
spring-security-adfs-saml2's People

Contributors

benoitwickramarachi, choonchernlim


spring-security-adfs-saml2's Issues

Required beans...

When I set up the basic configuration as you've described in the README, the application fails to start due to missing beans such as SAMLAuthenticationProvider, MetadataManager, etc. Doesn't your library configure all the required beans it and the saml-extension library need?

Calling /saml/login

Hello,

How can we invoke the endpoint /saml/login from the backend? I don't want to use forms!

Thanks,

Not working with Spring Boot 2.6 without allowing circular dependencies

Trying to upgrade the Spring Boot version of an application from 2.4 to 2.6, I found that the dependency for the ADFS connection actually suffers from some circular dependencies.

At first, I found that the

@Autowired
private SAMLAuthenticationProvider samlAuthenticationProvider;

field clashes with the

@Bean
public SAMLAuthenticationProvider samlAuthenticationProvider()

declaration. Yet, after removing the field and just using the bean configuration, Spring reported a dependency loop between samlEntryPoint and samlIDPDiscovery that I could not find a patch for.

These are obviously "resolved" by using the configuration

spring.main.allow-circular-references=true

Login failed action

Great library, works like a charm.

Just wanted to know how I can configure a specific behavior/response when a 401 status or "AuthNResponse;FAILURE" is being sent from the server.

Note: setFailedLoginDefaultUrl didn't have any effect whatsoever, it just redirects to the ADFS login page.

Question about SP public/private key requirement for SHA-256 usage

Hello

First, many thanks for publishing all these details about ADFS setup with SHA-256 signature support... because I really failed to get it to work with SHA-1; probably I made a mistake somewhere in the sequence.

I have first generated my SP private key according to http://docs.spring.io/autorepo/docs/spring-security-saml/current/reference/htmlsingle/#configuration-key-management-private-keys

but when enabling metadata signature option to SHA-256, metadata generation then fails with

Caused by: org.apache.xml.security.signature.XMLSignatureException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
                at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:167) ~[xmlsec-1.5.6.jar:1.5.6]
                at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(SignatureAlgorithm.java:238) ~[xmlsec-1.5.6.jar:1.5.6]
                at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:592) ~[xmlsec-1.5.6.jar:1.5.6]
                at org.opensaml.xml.signature.Signer.signObject(Signer.java:77) ~[xmltooling-1.4.1.jar:?]
                ... 70 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.provider.DSAPrivateKey
                at java.security.Signature$Delegate.chooseProvider(Signature.java:1135) ~[?:1.8.0_111]
                at java.security.Signature$Delegate.engineInitSign(Signature.java:1176) ~[?:1.8.0_111]
                at java.security.Signature.initSign(Signature.java:527) ~[?:1.8.0_111]
                at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineInitSign(SignatureBaseRSA.java:165) ~[xmlsec-1.5.6.jar:1.5.6]
                at org.apache.xml.security.algorithms.SignatureAlgorithm.initSign(SignatureAlgorithm.java:238) ~[xmlsec-1.5.6.jar:1.5.6]
                at org.apache.xml.security.signature.XMLSignature.sign(XMLSignature.java:592) ~[xmlsec-1.5.6.jar:1.5.6]
                at org.opensaml.xml.signature.Signer.signObject(Signer.java:77) ~[xmltooling-1.4.1.jar:?]
                ... 70 more

So I guessed that my private key was not consistent with signature requirements and I generated a new one with additional keytool options -keyalg RSA -keysize 2048 -sigalg SHA256withRSA

Could you please confirm that was the right thing to do, and maybe you generate your private key the same way? If so please - please - add this important information to your README.md.

Again thanks for your blog entries and this setup sample project.
Regards
Yves
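
The trace in this report shows an RSA signature (SignatureBaseRSA) being initialised with a DSA private key. The following JDK-only check reproduces that rejection and confirms that an RSA 2048-bit key is accepted for SHA256withRSA. It is an added example, not code from the project or the issue author; `SigningKeyPreflight` and `checkRsaSha256` are hypothetical names, and the keys are generated in memory instead of being loaded from the SP keystore.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;

/** Added example (hypothetical class): pre-flight check of an SP signing key. */
public class SigningKeyPreflight {

    /** Returns null when the key can sign with SHA256withRSA, else the reason. */
    static String checkRsaSha256(PrivateKey key) throws Exception {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(key);                 // the call that throws in the trace
            s.update(new byte[] {1, 2, 3});  // constructed dummy payload
            s.sign();
        } catch (InvalidKeyException e) {
            return key.getAlgorithm() + " key rejected: " + e.getMessage();
        }
        // 2048 bits mirrors the -keysize 2048 option quoted in the report.
        if (key instanceof RSAPrivateKey
                && ((RSAPrivateKey) key).getModulus().bitLength() < 2048) {
            return "RSA modulus shorter than 2048 bits";
        }
        return null;
    }

    /** Generates a throwaway key pair standing in for a keystore entry. */
    static KeyPair generate(String algorithm, int bits) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
        generator.initialize(bits);
        return generator.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys: one DSA (as in the failing setup), one RSA.
        PrivateKey dsa = generate("DSA", 2048).getPrivate();
        PrivateKey rsa = generate("RSA", 2048).getPrivate();

        String dsaResult = checkRsaSha256(dsa);
        String rsaResult = checkRsaSha256(rsa);
        System.out.println("DSA key: " + (dsaResult == null ? "usable" : dsaResult));
        System.out.println("RSA key: " + (rsaResult == null ? "usable" : rsaResult));
    }
}
```

To check a real key, pass `checkRsaSha256` the `PrivateKey` obtained from `KeyStore.getKey(alias, password)` for the SP's signing alias.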

Multiple IDP Configuration

I love how easy you've made setting up AD FS for me! So I'd first like to say thanks!

It'd be great if this could handle multiple IDPs. I think all that would need to be done is to allow a dev to add multiple IDP server names and, in metadata(), create multiple HTTPMetadataProviders with their own ExtendedMetadataDelegate and add them all to the list passed to the CachingMetadataManager.

Thanks again!

IDP metadata

Is it possible for this library to read the IDP's metadata XML file locally rather than over HTTPS?

Thanks,
Steven
