Closed bishnu-zwayam closed 6 years ago
Hi,
The solution has been personally tested with AD FS and it works fine.
You just need to define your own ExtendedMetadataDelegate
bean implementation in the same way I did with SSOCircle:
```java
@Bean
@Qualifier("contoso-idp")
public ExtendedMetadataDelegate contosoADFSExtendedMetadataProvider() throws MetadataProviderException {
    // AD FS publishes its SAML metadata at this well-known path
    String idpMetadataURL = "https://ADFS.Contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";
    // Fetch (and periodically refresh) the IdP metadata over HTTPS
    HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(this.backgroundTaskTimer, httpClient(), idpMetadataURL);
    httpMetadataProvider.setParserPool(parserPool());
    ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, extendedMetadata());
    // setup your extendedMetadataDelegate options.
    backgroundTaskTimer.purge();
    return extendedMetadataDelegate;
}
```
And then add it as metadata provider:
```java
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
    // One provider per IdP; add more here if you federate with several
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    providers.add(contosoADFSExtendedMetadataProvider());
    return new CachingMetadataManager(providers);
}
```
Do not forget to add server certificates inside your keystore.
Note: This solution is meant to be used just as starting reference in implementing a SAML 2.0 Service Provider in Spring Boot. No public support will be provided for custom configurations.
Cheers, V.
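As an added example (not code from the post above or from the sample project), here is what the "extendedMetadataDelegate options" comment can be filled with for an AD FS IdP. AD FS signs FederationMetadata.xml with its token-signing key, so the delegate is told to require that signature and to accept it only if it verifies against a certificate already in the keystore. The host name is the one from the post; the alias `contoso-adfs-signing`, the class name and the refresh delays are assumptions for this example.

```java
// Added example, not code from the original post or the sample project.
// Assumed names: the Contoso host, the alias "contoso-adfs-signing" under which
// the AD FS token-signing certificate was imported into samlKeystore.jks, and
// the refresh delays.
import java.util.Collections;
import java.util.HashSet;
import java.util.Timer;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

@Configuration
public class AdfsMetadataConfig {

    private static final String ADFS_METADATA_URL =
        "https://ADFS.Contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";

    // Keystore alias of the AD FS token-signing certificate (assumed name).
    private static final String ADFS_SIGNING_ALIAS = "contoso-adfs-signing";

    // Daemon timer: a stuck metadata refresh must not keep the JVM alive.
    private final Timer backgroundTaskTimer = new Timer(true);

    @Bean
    public HttpClient httpClient() {
        return new HttpClient(new MultiThreadedHttpConnectionManager());
    }

    @Bean(initMethod = "initialize")
    public StaticBasicParserPool parserPool() {
        return new StaticBasicParserPool();
    }

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata md = new ExtendedMetadata();
        md.setIdpDiscoveryEnabled(false); // single IdP, no discovery page
        md.setSignMetadata(false);
        return md;
    }

    @Bean
    @Qualifier("contoso-idp")
    public ExtendedMetadataDelegate contosoADFSExtendedMetadataProvider() throws MetadataProviderException {
        HTTPMetadataProvider provider =
            new HTTPMetadataProvider(backgroundTaskTimer, httpClient(), ADFS_METADATA_URL);
        provider.setParserPool(parserPool());
        provider.setRequireValidMetadata(true);           // drop entities past validUntil
        provider.setMinRefreshDelay(5 * 60 * 1000L);      // re-fetch no more often than every 5 min ...
        provider.setMaxRefreshDelay(4 * 60 * 60 * 1000L); // ... and at least every 4 h (assumed values)

        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, extendedMetadata());
        // AD FS signs FederationMetadata.xml. Insist on the signature and accept it
        // only if it verifies against the certificate we imported; otherwise
        // whoever can tamper with the download could hand us a different signing key.
        delegate.setMetadataRequireSignature(true);
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataTrustedKeys(new HashSet<String>(Collections.singletonList(ADFS_SIGNING_ALIAS)));

        backgroundTaskTimer.purge();
        return delegate;
    }
}
```

Register the delegate in the CachingMetadataManager exactly as the post above does. Two things follow from the trust check: the alias must point at the AD FS token-signing certificate (not the HTTPS certificate), and when AD FS rolls that certificate the new one has to be imported under the trusted alias, or the metadata will be rejected and logins will stop.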
Hi vdenotaris, Thank you.
I did not get "Do not forget to add server certificates inside your keystore". Is the server certificate a kind of SSL certificate? And if it is, how do I add it?
Is @Qualifier("contoso-idp") necessary, and what is this name based on? I can see that the name is kind of picked from the idpMetadataURL.
A digital certificate is needed in order to define a trust relationship between an Identity Provider and a Service Provider in a SAML-based AuthN scenario. For more info, please refer to the protocol specifications.
A bean qualifier can be arbitrarily defined in Spring.
There may be a situation where you create more than one bean of the same type and want to wire only one of them to a property. In such cases, you can use the @Qualifier annotation along with @Autowired to remove the confusion by specifying which exact bean will be wired.
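The trust relationship mentioned above is concrete: the SP must hold the IdP's signing certificate so it can verify signed responses and (with the trust check on) the signed metadata itself. The metadata file carries that certificate, and the following added example (not from the thread or the sample project) extracts it from an IdP metadata file such as AD FS FederationMetadata.xml and imports it into the JKS keystore as a trusted entry, printing the SHA-256 fingerprint so it can be compared with what the AD FS console shows for the token-signing certificate. The keystore file name and password are the ones from this thread; the class name and alias prefix are assumptions.

```java
// Added example, not part of the original thread or the sample project.
// Assumed: keystore path/password as used in the thread, the alias prefix.
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class IdpSigningCertImporter {

    private static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    private static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Certificates the IdP advertises for signing (use="signing", or no use attribute = both). */
    public static List<X509Certificate> signingCertificates(InputStream metadataXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The file came over the network: no DTDs, no external entities (XXE).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(metadataXml);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        NodeList idps = doc.getElementsByTagNameNS(MD_NS, "IDPSSODescriptor");
        for (int i = 0; i < idps.getLength(); i++) {
            NodeList kds = ((Element) idps.item(i)).getElementsByTagNameNS(MD_NS, "KeyDescriptor");
            for (int j = 0; j < kds.getLength(); j++) {
                Element kd = (Element) kds.item(j);
                String use = kd.getAttribute("use");
                if (use.length() > 0 && !"signing".equals(use)) {
                    continue; // encryption-only key; it does not verify assertions
                }
                NodeList x509 = kd.getElementsByTagNameNS(DS_NS, "X509Certificate");
                for (int k = 0; k < x509.getLength(); k++) {
                    // MIME decoder tolerates the line breaks inside the element
                    byte[] der = Base64.getMimeDecoder().decode(x509.item(k).getTextContent());
                    certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
                }
            }
        }
        return certs;
    }

    /** Stores each certificate as a trusted (non-key) entry; returns the aliases written. */
    public static List<String> importInto(File keystore, char[] storePass, String aliasPrefix,
                                          List<X509Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(keystore);
        try { ks.load(in, storePass); } finally { in.close(); }

        List<String> aliases = new ArrayList<String>();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (int n = 0; n < certs.size(); n++) {
            X509Certificate c = certs.get(n);
            c.checkValidity(); // expired or not-yet-valid: fail loudly instead of trusting it
            String alias = aliasPrefix + (certs.size() > 1 ? "-" + n : "");
            ks.setCertificateEntry(alias, c);
            aliases.add(alias);
            // Compare this fingerprint with the token-signing certificate in the AD FS console.
            System.out.printf("%s  subject=%s  sha256=%s%n",
                alias, c.getSubjectX500Principal(), hex(sha256.digest(c.getEncoded())));
        }
        OutputStream out = new FileOutputStream(keystore);
        try { ks.store(out, storePass); } finally { out.close(); }
        return aliases;
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // java IdpSigningCertImporter FederationMetadata.xml saml/samlKeystore.jks nalle123 contoso-adfs-signing
        InputStream md = new FileInputStream(args[0]);
        try {
            List<X509Certificate> certs = signingCertificates(md);
            if (certs.isEmpty()) {
                throw new IllegalStateException("no IDPSSODescriptor signing certificate in " + args[0]);
            }
            importInto(new File(args[1]), args[2].toCharArray(), args[3], certs);
        } finally { md.close(); }
    }
}
```

This covers the IdP's signing certificate. Because the sample uses the same keystore as its TLS trust store when it fetches metadata over HTTPS, the AD FS host's HTTPS certificate (or its issuing CA) has to be imported as well, for example with `keytool -importcert`; that is the "server certificate" the post above refers to.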
Hi vdenotaris,
I am confused with this samlkeystore.jks. For the SSOCircle IdP you used one samlkeystore.jks and update-certificate.sh; how did you get that, or is it automatically generated? Is the metadata.xml interchange not enough to build trust between SP and IdP?
Now for the ADFS IdP I got the metadata.xml. I thought that was enough for the trust and I will use https. But I am now confused about samlkeystore.jks and update-certificate.sh and where to get them from.
How did you implement this:
```java
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader.getResource("classpath:/saml/samlKeystore.jks");
    String storePass = "nalle123";
    Map<String, String> passwords = new HashMap<String, String>();
    passwords.put("apollo", "nalle123");
    String defaultKey = "apollo";
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
```
Please help.
And I am aware of why we use @Qualifier. But I was asking about the name we put inside @Qualifier(name). What is this name based on, or can it be anything? I know it will be based on the IdP, but how do I set that?
Hi vdenotaris, First of all THANK YOU VERY MUCH your saml implementation helped me a lot.
I want to use ADFS as my IdP. I got the IdP metadata. Now how do I use that like you did for SSOCircle?
Any help would be appreciated.