Spring Security is a feature-rich framework for handling security concerns in a web application. As standard, it has little support for SAML. However, SAML is now supported by an extension project – Spring Security SAML.
SAML
SAML (Security Assertion Markup Language) is an open standard that supports federated user login. That is, a user may authenticate to an Identity Provider (IdP) and then access an independent Service Provider (SP) without having to re-establish their identity. In practice, this usually means that a user provides their username and password to an application on one domain (the IdP) and can then single sign on (SSO) to an application on a different domain (the SP) without having to re-enter the username and password. Crucially, the SP is never even aware of the user’s password. So long as the SP trusts the IdP and the IdP trusts the user, the SP can trust the user too. SAML is the data format that allows this trust to be expressed and the user’s identity to be securely asserted to the SP.
Sample app
Spring Security SAML comes with an excellent sample app which can be set up in just a few minutes. After downloading the package from spring-security-saml on GitHub, the sample app can be run just by modifying a couple of files and deploying to Tomcat. The quick start guide will get you as far as setting up the sample app to SSO with SSO Circle, a free public identity provider. In this case, the sample app serves as the SP and SSO Circle serves as the IdP.
When the sample app is running, it serves not only to demonstrate the code, but to assist with generation of metadata required by the Identity Provider (IdP). This is a necessary step to establish the trust relationship between the SP and the IdP.
Building into an existing app
Building Spring Security SAML into an existing Spring Security application is also fairly straightforward. As a demonstration, I’ve added it to the legendary Spanners demo app. Download version 2.5 to see this in action.
For the most part, the spring-security-context.xml file is just a copy of the securityContext.xml file taken from the Spring Security SAML sample app. I’ve made a few changes to configure SAML the way I want and to configure the Spanners app security correctly.
IdP Discovery and selection
The SAMLDiscovery bean is responsible for choosing one of the configured IdPs to log in against:
    <!-- IDP Discovery Service -->
    <bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
        <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/>
    </bean>
The idpSelectionPath property defines a page that lets the user choose which IdP to log in against. The Spanners demo app federates against SSO Circle only, so there’s no point in showing this page. The SAMLDiscovery bean will automatically return the default IdP if no idpSelectionPath property is set:
    <bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
        <!-- Do not show the IdP selection page. Always use the default IdP. There's only one configured anyway. -->
        <!--<property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/> -->
    </bean>
SAMLUserDetailsService
The SAMLUserDetailsService is similar to the Spring Security UserDetailsService interface. Annoyingly though, it’s a separate interface, not a sub-interface. This means that any implementation of UserDetailsService that you already have will have to be reimplemented for SAML (I’m sure that a wrapper implementation of SAMLUserDetailsService that bridges to a UserDetailsService wouldn’t be too hard to make).
The SAMLUserDetailsService is optional. If it’s not provided, you’ll get an instance of OpenSAML NameIDImpl as your principal. This is a little fiddly to work with and is likely to cause issues if you’re converting an existing Spring Security project, since Spring Security usually uses an implementation of UserDetails as the principal.
I’d recommend creating an implementation of SAMLUserDetailsService that returns a UserDetails object. I created a trivial implementation that grants every logged-in user a standard set of roles:
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;

    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.security.saml.SAMLCredential;
    import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

    public class SimpleSAMLUserDetailsService implements SAMLUserDetailsService {

        // The SP never sees the real password, so a placeholder satisfies the User constructor.
        public static final String DUMMY_PASSWORD = "DUMMY_PASSWORD";

        private List<String> roles;

        // Roles are injected from the Spring context and granted to every authenticated user.
        public void setRoles(List<String> roles) {
            this.roles = roles;
        }

        public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
            // The NameID asserted by the IdP becomes the local username.
            String username = credential.getNameID().getValue();
            Collection<GrantedAuthority> gas = new ArrayList<GrantedAuthority>();
            for (String role : roles) {
                gas.add(new SimpleGrantedAuthority(role));
            }
            return new User(username, DUMMY_PASSWORD, gas);
        }
    }
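As an added example (not code from the Spanners app), here is the bridging wrapper suggested above: it delegates to an existing UserDetailsService so the local account lookup is reused, rejects SAML subjects with no local account rather than auto-provisioning them, and optionally merges authorities taken from a SAML attribute. The attribute name ("groups") and the "ROLE_" prefix are assumptions; the Spring Security SAML 1.0.x types used (SAMLUserDetailsService, SAMLCredential.getAttributeAsStringArray) are the ones already mentioned on this page.

```java
import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Bridges the SAML extension to an existing UserDetailsService.
 * The IdP has already authenticated the user; this class only maps the asserted
 * NameID to a locally known account (no auto-provisioning) and optionally merges
 * authorities derived from a SAML attribute on top of the local ones.
 */
public class BridgingSAMLUserDetailsService implements SAMLUserDetailsService {

    private final UserDetailsService delegate;
    private final String groupAttribute; // assumption: e.g. "groups"; null disables attribute mapping
    private final String rolePrefix;     // assumption: e.g. "ROLE_"

    public BridgingSAMLUserDetailsService(UserDetailsService delegate,
                                          String groupAttribute, String rolePrefix) {
        this.delegate = delegate;
        this.groupAttribute = groupAttribute;
        this.rolePrefix = rolePrefix;
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        String username = credential.getNameID().getValue();

        // Unknown subjects are rejected, not silently created: the IdP vouches for
        // the identity, but the SP still decides who is allowed in.
        UserDetails local = delegate.loadUserByUsername(username);
        if (local == null) { // some implementations return null instead of throwing
            throw new UsernameNotFoundException("No local account for SAML subject " + username);
        }

        // Start from the locally assigned authorities, then add any asserted groups.
        Collection<GrantedAuthority> authorities =
                new ArrayList<GrantedAuthority>(local.getAuthorities());
        if (groupAttribute != null) {
            String[] groups = credential.getAttributeAsStringArray(groupAttribute);
            if (groups != null) {
                for (String group : groups) {
                    String name = group.trim();
                    if (!name.isEmpty()) {
                        authorities.add(new SimpleGrantedAuthority(rolePrefix + name.toUpperCase()));
                    }
                }
            }
        }

        // The SP never learns the password; keep the local account flags (enabled, locked,
        // expired) so disabling an account locally still takes effect for SAML logins.
        return new User(local.getUsername(), "N/A", local.isEnabled(),
                local.isAccountNonExpired(), local.isCredentialsNonExpired(),
                local.isAccountNonLocked(), authorities);
    }
}
```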
IdP / Metadata
The easiest way to configure the necessary metadata to establish trust with an IdP is to use the metadata display screen in the Spring Security SAML sample app. You could of course build these features into your own app too but you may not want to include this feature in a production application. For the Spanners app, I used the SAML sample app to set up all required metadata and then just copied the configuration for Spanners. I’ve removed the metadata display filter from the final application.
Security Annotations
Finally, I’ve configured method level security annotations as described in Protecting Service Methods with Spring Security Annotations.
Project status
At the time of writing, this project is still sitting at RC (Release Candidate) status and it’s been over a year since the last RC release. However, there is still recent activity on the project and a recent forum post indicates that a GA (General Availability) release looks imminent.
Hi Stuart
How do I use SSO on multiple Spring Security web applications without SAML?
Briefly…
We have one web application (Spring Security) which takes care of the user login mechanism. We then have many other web applications (Spring Security) which are accessed through hyperlinks in the first application. How do we achieve SSO in this scenario without SAML? Please clarify.
Many thanks
Jay
Jay
There are a couple of other ways SSO can be done.
If everything’s on the same virtual host you could consider the Tomcat SSO valve (assuming you’re using Tomcat). But you’d need Tomcat to manage your logins. You can make this work with Spring Security but I’m not sure that’s what you want.
At the other end of the difficulty scale, you could use an enterprise level framework such as IBM Tivoli Access Manager / WebSEAL. This takes SSO outside of your application entirely. It’s mighty powerful but very heavy and expensive.
The only other solution I’ve used is CAS. It does integrate with Spring Security but I found it a little difficult when I last used it about 5 years ago. Something better may have come along since then but I’m afraid I couldn’t advise on that.
Hi Stuart,
I’m trying to integrate Spring SAML into my application. I’m using the sample securityContext as well. When I run the application, I’m getting an IncompatibleClassChangeError: Implementing class error. The stacktrace isn’t very informative for me and I have no idea where it’s bombing out. Any chance you ran into this error when you were setting up your integration with the Spanners app?
Thanks
Sorry, I never ran into that issue. It seems to be a compile time issue, possibly related to an incompatibility in a library used by the Spanners app. Without more info though, I couldn’t even guess which one.
Hi Stuart,
My project is already implemented as IdP-initiated SSO with Spring, and I want to convert it to SP-initiated SSO. Could you please tell me what changes I need to make in Spring?
Thanks
Hi Stuart,
Thank you for the article.
According to my understanding, the Spring Security SAML extension implements the SP only.
It does not implement an IdP.
I would be happy for your confirmation.
Thanks for your help,
Michael
Hi Stuart,
I have an application called service portal (SP) developed using Spring Security and the MVC framework. The SP application connects to LDAP for authentication. If the user authentication is successful, the user is navigated to a homepage where multiple links are provided for external applications… When the user clicks on an application link, the user should be successfully navigated to the respective application without being challenged by a login page.
Can you please share some example for the above use case.
Thank you,
Hi Stuart,
Can you please let me know the best and simplest approach to accomplish the scenario below.
-> I have created a portal application (Spring Security 3) which takes care of LDAP authentication and retrieves user roles from LDAP.
The portal application provides links to other Spring-based applications running on the same server and domain. Now I need to bypass the login page of the external applications, i.e. if the user is successfully authenticated in the portal application, the user should be able to navigate to the other application link without logging in again….
Regards,
snhp
Reply to Jayakumar:
One way to do this would be to modify the hyperlinks in the portal application to include the identity of the logged in user and post that identity to each target application when the user clicks the link. You should ensure that the posted string is cryptographically signed, e.g. by HMAC, and that it has a timestamp to prevent replays.
On the receiving side, you could write an identity filter to interpret the posted string, validate the message and instantiate a user principal object in the target application session.
Of course, that is pretty well what SAML would do, so it is arguable that you would not be getting much benefit.
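As an added example (not code from the original post or its author), the hand-off described in the reply above, in Java: the portal signs username, issue time and a random nonce with HMAC-SHA256, and the target application’s identity filter would call verify(), which checks the MAC in constant time before trusting any field, enforces a freshness window and rejects a nonce it has already accepted. The token layout, the 60-second window and the shared-key provisioning are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Signed identity hand-off: base64url(username|issuedAtMillis|nonce) "." base64url(HMAC-SHA256). */
public final class SignedHandoff {
    private static final String ALG = "HmacSHA256";
    private static final long MAX_AGE_MILLIS = 60_000L;        // assumption: freshness window
    private static final SecureRandom RNG = new SecureRandom();

    private final byte[] key;                                  // shared by portal and target (out of band)
    // Nonces accepted within the window; a real store would evict entries older than MAX_AGE_MILLIS.
    private final Set<String> seenNonces = ConcurrentHashMap.newKeySet();

    public SignedHandoff(byte[] key) {
        if (key == null || key.length < 32) throw new IllegalArgumentException("key must be >= 256 bits");
        this.key = key.clone();
    }

    /** Portal side: bind the username to the issue time and a random nonce, then sign. */
    public String issue(String username, long nowMillis) {
        if (username.indexOf('|') >= 0) throw new IllegalArgumentException("username must not contain '|'");
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String payload = username + "|" + nowMillis + "|" + b64(nonce);
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(payload));
    }

    /** Target side: returns the username if the token is authentic, fresh and unused; otherwise null. */
    public String verify(String token, long nowMillis) {
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        byte[] payloadBytes, sig;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(token.substring(0, dot));
            sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                                       // malformed encoding
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // Verify the MAC before parsing anything; constant-time compare avoids timing leaks.
        if (!MessageDigest.isEqual(hmac(payload), sig)) return null;
        String[] parts = payload.split("\\|", -1);
        if (parts.length != 3) return null;
        long issued;
        try { issued = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        long age = nowMillis - issued;
        if (age < 0 || age > MAX_AGE_MILLIS) return null;     // expired, or issued in the future
        if (!seenNonces.add(parts[2])) return null;           // nonce already used: replay
        return parts[0];
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);                                    // constructed demo key
        SignedHandoff handoff = new SignedHandoff(key);
        long now = System.currentTimeMillis();
        String token = handoff.issue("alice", now);
        System.out.println(handoff.verify(token, now + 5_000L));                        // alice
        System.out.println(handoff.verify(token, now + 6_000L));                        // null: replayed
        System.out.println(handoff.verify(handoff.issue("bob", now), now + 120_000L));  // null: too old
    }
}
```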
I have followed the above instructions to integrate Spring SAML in my Spring Security-enabled web application. I am able to redirect to the IdP server for authentication but I want this application to have multi-tenancy. This application needs to be deployed on AWS for SaaS so that it can be accessed by multiple clients. Now I am facing a challenge to enable this application for normal user login using j_spring_security and OAuth as well as SAML.
Please suggest some approach to cover the above scenario.
Hi bro
Good work, but I need some help to integrate SAML.
Actually I have a product running for multiple companies. I need SAML-based authentication
for one company and all others will be authenticated by local DAO-based authentication,
and my product is in a single WAR file which is running on a per-company basis.
Need help.
Thanks in advance
I want to run Spring SAML 2.0 in JBoss 7.1. What do I need to configure in JBoss?
Hello Stuart – Do you know how we can get the SAMLAssertion from the SAMLResponse using the OpenSAML library? Any testing / sample program would be very helpful.
Thank you.
Stacy
Hi,
I want to integrate the Spring Security SAML extension with my existing Java-based application.
Note: My application is Java-based and NOT Spring-based.
Could you please let me know the integration steps?
Ta
Hello, why didn’t you develop the code for Spring MVC and the WSO2 IdP?
hi Stuart,
I have read the documentation of Spring SAML as you mentioned above. However, my case is that my app is a consumer of the web service from the SP, but I have to go through the IdP for SSO before I can access the web service. I was told that I can use Spring Security to do this, but I could not find any sample code out there that did this. Any suggestion? I would really be very grateful for your input.
thanks,
Arnarn
Hello,
Thanks for your help.
First, sorry for my bad English.
I try to run the “mvn install” command to build this project and I get an error finding javax.activation:activation:jar:1.0.2.
What should I do?
Thanks for your reply.
Hi forough
Yes, I find I have exactly the same problem if I try to build that now.
It appears that this old version of javax.activation no longer exists at either http://download.java.net/maven/2 or the Maven central repo.
I’ve found it here though: http://mirrors.ibiblio.org/pub/mirrors/maven/mule/dependencies/
I’d suggest that you add this location to your repositories section in the project’s parent pom.xml file, just under the Spring milestone repo.
<repository>
<id>ibiblio</id>
<name>Alternative repo for old javax.activation version</name>
<url>http://mirrors.ibiblio.org/pub/mirrors/maven/mule/dependencies/</url>
</repository>
That got it working for me – hope it helps you too!
Hi,
Sorry, but I still have an error in “mvn tomcat7:run”:
cannot creat jdbc driver of class ‘ ‘ for connect URL ‘null’
and some errors like:
hibernate.properties not found !!
can you help me?
Great post Stuart,
I’m just in the process of trying to integrate SAML into an existing Spring based application where I use token based authentication via the Spring Security Rest plugin.
Have you ever attempted to use REST based authentication with SAML? Do you have any suggestions at all?
Cheers,
Mani
Sorry Mani, I’ve never used the REST based authentication.
Hi Stuart,
I have some old Java applications using Struts 1 and would like to apply the Spring SAML SP on top of these applications. Please advise on the best way to do this.
Thanks,
Ben.
Hi Ben! Spring Security (and the Spring Security SAML extension) should work just fine alongside Struts. Indeed, Spring Security and Struts 2 were used in the Spanners demo app up to version 2.6. It’s been a while since I’ve used Struts 1, but I’d expect your solution to be similar.
Hope that helps and good luck!
Hi,
My application is deployed in the cloud; we used Spring Boot to build a JAR and the same is deployed in the Heroku cloud. Now we are planning to have a SiteMinder IdP for SSO. Is the Spring Security SAML provided above useful for cloud-based applications? And as Spring Boot is 100% annotations, is there any sample reference for Spring Security SAML with only annotations?
Thanks in advance,
Kiran
Hi Kiran
I see no reason why the Spring Security SAML project wouldn’t work with a cloud based application. SAML is an industry standard and so should be fine regardless of where you choose to deploy your app.
I’m not aware of annotations for Spring Security SAML. I don’t think they’re suited to annotations due to the complexity of configuration. However, a Spring Boot application can import old-fashioned XML based config using the @ImportResource annotation. See the Spring Boot docs or the RootConfig class in the latest version of the Spanners app for an example.
I recently released this Spring Boot plugin that drastically reduces the boilerplate of configuring Spring Security SAML. Please see it here: https://github.com/ulisesbocchio/spring-boot-security-saml
That’s very nice Uli! Out of the box, Spring Security SAML does the job but needs a lot of work just to get started. Your plugin looks like it simplifies things considerably. The YAML config in particular looks really clean. Next time I’m working with SAML, I’ll be sure to give this a go. Many thanks for letting me know!
I want to use Spring Security SAML from my existing J2EE application. I would appreciate it if I could get sample Java (class) code that makes an IdP-initiated SSO to the Identity Provider.
I have made a SAML with ADFS service that is working fine. Can you help me with how to configure my Java web application with SAML ADFS?
From which version of Spring was this SAML security support available?
Karthik
This extension was developed against Spring / Spring Security 3.1.2.
Hi,
I provide the authentication to a group using JSP – credential.getAttributeAsString(“attributeName”) and credential.getAttributeAsStringArray(“attributeName”). Now I want to provide authentication for a particular role using UserDetailsService for group members which are comma-separated.
Hi
I’ll point you at Spring Security’s GrantedAuthority class. It sounds like you want your implementation of UserDetailsService to load your UserDetails and set one or more GrantedAuthoritys on it. I’m not sure exactly what your implementation will look like, but take a look at the code for the Spring Security JdbcDaoImpl as a good example of a UserDetailsService implementation.
Hi,
I used metadata to get the group claim (SOAP XML); using it we have to provide access to the particular members present in the group. So I am using JSP to write it. But I need to write it using GrantedAuthority in the form of Java code. I am not using any DAO class. It only contains controller, validator and form classes. So if you have an idea, please share it.
Thanks.
Hi Stuart,
Venkat here. I am able to integrate SAML with Service Provider Metadata. Also, I can see the SSOCircle login authentication after hitting the specified URL. But, after successful login in SSOCircle, the service provider return URL index.jsp/saml/sso gets stuck without processing the next steps.
Could you please suggest how to resolve this.
Many thanks
Venkat
Hi,
What’s the best way to use SSO in a Spring Security project?
By using a CAS server or SAML?
Thanks for your post
I have an application that is integrated with Spring Security and separated into two applications. I want to get single sign-on (SSO) with the lowest cost and compatible with Spring Security. Because of my infrastructure, I won’t use OAuth in the first stage. I want to know if I can use SAML.
SAML would be an option but you’d need to set up an IdP (Identity Provider) to handle the login. A number of solutions exist including free / open source ones. See SAML Open Source Implementations or Spring Security SAML: Integrating Identity Providers for some examples.
Sounds like you’re trying to get going quickly so this might be a bit heavy for what you need. Other options worth investigating are CAS or Tomcat Container based SSO.
Hi Stuart,
I am trying to integrate SAML in an application using Spring Security. The application is already acting as an SP for an existing IdP which is implemented using Okta. Now I have to integrate another IdP (which is ADFS) for a different SP. Can I configure this using the same spring-security XML? If yes, how do I do that? Please suggest.
Hi Sourav. Are you looking to integrate multiple IdPs with your application? As I understand it this should be possible, though I’ve never done it myself. If you look at the online demo, it starts with an IdP selection page – currently with only one IdP available. I’d suggest that you start from there to see how you’d add another IdP to your application.
I am trying to integrate PingIdentity with the Spring SAML sample app. After getting the redirect to the IdP, logging on OK and getting a good SAML assertion, I get an endless loop back in the sample app with an access denied error in the Spring Security stack. I am about to go back to debug Spring Security, but if you have any tips, that would be awesome. As you can see in this Spring Security log, all looks OK with Ping, the role voter is OK, then the authenticated user voter fails. And why do I end up with anonymousUser after a good Ping authentication? It seems some user principal needs to be mapped from Ping to Spring, yes?
2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 DEBUG HttpSessionStorage:93 – Storing message a2iiedhi69h081391e3biag591i7a2f to session FVAX79n-fxixNnIApUrrLe2V
2017-09-18 09:48:00 DEBUG HttpSessionStorage:93 – Storing message a2iiedhi69h081391e3biag591i7a2f to session FVAX79n-fxixNnIApUrrLe2V
2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 INFO SAMLDefaultLogger:127 – AuthNRequest;SUCCESS;10.69.208.181;app1;pingidentity;;;
2017-09-18 09:48:00 INFO SAMLDefaultLogger:127 – AuthNRequest;SUCCESS;10.69.208.181;app1;pingidentity;;;
2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 DEBUG SecurityContextPersistenceFilter:97 – SecurityContextHolder now cleared, as request processing completed
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/favicon.ico’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/images/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/css/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/logout.jsp’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/web/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 1 of 8 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionSecurityContextRepository:139 – HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionSecurityContextRepository:85 – No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@2f3ea906. A new one will be created.
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 2 of 8 in additional filter chain; firing Filter: ‘FilterChainProxy’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/login/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/logout/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/metadata/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/sso/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/ssohok/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/singlelogout/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/discovery/**’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:180 – /index.jsp has no matching filters
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 3 of 8 in additional filter chain; firing Filter: ‘RequestCacheAwareFilter’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:309 – pathInfo: both null (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:309 – queryString: both null (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – requestURI: arg1=/app1/; arg2=/app1/ (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – serverPort: arg1=8443; arg2=8443 (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – requestURL: arg1=https://ew7uipwm07.integration.uniqa.at:8443/app1/; arg2=https://ew7uipwm07.integration.uniqa.at:8443/app1/ (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – scheme: arg1=https; arg2=https (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – serverName: arg1=ew7uipwm07.integration.uniqa.at; arg2=ew7uipwm07.integration.uniqa.at (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – contextPath: arg1=/app1; arg2=/app1 (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – servletPath: arg1=/index.jsp; arg2=/index.jsp (property equals)
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionRequestCache:62 – Removing DefaultSavedRequest from session if present
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 4 of 8 in additional filter chain; firing Filter: ‘SecurityContextHolderAwareRequestFilter’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 5 of 8 in additional filter chain; firing Filter: ‘AnonymousAuthenticationFilter’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AnonymousAuthenticationFilter:102 – Populated SecurityContextHolder with anonymous token: ‘org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 10.69.208.181; SessionId: FVAX79n-fxixNnIApUrrLe2V; Granted Authorities: ROLE_ANONYMOUS’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 6 of 8 in additional filter chain; firing Filter: ‘SessionManagementFilter’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 7 of 8 in additional filter chain; firing Filter: ‘ExceptionTranslationFilter’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 8 of 8 in additional filter chain; firing Filter: ‘FilterSecurityInterceptor’
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterSecurityInterceptor:194 – Secure object: FilterInvocation: URL: /index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterSecurityInterceptor:310 – Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 10.69.208.181; SessionId: FVAX79n-fxixNnIApUrrLe2V; Granted Authorities: ROLE_ANONYMOUS
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AffirmativeBased:65 – Voter: org.springframework.security.access.vote.RoleVoter@18d957ee, returned: 0
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AffirmativeBased:65 – Voter: org.springframework.security.access.vote.AuthenticatedVoter@651bd700, returned: -1
2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG ExceptionTranslationFilter:165 – Access is denied (user is anonymous); redirecting to authentication entry point
2017-09-18 09:48:01 INFO stdout:71 – org.springframework.security.access.AccessDeniedException: Access is denied
2017-09-18 09:48:01 INFO stdout:71 – at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
Hi all, is it possible to have SP-initiated as well as IdP-initiated SSO for a service provider?
Yes, it is! SP initiated is a slightly more complicated flow as you have to go from your SP application, to the IdP login page and then back to the SP application.
Both SP and IdP initiated SSO are covered in the Quick Start guide: https://docs.spring.io/spring-security-saml/docs/1.0.2.RELEASE/reference/html/chapter-quick-start.html#quick-start-testing
Hi Stuart,
Thanks a lot for your post regarding the IdP Discovery and selection. It helped me to get my SP end points redirected to the IdP; as you said, if we do not mention anything then the default configured IdP will be considered and the request will be redirected to the same IdP. It’s really great for me.
Hi Stuart,
Can I set this up as a service for an application in the cloud? I have a static site in AWS S3 that I want to set up with IdP-initiated SSO. I was thinking of setting up a Spring SAML app to be the interface to authenticate and handle the POST assertion and, once authenticated, redirect to the web application. Is this a viable solution? TIA
Hi Stuart,
I have one SP application from which I would like to configure multiple metadata URLs of the same IdP.
It means I would like to make my application a multi-tenant application.
So is there any way to make the metadata URL dynamic using Spring Boot? As my application can be accessed by multiple tenants using the same IdP and SP, I need some help on making the metadata URL dynamic at the time of initialization.
Also, is it possible to fetch the metadata URL as per my logged-in user from the DB?
Please let me know ASAP.
Thanks