Rithuik
@rithuiketz
?
José Carlos Mazella Junior
@juniormazella
@ulisesbocchio Hi there
I'm using a Spring Boot app with SAML context authorization
With Ulises' framework =)
All of the endpoints, when I call them by AJAX without a user inside the security context, are currently responding with the login page in the body of the response
Has anyone managed to leave this alone on one endpoint, /login for example,
and in the others respond with only a 403?
kalnida1
@kalnida1
Hi, I'm trying to use SAML 2.0 SSO in a Spring Boot app and I'm getting java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
I imported the certificate of the SSO server using keytool and both keystore and alias are password protected
I haven't found any reasonable answer on the net
Can you help me, please?
Ulises Bocchio
@ulisesbocchio
@juniormazella you should check out how to respond based on content type/accept headers. That way you can respond with a 403 and a JSON error when you get an Ajax call.
@kalnida1 sure, do you have a github repo that I can checkout?
George Haddad
@george-haddad
Hello, I couldn't find anything in the docs about providing the passphrase for the private key. There is only this line of code: and().keyManager().privateKeyDERLocation(...). Is there a way to provide it with a passphrase?
George Haddad
@george-haddad

Hey @ulisesbocchio, I'm trying to test your repo app with getting SAML assertions that are signed and encrypted. I configured it with the IdP's metadata and tried sending it a SAML assertion, though I keep getting an error saying that the message is invalid

Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid

I'm hoping you or someone else could give me some tips or point me in the right direction. I'm not sure if I am testing this correctly or if I need some extra configuration.
org.opensaml.common.SAMLException: Unsupported request
    at org.springframework.security.saml.processor.SAMLProcessorImpl.getBinding(SAMLProcessorImpl.java:265)
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:85)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:102)
Ulises Bocchio
@ulisesbocchio
@george-haddad .keyManager().keyPassword()
@george-haddad did you upload your cert to the IDP? have you imported the IDP metadata?
George Haddad
@george-haddad

Yes, I have imported the IdP's metadata via .and().metadataManager().metadataLocations("classpath:/metadata/idp-metadata.xml") and I'm setting the keys like so

.and()
    .keyManager()
    .privateKeyDERLocation(System.getenv("PRIVATE_KEY_DER_LOCATION"))
    .publicKeyPEMLocation(System.getenv("PUBLIC_KEY_PEM_LOCATION"))

The locations are stored on the fs of the Docker I am deploying to. I did try .keyPassword() but it didn't work, as I assume it's looking for the key in a key store because it expects a key name as well as a key password, which for me is the passphrase for the privateKeyDER. Currently I am using Linux scripts to decrypt the keys before the application is started.

Ulises Bocchio
@ulisesbocchio
Are the paths you’re providing in the form file:///path/to/cert ?
George Haddad
@george-haddad
yes
Ulises Bocchio
@ulisesbocchio
Can you upload your project to github for me to take a look?
George Haddad
@george-haddad
Ah sorry, the paths are classpath:/keys/public.pem, classpath, not file://
Ulises Bocchio
@ulisesbocchio
That's probably the problem. /keys/ is probably not in the classpath.
George Haddad
@george-haddad
It is, but it's ok, I resolved my issue anyway.
Ulises Bocchio
@ulisesbocchio
Care to comment on what the problem was, @george-haddad?
kalnida1
@kalnida1

Hi, I'm having a problem with implementing SAML SSO login. Getting past the IdP login, it says "authentication successful, redirecting to service" and on the app side I'm getting: Incoming SAML message is invalid

org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

Using a self-signed cert, and it was used for generating the metadata, which was then submitted to the IdP.
Any clues on what I have done wrong?
Ulises Bocchio
@ulisesbocchio
A self-signed cert should work. What IdP are you using?
kalnida1
@kalnida1
UbiSecure something
Ulises Bocchio
@ulisesbocchio
Did you import the proper IdP metadata with the cert?
What signature is it using?
yellapusony229
@yellapusony229
Hello @ulisesbocchio
yellapusony229
@yellapusony229
Hello @ulisesbocchio, I am using the spring-boot-security-saml dependency (1.7) to configure the binding properties in application.yml. But when I start the application it is giving a class not found exception for the SAML logger. Using Spring Boot version 2.2.6 and spring-security-saml2-core 2.0.0.M31, will this be fine? Can you please guide what are all the compatible versions for this jar?
thisiz_A
@arunsanna
@ulisesbocchio, I have a quick question. My app is behind a load balancer which terminates SSL and sends unencrypted traffic to the app. My IdP is configured to the https:// address; my LB will redirect all HTTP requests to HTTPS by default and terminates SSL. I am getting the below error.
2020-08-05 15:52:04,142 192.168.220.69 /saml/SSO/alias/ssc [DEBUG] org.springframework.security.saml.SAMLProcessingFilter - Incoming SAML message is invalid
org.opensaml.common.SAMLException: Unsupported request
    at org.springframework.security.saml.processor.SAMLProcessorImpl.getBinding(SAMLProcessorImpl.java:265) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
    at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) ~[spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80) [spring-security-saml2-core-1.0.3.RELEASE.jar:1.0.3.RELEASE]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) [spring-security-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
    at com.fortify.manager.web.security.auth.FmSamlProcessingFilter.doFilter(FmSamlProcessingFilter.java:29) [ssc-core-20.1.0.0169.jar:?]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:155) [spring-security-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
I am looking for more info. Please help!! Thanks :)
thisiz_A
@arunsanna
NVM, figured out the issue.
seanleblancicdtech
@seanleblancicdtech
Hello, I'm trying to figure out if we can add more than one service provider with Spring SAML. There seem to be hints of how to do this, but I'm having a hard time piecing this together.
At start time, we do this....
(for background, this is in Grails and Groovy, using spring-security-saml2-core-1.0.2-RELEASE)
private registerServiceProviderMetadata() {
    List<String> samlDomains = getSamlDomains()
    samlDomains.each { String samlDomain ->
        // Render the SP metadata template (from the Grails config) for this domain.
        def spTemplate = new SimpleTemplateEngine().createTemplate(
                new ClassPathResource(grailsApplication.config.saml.metadata.sp.template).inputStream.text)
        // Write the rendered metadata to a temp file that a FilesystemMetadataProvider can load.
        def spMetadataFile = File.createTempFile("temp", ".tmp")
        spMetadataFile.deleteOnExit()
        spMetadataFile.write(spTemplate.make([domain: samlDomain]) as String)
        def metadataProvider = new FilesystemMetadataProvider(spMetadataFile)
        metadataProvider.parserPool = parserPool

        // Register the provider, then mark this domain as the hosted SP.
        // setHostedSPName() is called once per iteration, so the last domain in the list wins.
        metadata.addMetadataProvider(metadataProvider)
        metadata.setHostedSPName(samlDomain)
        metadata.setRefreshRequired(true)
        metadata.refreshMetadata()
    }
}
seanleblancicdtech
@seanleblancicdtech
The essential problem is that the last one in the list "wins" due to metadata.setHostedSPName(samlDomain),
and the application will only act as a service provider for that domain name.
It's not clear how to use this entityAlias.

From docs: "Spring SAML contains limited support for multi-tenancy. It is possible to define configuration for multiple instances of local service providers, where each can have different URLs and security settings. System is differentiating between the service provider instances using entity alias which is a unique identifier within deployment of Spring SAML.

Entity alias is appended to URLs of SAML endpoints and used by Spring SAML to identify the correct instance. For example for local service provider with entity alias customer123 the standard URL scheme://server:port/contextPath/saml/login becomes scheme://server:port/contextPath/saml/login/alias/customer123.

The entity alias functionality can only be used together with pre-configured metadata (see Section 7.1.2, “Pre-configured metadata”). The entity alias is specified in the extended metadata of each of the configured service providers."