4

I've successfully implemented SSO authentication using the Spring-SAML extension. The primary requirement for us is to support IDP-initiated SSO to our application. Well, by using the configuration from spring-security-saml2-sample, even the SP-initiated SSO flow works for us.

Question: Is the keystore used in IDP-initiated SSO (if the metadata has a certificate)? If it is not used, I would like to get rid of the keystore configuration from securityContext.xml.

Note: SP-initiated SSO and global logout are not needed for us. We use Okta as the IDP.

Ritesh

kotacc

1 Answer

5

This is a good feature request. I've opened https://jira.spring.io/browse/SES-160 for you and support is available in Spring SAML's trunk with the following documentation:

In case your application doesn't need to create digital signatures and/or decrypt incoming messages, it is possible to use an empty implementation of the keystore which doesn't require any JKS file - org.springframework.security.saml.key.EmptyKeyManager. This can be the case for example when using only IDP-Initialized single sign-on. Please note that when using the EmptyKeyManager some of Spring SAML's features will be unavailable. This includes at least SP-initialized Single Sign-on, Single Logout, usage of additional keys in ExtendedMetadata and verification of metadata signatures. Use the following bean in order to initialize the EmptyKeyManager:

<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>

Vladimír Schäfer
  • Thanks @Vladimír. Glad you have added it as a feature. I presume this feature is only available in a future release. To go with any previous Spring SAML release, does it sound good to create our own **EmptyKeyManager** just like you did rather than extend **JKSKeyManager**? – kotacc Feb 19 '15 at 16:31
  • Yes, you can backport it to previous versions by simply including the EmptyKeyManager class. In case you use MetadataController from the sample module, you will also need to change its dependency from JKSKeyManager to KeyManager. – Vladimír Schäfer Feb 20 '15 at 07:22
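For the backport discussed in the comments above, here is an added example (not Spring SAML's own source) of a minimal EmptyKeyManager that implements the KeyManager interface directly. It assumes the KeyManager and OpenSAML 2 CredentialResolver method signatures of Spring SAML 1.0.x and a hypothetical package name com.example.saml.

```java
package com.example.saml; // hypothetical package, not the project's own

import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.springframework.security.saml.key.KeyManager;

// Backport of the EmptyKeyManager idea for releases that predate SES-160:
// satisfies the KeyManager contract but never yields a key or certificate,
// so no JKS file is needed. Every feature that needs a local key (signed
// AuthnRequest for SP-initiated SSO, Single Logout, assertion decryption,
// metadata signature verification) is unavailable and must stay off.
public class EmptyKeyManager implements KeyManager {
    // Lookup by alias: there is no keystore, so nothing is ever found.
    public Credential getCredential(String keyName) {
        return null;
    }

    // Default signing/decryption key: none, so outgoing messages cannot be signed.
    public Credential getDefaultCredential() {
        return null;
    }

    public String getDefaultCredentialName() {
        return null;
    }

    // No aliases to enumerate.
    public Set<String> getAvailableCredentials() {
        return Collections.emptySet();
    }

    // No certificates to act as trust anchors, e.g. for metadata signatures.
    public X509Certificate getCertificate(String alias) {
        return null;
    }

    // OpenSAML CredentialResolver methods inherited through KeyManager.
    public Iterable<Credential> resolve(CriteriaSet criteria) throws SecurityException {
        return Collections.emptyList();
    }

    public Credential resolveSingle(CriteriaSet criteria) throws SecurityException {
        return null;
    }
}
```

Register it under the same `keyManager` bean id as in the answer, with `class` pointing at this backported type, and keep metadata trust checking and any signing-dependent features disabled since no certificate exists to verify against.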