
I need to declare 2 IDPs in spring-security-saml having the same entity id.

My webapp uses spring-security-saml. This webapp is accessible by 2 different URLs behind a reverse proxy. The first URL is public, the second URL is filtered. So, I declared 2 SPs (one for each URL). Everything was working properly with a single IDP (ADFS or Gsuite).

I also run the application properly with 2 SPs and 2 IDPs with an affinity SP1/IDP1 and SP2/IDP2 when IDP1 and IDP2 had a different entity ID.

Unfortunately by wanting to use Azure Active Directory, each SAML application in Azure results in its own IDP metadata with its own certificate, but with the same entity id.

So I need to declare 2 IDPs in spring-security-saml having the same entity id. Reading the code shows that it is not intended to work like this (the entity id is used as key).

Do you have an idea to work around this problem? Should Azure provide a unique entity id?

  • It looks like this is a duplicate question per the post here: https://stackoverflow.com/questions/26010813/spring-saml-extension-for-multiple-idps Does this SO post have anything that doesn't answer your question in regards to utilizing multiple IDPs with spring-security-saml? – Frank H Jul 02 '19 at 00:26

2 Answers

0

I know it is too old, but I just found it. You cannot use the same Entity ID per tenant for 2 different apps, so it makes sense that the apps have a different certificate even if they have the same Entity ID, because both apps are in different tenants.

0

How it worked for me!! As Spring SAML works only for unique IDP entityIds, to make it unique for 2 different IDPs having the same entity ID, I prefixed one of them with the alias, as I know what that alias is for. So now I have to hack the entityID at certain places: initialization, validation during metadata loading AND in SAML response verification.

For metadata loading (the one that has the prefixed entity ID) to be successful, especially with signed metadata, I created a new child class MySAMLSignatureProfileValidator that overrides SAMLSignatureProfileValidator.validateReferenceURI. To use this I need to create another custom class SamlSignatureValidationFilter that extends MYSamlSignatureValidationFilter and initialise MySAMLSignatureProfileValidator in its constructor. Use this SamlSignatureValidationFilter when we add metadata to the metadata manager like this: metadataProvider.setMetadataFilter(new MYSamlSignatureValidationFilter(metadata.getTrustEngine(metadataProvider)));

And now add another custom class MYSAMLCachingMetadataManager to override initializeProviderFilters and remove the logic to setMetadataFilter, as it's already set in the code above.

Use MYSAMLCachingMetadataManager in your config for MetadataManager. This should take care of saml metadata loading.

Then, coming to the SAML Response that has the issuer as the original entityId, we need to add the prefixed alias to the context here so that it verifies against our prefixed_entityId stored in the metadata manager entity list. In this case I added MySamlHttpPostDecoder, which overrides HttpPostDecoder.extractResponseInfo to add the alias to messageIssuer, and MySamlWebSSOProfileConsumerImpl to override WebSSOProfileConsumerImpl.verifyIssuer to set issuer.getValue with the alias, so the later verification with the stored entityId will match. Use this MySamlWebSSOProfileConsumerImpl and MySamlHttpPostDecoder in your config. To use MySamlHttpPostDecoder I need to add a new class MySamlHTTPPostBinding(ParserPool parserPool, VelocityEngine velocityEngine, MessageDecoder decoder) that extends HTTPPostBinding and pass MySamlHttpPostDecoder for decoder.

Hope it works for you too!!!

Priya
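The response-side half of the approach in the answer above, written out as an added Java example (this is not Priya's code and not part of spring-security-saml). It assumes spring-security-saml 1.0.x on OpenSAML 2.x; the class names IdpAliasing, AliasingHttpPostDecoder, AliasingWebSSOProfileConsumer and AliasingHttpPostBinding, and the alias "sp2" with prefix "sp2:", are made up for illustration. The metadata-loading classes the answer describes (the signature profile validator, filter and metadata manager subclasses) are not reproduced here. The one design point worth keeping is visible in IdpAliasing: the issuer is only rewritten for requests that arrived through the SP alias paired with the prefixed IdP, and the stock equality check in the superclass still runs afterwards, so an unexpected issuer is still rejected.

```java
// Added example, not code from the answer. Assumes spring-security-saml 1.0.x on OpenSAML 2.x.
// Wiring (constructed values): IdpAliasing aliasing = new IdpAliasing("sp2", "sp2:");
// new AliasingHttpPostBinding(parserPool, velocityEngine, new AliasingHttpPostDecoder(parserPool, aliasing));
// and register SP2's IdP metadata under the entity ID "sp2:" + <original IdP entity ID>.
package example.saml; // assumed package

import org.apache.velocity.app.VelocityEngine;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.ws.message.decoder.MessageDecoder;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

/**
 * Decides whether an inbound issuer must be mapped to the prefixed entity ID under which the
 * second IdP's metadata was registered. Only requests that came in through the local SP alias
 * paired with that IdP are rewritten; every other request keeps the original issuer.
 */
final class IdpAliasing {
    private final String localSpAlias; // alias of SP2 (constructed value, e.g. "sp2")
    private final String prefix;       // prefix used when registering SP2's IdP metadata (e.g. "sp2:")

    IdpAliasing(String localSpAlias, String prefix) {
        this.localSpAlias = localSpAlias;
        this.prefix = prefix;
    }

    String toStoredEntityId(SAMLMessageContext context, String issuer) {
        boolean viaAliasedSp = context.getLocalExtendedMetadata() != null
                && localSpAlias.equals(context.getLocalExtendedMetadata().getAlias());
        if (viaAliasedSp && issuer != null && !issuer.startsWith(prefix)) {
            return prefix + issuer;
        }
        return issuer;
    }
}

/** Prefixes the inbound message issuer so the peer-entity lookup finds the prefixed metadata entry. */
class AliasingHttpPostDecoder extends HTTPPostDecoder {
    private final IdpAliasing aliasing;

    AliasingHttpPostDecoder(ParserPool pool, IdpAliasing aliasing) {
        super(pool);
        this.aliasing = aliasing;
    }

    @Override
    protected void extractResponseInfo(org.opensaml.common.binding.SAMLMessageContext messageContext)
            throws MessageDecodingException {
        super.extractResponseInfo(messageContext); // sets the issuer taken from the Response
        if (messageContext instanceof SAMLMessageContext) {
            SAMLMessageContext ctx = (SAMLMessageContext) messageContext;
            ctx.setInboundMessageIssuer(aliasing.toStoredEntityId(ctx, ctx.getInboundMessageIssuer()));
        }
    }
}

/** Rewrites the Issuer value before the stock check against the stored (prefixed) entity ID. */
class AliasingWebSSOProfileConsumer extends WebSSOProfileConsumerImpl {
    private final IdpAliasing aliasing;

    AliasingWebSSOProfileConsumer(IdpAliasing aliasing) {
        this.aliasing = aliasing;
    }

    @Override
    protected void verifyIssuer(Issuer issuer, SAMLMessageContext context) throws SAMLException {
        issuer.setValue(aliasing.toStoredEntityId(context, issuer.getValue()));
        // The superclass still enforces the Format check and exact equality with
        // context.getPeerEntityMetadata().getEntityID(), so an unrelated issuer is still rejected.
        super.verifyIssuer(issuer, context);
    }
}

/** Uses the same encoder and template as Spring SAML's own two-argument HTTPPostBinding constructor. */
class AliasingHttpPostBinding extends HTTPPostBinding {
    AliasingHttpPostBinding(ParserPool parserPool, VelocityEngine velocityEngine, MessageDecoder decoder) {
        super(parserPool, decoder, new HTTPPostEncoder(velocityEngine, "/templates/saml2-post-binding.vm"));
    }
}
```

Register AliasingHttpPostBinding in the SAMLProcessor binding list in place of the stock HTTPPostBinding and use AliasingWebSSOProfileConsumer as the webSSOprofileConsumer bean; the rewrite then happens once at decode time (so peer metadata resolves to the prefixed entry) and once more inside verifyIssuer for the Response and each Assertion, which is the same two places the answer patches.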