Summary
Springteam has provided spring-security-project with all required build files. Based on the spring-security-saml project, Single Sign On using OepnAM was demonstrated relatively easy. Shared here are the configuration changes required to demonstrate the SSO using OpenAM, and Spring-security-saml project.
Environment
The demonstration was done using OpenAM11.x deployed on Tomcat, and the web application from spring-security-saml projected deployed on Tomcat as shown below:
Integration Breakdown
Following are the various steps involved in the integration:
- spring-security-saml source code
- Configure IdP metadata
- Configure truststore
- Compile source code
- Generate SP’s metadata
- Register Remote Service Provider
- Validate Spring SAML secuirty
spring-security-saml source code
Source code is available on github. Url for the project is:
https://github.com/spring-projects/spring-security-saml. Download source code, and unzip the file to a directory of the user’s choice. Files of interest and, the configuration files which have to be modified are:
- spring-security-saml-master\sample\src\main\resources\metadata\idp.xml
- spring-security-saml-master\sample\src\main\resources\security\samlKeystore.jks
- spring-security-saml-master\sample\src\main\webapp\WEB-INF\securityContext.xml
Configure Identity Provider’s Metadata
Application’s configuration file is securityContext.xml as listed above. The source code contains a sample Identity Provider’s metadata file, idp.xml as listed above, and is configured in securityContext.xml as shown below:
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/idp.xml"/>
Either Spring configuration file securityContext.xml has to be modified to reflect the actual name of the Identity Provider’s metadata file, or replace idp.xml with the actual metadata of the Identity Provider.
As OpenAM is currently used as the Identity Provider, metadata retrieval from OpenAM only is mentioned. Identity Provider metadata can be downloaded from OpenAM’s url:
https://idp.saml.org/openam/saml2/jsp/exportmetadata.jsp?entityid=<Entity Id used for>
Configure Truststore
Similar to configuring Identity Provider’s metadata, application’s truststore is configured by securityContext.xml as shown below:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="nalle123"/>
<constructor-arg>
<map>
<entry key="apollo" value="nalle123"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="apollo"/>
</bean>
Truststore used by the application should be able to decrypt the encrypted response received from the Identity Provider, and requires that Identity Provider’s public certificate be added to the truststore. Either change the truststore location and password to reflect a new truststore containing Identity Provider’s public certificate as against the truststore provided within the downloaded code, or just add Identity Provider’s public certificate to samlKeyStore.jks as described above.
Compile Source code
Downloaded source code contains gradle build file, and mvn pom files for compilation. As of this writing compilation with gradle fails with the following messages:
FAILURE: Build failed with an exception.
* Where:
Build file '<path to downloaded file>\spring-security-saml-master\build.gradle' line: 22
* What went wrong:
A problem occurred evaluating root project 'spring-security-saml'.
> java.lang.String cannot be cast to org.gradle.api.artifacts.Configuration
While gradle build failed with exception, compilation with Maven resulted in a successful build, and a deployable war file spring-security-saml-master\sample\target\spring-security-saml2-sample.war. To shorten the length of the context root of the deployed application, rename the file to a name of user’s choice, say spring.war. Deploy the war file in a servlet container.
Generate Service Provider’s metadata
Metadata for the secured application can be downloaded from the unsecured url: http://sp.saml.org/<context root>/saml/metadata.
Register Remote Service Provider
Login to OpenAM’s admin console, and register remote service provider by using service provider’s metadata downloaded above.
Validate Spring SAML Security
By default the root directory of the web application is secured, and require authentication. Try to access the root directory of the application, http://sp.saml.org/<context root>/. A page requesting IdP selection is displayed. Select the IdP from the available options, and click on submit. The user would be redirected to the authentication page as configured on OpenAM. After providing valid credentials, the user is successfully authenticated on the Identity Provider, and the user is redirected to the default page of the application, index.jsp which lists various SAML attributes demonstrating SAML.
Spring SAML security validation was done using X509, Username and Password, and Basic Authentication modules supported by OpenAM.
Summary
Overall the integration experience was pleasant, and great appreciation goes to the spring team for the spring-security-saml project.
