Closed forgo closed 6 years ago
You use the Spring Security configuration to indicate which URLs should be protected. For example, a `WebSecurityConfigurerAdapter` with this:

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(final HttpSecurity http) throws Exception {
        http
            .csrf().ignoringAntMatchers("/saml/**") // csrf must be disabled for the saml endpoints
            .and()
            .apply(saml()) // saml() is the SAML DSL configurer
            .and()
            .authorizeRequests()
            .antMatchers("/protected").authenticated()
            .anyRequest().anonymous();
    }
}
```

With this, you can protect `/protected` but let anything else through without requiring authentication.
thanks @candrews, closing due to inactivity
I'm still trying to grasp how SAML works and a lot of what goes into it, so forgive me if this question doesn't make sense.
It appears your `@EnableSAMLSSO` annotation applies to a whole service and all related endpoints, but I don't see a way to isolate a specific endpoint in a service and not others. I am only interested in using SAML for a very specific endpoint in a specific API at the moment. Is this the wrong way to approach this problem with SAML? Should I make a "Service Provider" service that is separate from the API and endpoint I am trying to secure to make this more "reusable"? How?
The only way I see to accomplish this with granular endpoints across multiple APIs is to have a reverse proxy with a service in front of it to capture all incoming requests (the how of identifying what endpoints are secure, packaging a SAML request/redirects is still up in the air to me...)
Am I overcomplicating this? I don't see any other way to accomplish this from all I've been reading.
Ideally, I'd like to make my solution extend beyond Spring applications as well. I want to ensure I am allowing for a flexible architecture.
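The answer above protects a single path with one filter chain; the question also asks about granular endpoints across several APIs. The following is an added example, not code from this issue or from the project, showing the ordinary Spring Security pattern for that: two ordered `WebSecurityConfigurerAdapter` chains, where only the first (the protected API prefix plus the SAML endpoints) applies the SAML configurer and the second lets every other request through. It assumes Spring Security 5.x, a hypothetical protected prefix `/api/orders/**`, and that `saml()` is the same SAML DSL configurer used in the answer, here assumed to come from spring-security-saml-dsl's `SAMLConfigurer`.

```java
// Added example, not from the issue thread or the project.
// Assumptions: Spring Security 5.x (WebSecurityConfigurerAdapter), /api/orders/** is a
// hypothetical protected API prefix, and saml() is the SAML DSL configurer from the answer
// above, assumed to be provided by spring-security-saml-dsl's SAMLConfigurer.
package com.example.security; // hypothetical package

import static org.springframework.security.extensions.saml2.config.SAMLConfigurer.saml;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SplitSamlSecurityConfig {

    /** Chain 1 (evaluated first): only the protected API prefix and the SAML SP endpoints. */
    @Configuration
    @Order(1)
    public static class SamlProtectedApiConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Restrict this whole chain to these paths; other requests never enter it,
                // so the SAML filters are not even consulted for the rest of the application.
                .requestMatchers()
                    .antMatchers("/api/orders/**", "/saml/**")
                    .and()
                // The IdP POSTs the SAMLResponse to /saml/SSO without a CSRF token,
                // so CSRF checking is skipped for the SAML endpoints only.
                .csrf().ignoringAntMatchers("/saml/**")
                    .and()
                .apply(saml())
                    .and()
                .authorizeRequests()
                    .antMatchers("/saml/**").permitAll()
                    .antMatchers("/api/orders/**").authenticated();
        }
    }

    /** Chain 2 (fallback): everything else is served without a SAML round trip. */
    @Configuration
    @Order(2)
    public static class OpenEndpointsConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().permitAll();
        }
    }
}
```

The `requestMatchers()` block is what makes the isolation work: a request for any other URL is handled entirely by the second chain, so adding another SAML-protected API later is a matter of adding its prefix to the first chain's matcher list and its `authenticated()` rule, without touching the open endpoints. The `/saml/**` paths have to be included in the first chain because the IdP redirects and the metadata endpoint must reach the SAML filters, which only exist in that chain.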