Re-enable SAML 2.0 samples with Okta IdP
Closes gh-55
This commit is contained in:
@@ -24,7 +24,7 @@ dependencies {
|
||||
implementation 'org.springframework.security:spring-security-saml2-service-provider'
|
||||
implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
|
||||
|
||||
testImplementation 'net.sourceforge.htmlunit:htmlunit'
|
||||
testImplementation 'net.sourceforge.htmlunit:htmlunit:2.44.0'
|
||||
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||
testImplementation 'org.springframework.security:spring-security-test'
|
||||
}
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -27,7 +27,7 @@ public class IndexController {
|
||||
|
||||
@GetMapping("/")
|
||||
public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
|
||||
String emailAddress = principal.getFirstAttribute("emailAddress");
|
||||
String emailAddress = principal.getFirstAttribute("email");
|
||||
model.addAttribute("emailAddress", emailAddress);
|
||||
model.addAttribute("userAttributes", principal.getAttributes());
|
||||
return "index";
|
||||
|
||||
@@ -16,13 +16,26 @@
|
||||
|
||||
package example;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.security.interfaces.RSAPrivateKey;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.Resource;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
|
||||
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
|
||||
@@ -39,7 +52,7 @@ public class SecurityConfiguration {
|
||||
.authorizeHttpRequests((authorize) -> authorize
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.saml2Login((saml2) -> saml2.loginProcessingUrl("/login/saml2/sso"))
|
||||
.saml2Login(Customizer.withDefaults())
|
||||
.saml2Logout(Customizer.withDefaults());
|
||||
// @formatter:on
|
||||
|
||||
@@ -49,7 +62,7 @@ public class SecurityConfiguration {
|
||||
@Bean
|
||||
RelyingPartyRegistrationResolver relyingPartyRegistrationResolver(
|
||||
RelyingPartyRegistrationRepository registrations) {
|
||||
return new DefaultRelyingPartyRegistrationResolver((id) -> registrations.findByRegistrationId("metadata"));
|
||||
return new DefaultRelyingPartyRegistrationResolver((id) -> registrations.findByRegistrationId("two"));
|
||||
}
|
||||
|
||||
@Bean
|
||||
@@ -65,4 +78,29 @@ public class SecurityConfiguration {
|
||||
return filter;
|
||||
}
|
||||
|
||||
@Bean
|
||||
RelyingPartyRegistrationRepository repository(
|
||||
@Value("classpath:credentials/rp-private.key") RSAPrivateKey privateKey) {
|
||||
RelyingPartyRegistration two = RelyingPartyRegistrations
|
||||
.fromMetadataLocation("https://dev-05937739.okta.com/app/exk4842vmapcMkohr5d7/sso/saml/metadata")
|
||||
.registrationId("two")
|
||||
.signingX509Credentials(
|
||||
(c) -> c.add(Saml2X509Credential.signing(privateKey, relyingPartyCertificate())))
|
||||
.singleLogoutServiceLocation(
|
||||
"https://dev-05937739.okta.com/app/dev-05937739_springsecuritysaml2idptwo_1/exk4842vmapcMkohr5d7/slo/saml")
|
||||
.singleLogoutServiceResponseLocation("http://localhost:8080/logout/saml2/slo")
|
||||
.singleLogoutServiceBinding(Saml2MessageBinding.POST).build();
|
||||
return new InMemoryRelyingPartyRegistrationRepository(two);
|
||||
}
|
||||
|
||||
X509Certificate relyingPartyCertificate() {
|
||||
Resource resource = new ClassPathResource("credentials/rp-certificate.crt");
|
||||
try (InputStream is = resource.getInputStream()) {
|
||||
return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new UnsupportedOperationException(ex);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,17 +1,2 @@
|
||||
spring:
|
||||
security:
|
||||
saml2:
|
||||
relyingparty:
|
||||
registration:
|
||||
metadata:
|
||||
entity-id: "{baseUrl}/saml2/metadata"
|
||||
acs.location: "{baseUrl}/login/saml2/sso"
|
||||
signing.credentials:
|
||||
- private-key-location: classpath:credentials/rp-private.key
|
||||
certificate-location: classpath:credentials/rp-certificate.crt
|
||||
identityprovider:
|
||||
metadata-uri: https://simplesamlphp.apps.pcfone.io/saml2/idp/metadata.php
|
||||
|
||||
|
||||
logging.level:
|
||||
org.springframework.security: TRACE
|
||||
|
||||
@@ -36,11 +36,6 @@
|
||||
</button>
|
||||
</form>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
|
||||
AP-initiated Logout
|
||||
</a>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<main role="main" class="container">
|
||||
|
||||
@@ -24,7 +24,7 @@ dependencies {
|
||||
implementation 'org.springframework.security:spring-security-saml2-service-provider'
|
||||
implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
|
||||
|
||||
testImplementation 'net.sourceforge.htmlunit:htmlunit'
|
||||
testImplementation 'net.sourceforge.htmlunit:htmlunit:2.44.0'
|
||||
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||
testImplementation 'org.springframework.security:spring-security-test'
|
||||
testImplementation 'org.awaitility:awaitility:4.2.0'
|
||||
|
||||
@@ -27,7 +27,7 @@ public class IndexController {
|
||||
|
||||
@GetMapping("/")
|
||||
public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
|
||||
String emailAddress = principal.getFirstAttribute("emailAddress");
|
||||
String emailAddress = principal.getFirstAttribute("email");
|
||||
model.addAttribute("emailAddress", emailAddress);
|
||||
model.addAttribute("userAttributes", principal.getAttributes());
|
||||
return "index";
|
||||
|
||||
@@ -16,13 +16,26 @@
|
||||
|
||||
package example;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.security.interfaces.RSAPrivateKey;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.Resource;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
|
||||
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
|
||||
@@ -59,4 +72,38 @@ public class SecurityConfiguration {
|
||||
return filter;
|
||||
}
|
||||
|
||||
@Bean
|
||||
RelyingPartyRegistrationRepository repository(
|
||||
@Value("classpath:credentials/rp-private.key") RSAPrivateKey privateKey) {
|
||||
RelyingPartyRegistration one = RelyingPartyRegistrations
|
||||
.fromMetadataLocation("https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata")
|
||||
.registrationId("one")
|
||||
.signingX509Credentials(
|
||||
(c) -> c.add(Saml2X509Credential.signing(privateKey, relyingPartyCertificate())))
|
||||
.singleLogoutServiceLocation(
|
||||
"https://dev-05937739.okta.com/app/dev-05937739_springgsecuritysaml2idp_1/exk46xofd8NZvFCpS5d7/slo/saml")
|
||||
.singleLogoutServiceResponseLocation("http://localhost:8080/logout/saml2/slo")
|
||||
.singleLogoutServiceBinding(Saml2MessageBinding.POST).build();
|
||||
RelyingPartyRegistration two = RelyingPartyRegistrations
|
||||
.fromMetadataLocation("https://dev-05937739.okta.com/app/exk4842vmapcMkohr5d7/sso/saml/metadata")
|
||||
.registrationId("two")
|
||||
.signingX509Credentials(
|
||||
(c) -> c.add(Saml2X509Credential.signing(privateKey, relyingPartyCertificate())))
|
||||
.singleLogoutServiceLocation(
|
||||
"https://dev-05937739.okta.com/app/dev-05937739_springsecuritysaml2idptwo_1/exk4842vmapcMkohr5d7/slo/saml")
|
||||
.singleLogoutServiceResponseLocation("http://localhost:8080/logout/saml2/slo")
|
||||
.singleLogoutServiceBinding(Saml2MessageBinding.POST).build();
|
||||
return new InMemoryRelyingPartyRegistrationRepository(one, two);
|
||||
}
|
||||
|
||||
X509Certificate relyingPartyCertificate() {
|
||||
Resource resource = new ClassPathResource("credentials/rp-certificate.crt");
|
||||
try (InputStream is = resource.getInputStream()) {
|
||||
return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new UnsupportedOperationException(ex);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,20 +1,2 @@
|
||||
spring:
|
||||
security:
|
||||
saml2:
|
||||
relyingparty:
|
||||
registration:
|
||||
one:
|
||||
signing.credentials: &rp-metadata
|
||||
- private-key-location: classpath:credentials/rp-private.key
|
||||
certificate-location: classpath:credentials/rp-certificate.crt
|
||||
identityprovider:
|
||||
metadata-uri: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
|
||||
two:
|
||||
signing.credentials: *rp-metadata
|
||||
decryption.credentials: *rp-metadata
|
||||
identityprovider:
|
||||
metadata-uri: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
|
||||
|
||||
|
||||
logging.level:
|
||||
org.springframework.security: TRACE
|
||||
|
||||
@@ -36,11 +36,6 @@
|
||||
</button>
|
||||
</form>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
|
||||
AP-initiated Logout
|
||||
</a>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<main role="main" class="container">
|
||||
|
||||
@@ -24,7 +24,7 @@ dependencies {
|
||||
implementation 'org.springframework.security:spring-security-saml2-service-provider'
|
||||
implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
|
||||
|
||||
testImplementation 'net.sourceforge.htmlunit:htmlunit'
|
||||
testImplementation 'net.sourceforge.htmlunit:htmlunit:2.44.0'
|
||||
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||
testImplementation 'org.springframework.security:spring-security-test'
|
||||
}
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -27,7 +27,7 @@ public class IndexController {
|
||||
|
||||
@GetMapping("/")
|
||||
public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
|
||||
String emailAddress = principal.getFirstAttribute("emailAddress");
|
||||
String emailAddress = principal.getFirstAttribute("email");
|
||||
model.addAttribute("emailAddress", emailAddress);
|
||||
model.addAttribute("userAttributes", principal.getAttributes());
|
||||
return "index";
|
||||
|
||||
@@ -8,7 +8,7 @@ spring:
|
||||
- private-key-location: classpath:credentials/rp-private.key
|
||||
certificate-location: classpath:credentials/rp-certificate.crt
|
||||
identityprovider:
|
||||
metadata-uri: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
|
||||
metadata-uri: https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata
|
||||
|
||||
logging.level:
|
||||
org.springframework.security: TRACE
|
||||
|
||||
@@ -36,11 +36,6 @@
|
||||
</button>
|
||||
</form>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
|
||||
AP-initiated Logout
|
||||
</a>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<main role="main" class="container">
|
||||
|
||||
Reference in New Issue
Block a user