vdenotaris / spring-boot-security-saml-sample

SBS3 — A sample SAML 2.0 Service Provider built on Spring Boot.
https://sbs3.vdenotaris.com
Apache License 2.0

ADFS with spring saml #38

Closed bishnu-zwayam closed 6 years ago

bishnu-zwayam commented 6 years ago

Hi vdenotaris, first of all THANK YOU VERY MUCH, your SAML implementation helped me a lot.

I want to use ADFS as my IdP. I got the IdP metadata. Now how do I use it the way you did for SSOCircle?

Any help would be appreciated.

vdenotaris commented 6 years ago

Hi,

The solution has been personally tested with AD FS and it works fine.

You just need to define your own ExtendedMetadataDelegate bean implementation in the same way I did with SSOCircle:

@Bean
@Qualifier("contoso-idp")
public ExtendedMetadataDelegate contosoADFSExtendedMetadataProvider() throws MetadataProviderException {
    // standard AD FS federation metadata endpoint (replace the host with your own)
    String idpMetadataURL = "https://ADFS.Contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";
    // backgroundTaskTimer, httpClient(), parserPool() and extendedMetadata() are the
    // same members/beans of the configuration class that the SSOCircle provider uses
    HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(), idpMetadataURL);
    httpMetadataProvider.setParserPool(parserPool());
    ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, extendedMetadata());

    // setup your extendedMetadataDelegate options.

    backgroundTaskTimer.purge();
    return extendedMetadataDelegate;
}

And then add it as metadata provider:

@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    providers.add(contosoADFSExtendedMetadataProvider());
    return new CachingMetadataManager(providers);
}

Do not forget to add server certificates inside your keystore.

Note: This solution is meant to be used just as starting reference in implementing a SAML 2.0 Service Provider in Spring Boot. No public support will be provided for custom configurations.

Cheers, V.
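The "add server certificates inside your keystore" step, as an added example that is not part of the SBS3 project or of this reply: a Python helper (names assumed, metadata constructed) that picks the IdP's signing certificate out of FederationMetadata.xml, computes its SHA-256 fingerprint so it can be checked against what the AD FS console shows, and assembles the keytool command that imports it into samlKeystore.jks.

```python
# Added example, not SBS3 code: extract the IdP signing cert from FederationMetadata.xml for keytool import.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; the certificate bodies are NOT real DER.
SIGN_B64 = base64.b64encode(b"constructed signing cert").decode()
ENC_B64 = base64.b64encode(b"constructed encryption cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://idp.example">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{ENC_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>
        {SIGN_B64}
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def signing_certs(metadata_xml: str) -> list:
    """Base64 DER certs the IdP may sign with. Only the SAML 2.0 IDPSSODescriptor
    is read (AD FS metadata also carries WS-Federation RoleDescriptors); a
    KeyDescriptor with no 'use' attribute may sign, so it is kept."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))  # drop line wrapping
    return certs

def fingerprint(b64_der: str) -> str:
    """Colon-separated SHA-256 of the DER bytes; compare it with the thumbprint
    shown in the AD FS console before trusting a downloaded metadata file."""
    digest = hashlib.sha256(base64.b64decode(b64_der)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def to_pem(b64_der: str) -> str:
    body = "\n".join(b64_der[i:i + 64] for i in range(0, len(b64_der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def keytool_import_cmd(pem_file, alias, keystore="samlKeystore.jks", storepass="nalle123"):
    """keytool argv that adds the IdP cert as a trusted entry; the store password
    is the sample's own ("nalle123") and must be changed in a real deployment."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", pem_file,
            "-keystore", keystore, "-storepass", storepass]
```

Write the PEM from `to_pem()` to a file, check `fingerprint()` against the thumbprint the IdP administrator gives you, then run the returned keytool command; the alias you choose is what the SP later uses to refer to the IdP certificate.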

bishnu-zwayam commented 6 years ago

Hi vdenotaris, Thank you.

I did not get "Do not forget to add server certificates inside your keystore". Is a server certificate the same kind of thing as an SSL certificate? And if it is, how do I add it?

Is @Qualifier("contoso-idp") necessary, and what is this name based on? I can see that the name is kind of picked from the idpMetadataURL.

vdenotaris commented 6 years ago

A digital certificate is needed in order to define a trust relationship between an Identity Provider and a Service Provider in a SAML-based AuthN scenario. For more info, please refer to the protocol specifications.

A bean qualifier can be arbitrarily defined in Spring.

There may be a situation when you create more than one bean of the same type and want to wire only one of them with a property. In such cases, you can use the @Qualifier annotation along with @Autowired to remove the confusion by specifying which exact bean will be wired.

bishnu-zwayam commented 6 years ago

Hi vdenotaris,

I am confused about this samlkeystore.jks. For the SSOCircle IdP you used a samlkeystore.jks and update-certificate.sh; how did you get that, or is it automatically generated? Is the metadata.xml exchange not enough to build trust between SP and IdP?

Now for the ADFS IdP I got the metadata.xml; I thought that would be enough for the trust and that I would use HTTPS. But I am now confused about samlkeystore.jks and update-certificate.sh and where to get them.

How did you implement this:

public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    // the JKS keystore shipped with the sample, holding the SP's own key pair
    Resource storeFile = loader.getResource("classpath:/saml/samlKeystore.jks");
    String storePass = "nalle123";
    // alias -> key password for each private key kept in the store
    Map<String, String> passwords = new HashMap<String, String>();
    passwords.put("apollo", "nalle123");
    String defaultKey = "apollo";
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

Please help.

I am aware of why we use @Qualifier. But I was asking about the name that we put inside @Qualifier(name). What is this name based on, or can it be anything? I know it will be based on the IdP, but how do I set that?