Spring Security SAML module



Similar documents
Spring Security SAML Extension

PicketLink Federation User Guide 1.0.0

Spring Security SAML Extension

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

SAML Authentication within Secret Server

Using SAML for Single Sign-On in the SOA Software Platform

SAML v1.1 for.net Developer Guide

It is I, SAML. Ana Mandić Development Five Minutes Ltd

ADMINISTERING ADOBE LIVECYCLE MOSAIC 9.5

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Keycloak SAML Client Adapter Reference Guide

SAP NetWeaver AS Java

IBM WebSphere Application Server

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Esigate Module Documentation

SAML Single-Sign-On (SSO)

ArpViewer Manual Version Datum

Secure the Web: OpenSSO

Configuring EPM System for SAML2-based Federation Services SSO

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

SAML Authentication Quick Start Guide

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Configuring. Moodle. Chapter 82

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

OpenSSO: Cross Domain Single Sign On

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

PHP Integration Kit. Version User Guide

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

CA Nimsoft Service Desk

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Integrating EJBCA and OpenSSO

Authentication Methods

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

The Compatible One Application and Platform Service 1 (COAPS) API User Guide

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Weblogic as a Service Provider for CERN Web Applications: APEX & Java EE

McAfee Cloud Identity Manager

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

1 How to install CQ5 with an Application Server

How To Use Saml 2.0 Single Sign On With Qualysguard

Crawl Proxy Installation and Configuration Guide

365 Services. 1.1 Configuring Access Manager Prerequisite Adding the Office 365 Metadata. docsys (en) 2 August 2012

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Angel Dichev RIG, SAP Labs

skype ID: store.belvg US phone number:

Get Success in Passing Your Certification Exam at first attempt!

SAML-Based SSO Solution

Alfresco Share SAML. 2. Assert user is an IDP user (solution for the Security concern mentioned in v1.0)

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

EVALUATION ONLY. WA2088 WebSphere Application Server 8.5 Administration on Windows. Student Labs. Web Age Solutions Inc.

CTSU SSO (Java) Installation and Integration Guide

Introduction to Directory Services

PowerLink for Blackboard Vista and Campus Edition Install Guide

Getting Started with AD/LDAP SSO

Running and Testing Java EE Applications in Embedded Mode with JupEEter Framework

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Section 1, Configuring Access Manager, on page 1 Section 2, Configuring Office 365, on page 4 Section 3, Verifying Single Sign-On Access, on page 5

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

This section includes troubleshooting topics about single sign-on (SSO) issues.

SAML Security Option White Paper

Configuring Single Sign-on from the VMware Identity Manager Service to Amazon Web Services

SAML SSO Configuration

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

JOSSO 2.4. Internet Information Server (IIS) Tutorial

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Copyright Pivotal Software Inc, of 10

JBoss SOAP Web Services User Guide. Version: M5

Integration of Shibboleth and (Web) Applications

JVA-122. Secure Java Web Development

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

Sonatype CLM for Maven. Sonatype CLM for Maven

NetIQ Identity Manager Setup Guide

JVA-561. Developing SOAP Web Services in Java

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

Test Automation Integration with Test Management QAComplete

SAML Authentication with BlackShield Cloud

Install guide for Websphere 7.0

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Workshop for WebLogic introduces new tools in support of Java EE 5.0 standards. The support for Java EE5 includes the following technologies:

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

StreamServe Persuasion SP5 StreamStudio

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Software Design Document SAMLv2 IDP Proxying

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

From centralized to single sign on

OIOSAML 2.0 Toolkits Test results May 2009

Transcription:

Spring Security SAML module Author: Vladimir Schäfer E-mail: vladimir.schafer@gmail.com Copyright 2009 The package contains the implementation of SAML v2.0 support for Spring Security framework. Following features are available: SP and IDP initialized WebSSO profile of the SAML v2 protocol stack HTTP-POST and HTTP-Redirect bindings Automatic generation of SP metadata User selection of IDP to federate with Multiple IDPs in the circle of trust with metadata loading from filesystem or URL Custom loading/storing of user data using UserDetails interface Fully configurable using Spring context Sample pre-configured web application Internal processing of the SAML messages, marshalling and unmarshalling is handled by OpenSAML (http://www.opensaml.org/). 1.1 Prerequisites The library is written in Java 1.5 and uses Maven as build system. For the run of the library any Java EE 5 application server or container with support for Java Servlets 2.4 should be sufficient. Make sure that the XML parsing libraries used at the server are compatible with OpenSAML (https://spaces.internet2.edu/display/opensaml/ostwousrmanjavainstall). The sample web application uses JSTL 1.2 library which must be present at the application server. 1.2 Compilation To compile modules type mvn package. All dependencies are located in http://shibboleth.internet2.edu/downloads/maven2/ and http://repo1.maven.org/maven2/ repositories.

2 1.3 IDP server Library should be able to authenticate users against any SAML 2.0 compatible Identity Provider. Currently the NameIDs urn:oasis:names:tc:saml:1.1:nameid-format:emailaddress, urn:oasis:names:tc:saml:1.1:nameid-format:x509subjectname, urn:oasis:names:tc:saml:1.1:nameid-format:unspecified, urn:oasis:names:tc:saml:2.0:nameid-format:persistent and urn:oasis:names:tc:saml:2.0:nameid-format:transient are stated as supported in the generated metadata. The implementations may use NameIDs in the UserDetails implementation. Application programmers can utilize various NameIDs with custom processing code by implementing and plugging SAMLUserDetailsService interface. The library respects WantAuthnRequestsSigned attribute in IDP metadata and signs the AuthNRequests only if this property is true. 1.4 Application design Library consists of two parts: saml2-shared contains all the common classes and must be present in all projects saml2-webapp sample web application containing recommended Spring configuration and jsp files presenting correct use of the library Key components of the library are SAMLEntryPoint and SAMLProcessingFilter. SAMLEntryPoint Implements AuthenticationEntryPoint and SpringSecurityFilter interfaces and can be invoked either directly by access to a monitored URL or by ExceptionTranslationFilter upon AuthenticationException being thrown while accessing an application URL. Entry point can function in one of the two modes of IDP discovery: a. A default IDP has been configured which is then always used b. User is allowed to select IDP from the list of configured ones; entry point then redirects user to the selection page. When the IDP discovery process has finished the AuthNRequest SAML message is sent to the IDP using either HTTP-POST or HTTP-Redirect binding and the request is stored in the cache for subsequent matching with the response. SAMLProcessingFilter A SAML response created by the IDP is sent to the URL monitored by this filter. Processing filter parses the SAML message, wraps it into SAMLAuthenticationToken and invokes the SAMLAuthenticationProvider. By default the processing filter expects calls at /saml/sso.

3 SAMLAuthenticationProvider Performs validation using WebSSOProfileConsumer class. In case the assertion is present in the response and is valid the UsernamePasswordAuthenticationToken is returned and stored. The UsernamePasswordAuthenticationToken contains following information: Name: value of the Subject in the SAML response Credential: SAMLCredential object (containing NameID, assertion used to authenticate the user and name of IDP who performed the authentication). GrantedAuthority: are currently not implemented, in future could be loaded from SAML attributes Optionally the authentication provider invokes custom SAMLUserDetailsService which can load/store information about the user. For example urn:oasis:names:tc:saml:2.0:nameidformat:persistent NameID could be stored to custom datastore for future user matching. Details about SAML processing can be found in the implementation. The SAML Single log-out profile is currently not supported, invocation of logout filter at /saml/logout context will only destroy the local session. 1.5 Configuration Application is fully configurable using Spring context. At the moment no custom namespaces are implemented, but may be added in the future. Sample configuration is located in the saml2- webapp/src/main/resources/security/securitycontext.xml, all bean names used in the following text are referring to this document. Keystores The library requires one JKS keystore with at least one private key. There is a sample JKS bundled in the webapp module, information about creation of custom one can be found at http://wiki.eclipse.org/generating_a_private_key_and_a_keystore. 1) Configure keystore bean: Set path to the key store Set password used to open the keystore 2) Configure keyresolver bean: For each used key in the keystore set a map entry: <entry key="keyalias" value="privatekeypassword" /> 3) Configure webssoprofile bean: Set keyalias of the key you want to use for encryption/signing as constructor argument with index 2

4 Metadata First step in enabling SAML Single Sign-On is exchange of SAML metadata. This process is specific for each IDP. For configuration of Spring SAML please have the IDP metadata file ready beforehand. Metadata of the hosted SP will be generated automatically after deployment. All configured IDPs are considered to be members of a single circle of trust. To configure metadata: 1) Prepare metadata of the IDP you want to federate with in a file or URL 2) Modify the metadata bean in configuration file: a. In case you have metadata in a file use the org.opensaml.saml2.metadata.provider.filesystemmetadataprovider class b. In case you have metadata as URL use the org.opensaml.saml2.metadata.provider.httpmetadataprovider. c. Delete other unused metadata configurations 3) Optionally set the defaultidp property to the value of entityid attribute of one of the configured IDPs. In case the defaultidp value is set and custom selection of IDP is disabled user will be automatically forwarded to this IDP upon invocation of entrypoint. In case only one IDP is configured this value can be removed completely. In case the SP metadata generator is disabled, there must be exactly one metadata document describing values of the hosted service provider. Metadata generator The metadata for the hosted SP (our deployed application) can be generated automatically. Beans metadatafilter and metadatagenerator are responsible for this task. By default the SP metadata can be accessed at: protocol://server:port/appcontext/saml/metadata The generated XML contains one assertion consumer with HTTP-POST support. The generated metadata must be uploaded to the IDPs circle of trust. In case the metadata generator is not needed (hand configured SP metadata is present in the metadata bean) both metadatafilter and metadatagenerator can be removed from the configuration. User IDP selection In case the idpselectionpath property of samlentrypoint bean is set the EntryPoint will present user with an IDP selection view instead of directly sending a SAML request. The selected IDP is sent with a GET request including parameter login=true and idp=entityid to the filter URL of samlentrypoint, which then issues the SAML request to the selected IDP. Please consult WEB-INF/security/idpSelection.jsp for an example or customization.

5 Custom user data loading In order to enable custom processing of user after login create a class implementing SAMLUserDetailsService interface and a bean in the Spring configuration. Reference to the bean must be added to the samlauthenticationprovider bean as userdetails property and will be called after each successful authentication attempt. Custom paths By default all the components have default paths: /saml/sso processing filter /saml/metadata metadata generator /saml/logout logout filter /saml/login entry point All paths can be changed in the Spring context configuration file. 1.6 Sample application The bundled web application demonstrates usage of the library. Please follow the above mentioned configuration steps before deployment. In particular the keystore must be set, metadata list can be left empty in case you only want to generate the SP metadata. For execution of single sign-on at least one IDP must be configured. The JSTL 1.2 is used in the application; you can get the JSTL jar at https://mavenrepository.dev.java.net/repository/jstl/jars/ or more info at http://www.mularien.com/blog/2008/02/19/tutorial-how-to-set-up-tomcat-6-to-workwith-jstl-12/ The sample configuration uses user IDP selection, so upon access to the root context you will be presented with the list of configured IDPs to select from and login button will redirect you to the IDP. After login at the IDP assertion will be sent back and user logged in. 1.7 Tested environment The library has been tested against OpenSSO and Weblogic 10 as IDPs. Application has been successfully deployed and used on JBoss 4.2.2 GA, Tomcat 6.0.18 and Weblogic 10.1. Weblogic requires updates to the XML parsing libraries in order to work with OpenSAML.

6 1.8 Future development and problems At the moment the application is in the progress of extensive unit testing, although no bugs are known right now it may change soon Currently the most wanted feature seems to be the single logout support the simplified configuration with a custom namespace would also be nice. cache of sent SAML requests needs a cleaning thread the SAMLCredential is currently not serializable but should be there s never enough documentation, some more should be written

7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information