Spring Boot + Spring Security with SAML 2.0

  • Spring Boot 2.4.2
  • Spring Security 5.4.2
  • Spring Security SAML2 Service Provider 5.4.2

What is SAML 2.0?

  • Identity Provider (IdP): the system entity that creates, maintains and manages identity information for principals (users) and provides authentication services to relying applications within a federation or distributed network. These systems are usually part of the IAM (Identity and Access Management) world, often with WAM (Web Access Management) modules.
  • Service Provider (SP): the application that provides a service protected by SAML 2.0 and relies on the IdP to authenticate its users. In Spring Security terms the SP is the "relying party".

How does SAML 2.0 work?

SAML 2.0 Web Browser SSO profile (SP Redirect Binding / IdP POST Response), the flow used in this article:
  1. The browser requests a protected page on the Service Provider.
  2. The SP builds a SAML AuthnRequest and redirects the browser to the IdP's Single Sign-On URL (HTTP-Redirect binding).
  3. The IdP authenticates the user (login form, MFA, or an existing IdP session).
  4. The IdP returns a signed SAML Response containing the assertion; the browser POSTs it to the SP's Assertion Consumer Service URL (HTTP-POST binding).
  5. The SP verifies the signature with the IdP certificate, validates the assertion (audience, validity window) and creates the local session; the user is then redirected to the page originally requested.

Identity Provider Configuration (Okta)

Add Application
Create new Application
Create SAML Integration
SAML Integration
SAML Integration (2)
Assign users
Setup Instructions
SAML 2.0 configuration parameters

Spring Security SAML2

pom.xml, with the following dependencies:
  1. spring-boot-starter-web
  2. spring-boot-starter-thymeleaf
  3. spring-boot-starter-security
  4. spring-security-saml2-service-provider
Application.java
  • Inside a controller method the authenticated user can be injected directly:
@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal
  • Anywhere else it can be read from the security context (the cast assumes the current request was authenticated via SAML 2.0):
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
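A complete controller that uses both snippets above, as an added example rather than the article's own Application.java. The package name, the class name and the "email" attribute name are assumptions (the attribute must match what the Okta application is configured to release); the view names "home" and "hello" are the article's home.html and hello.html.

```java
package com.example.saml; // assumed package, not the article's

import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HelloController {

    // public homepage (home.html), which links to /hello
    @GetMapping("/")
    public String home() {
        return "home";
    }

    // protected page (hello.html): with anyRequest().authenticated() the request only
    // reaches this method after the SAML Response has been verified by Spring Security
    @GetMapping("/hello")
    public String hello(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal, Model model) {
        // getName() is the NameID taken from the assertion's <Subject>
        model.addAttribute("name", principal.getName());
        // attributes come from the assertion's <AttributeStatement>; "email" is an assumed
        // attribute name and is only present if the Okta application releases it
        List<String> emails = principal.getAttribute("email");
        model.addAttribute("email", (emails == null || emails.isEmpty()) ? "(not released)" : emails.get(0));
        model.addAttribute("attributes", principal.getAttributes());
        return "hello";
    }

    // The same principal read outside a controller (service layer, audit logging, ...).
    // An unchecked cast throws ClassCastException for an anonymous or non-SAML session,
    // so the type is checked first and null is returned instead.
    public static String currentSamlUserOrNull() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || !(authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal)) {
            return null;
        }
        Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
        return principal.getName();
    }
}
```

Anything rendered from `attributes` in hello.html comes from the IdP, so Thymeleaf's escaped `th:text` should be used rather than `th:utext`.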
SecurityConfig.java
  • Enable SAML2 via the following snippet:
http.authorizeRequests(authorize -> authorize
        .antMatchers("/").permitAll()
        .anyRequest().authenticated()
    ).saml2Login();
  • Generation of our application's Service Provider metadata.xml.
    The metadata.xml will be viewable and downloadable at:
    http://localhost:8080/saml2/service-provider-metadata/okta-saml
    This file is most often used as the contract between the Identity Provider and the Service Provider (it carries the SP entity ID and the Assertion Consumer Service URL the IdP must POST to). The code that enables the generation is the following:
// add auto-generation of Service Provider metadata
Converter<HttpServletRequest, RelyingPartyRegistration> relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());
http.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
  • The RelyingPartyRegistrationRepository bean holds the SAML2 parameters. Into it go the values taken from the "Setup Instructions" page of Okta (the step described a few paragraphs above). Referring to the "SAML 2.0 configuration parameters" image: the value at point 1 (Identity Provider Single Sign-On URL) goes into singleSignOnServiceLocation, the value at point 2 (Identity Provider Issuer) into entityId, and the certificate at point 3 is saved as /src/main/resources/saml-certificate/okta.crt and referenced as the verificationKey. This certificate is the trust anchor of the whole setup: every SAML Response is signature-checked against it, so copy it from the Okta page itself and replace it when Okta rotates its signing certificate.
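The three bullets above assembled into one complete SecurityConfig.java, as an added example and not the article's own class. Assumptions: the package name, the placeholder Okta SSO URL and issuer (they must be replaced with the values from the Okta "Setup Instructions" page), and wantAuthnRequestsSigned(false), which matches an Okta application that does not require signed AuthnRequests; with the default of true the registration would also need a signing credential for the SP.

```java
package com.example.saml; // assumed package, not the article's

import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholders for points 1 and 2 of the Okta "Setup Instructions" page (assumed values)
    private static final String OKTA_SSO_URL = "https://dev-000000.okta.com/app/example/exk000000/sso/saml";
    private static final String OKTA_ISSUER = "http://www.okta.com/exk000000";
    // point 3: the IdP signing certificate saved under src/main/resources
    private static final String OKTA_CERT = "saml-certificate/okta.crt";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RelyingPartyRegistrationRepository registrations = relyingPartyRegistrationRepository();

        // Service Provider metadata served at /saml2/service-provider-metadata/{registrationId};
        // the filter sits before the SSO filter, so the endpoint needs no authentication
        Converter<HttpServletRequest, RelyingPartyRegistration> resolver =
                new DefaultRelyingPartyRegistrationResolver(registrations);
        Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(resolver, new OpenSamlMetadataResolver());

        http.authorizeRequests(authorize -> authorize
                    .antMatchers("/").permitAll()
                    .anyRequest().authenticated())
            .saml2Login(saml2 -> saml2.relyingPartyRegistrationRepository(registrations))
            .addFilterBefore(metadataFilter, Saml2WebSsoAuthenticationFilter.class);
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() throws Exception {
        // Trust anchor: every SAML Response/assertion signature is verified against this certificate
        X509Certificate idpCertificate = loadCertificate(OKTA_CERT);
        Saml2X509Credential verificationKey = Saml2X509Credential.verification(idpCertificate);

        RelyingPartyRegistration okta = RelyingPartyRegistration.withRegistrationId("okta-saml")
                .assertingPartyDetails(party -> party
                        .entityId(OKTA_ISSUER)                      // point 2: Identity Provider Issuer
                        .singleSignOnServiceLocation(OKTA_SSO_URL)  // point 1: IdP Single Sign-On URL
                        .wantAuthnRequestsSigned(false)             // assumption: Okta app does not require signed requests
                        .verificationX509Credentials(creds -> creds.add(verificationKey)))
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(okta);
    }

    // Reads a PEM or DER X.509 certificate from the classpath
    static X509Certificate loadCertificate(String classpathLocation) throws Exception {
        try (InputStream in = new ClassPathResource(classpathLocation).getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}
```

The Assertion Consumer Service URL published in the generated metadata is derived from the request's base URL, so the metadata downloaded from http://localhost:8080 is only valid for local testing; behind a reverse proxy or in production the application must be reached over HTTPS with the public host name, and the metadata must be re-exported to Okta from that address.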
application.yaml
  • The homepage, with a link to the protected page:
home.html
  • Our protected page, where we print the user logged in via the IdP:
hello.html

Authentication with SAML2

Start the application with mvn spring-boot:run and open http://localhost:8080: the homepage links to the protected page, the link redirects to the Okta login page, and after a successful login the browser is sent back to the protected page, which prints the authenticated user.
homepage
IdP Login
protected page

Andrea Scanzani

IT Solution Architect and Project Leader (PMI-ACP®, PRINCE2®, TOGAF®, PSM®, ITIL®, IBM® ACE).