search

ulisesbocchio / spring-boot-security-saml

spring-security-saml integration with Spring Boot
MIT License
158 stars 73 forks source link

Two SAML servers in one system. #47

Closed MartinR1993 closed 6 years ago

MartinR1993 commented 6 years ago

Hi ulises,

I have a spring boot system, now using only one SAML server for authentication. This is using authentication for almost all my endpoints (url). But now I want to have two SAML servers running on the same system, one for customer authorization and the new one for admin authorization. I have created and now running the new SAML server for admin and the certificates that's neccesary.

The two SAML servers are also working fine on thier own. But i can't figure out how to use both of them at the same time. I have now two IdP (SAML servers), the original for customer and the new for admin. And they should be connected to the same SP (using all url for Customer and only "/admin/**" for Admin). This is my configuration(this works with just one SAML server):

@Configuration
public class ServiceProviderConfig extends ServiceProviderConfigurerAdapter {

    //Customer
    //Value = sam
    @Value("${idpmetadatapath}")
    private String idpMetadataPath;

    //Value = classpath:/metadata_simplesaml.xml
    @Value("${sam.samlsp.customer.entity.id}")
    private String entityIdCustomer;

    //Value = https://localhost:443
    @Value("${sam.samlsp.base.url}")
    private String entityBaseUrl;

    //Admin
    //Value = classpath:/admin_metadata_simplesaml.xml
    @Value("${idpmetadata_admin.path}")
    private String idpMetadataPathAdmin;

    //Value = sam-admin
    @Value("${sam.samlsp.admin.entity.id}")
    private String entityIdAdmin;

    @Override
    public void configure(ServiceProviderBuilder serviceProvider) throws Exception {
        DSLSAMLContextProviderImpl contextProvider = new DSLSAMLContextProviderImpl();
        contextProvider.setStorageFactory(new EmptyStorageFactory());
        ExtendedMetadata extendedMetadata = new ExtendedMetadata();

        WebSSOProfileOptions ssoOptions = new WebSSOProfileOptions();
        ssoOptions.setIncludeScoping(false);
        KeyStore ks;
        try (FileInputStream fis = new FileInputStream("./keystore.jks")) {
            ks = Try.of(() -> KeyStore.getInstance("JKS"))
                    .andThenTry(x -> x.load(fis, "password".toCharArray()))
                    .get();
        }
        KeyStore ksAdmin;
        try (FileInputStream fis = new FileInputStream("./admin_keystore.jks")) {
            ksAdmin = Try.of(() -> KeyStore.getInstance("JKS"))
                    .andThenTry(x -> x.load(fis, "password".toCharArray()))
                    .get();
        }

        serviceProvider
                    .samlContextProvider(contextProvider)
                    .metadataGenerator()
                    .entityId(entityIdCustomer)
                    .entityBaseURL(entityBaseUrl)
                .and()
                    .sso()
                    .profileOptions(ssoOptions)
                    .defaultSuccessURL("/profile")
                .and()
                    .logout()
                    .defaultTargetURL("/")
                .and()
                    .metadataManager()
                    .metadataLocations(idpMetadataPath)
                    .refreshCheckInterval(0)
                .and()
                    .extendedMetadata()
                    .signingAlgorithm("SHA-256")
                    .idpDiscoveryEnabled(false)
                .and()
                    .keyManager()
                    .keyStore(ks)
                    .keyPassword("saml", "password")
                    .defaultKey("saml")
                .and()
                    .http()
                    .csrf()
                    .ignoringAntMatchers("/saml/**")
                .and()
                    .authorizeRequests()
                    .antMatchers("/img/**")
                    .permitAll()
                    .antMatchers("/style/**")
                    .permitAll()
                .and();
    }
}

I have tried different solutions but nothing seems to work out for me. So i would like to ask if you can guide me in the right direction.

So how do I add another SAML server to the config, to authenticate only some urls ? Example: I want antMatches("/admin/**") and using SAML Admin authentication server.

Im using these specs: spring-boot-security-saml v. 1.13 java jdk 1.8

ulisesbocchio commented 6 years ago

If I understood correctly, you want 2 IDP configurations in the same app, one protecting a set of endpoints, the other one protecting another set of endpoints. This is in theory possible, but if you want real isolation, you would need 2 different security contexts, with their own security filter chain, etc. This would involve also isolation at the JSESSIONID level, requiring you to setup 2 cookies. That way it's literally like you're hitting two different applications. My two cents here is that is not worth it. Why have 2 IDPs in the first place to differentiate who's admin and who's not? It's much cleaner to use 1 IDP, and just have a role "ADMIN". Or, if you really need 2 IDPs because you keep the accounts separate, you can hook up 2 IDPs very easily, but again, on the same application, this way they share the same authentication object, and all you gotta do is assign a role ADMIN to the users from the admin IDP.

ulisesbocchio commented 6 years ago

closing due to no response