spring-attic / spring-security-saml-dsl Goto Github PK

From @rwinch:

If you are able, you can ensure to use group of org.springframework.security.extensions and artifact of spring-security-saml2-dsl

Reference: jeanbza/git-java-okta-dsl#11
From @rwinch:

Currently the project has a compile dependency on spring-boot projects. Ideally it would only have a dependency on spring-security-saml and spring-security

To be more generic (since it could be used with any SAML provider)

Hi Team,

I followed all the step mentioned but when i run my application and hit https://localhost:8443/ then browser popped up asking Authentication but when i put my Okata userName and password it is not authenticating, not sure what is the problem.
I have below points:

1. Why my browser popping up with authentication rather than redirecting it to the Okata server.
2. what should be the userName and password for this popping authentication.

Wondering how we can configure proxy in the SAML configuration in this ? I currently don't see any option to configure it.

We have a couple of use cases where I work for customizing a couple of things in our SAML implementation, that the saml-dsl doesn't currently provide.

1. We need to be able to plug in our own AuthenticationProvider to the SAML login process.

2. One of our clients doesn't support SHA1 hashes of the SAML metadata, so we need to use rsa256.

3. We need to be able to change the maxAuthenticationAge of a saml login to a different value.

I've implemented all three of these features in my fork of the code, but I don't think it is ready for a pull request because I don't have any tests for it yet. If I am ever able to put in good tests for the changes, I'll submit a pull request, but if it helps speed things along, feel free to grab the changes from my code.

Spinnaker currently runs Spring Security 3.2, where this method is not available.

Not sure what I'm missing but org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter does not have saml() method as far as I can tell so I end up with compilation error when trying to plug in this code:

http.authorizeRequests()
	.antMatchers("/saml/**").permitAll()
	.anyRequest().authenticated()
	.and()
	.apply(saml())

esapi v.2.1.0.1 contains CVE-2013-5960
spring-security-saml2-core already has a new v.1.0.10.RELEASE that uses esapi v.2.2.0.0

line 21 - https://github.com/spring-projects/spring-security-saml-dsl/blob/master/build.gradle
line 8 - https://github.com/spring-projects/spring-security-saml-dsl/blob/master/core/build.gradle

Or it could be used with other SAML Identity providers like Shibboleth IDP?

1. Provide possibility to customize the AuthenticationSuccessHandler
Allow to change the default SavedRequestAwareAuthenticationSuccessHandler (fixes #50)

2. Provide possibility to customize the AuthenticationFailureHandler
Allow to change the default SimpleUrlAuthenticationFailureHandler (fixes #50)

3. Provide possibility to customize the LogoutSuccessHandler
Allow to change the default SimpleUrlLogoutSuccessHandler

4. Provide the ApplicationEventPublisher in order to publish Authenitcation Events

1. Set a ApplicationEventPublisher in the SAMLProcessingFilter in order to publish an InteractiveAuthenticationSuccessEvent (fixes #36)

2. Set a AuthenticationEventPublisher to the AuthenticationManager (aka the ProviderManager) in order to publish AuthenticationSuccess and AuthenticationFailure events. Usefull if spring-boot-actuator is on the classpath with AuditEvents beeing enabled (see: org.springframework.boot.actuate.security.AuthenticationAuditListener.java) (fixes #50)

5. Provide a possibility to set a custom EntryPoint for XMLHttpRequest
Nowdays many applications are using Javascript to comunicate with the backend. If the session has expired or hasn't been created yet it doesn't make sense to return them a 302 to the idp-login page since javascript doesn't have a chance to detect that and receives the HTML-login page. Provide a mechanism to return a different result if we detect that it was a javascript triggered HTTP-Request. Most javascript-frameworks send the header flag: X-Requested-With: XMLHttpRequest to detect that. (see: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). Similar how it is done in org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer.java

6. Provide a way to customize the RequestedAuthnContexts
We need to be able to customize the WebSSOProfileOptions to set the authnContexts so that the SP can control the authentication mechanism.

7. Provide a way to exclude the credentials from being stored in SAMLAuthenticationProvider
When false (default) the resulting Authentication object will include instance of SAMLCredential as a credential value. Setting this value to true can be very useful if someone serializes the session to redis (using spring-session) since the xml-elements of the assertion can't be serialized. (fixes #42 )

8. SingleLogout and CSRF Problem
Currently the AntPathRequestMatcher only considers the 'SSO' saml assertion consumer but not the 'SingleLogout" endpoint. Thus a HTTP-Post is rejected if CSRF is enabled

I'll be working on a PR that fixes the mentioned issues

HI, I was trying to set-up SAML support ( using guide in https://developer.okta.com/blog/2017/03/16/spring-boot-saml ) in my Spring Boot sample (IdP is IBM TFIM) and was struggling due to SAMLContextProvider being null when calling /saml/metadata endpoint.
I managed to work around by setting manager, keyManager and contextProvider properties of MetadataDisplayFilter object passed to:

chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
			new MetadataDisplayFilter()));

Is this a correct approach or I missed something in my app configuration?

Per spring-security-SAML

When creating the app I see screens the same way you are describing in OAUTH blog post, specifically I don't see "Configure SAML" anywhere and there's no "My Applications" link on the toolbar. Can you please comment?

contextProvider at MetadateDisplayFileter class is null. I see other pull request that fix the bug, but it isn't fixed in any release yet. ¿Anyone knows when it is going to be released?

We're attempting to use spring-security-saml-dsl with a Redis session store in our Spring Boot app, and are running into the following exception during the SAML handshake. It appears the NameIDImpl class is not serializable, and the session repository classes are expecting it to be.

For reference, we are using Spring Boot v1.5.4.RELEASE and the org.springframework.session:spring-session-data-redis v1.3.1.RELEASE library.

Is this a known issue and are there any workarounds? Thanks!

2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT org.springframework.data.redis.serializer.SerializationException: Cannot serialize; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:93)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.data.redis.core.AbstractOperations.rawHashValue(AbstractOperations.java:171)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.data.redis.core.DefaultHashOperations.putAll(DefaultHashOperations.java:129)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.data.redis.core.DefaultBoundHashOperations.putAll(DefaultBoundHashOperations.java:86)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.data.redis.RedisOperationsSessionRepository$RedisSession.saveDelta(RedisOperationsSessionRepository.java:778)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.data.redis.RedisOperationsSessionRepository$RedisSession.access$000(RedisOperationsSessionRepository.java:670)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.data.redis.RedisOperationsSessionRepository.save(RedisOperationsSessionRepository.java:388)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.data.redis.RedisOperationsSessionRepository.save(RedisOperationsSessionRepository.java:245)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.commitSession(SessionRepositoryFilter.java:245)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.access$100(SessionRepositoryFilter.java:217)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:170)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.cloudfoundry.router.ClientCertificateMapper.doFilter(ClientCertificateMapper.java:77)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:677)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.lang.Thread.run(Thread.java:748)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:68)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:35)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:91)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	... 41 common frames omitted
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT Caused by: java.io.NotSerializableException: org.opensaml.saml2.core.impl.NameIDImpl
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:46)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:63)
2017-10-30T13:40:40.14-0700 [APP/PROC/WEB/0]OUT 	... 43 common frames omitted

• Along with a README that appropriately describes the steps to setup okta.
• This should be under samples/

See: https://developers.google.com/google-apps/sso/saml_reference_implementation

I'm developing SPA with SAML. I have followed this https://www.sylvainlemoine.com/2018/03/29/spring-security-saml2.0-websso-with-angular-client/. Many of the configurations are provided in this saml-dsl library. But I am not sure how to pass relayState configuration and RelayStateSuccessHandler..?

Is there any extension point available for this?

as the SAMLProcessingFilter is created by code in SAMLConfigurer and not as an "@bean" the post processors aren't setting the ApplicationEventPublisher (in the AbstractAuthenticationProcessingFilter which SAMLProcessingFilter extends). This means that the 'successfulAuthentication' method isn't triggering 'InteractiveAuthenticationSuccessEvent' events

The releases have to be hunted in obscure repositories (Maven central isn't updated in years) and even there, the JARs are empty since 1.0.2. I would have thought it's abandonware but I see recent commits... (no, this kind of problems we users cannot fix with a pull request)

Hi there,

I built 2 different version of this demo, one exactly as described in the blog post. The spring boot app starts with no error however when I try to access https://localhost:8443 I get the following error in logs and I never get the login page

Caused by: org.xml.sax.SAXParseException: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
	at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher.dispatch(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.parsers.DOMParser.parse(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source) ~[xercesImpl-2.10.0.jar:na]
	at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121) ~[na:1.8.0_112]
	at org.opensaml.xml.parse.StaticBasicParserPool$DocumentBuilderProxy.parse(StaticBasicParserPool.java:673) ~[xmltooling-1.4.1.jar:na]
	at org.opensaml.xml.parse.StaticBasicParserPool.parse(StaticBasicParserPool.java:234) ~[xmltooling-1.4.1.jar:na]

Any idea what is going on here?

Thanks,
Bo

The current example app does not show logout functionality. Please add (or simply explain in this issue) an example that shows how to configure the DSL for logout. I tried adding logout functionality as follows:

protected void configure(HttpSecurity http) throws Exception {
	http
		.authorizeRequests()
			.antMatchers("/saml/**").permitAll()
			.anyRequest().authenticated()
			.and()
		.apply(saml())
			.serviceProvider()
				.keyStore()
					.storeFilePath("saml/keystore.jks")
					.password("secret")
					.keyname("spring")
					.keyPassword("secret")
					.and()
				.protocol("https")
				.hostname("localhost:8443")
				.basePath("/")
				.and()
			.identityProvider()
				.metadataFilePath(metadataUrl)
			.and()
				.logout()
				.defaultTargetUrl("/");
}

But this does not compile:

:samples/spring-security-saml-dsl-sample:compileJava
/Users/mraible/dev/spring-security-saml-dsl/samples/spring-security-saml-dsl-
sample/src/main/java/com/example/SecurityConfiguration.java:41: error: cannot find symbol
					.logout()
					^
  symbol:   method logout()
  location: class SAMLConfigurer
1 error
:samples/spring-security-saml-dsl-sample:compileJava FAILED

The base of the hierarchy should include identityProvider and serviceProvider to to separate the to ensure separation of those two configs is clear.

For example:

http
    ...
    .apply(okta())
        .idp() // could be .identityProvider() instead (not sure which is better)
            .metadataUrl("...")
            .and()
        .sp() // could be .serviceProvider() instead (not sure which is better)
           .keystore(...)

Hi,

in the current version it seems not to be possible to load a metadata file embedded in a JAR, like a packaged Spring Boot application. I get this exception:

java.io.FileNotFoundException: class path resource [saml/idp-meta.xml] cannot be resolved to absolute file path because it does not reside in the file system: jar:file:/test/test.jar!/WEB-INF/classes!/saml/idp-meta.xml

For me it looks like the FilesystemMetadataProvider being used requires a File handle and getting a File handle from a JAR is not possible. Instead, an InputStream should be used.

Can anyone confirm this?

Thanks,
Thorsten

I have the following use case I'm trying to implement:

We have a Service Provider, and we want our clients to be able to use it using their Identity Provider. This means we'll need to have more than one Identity Provider. I have an implementation that works, but I'm not sure if the approach is what you'd have in mind to solve the problem, which is why I haven't done a pull request for it. The full code is in the multi-idp branch of my fork, but the basics work like this:

First, I made the SAMLConfigurer's identityProvider a list. Then I made the SAMLConfigurer's identityProvider() method create a new instance of IdentityProvider and add it to that list.

Next, I made some modifications to how the metadata gets created so it works with multiple IDPs.

Finally, I added the following method to SAMLConfigurer to delegate some of the configuration to the class doing the security configuration:

    public SAMLConfigurer delegateConfig(Function<SAMLConfigurer, SAMLConfigurer> delegate) {
        return delegate.apply(this);
    }

It looks a little weird, but I couldn't create an IdentityProvider outside the SAMLConfigurer, and the delegate lets me use the dsl in helper methods like the one I use to iterate over our supported IDPS, doing the following for each one:

	samlConfigurer
		.identityProvider()
			.metadataFilePath("file://" + f.getAbsolutePath())
			.metadataTrustCheckEnabled(false);

I can then do this in my WebSecurityConfigurerAdapter implementation:

	.http(saml())
		.apply(saml())
			.serviceProvider()
				.keyStore()
					.storeFilePath(samlProperties.getKeystore())
					.password(samlProperties.getKeystorePassword())
					.keyname(samlProperties.getDefaultKey())
					.keyPassword(samlProperties.getDefaultKeyPassword())
					.and()
				.protocol("http")
				.hostname("localhost:8080")
				.basePath("/")
				.and()
			.delegateConfig(this::idpHelper)

What do you think?

We should call it saml rather than okta

We r looking forwarding to some features on master branch..
BUT it seems that this repo haven't updated its tags for a long time..?

Reference: jeanbza/git-java-okta-dsl#9

After successful authentication plugin redirect flow to dashboard page, but after that every request get redirect to okta(IDP) for authentication. is this correct?
Please tell me how do I handle the logout functionality.

I am developing the Rest API .

IDP would be ADFS.

I believe most of this library is IdP-agnostic, right?

How to attach custom success and failure handler whenever login happens ? I don't see any options / method to customize nor any AuthenticationSuccessEvent is triggered.

--my bad

Hi,

In a project of mine I need to use a special strategy to retrieve stored SAML messages (via SAMLMessageStorage) that doesn't involve HttpSession.
Usually that would be pretty straightforward - just provide a custom implementation of SAMLMessageStorageFactory, but I couldn't find a method in the configurer for that.

Since the SAMLContextProvider implenetation used in the configuration contains a method for setting the storageFactory, it can set it from a (new) property of the ServiceProvider bean/config, e.g.:
contextProvider.setStorageFactory(serviceProvider.storageFactory);

Specifically the login one, but I can image wanting to customize the others as well.

Here is where they are hard coded:
https://github.com/spring-projects/spring-security-saml-dsl/blob/master/spring-security-saml-dsl/src/main/java/org/springframework/security/extensions/saml2/config/SAMLConfigurer.java#L252

Spring Security SAML sets forcePrincipalAsString is default true. SAML dsl made it forcibly false. Any reason for this. Can it be configurable?

Couple of oddities:

• spring-security-saml-dsl/src/test/java/resources/application-test.yml has okta: metadata: path: http://example.com/okta/metadata.xml. I assume this is something that the user has to update himself? Let's call this out in the README.md and provide some guidance on where this value should come from
• spring-security-saml-dsl/src/test/java/resources/credentials.example.yml notes that you need to enter username and password, and the README.md mentions that you need to fill these in, but these values neither correspond to anything in the DSL nor does the README.md describe where the values should be coming from

Hi,

I'd like to use the latest commit to inject a custom WebSSOProfileConsumer but it seems that Artifactory fails to publish the snapshot to the repository (error code 401 - Unauthorized), could you please check that?

Thanks for all the good work! 👍

• Along with a README that appropriately describes the steps to setup okta.
• This should be under samples/

I currently see 3 pieces of key information pulled out of the metadata.xml file:

1. entityID
2. x509 certificate
3. redirect SSO URL

I'd like to be able to specify these directly, rather than mess with an HTTP or file-based way.