Home Explore Help
Register Sign In
github
/
spring-security-samples
mirror of https://github.com/spring-projects/spring-security-samples
2
0
Fork 0
Files Issues 0 Wiki
Tree: b839068efb
Branches Tags
spring-security...
/
servlet
/
spring-boot
/
java
/
saml2
/
refreshable-metadata
/
README.adoc

README.adoc 2.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. = SAML 2.0 Refreshable Metadata
    2. 

  2. 

  3. This guide provides instructions on setting up this SAML 2.0 Login & Logout sample application.
    4. 

  4. It uses https://simplesamlphp.org/[SimpleSAMLphp] as its asserting party.
    5. 

  5. 

  6. The sample application uses Spring Boot and the `spring-security-saml2-service-provider`
    7. 

  7. module which is new in Spring Security 5.2.
    8. 

  8. 

  9. The https://docs.spring.io/spring-security/reference/servlet/saml2/logout.html[SAML 2.0 Logout feature] is new in Spring Security 5.6.
    10. 

  10. 

  11. == Run the Sample
    12. 

  12. 

  13. === Install Docker
    14. 

  14. 

  15. This sample requires Docker to run a local IdP.
    16. 

  16. As an alternative, you can point the sample at your own IdP by changing the `application.yml` here:
    17. 

  17. 

  18. [source,java]
    19. 

  19. ----
    20. 

  20. saml2:
    21. 

  21.   ap.metadata: {your-idp-metadata-endpoint}
    22. 

  22. ----
    23. 

  23. 

  24. === Start up the Sample Boot Application
    25. 

  25. ```
    26. 

  26.  ./gradlew :servlet:spring-boot:java:saml2:refreshable-metadata:bootRun
    27. 

  27. ```
    28. 

  28. 

  29. === Open a Browser
    30. 

  30. 

  31. http://localhost:8080/
    32. 

  32. 

  33. You will be redirected to the SimpleSAMLPHP instance.
    34. 

  34. 

  35. === Type in your credentials
    36. 

  36. 

  37. ```
    38. 

  38. User: user1
    39. 

  39. Password: user1pass
    40. 

  40. ```
    41. 

  41. 

  42. == Goals
    43. 

  43. 

  44. === SAML 2.0 Login
    45. 

  45. 

  46. `saml2Login()` provides a very simple implementation of a Service Provider that can receive a SAML 2.0 Response via the HTTP-POST and HTTP-REDIRECT bindings against the https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/[Okta SAML 2.0 IDP] reference implementation.
    47. 

  47. 

  48. The following features are implemented in the MVP:
    49. 

  49. 

  50. 1. Receive and validate a SAML 2.0 Response containing an assertion, and create a corresponding authentication in Spring Security
    51. 

  51. 2. Send a SAML 2.0 AuthNRequest to an Identity Provider
    52. 

  52. 3. Provide a framework for components used in SAML 2.0 authentication that can be swapped by configuration
    53. 

  53. 4. Work against the Okta SAML 2.0 IDP reference implementation
    54. 

  54. 

  55. === SAML 2.0 Single Logout
    56. 

  56. 

  57. `saml2Logout()` supports RP- and AP-initiated SAML 2.0 Single Logout via the HTTP-POST and HTTP-REDIRECT bindings against the https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/[Okta SAML 2.0 IDP] reference implementation.
    58. 

  58. 

  59. On this sample, the SAML 2.0 Logout is using the HTTP-POST binding.
    60. 

  60. 

  61. You can refer to the https://docs.spring.io/spring-security/reference/servlet/saml2/logout.html[reference documentation] for more details about the RP- and AP-initiated SAML 2.0 Logout.
    62. 

  62. 

  63. === Refreshable Asserting Party Metadata
    64. 

  64. 

  65. The application uses a custom implementation of `RelyingPartyRegistrationRepository` to achieve Asserting Party Metadata refresh feature.
    66. 

  66. This particular implementation relies on an OpenSAML component that refreshes the metadata.
    67. 

  67. 

  68. 

  69.