
I want to deal with Spring Security SAML. For this, I started to explore Spring Security SAML. At the beginning, I created an account at SSOCircle. Then I configured the IDP metadata and the generation of SP metadata (4.2.2 and 4.2.3). For entityId I set:

 <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="http://idp.ssocircle.com"/>
        </bean>
    </constructor-arg>
 </bean>

When I start the application, I get:

Error occurred:
Reason: Unable to do Single Sign On or Federation.

or

Error occurred:
Reason: Unable to get AuthnRequest.

How to configure Spring Security SAML?

somebody
  • Hi, I don't know about you, but one thing to clarify with you is about SAML integration with Spring Security. Have you done SAML integration? Because I have been stuck on that for 5 days. I have two web portals and I want to integrate them with SAML, i.e. single sign-on. I am using Spring MVC. I want to get SAML with Spring Security. Can you please tell me about that? Thanks in advance –  Feb 12 '15 at 05:40
  • @Mehbub, unfortunately, I don't have good news. I haven't understood Spring Security SAML either. – somebody Feb 12 '15 at 07:32
  • Oops :( If you get any info, please let me know –  Feb 12 '15 at 08:41

2 Answers


Follow the steps in the QuickStart chapter. Some differences to note:

  1. Sign up at http://www.ssocircle.com/. You need to verify your email address.
  2. The metadataGeneratorFilter section of sample/src/main/webapp/WEB-INF/securityContext.xml should look like this (Note: the signMetadata property is commented out):

    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <!-- must be unique within SSO Circle; do not reuse the IdP's entityID -->
                <property name="entityId" value="urn:test:YourName:YourCity"/>
                <!--<property name="signMetadata" value="false"/>-->
            </bean>
        </constructor-arg>
    </bean>


  3. Build and start the web server locally. Then download the metadata at http://localhost:8080/spring-security-saml2-sample/saml/metadata. Copy the contents to your clipboard.
  4. Update the metadata of your new profile at https://idp.ssocircle.com/sso/hos/ManageSPMetadata.jsp.
  5. Enter the FQDN of the service as "urn:test:YourName:YourCity". You need to enter unique values for Your Name and Your City. Paste in the metadata from above.
  6. To test:
    1. Log out of the SSO Circle service.
    2. Go to http://localhost:8080/spring-security-saml2-sample
    3. You should be redirected to the SSO Circle login.
    4. Log in with your SSO Circle credentials.
    5. You should be redirected to your local service provider page and authenticated.
RonanOD

The metadata generator filter generates metadata for your application (service provider). The entity id you're providing (http://idp.ssocircle.com) is already used by SSO Circle; you should create a unique value which describes your application, e.g. urn:test:helsinki:myapp

Just like the manual says:

make sure to replace the entityId value with a string which is unique within the SSO Circle service (e.g. urn:test:yourname:yourcity)

Vladimír Schäfer
  • Ok. I changed `entityId` to, for example, `urn:test:helsinki:myapp`. But now, when I start the application, I get the error `Reason: The SAML Request is invalid.`. Maybe I should paste this `entityId` into some field at http://www.ssocircle.com/en/ ? – somebody Feb 10 '15 at 06:23
  • Have you exported the metadata of your application to SSO Circle after performing the entityID change? Please do follow the instructions in the manual step by step. – Vladimír Schäfer Feb 10 '15 at 07:46
  • I followed these steps: 1. change the `metadata` bean 2. change `metadataGeneratorFilter` and set `entityId` to `urn:test:helsinki:myapp` 3. start the application. But every time I get the error `Reason: The SAML Request is invalid.`. For this reason I cannot get the metadata. – somebody Feb 10 '15 at 08:48
  • So you get the error during deployment? Or when you open the application URL? Or when you click the login link? Please attach your Spring configuration XML. – Vladimír Schäfer Feb 10 '15 at 08:50
  • @VladimírSchäfer, I've read the docs about the changes to the metadata and metadataGeneratorFilter beans; however, I was able to build the saml-spring sample, deploy it to Tomcat 8, and it worked right out of the box with no config changes on my part. I did, of course, create an account on ssocircle.com, but other than that it worked. Did the sample app change to allow this, and are the docs still in sync with the current version of the sample app? Thanks – Jim Kennedy Nov 02 '16 at 19:55
  • @VladimírSchäfer would you help me on this [issue](https://stackoverflow.com/questions/45075566/unable-to-generate-saml-metadata-file) – Med Jul 14 '17 at 08:14
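Both answers come down to the same point: the metadata your SP publishes (step 3 of the first answer) must carry an entityID that is unique within SSO Circle and is not the IdP's own `http://idp.ssocircle.com`. The following is an added example, not code from the question, the answers or the Spring Security SAML project: a small Python pre-flight check you can run on the metadata downloaded from `/saml/metadata` before pasting it into SSO Circle's "Manage SP Metadata" page. The `SAMPLE_SP_METADATA` document is constructed here in the shape a SAML 2.0 `md:EntityDescriptor` for a service provider takes; the function names `entity_id_of` and `check_sp_metadata` are this example's own.

```python
# Added example: pre-flight check for Spring Security SAML SP metadata before
# registering it with SSO Circle. Not part of the original question or answers.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The IdP's own identifier (from the question). An SP must never reuse it.
IDP_ENTITY_ID = "http://idp.ssocircle.com"

# Constructed sample SP metadata in the shape of a SAML 2.0 EntityDescriptor
# (entityID and ACS Location taken from the answers above).
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:test:YourName:YourCity">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/spring-security-saml2-sample/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def entity_id_of(xml_text):
    """Return the entityID attribute of the root md:EntityDescriptor ('' if absent)."""
    root = ET.fromstring(xml_text)
    return root.get("entityID", "").strip()


def check_sp_metadata(xml_text, idp_entity_id=IDP_ENTITY_ID):
    """Return a list of problems; an empty list means the metadata is fit to upload."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]

    entity_id = root.get("entityID", "").strip()
    if not entity_id:
        problems.append("entityID attribute is missing or empty")
    elif entity_id == idp_entity_id:
        # This is exactly the misconfiguration in the question.
        problems.append(
            "entityID %r is the IdP's own identifier; use a unique SP value "
            "such as urn:test:yourname:yourcity" % entity_id
        )

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("no md:SPSSODescriptor; this is not service-provider metadata")
    else:
        acs = sp.findall("md:AssertionConsumerService", NS)
        if not acs:
            problems.append("no AssertionConsumerService; the IdP has nowhere to post the response")
        for ep in acs:
            loc = ep.get("Location", "")
            if not loc.startswith(("http://", "https://")):
                problems.append("AssertionConsumerService Location %r is not an absolute URL" % loc)

    return problems


def is_signed(xml_text):
    """True if the metadata carries an enveloped ds:Signature (signMetadata on)."""
    root = ET.fromstring(xml_text)
    return root.find("ds:Signature", NS) is not None


if __name__ == "__main__":
    import sys
    # Usage: python check_sp_metadata.py metadata.xml  (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    print("entityID:", entity_id_of(text), "| signed:", is_signed(text))
    for p in check_sp_metadata(text):
        print("PROBLEM:", p)
```

The `is_signed` helper only reports whether the generator signed the document, so you can see the effect of the commented-out `signMetadata` property; whether SSO Circle accepts signed metadata is something to verify on their side, not something this check decides.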