@EnableSAMLSSO from a Configuration class

[yihfenglow]

Hi,

First of all, a big thank you for open sourcing this project. It has been incredibly helpful.

I was wondering if we are meant to use @EnableSAMLSSO annotation on an @Configuration class, rather than in the Spring Boot Application class?

The reason why I think this would be beneficial is that we can then use the Spring @Profile annotation to by-pass SAML and fall back to basic HTTP authentication in a local development environment.

The README file seems to indicate that this is possible. However, when I move the @EnableSAMLSSO annotation from the Application class to a configuration, it always fails with:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.security.config.annotation.AlreadyBuiltException: This object has already been built

[ulisesbocchio]

Interesting, I've never tried that, if you would've asked before telling me it doesn't work I would have bet it did. Let me dig on that... You can certainly try the WebSecurityConfigurerAdapter approach with the SAMLConfigurerBean bean that's explained in the README. That version is meant to be used with other security configurations, so you can certainly mix basic and SAML that way.

[ulisesbocchio]

I this example, move the @EnableSAMLSSO annotation from next to @SpringBootApplication to next to the @Configuration annotation on MyServiceProviderConfig and everything works the same. Not sure how it didn't work but please feel free to reopen with a sample configuration that I can reproduce.

[yihfenglow]

Hi Ulises,

Thanks for the response.

I was actually using the WebSecurityConfigererAdapter, and attaching the @EnableSAMLSSO annotation on that class and that was what was throwing the error. I'm not sure if you would be able to reproduce this, it could just be down to some other dependency I have on my classpath that is interfering.

I tried it with ServiceProviderConfigurerAdapter and it seems to have worked.

Thanks again!

[worldsayshi]

Heads up for anyone else looking for guidance: From what I can tell @ulisesbocchio's comment above is aimed at this version of the example.