44 Comments

  • Jayakumar Jayaraman
    September 3, 2014 - 4:42 pm | Permalink

    Hi Stuart

    How can I use SSO on multiple Spring Security web applications without SAML?

    Briefly…
    We have one web application (Spring Security) which takes care of the user login mechanism. And then we have many other web applications (Spring Security) which are accessed through hyperlinks in the first application. How can SSO be achieved in this scenario without SAML? Please clarify.

    Many thanks
    Jay

  • September 3, 2014 - 6:59 pm | Permalink

    Jay
    There are a couple of other ways SSO can be done.

    If everything’s on the same virtual host you could consider the Tomcat SSO valve (assuming you’re using Tomcat). But you’d need Tomcat to manage your logins. You can make this work with Spring Security but I’m not sure that’s what you want.

    At the other end of the difficulty scale, you could use an enterprise level framework such as IBM Tivoli Access Manager / WebSEAL. This takes SSO outside of your application entirely. It’s mighty powerful but very heavy and expensive.

    The only other solution I’ve used is CAS. It does integrate with Spring Security but I found it a little difficult when I last used it about 5 years ago. Something better may have come along since then but I’m afraid I couldn’t advise on that.

  • NuAlphaMan
    October 15, 2014 - 7:05 pm | Permalink

    Hi Stuart,

    I’m trying to integrate Spring SAML into my application. I’m using the sample securityContext as well. When I run the application, I’m getting an IncompatibleClassChangeError: Implementing class error. The stacktrace isn’t very informative for me and I have no idea where it’s bombing out. Any chance you ran into this error when you were setting up your integration with the Spanners app?

    Thanks

  • November 2, 2014 - 7:02 pm | Permalink

    Sorry, I never ran into that issue. It seems to be a compile time issue, possibly related to an incompatibility in a library used by the Spanners app. Without more info though, I couldn’t even guess which one.

  • Babu
    December 22, 2014 - 11:48 pm | Permalink

    Hi Stuart,

    My project is already implemented as IDP-initiated SSO with Spring, and I want to convert it to SP-initiated SSO. Could you please tell me what changes I need to make in Spring?

    Thanks

  • Michael
    December 25, 2014 - 6:14 am | Permalink

    Hi Stuart,
    Thank you for the article.
    According to my understanding Spring Security SAML extension implements SP only.
    It does not implement IDP.
    Will be happy for your confirmation.
    Thanks for your help,
    Michael

  • snhp
    January 30, 2015 - 10:38 pm | Permalink

    Hi Stuart,

    I have an application called service portal (SP), developed using Spring Security and the MVC framework. The SP application connects to LDAP for authentication. If the user authentication succeeds, the user is navigated to the home page, where multiple links are provided for external applications… When the user clicks on an application link, the user should be successfully navigated to the respective application without being challenged by a login page.

    Can you please share an example for the above use case?

    Thank you,

  • snhp
    February 4, 2015 - 8:00 pm | Permalink

    Hi Stuart,

    Can you please let me know the best and simplest approach to accomplish the scenario below.

    -> I have created a portal application (Spring Security 3) which takes care of LDAP authentication and retrieves user roles from LDAP.
    The portal application provides links to other Spring-based applications running on the same server and domain. Now I need to bypass the login page of the external applications, i.e. if the user is successfully authenticated in the portal application, the user should be able to navigate to the other application links without logging in again….

    Regards,
    snhp

  • Michael Glasson
    March 16, 2015 - 1:35 am | Permalink

    Reply to Jayakumar:

    One way to do this would be to modify the hyperlinks in the portal application to include the identity of the logged-in user and post that identity to each target application when the user clicks the link. You should ensure that the posted string is cryptographically signed, e.g. by HMAC, and that it has a timestamp to prevent replays.

    On the receiving side, you could write an identity filter to interpret the posted string, validate the message and instantiate a user principal object in the target application session.

    Of course, that is pretty well what SAML would do, so it is arguable that you would not be getting much benefit.
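    As an added illustration of the signed handoff Michael describes (example code written for this discussion, not from the article, its author, Michael or Spring Security), the class below issues a user|issued-at|nonce|audience string with an HMAC-SHA256 tag on the portal side and, on the target side, checks the tag in constant time before reading any field, bounds the token age, binds the token to the receiving application and refuses a nonce it has already accepted. The class name, the separator format, the 30-second skew allowance and the in-memory replay cache are assumptions of the example; a Spring Security filter on the target side would call verify() and build the principal from the username it returns.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical HMAC-signed identity handoff between a portal and a target
// application. Example code for this discussion, not part of Spring Security.
public final class SignedIdentityHandoff {

    private static final String ALGORITHM = "HmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private final SecretKeySpec key;   // shared secret, distributed to both sides out of band
    private final Duration maxAge;     // tokens older than this are refused
    // Replay cache (nonce -> expiry). In-memory, so it only protects a single target node.
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();

    public SignedIdentityHandoff(byte[] sharedSecret, Duration maxAge) {
        this.key = new SecretKeySpec(sharedSecret, ALGORITHM);
        this.maxAge = maxAge;
    }

    // Portal side: "user|issuedAtEpochSeconds|nonce|audience|signature".
    public String issue(String username, String audience, Instant now) {
        if (username.contains("|") || audience.contains("|")) {
            throw new IllegalArgumentException("fields must not contain the separator");
        }
        byte[] nonceBytes = new byte[16];
        RNG.nextBytes(nonceBytes);
        String payload = String.join("|", username, Long.toString(now.getEpochSecond()),
                B64.encodeToString(nonceBytes), audience);
        return payload + "|" + B64.encodeToString(hmac(payload));
    }

    // Target side: returns the asserted username, or throws SecurityException if the
    // token is forged, malformed, stale, meant for another application or replayed.
    public String verify(String token, String expectedAudience, Instant now) {
        int cut = token.lastIndexOf('|');
        if (cut < 0) throw new SecurityException("malformed token");
        String payload = token.substring(0, cut);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(token.substring(cut + 1));
        } catch (IllegalArgumentException e) {
            throw new SecurityException("malformed signature");
        }
        // Check the MAC first, in constant time, before trusting any field of the payload.
        if (!MessageDigest.isEqual(hmac(payload), presented)) {
            throw new SecurityException("bad signature");
        }
        String[] f = payload.split("\\|", -1);
        if (f.length != 4) throw new SecurityException("malformed payload");
        String username = f[0], nonce = f[2], audience = f[3];
        Instant issuedAt;
        try {
            issuedAt = Instant.ofEpochSecond(Long.parseLong(f[1]));
        } catch (NumberFormatException e) {
            throw new SecurityException("malformed timestamp");
        }
        if (!expectedAudience.equals(audience)) {
            throw new SecurityException("token issued for a different application");
        }
        // Small allowance for clock skew in the future direction, hard limit on age.
        if (issuedAt.isAfter(now.plusSeconds(30)) || issuedAt.plus(maxAge).isBefore(now)) {
            throw new SecurityException("token expired");
        }
        // A nonce is accepted once; expired entries are dropped so the cache stays bounded.
        seen.entrySet().removeIf(entry -> entry.getValue().isBefore(now));
        if (seen.putIfAbsent(nonce, issuedAt.plus(maxAge)) != null) {
            throw new SecurityException("token replayed");
        }
        return username;
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(key);
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo secret; a real deployment loads a random 32-byte key from configuration.
        byte[] secret = "demo-only-secret-replace-with-32-random-bytes".getBytes(StandardCharsets.UTF_8);
        SignedIdentityHandoff handoff = new SignedIdentityHandoff(secret, Duration.ofMinutes(2));
        Instant now = Instant.now();
        String token = handoff.issue("jay", "app2", now);
        System.out.println("accepted as " + handoff.verify(token, "app2", now));
        for (String bad : new String[] { token, token.replace("jay", "admin") }) {
            try {
                handoff.verify(bad, "app2", now);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());   // replayed, then bad signature
            }
        }
    }
}
```

    The order of checks matters: the MAC is verified before the payload is parsed, so an attacker who tampers with the username or timestamp never reaches the parsing or replay logic. The audience field is what stops a token minted for one target application from being accepted by another that shares the same secret. Because the replay cache lives in memory, a cluster of target nodes would need a shared store, or per-node secrets, to keep the once-only guarantee.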

  • Manoj Pathak
    March 16, 2015 - 7:04 pm | Permalink

    I have followed the above instructions to integrate Spring SAML into my Spring Security enabled web application. I am able to redirect to the IDP server for authentication, but I want this application to support multi-tenancy. This application needs to be deployed on AWS as SaaS so that it can be accessed by multiple clients. Now I am facing the challenge of enabling this application for normal user login using j_spring_security and OAuth as well as SAML.

    Please suggest some approach to cover the above scenario.

  • April 2, 2015 - 8:06 am | Permalink

    Hi bro,
    good work, but I need some help to integrate SAML.
    Actually I have a product running for multiple companies and I need SAML-based authentication
    for one company, while all the others will be authenticated by local DAO-based authentication,
    and my product is a single war file which runs on a per-company basis.
    Need help.
    Thanks in advance

  • Praveen
    April 8, 2015 - 12:19 am | Permalink

    I want to run Spring SAML 2.0 in JBoss 7.1. What do I need to configure in JBoss?

  • stacy
    April 13, 2015 - 8:22 pm | Permalink

    Hello Stuart – Do you know how we can get the SAMLAssertion from the SAMLResponse using the OpenSAML library? Any test / sample program would be very helpful.

    Thank you.
    Stacy

  • Ash
    May 27, 2015 - 4:06 pm | Permalink

    Hi,
    I want to integrate the Spring Security SAML extension with my existing Java-based application.
    Note: my application is Java-based and NOT Spring-based.

    Could you please let me know the integration steps?

    Ta

  • user
    June 18, 2015 - 9:40 pm | Permalink

    Hello, why don’t you develop the code for Spring MVC and the WSO2 IDP?

  • arnarn
    June 25, 2015 - 8:39 pm | Permalink

    hi Stuart,
    I have read the documentation of Spring SAML as you mentioned above. However, my case is that my app is a consumer of the web service from the SP, but I have to go through the IDP for SSO before I can access the web service. I was told that I can use Spring Security to do this, but I could not find any sample code out there that did this. Any suggestions? I would really be very grateful for your input.

    thanks,
    Arnarn

  • forough
    August 3, 2015 - 1:50 pm | Permalink

    hello,
    thanks for your help.
    First, sorry for my bad English.
    I tried to run the “mvn install” command to build this project and I get an error that it cannot find javax.activation:activation:jar:1.0.2

    What should I do?
    Thanks for your reply

  • August 3, 2015 - 4:26 pm | Permalink

    Hi forough

    Yes, I find I have exactly the same problem if I try to build that now.

    It appears that this old version of javax.activation no longer exists at either http://download.java.net/maven/2 or the Maven central repo.

    I’ve found it here though: http://mirrors.ibiblio.org/pub/mirrors/maven/mule/dependencies/

    I’d suggest that you add this location to your repositories section in the project’s parent pom.xml file, just under the Spring milestone repo.

    <repository>
        <id>ibiblio</id>
        <name>Alternative repo for old javax.activation version</name>
        <url>http://mirrors.ibiblio.org/pub/mirrors/maven/mule/dependencies/</url>
    </repository>

    That got it working for me – hope it helps you too!

  • forough
    August 6, 2015 - 7:19 am | Permalink

    hi,
    sorry, but I still have an error in “mvn tomcat7:run”:
    cannot create jdbc driver of class ‘ ‘ for connect URL ‘null’
    and some errors like:
    hibernate.properties not found !!
    can you help me?

  • Mani
    September 11, 2015 - 1:42 am | Permalink

    Great post Stuart,

    I’m just in the process of trying to integrate SAML into an existing Spring-based application where I use token-based authentication via the Spring Security Rest plugin.

    Have you ever attempted to use REST based authentication with SAML? Do you have any suggestions at all?

    Cheers,

    Mani

  • February 20, 2016 - 12:34 am | Permalink

    Hi Stuart,

    I have some old Java applications using Struts 1 and would like to apply the Spring SAML SP on top of these applications. Please advise on the best way to do this.

    Thanks,
    Ben.

    • February 20, 2016 - 8:45 pm | Permalink

      Hi Ben! Spring Security (and the Spring Security SAML extension) should work just fine alongside Struts. Indeed, Spring Security and Struts 2 were used in the Spanners demo app up to version 2.6. It’s been a while since I’ve used Struts 1, but I’d expect your solution to be similar.
      Hope that helps and good luck!

  • kiran
    May 4, 2016 - 5:07 am | Permalink

    Hi,

    My application is deployed in the cloud; we used Spring Boot to build a jar, and the same is deployed in the Heroku cloud. Now we are planning to have a SiteMinder IDP for SSO. Is the Spring Security SAML provided above useful for cloud-based applications? And as Spring Boot is 100% annotations, is there any sample reference for Spring Security SAML with only annotations?

    Thanks in advance,
    Kiran

    • May 4, 2016 - 9:35 pm | Permalink

      Hi Kiran
      I see no reason why the Spring Security SAML project wouldn’t work with a cloud based application. SAML is an industry standard and so should be fine regardless of where you choose to deploy your app.

      I’m not aware of annotations for Spring Security SAML. I don’t think they’re suited to annotations due to the complexity of configuration. However, a Spring Boot application can import old-fashioned XML based config using the @ImportResource annotation. See the Spring Boot docs or the RootConfig class in the latest version of the Spanners app for an example.

  • May 23, 2016 - 3:57 am | Permalink

    I recently released this Spring Boot plugin that drastically reduces the boilerplate of configuring Spring Security SAML. Please see it here: https://github.com/ulisesbocchio/spring-boot-security-saml

    • May 24, 2016 - 8:27 pm | Permalink

      That’s very nice Uli! Out of the box, Spring Security SAML does the job but needs a lot of work just to get started. Your plugin looks like it simplifies things considerably. The YAML config in particular looks really clean. Next time I’m working with SAML, I’ll be sure to give this a go. Many thanks for letting me know!

  • Avinash
    July 27, 2016 - 6:16 pm | Permalink

    I want to use Spring Security SAML from my existing J2EE application. I would appreciate it if I could get sample Java (class) code that makes IDP-initiated SSO to the Identity Provider.

  • ravikumar
    July 29, 2016 - 8:47 pm | Permalink

    I have made a SAML with ADFS service that is working fine. Can you help me with how to configure my Java web application with SAML and ADFS?

  • karthik
    August 23, 2016 - 6:39 pm | Permalink

    From which version of Spring has this SAML security support been available?

  • EagerToLearn
    September 2, 2016 - 11:35 am | Permalink

    Hi,

    I provide the authentication to a group using JSP – credential.getAttributeAsString(“attributeName”) and credential.getAttributeAsStringArray(“attributeName”). Now I want to provide authentication for a particular role using UserDetailsService for group members, which are comma-separated.

    • September 2, 2016 - 7:52 pm | Permalink

      Hi
      I’ll point you at Spring Security’s GrantedAuthority class. It sounds like you want your implementation of UserDetailsService to load your UserDetails and set one or more GrantedAuthority objects on it. I’m not sure exactly what your implementation will look like, but take a look at the code for the Spring Security JdbcDaoImpl as a good example of a UserDetailsService implementation.

  • EagerToLearn
    September 7, 2016 - 3:49 pm | Permalink

    Hi,
    I used metadata to get the group claim (SOAP XML); using it we have to provide access to the particular members present in the group. So I am using JSP to write it. But I need to write it using GrantedAuthority in the form of Java code. I am not using any DAO class. It only contains controller, validator and form classes. So if you have an idea, just share it.

    Thanks.
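    To make Stuart’s GrantedAuthority pointer concrete for the comma-separated group attribute asked about in both of EagerToLearn’s comments, here is an added example, written for this page and not the extension’s own code nor the article author’s, of a SAMLUserDetailsService that maps groups carried in the assertion to roles through an allow-list. The class name, the attribute name and the group-to-role map are assumptions of the example; SAMLUserDetailsService, SAMLCredential with its getAttributeAsString/getAttributeAsStringArray methods, User, SimpleGrantedAuthority and UsernameNotFoundException are the real Spring Security and Spring Security SAML types.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

// Hypothetical SAMLUserDetailsService that turns a comma-separated group attribute
// from the assertion into GrantedAuthority values. Example code, not the extension's own.
public class GroupMappingUserDetailsService implements SAMLUserDetailsService {

    // Assertion attribute carrying the groups (assumed name; check the IdP's attribute statement).
    private final String groupAttribute;
    // Allow-list: only groups listed here become roles; unknown groups in the assertion are ignored.
    // Role names carry the ROLE_ prefix so that RoleVoter and hasRole() recognise them.
    private final Map<String, String> groupToRole;

    public GroupMappingUserDetailsService(String groupAttribute, Map<String, String> groupToRole) {
        this.groupAttribute = groupAttribute;
        this.groupToRole = Collections.unmodifiableMap(groupToRole);
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        String username = credential.getNameID().getValue();
        List<GrantedAuthority> authorities = mapGroups(collectGroups(credential));
        if (authorities.isEmpty()) {
            // Refuse rather than admit an authenticated user with no role at all.
            throw new UsernameNotFoundException("no authorised group in assertion for " + username);
        }
        // Password is unused: the IdP has already authenticated this user.
        return new User(username, "", authorities);
    }

    // The IdP may send one comma-joined value or several attribute values; accept both.
    private List<String> collectGroups(SAMLCredential credential) {
        String[] values = credential.getAttributeAsStringArray(groupAttribute);
        if (values == null) {
            String single = credential.getAttributeAsString(groupAttribute);
            values = single == null ? new String[0] : new String[] { single };
        }
        return splitGroups(values);
    }

    // Pure helpers, kept separate from SAMLCredential so they can be unit-tested directly.
    static List<String> splitGroups(String[] values) {
        List<String> groups = new ArrayList<>();
        for (String value : values) {
            for (String g : value.split(",")) {
                String name = g.trim();
                if (!name.isEmpty()) groups.add(name);
            }
        }
        return groups;
    }

    List<GrantedAuthority> mapGroups(List<String> groups) {
        Set<String> roles = new LinkedHashSet<>();   // de-duplicate, keep order
        for (String g : groups) {
            String role = groupToRole.get(g);
            if (role != null) roles.add(role);
        }
        List<GrantedAuthority> out = new ArrayList<>();
        for (String r : roles) out.add(new SimpleGrantedAuthority(r));
        return out;
    }
}
```

    Wire the bean in as the userDetails property of SAMLAuthenticationProvider in securityContext.xml, and the roles it produces are what the intercept-url rules and any hasRole() checks in the JSPs see, so the JSP no longer needs to inspect the attribute itself. Two choices are deliberate: the allow-list means a new group appearing at the IdP grants nothing until an administrator maps it, and a user with no mapped group is rejected instead of being logged in with an empty authority set.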

  • Venkat
    December 7, 2016 - 2:36 am | Permalink

    Hi Stuart,

    Venkat here. I am able to integrate SAML with the Service Provider metadata. Also, I can see the SSOCircle login authentication after hitting the specified URL. But, after a successful login in SSOCircle, the service provider return URL index.jsp/saml/sso is stuck without proceeding to the next steps.

    Could you please suggest how to resolve this.

    Many thanks
    Venkat

  • December 13, 2016 - 4:44 pm | Permalink

    Hi,
    what’s the best way to use SSO in a Spring Security project?
    By using a CAS server or SAML?

  • reza ramezani matin
    June 15, 2017 - 6:57 am | Permalink

    Thanks for your post
    I have an application that is integrated with Spring Security, separated into two applications. I want to get single sign-on (SSO) with the lowest cost and compatible with Spring Security. Because of my infrastructure, I won’t use OAuth in the first stage. I want to know if I can use SAML.

  • Sourav Ghosh
    July 18, 2017 - 2:20 pm | Permalink

    Hi Stuart,

    I am trying to integrate SAML in an application using Spring Security. The application is already acting as an SP for an existing IDP provider which is implemented using Okta. Now I have to integrate another IDP (which is ADFS) for a different SP. Can I configure this using the same spring-security XML? If yes, how do I do that? Please suggest.

    • July 18, 2017 - 10:29 pm | Permalink

      Hi Sourav. Are you looking to integrate multiple IdP with your application? As I understand it this should be possible, though I’ve never done it myself. If you look at the online demo, it starts with an IdP selection page – currently with only one IdP available. I’d suggest that you start from there to see how you’d add another IdP to your application.

  • tom
    September 18, 2017 - 8:01 am | Permalink

    I am trying to integrate Ping Identity with the Spring SAML sample app. After getting the redirect to the IdP, logging on OK and getting a good SAML assertion, I get an endless loop back in the sample app with an access denied error in the spring-security stack. I am about to go back to debug Spring Security, but if you have any tips, that would be awesome. As you can see in this Spring Security log, all looks OK with Ping, the role voter is OK, then the authenticated user voter fails. And why do I end up with anonymousUser after a good Ping authentication? It seems some user principal needs to be mapped from Ping to Spring, yes?

    2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 DEBUG HttpSessionStorage:93 – Storing message a2iiedhi69h081391e3biag591i7a2f to session FVAX79n-fxixNnIApUrrLe2V

    2017-09-18 09:48:00 DEBUG HttpSessionStorage:93 – Storing message a2iiedhi69h081391e3biag591i7a2f to session FVAX79n-fxixNnIApUrrLe2V
    2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 INFO SAMLDefaultLogger:127 – AuthNRequest;SUCCESS;10.69.208.181;app1;pingidentity;;;

    2017-09-18 09:48:00 INFO SAMLDefaultLogger:127 – AuthNRequest;SUCCESS;10.69.208.181;app1;pingidentity;;;
    2017-09-18 09:48:00 INFO stdout:71 – 2017-09-18 09:48:00 DEBUG SecurityContextPersistenceFilter:97 – SecurityContextHolder now cleared, as request processing completed

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/favicon.ico’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/images/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/css/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/logout.jsp’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/web/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 1 of 8 in additional filter chain; firing Filter: ‘SecurityContextPersistenceFilter’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionSecurityContextRepository:139 – HttpSession returned null object for SPRING_SECURITY_CONTEXT

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionSecurityContextRepository:85 – No SecurityContext was available from the HttpSession: [email protected] A new one will be created.

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 2 of 8 in additional filter chain; firing Filter: ‘FilterChainProxy’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/login/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/logout/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/metadata/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/sso/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/ssohok/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/singlelogout/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AntPathRequestMatcher:103 – Checking match of request : ‘/index.jsp’; against ‘/saml/discovery/**’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:180 – /index.jsp has no matching filters

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 3 of 8 in additional filter chain; firing Filter: ‘RequestCacheAwareFilter’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:309 – pathInfo: both null (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:309 – queryString: both null (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – requestURI: arg1=/app1/; arg2=/app1/ (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – serverPort: arg1=8443; arg2=8443 (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – requestURL: arg1=https://ew7uipwm07.integration.uniqa.at:8443/app1/; arg2=https://ew7uipwm07.integration.uniqa.at:8443/app1/ (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – scheme: arg1=https; arg2=https (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – serverName: arg1=ew7uipwm07.integration.uniqa.at; arg2=ew7uipwm07.integration.uniqa.at (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – contextPath: arg1=/app1; arg2=/app1 (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG DefaultSavedRequest:325 – servletPath: arg1=/index.jsp; arg2=/index.jsp (property equals)

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG HttpSessionRequestCache:62 – Removing DefaultSavedRequest from session if present

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 4 of 8 in additional filter chain; firing Filter: ‘SecurityContextHolderAwareRequestFilter’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 5 of 8 in additional filter chain; firing Filter: ‘AnonymousAuthenticationFilter’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AnonymousAuthenticationFilter:102 – Populated SecurityContextHolder with anonymous token: ‘org.sprin[email protected]905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]0: RemoteIpAddress: 10.69.208.181; SessionId: FVAX79n-fxixNnIApUrrLe2V; Granted Authorities: ROLE_ANONYMOUS’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 6 of 8 in additional filter chain; firing Filter: ‘SessionManagementFilter’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 7 of 8 in additional filter chain; firing Filter: ‘ExceptionTranslationFilter’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterChainProxy:337 – /index.jsp at position 8 of 8 in additional filter chain; firing Filter: ‘FilterSecurityInterceptor’

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterSecurityInterceptor:194 – Secure object: FilterInvocation: URL: /index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG FilterSecurityInterceptor:310 – Previously Authenticated: org.sprin[email protected]905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]0: RemoteIpAddress: 10.69.208.181; SessionId: FVAX79n-fxixNnIApUrrLe2V; Granted Authorities: ROLE_ANONYMOUS

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AffirmativeBased:65 – Voter: [email protected], returned: 0

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG AffirmativeBased:65 – Voter: [email protected]d700, returned: -1

    2017-09-18 09:48:01 INFO stdout:71 – 2017-09-18 09:48:01 DEBUG ExceptionTranslationFilter:165 – Access is denied (user is anonymous); redirecting to authentication entry point

    2017-09-18 09:48:01 INFO stdout:71 – org.springframework.security.access.AccessDeniedException: Access is denied

    2017-09-18 09:48:01 INFO stdout:71 – at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)

  • Pavan Kalyan
    November 29, 2017 - 1:39 pm | Permalink

    Hi all, is it possible to have SP-initiated as well as IDP-initiated SSO for a service provider?

  • Surendra
    February 15, 2018 - 1:14 pm | Permalink

    Hi Stuart,
    Thanks a lot for your post regarding the IdP discovery and selection; it helped me to get my SP endpoints redirected to the IdP. As you said, if we do not mention anything then the default configured IdP will be considered and the request will be redirected to the same IdP. It’s really great for me.
