pateluday07 / saml-sso-and-slo-demo-idp-azure-sp-springboot

This project demonstrates how to implement Single Sign-On (SSO) and Single Logout (SLO) using these resources: 1. Azure AD (Active Directory) as the IDP, 2. Spring Boot as the SP, and 3. SAML (Security Assertion Markup Language) as the SSO and SLO method.


saml-sso-and-slo-demo-idp-azure-sp-springboot's Introduction

saml-sso-and-slo-demo-idp-azure-sp-springboot

This project demonstrates Spring Boot SAML integration with Azure as the IDP: the Spring Boot application acts as the SP (Service Provider) and Azure AD acts as the IDP (Identity Provider).

Requirements To Run Applications

  • JDK 8 or later
  • IDE (Optional)

Dependencies And Tools Used To Build Applications

  • Git
  • JDK 8 or later
  • Maven
  • Spring Web
  • Spring Security
  • Spring SAML 2
  • Spring Test
  • Log4j2
  • Thymeleaf
  • IDE

Prerequisites

Before you start the application you must fulfill the following prerequisites.

  • Go to the Azure portal and create an account if you don't have one; here is the link: Azure Portal

  • Create a new tenant in Azure Active Directory, or use an existing one; here is the link that will help you create a new tenant: Create a tenant

  • Create a non-gallery enterprise application; here is the link that will help you create one: Create an application

  • If the enterprise application is created successfully you will see a screen like this: Application Preview

  • Now click the second option, Set up single sign-on (you can see this option in the above image), and then select SAML as the single sign-on method.

  • You will now get a configuration page like this one. Stay on this page, because the next configuration steps are done here: SAML Configuration Page

Configuration

Azure IDP Configuration
  • Go back to the configuration page and set the Identifier (Entity ID) to a value such as com:uday:spring:sp (replace the name "uday" with yours).

  • Now set the Reply URL (Assertion Consumer Service URL). The Azure IDP uses this URL to call the Service Provider, which in our case is this application, so set it like this: https://[your domain]/saml/SSO.

  • Now scroll down the configuration page to the SAML Signing Certificate section (shown in the image below). From this section, copy the App Federation Metadata Url and save it somewhere; we will use this URL later in our Spring Boot service. Also download the Certificate (Base64) and save it somewhere; we will use this certificate in our service too. SAML Based Sign On Section

  • Now add users or a group to this application; here is the link that will guide you: Add Users or Group. That completes the Azure IDP configuration.

Spring Boot Service Provider (SP) Configuration
  • Now open the project in the IDE and go to the application.yml file to do some mandatory configuration. The file is located at /saml-sso-and-slo-demo-idp-azure-sp-springboot/src/main/resources/application.yml.

  • Now set the following properties to the values you have just configured in the Azure IDP.

    service.provider.entity.id: value of [Identifier (Entity ID)]
    
    idp.metedata.url: URL of [App Federation Metadata Url]
    

    And we are done with application.yml file configuration.

  • If you remember, we downloaded the Certificate (Base64) from the Azure IDP. Rename this certificate to signature.cer and move it to /saml-sso-and-slo-demo-idp-azure-sp-springboot/src/main/resources/saml/signature.cer

    Note: first delete all the files available in this location

    Now open the terminal in the same location and execute the following command.

    keytool -importcert -alias adfssigning -keystore samlKeystore.jks -file signature.cer
    

    When the command asks for a password, use nalle123. When it asks Trust this certificate? [no]: type y, and your .jks file will be created.

    Now execute one more command in the same location. Here is the command.

    keytool -genkeypair -alias apollo -keypass nalle123 -keyalg RSA -keysize 2048 -validity 10000 -keystore samlKeystore.jks
    

    When the command asks for the keystore password, use nalle123 again. It will also ask you a series of questions; just hit enter for each and you will be fine. When it asks Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: type y.
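The two keytool steps above, as an added shell example that is not part of the project: it runs the same import and key-pair generation non-interactively (same aliases, the README's default password) and then checks that the trusted entry adfssigning really is the certificate downloaded from Azure. It assumes keytool is on the PATH; the function and variable names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the project. Performs the README's two keytool
# steps non-interactively (same aliases and default password) and then checks
# that the trusted entry "adfssigning" really is the certificate downloaded
# from Azure. A stale or wrong certificate here is what later surfaces as
# "Signature trust establishment failed for metadata entry".
set -eu

# Print the SHA-256 fingerprint of a PEM/DER certificate file.
cert_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p'
}

# Print the SHA-256 fingerprint of the certificate stored under an alias.
keystore_fingerprint() {        # args: keystore password alias
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
        | sed -n 's/.*SHA256: *//p'
}

# Build <dir>/samlKeystore.jks from <dir>/signature.cer, as in the README.
build_saml_keystore() {         # args: dir [password]
    dir=$1; pass=${2:-nalle123}
    ks="$dir/samlKeystore.jks"; cer="$dir/signature.cer"
    [ -f "$cer" ] || { echo "missing $cer" >&2; return 1; }
    rm -f "$ks"                 # README: start with an empty saml/ directory

    # Step 1: import the IdP signing certificate as a trusted entry.
    keytool -importcert -noprompt -alias adfssigning -keystore "$ks" \
        -storepass "$pass" -file "$cer" >/dev/null
    # Step 2: generate the SP's own RSA key pair (signs the SP's messages).
    keytool -genkeypair -alias apollo -keypass "$pass" -keyalg RSA -keysize 2048 \
        -validity 10000 -keystore "$ks" -storepass "$pass" \
        -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
        >/dev/null
}

# Succeed only if the keystore's "adfssigning" entry matches the given cert
# file. Run this again after Azure rotates its signing certificate: a mismatch
# means the SP still trusts the old certificate and metadata validation fails.
idp_cert_matches_keystore() {   # args: keystore password certfile
    want=$(cert_fingerprint "$3")
    have=$(keystore_fingerprint "$1" "$2" adfssigning)
    [ -n "$want" ] && [ "$want" = "$have" ]
}
```

Keep the checked-in keystore out of version control with real credentials; the README's nalle123 is a demo password only.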

That completes all the configuration, and the application is ready to run. Enjoy!!

To run this project, go to /saml-sso-and-slo-demo-idp-azure-sp-springboot/src/main/java/com/spring/boot/security/saml/Application.java and run the Application class.

You have already added users to the IDP's application, so you can use those users to log in to this service.

And we are done here, Thank You.


saml-sso-and-slo-demo-idp-azure-sp-springboot's Issues

SSO time out issue saml/sso

Hi Uday,
Thank you for sharing the knowledge and sharing the code. I followed the instructions and am able to run your code properly. But after 2 hours of inactivity the request redirects to "http://localhost:8080/saml/SSO" and on the backend I am getting this error:

authentication.CredentialsExpiredException: Authentication statement is too old to be used with value

I had tried some other sample codes as well but facing the same issue every time.

Can you please guide me on how to fix this problem? All I want is to re-log in the user after the session times out. I will really appreciate any help I can get. Thank you in advance.

Tests fail

From a clean copy of the repo, I enter some dummy values in application.yaml, then run:

mvn clean package

There are numerous test failures with IllegalArgumentException, such as:

Could not resolve placeholder 'service.provider.entity.id' in value "${service.provider.entity.id}"

I tried the following fixes:

  1. copying src/main/resources to src/test/resources

  2. adding the following clause in pom.xml


    ${project.basedir}/src/test/resources
    true


    ${project.basedir}/src/main/resources
    true

but neither approach worked. Can you help?

AADSTS50011: The reply URL is not valid

Hey,

Where do I configure the reply URL in the application? As of now, we have configured the Reply URL as AD side and it works for localhost:8080 only.

The moment we deploy the app on the server and change the reply URL to https://servername/appname I keep getting the below error


In my application.properties this is all that I have specified

#SSO
service.provider.entity.id=AppName
idp.metedata.url=https://login.microsoftonline.com//federationmetadata/2007-06/federationmetadata.xml?appid=d0f386-7e70-49c1-b4f7-XXXXXXXX
saml.keystore.password= password
saml.private.key.alias= alias
saml.private.key.password: password
saml.keystore.file=classpath:/saml/dev/samlKeystore.jks

Spring boot version is 2.5.5

Thanks

Current authentication instance from security context is null

Hi, after I login successfully with SSO the application doesn't go forward to the landing page, but it loops on the discovery page because this instruction
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
returns always null.
Could you give me some ideas about what could be the cause of this behaviour ?
TIA
D.

Signature trust establishment failed for metadata entry

Hi Uday,
Thank you for sharing the knowledge and sharing the code. I followed the instructions and I am getting the below error:
2021-07-21 15:32:45.494 ERROR 17584 --- [ main] o.o.s.m.p.SignatureValidationFilter : Signature trust establishment failed for metadata entry https://sts.windows.net/##################/
2021-07-21 15:32:45.495 ERROR 17584 --- [ main] .s.m.p.AbstractReloadingMetadataProvider : Error filtering metadata from https://login.microsoftonline.com/#########c9a/federationmetadata/2007-06/federationmetadata.xml?appid=#####################

org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
at org.opensaml.saml2.metadata.provider.SignatureValidationFilter.verifySignature(SignatureValidationFilter.java:327) ~[opensaml-2.6.6.jar:?]

I have given the correct
service.provider.entity.id:

idp.metedata.url:

in the application YAML file

Azure AD iDP for external applications

I have this question for you:

Is it possible to use Azure AD as iDP for external application coming from the Gallery or even configured manually when you use AD Connect with ADFS On-Premises?

To make it clear, we do not use Password Hashes or passthrough with SSO but Federated services with our AD Connect On-Premises (no user data stored in the cloud).

Thanks in advance,

Kind Regards,
