Spring Boot and SAML 2.0

Solution 1

I implemented a sample project in order to show how to integrate Spring Security SAML Extension with Spring Boot.

The source code is published on GitHub:

Solution 2

I recently released a spring boot plugin for this here. It is basically a wrapper around Spring Security SAML that allows for friendlier configuration through a DSL or config properties. Here's an example using the DSL:

@SpringBootApplication
@EnableSAMLSSO
public class SpringBootSecuritySAMLDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecuritySAMLDemoApplication.class, args);
    }

    @Configuration
    public static class MvcConfig extends WebMvcConfigurerAdapter {

        @Override
        public void addViewControllers(ViewControllerRegistry registry) {
            registry.addViewController("/").setViewName("index");
        }
    }

    @Configuration
    public static class MyServiceProviderConfig extends ServiceProviderConfigurerAdapter {
        @Override
        public void configure(ServiceProviderSecurityBuilder serviceProvider) throws Exception {
            serviceProvider
                .metadataGenerator()
                .entityId("localhost-demo")
            .and()
                .sso()
                .defaultSuccessURL("/home")
                .idpSelectionPageURL("/idpselection")
            .and()
                .logout()
                .defaultTargetURL("/")
            .and()
                .metadataManager()
                .metadataLocations("classpath:/idp-ssocircle.xml")
                .refreshCheckInterval(0)
            .and()
                .extendedMetadata()
                .idpDiscoveryEnabled(true)
            .and()
                .keyManager()
                .privateKeyDERLocation("classpath:/localhost.key.der")
                .publicKeyPEMLocation("classpath:/localhost.cert");

        }
    }
}

That's basically all the code you need.

Solution 3

You'd have to do all the SAML stuff in XML (surprise, surprise). But the rest shouldn't get in the way, just standard Springy, Booty stuff, e.g.

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableAutoConfiguration
@Configuration
@ImportResource("my-crazy-ass-saml.xml")   // the SAML beans and filters are defined in XML
public class Application extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // set up security filter chain here
    }
}

Solution 4

I tried @vdenotaris' solution, but it does not seem to work with current spring-boot, and thus I gave up that approach.

So as an alternate solution I used shibboleth to do all the SAML stuff using the mod_shib2 module in apache httpd, and run tomcat using mod_jk (mod_proxy_ajp could also be used) behind the said apache instance. Tomcat receives all the required SAML attributes as request attributes, and I only have to store the idp and the user id in the regular user table to connect the internal authentication to the external (I need both SAML and password-based authentication).
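The handoff described in this answer, as an added example that is not part of the original post: a servlet filter that consumes the attributes mod_shib2 exports and mod_jk forwards (via JkEnvVar) as request attributes, and keys the local account by the (IdP, user id) pair. The attribute names `Shib-Identity-Provider` and `eppn` are assumed here; they depend on the SP's attribute-map.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ShibAttributeFilter implements Filter {
    // Assumed attribute names (depend on the Shibboleth SP attribute-map.xml).
    static final String IDP_ATTR = "Shib-Identity-Provider";
    static final String USER_ATTR = "eppn";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Read request attributes only: they are set by the SP and carried over AJP.
        // Never fall back to request.getHeader(), since any client can send a header
        // with the same name unless httpd strips it.
        Object idp = request.getAttribute(IDP_ATTR);
        Object userId = request.getAttribute(USER_ATTR);
        if (!(idp instanceof String) || !(userId instanceof String)
                || ((String) idp).isEmpty() || ((String) userId).isEmpty()) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Key the local account by (idp, userId): the same user id asserted by a
        // different IdP is a different identity and must not map to the same row.
        ExternalIdentity identity = new ExternalIdentity((String) idp, (String) userId);
        request.setAttribute(ExternalIdentity.class.getName(), identity);
        chain.doFilter(req, res);
    }

    // Value object stored in the regular user table next to the password-based account.
    public static final class ExternalIdentity {
        public final String idp;
        public final String userId;

        ExternalIdentity(String idp, String userId) {
            this.idp = idp;
            this.userId = userId;
        }

        public String lookupKey() {
            return idp + "|" + userId;
        }
    }
}
```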

Author by

vdenotaris


Updated on July 09, 2022

Comments

  • vdenotaris
    vdenotaris almost 2 years

    Is there a way to integrate SAML 2.0 in a Spring Boot-based application? I'd like to implement my own SP and communicate with a remote IdP.

  • vdenotaris
    vdenotaris about 10 years
    I'm currently trying to integrate this module with Spring Boot, but it isn't simple.
  • Stefan Rasmusson
    Stefan Rasmusson about 10 years
    Well, SAML isn't a very simple protocol to work with, but I think Spring SAML is your best bet. You could also use third-party software like Shibboleth to do the SAML communication and integrate your application with Shibboleth via a simpler API.
  • vdenotaris
    vdenotaris about 10 years
    Integrating Spring SAML in Spring Boot, I've had an infinite loop of requests. I'm loading the settings by using the @ImportResource annotation.
  • vdenotaris
    vdenotaris about 9 years
    The compatibility with the new version of Spring Boot is on my to-do list, but currently you should use the project as is.
  • P.Péter
    P.Péter about 9 years
    Unfortunately that is not really an option as we have already a large project built on top of the current version of spring-boot; thus my above outlined solution. Other solution would be to use spring-saml in another servlet and authenticate using some improvised inter-servlet protocol. That would be even less nice. :(
  • Ashika Umanga Umagiliya
    Ashika Umanga Umagiliya about 7 years
    Can this be used for a Spring Boot based REST API?
  • Ashika Umanga Umagiliya
    Ashika Umanga Umagiliya about 7 years
    Can I use this to secure REST APIs? Can I assume a security token with this method as well?
  • vdenotaris
    vdenotaris about 7 years
    @AshikaUmangaUmagiliya Not really, since this solution is based on the WAYF service. To enable SAML authentication in APIs, you should enable the ECP protocol, but it mainly supports SOAP web services.
  • sunder
    sunder over 6 years
    @vdenotaris Can you please check the question stackoverflow.com/questions/48883432/…
  • sunder
    sunder over 6 years
    Can you provide an update: do we need to pre-configure the IdPs in a bean, or can it change IdPs at runtime based on the user's input?
  • Renaud Denis
    Renaud Denis almost 6 years
    I think this answer should be accepted as the best answer, since it shows a more advanced integration with Spring Boot Autoconfiguration, and moreover, it's based on @vdenotaris' work. It's pretty amazing btw that the SAML extension of Spring Security is not yet officially integrated with Spring Boot.
  • Chris White
    Chris White over 5 years
    The issue with this library is that spring-security-saml2-core has a dependency on Spring Beans 4.x, so you're going to have issues with Spring Boot 2 (BootstrapException has been removed in 5.x).
  • Jolley71717
    Jolley71717 over 5 years
    Would this configuration work if you were also supporting an angularjs front end in the same application as the spring boot rest service?
  • Andreas
    Andreas over 3 years
    Just in case anyone else is referencing this answer in 2020, apparently the Spring security team completely overhauled the SAML core library back in Oct 2019 with a major v2 release. This code base is still referencing the v1 implementation. I found a decent example of how to use the new implementation codetinkering.com/saml2-spring-security-5-2-tutorial . Hopefully this info saves someone else some confusion.