.
So I checked a bit and saw that the SAMLAuthenticationToken object that is created is not "authenticated", meaning the "authenticated" flag is set to false. So I tried to set it to true, by calling setAuthenticated(true). Then I figured out that the implementation there throws IllegalArgumentException. The docs say "This object can never be authenticated, call with true result in exception."

Can anyone explain why this is the implementation? Why can this token not be "authenticated"?

1.0 rc3

Hi Vlad,

Are there plans to release RC3 and 1.0 soon? I am curious about the release plans.

Thanks,
Ian

ERROR JKSKeyManager:120 - Error initializing key store

After successfully building, deploying and playing with the spring-security-saml2-sample, I am trying to replicate it in my webapp. I am using a copy of the same JKS keystore as the one in spring-security-saml2-sample. Oddly, when my app loads in the Glassfish 3.2.2.2 web server I get the following exception:

Code:

INFO: 10:14:40,948 ERROR JKSKeyManager:120 - Error initializing key store
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1214)
        at org.springframework.security.saml.key.JKSKeyManager.initialize(JKSKeyManager.java:117)
        at org.springframework.security.saml.key.JKSKeyManager.<init>(JKSKeyManager.java:79)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:525)
        at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:148)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:121)

Some notes and observations follow...

1. The keystore shows no diffs with the one in spring-security-saml2-sample (as expected)

2. If I try "keytool -list" command on my keystore it works fine and dumps the certs in it.

3. I am using spring-framework modules from 3.2.2.RELEASE and spring-security 3.1.4.RELEASE. Can anyone say with certainty that these work with spring-security-saml2-core? UPDATE: Tried with the 3.1.2.RELEASE version of spring core and spring security. Nothing changed and I am still getting the same error.

4. The spring-security-saml2-sample works just fine and does not get the same error.

5. I am using JDK 1.7.0_21

I am unable to debug this in Netbeans 7.3 IDE further because I am still unable to build spring core from git source due to a build issue discussed elsewhere.

Any suggestions on what I could try? Thanks.
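An added diagnostic, not code from the post or from the project. java.security.KeyStore reports "Invalid keystore format" when the bytes it is handed do not start with the JKS magic header (0xFEEDFEED), so the useful question is whether the copy the deployed application reads is byte-identical to the file that keytool -list was run against. The program below hashes both copies, shows their first bytes, and tries to load each with the same JKS loader that appears in the stack trace. It assumes the keystore is referenced as a classpath resource (the resource name and the store password are passed on the command line, which is only acceptable for a one-off check).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added diagnostic, not code from the post or the SAML extension. */
public final class KeystoreCheck {

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    static String hex(byte[] data, int length) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < Math.min(length, data.length); i++) {
            sb.append(String.format("%02x", data[i]));
        }
        return sb.toString();
    }

    static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        return hex(digest, digest.length);
    }

    /** Loads the bytes as JKS, the loader seen in the stack trace, and lists the aliases. */
    static List<String> jksAliases(byte[] data, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new ByteArrayInputStream(data), storePassword); // "Invalid keystore format" comes from here
        return Collections.list(ks.aliases());
    }

    /** Reports digest, header bytes and load result for one copy; a load failure is reported, not fatal. */
    static void report(String label, byte[] data, char[] storePassword) throws Exception {
        System.out.println(label + ": " + data.length + " bytes, sha256=" + sha256Hex(data)
                + ", first bytes=" + hex(data, 4) + " (a JKS file starts with feedfeed)");
        try {
            System.out.println(label + ": loads as JKS, aliases=" + jksAliases(data, storePassword));
        } catch (IOException e) {
            System.out.println(label + ": KeyStore.load failed: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreCheck <keystore-path-on-disk> <classpath-resource-name> <store-password>");
            System.exit(2);
        }
        char[] storePassword = args[2].toCharArray();

        byte[] onDisk;
        try (InputStream in = new FileInputStream(args[0])) {
            onDisk = readAll(in); // the file keytool -list was run against
        }
        report("on disk  ", onDisk, storePassword);

        InputStream resource = KeystoreCheck.class.getClassLoader().getResourceAsStream(args[1]);
        if (resource == null) {
            System.out.println("classpath: resource '" + args[1] + "' not found");
            return;
        }
        byte[] deployed;
        try (InputStream in = resource) {
            deployed = readAll(in); // the bytes the web application actually reads
        }
        report("classpath", deployed, storePassword);

        System.out.println(Arrays.equals(onDisk, deployed)
                ? "copies are byte-identical"
                : "copies DIFFER: the deployed bytes are not what keytool read");
    }
}
```

Run it with the same classpath as the deployed web application (for example from inside the exploded WAR's WEB-INF/classes) so that the resource lookup resolves to the copy Glassfish actually loads.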