
I implemented the Spring Boot Security SAML example using https://github.com/oktadeveloper/okta-spring-boot-saml-example

It's working with Okta IdP.

But I want to send the SAML Request without a service provider certificate to my own IdP.

Could you please help me disable the service provider certificate?

Please find the configure code below:

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/saml*").permitAll()
                .anyRequest().authenticated()
                .and().apply(saml())
                // keystore holding the SP private key; this key is what signs the AuthnRequest
                .serviceProvider().keyStore().storeFilePath(this.keyStoreFilePath)
                .password(this.password).keyname(this.keyAlias).keyPassword(this.password)
                .and().protocol("https")
                .hostname(String.format("%s:%s", "localhost", this.port)).basePath("/")
                .and().identityProvider().metadataFilePath(this.metadataUrl);
    }

Please find a sample SAMLRequest attached below:

[image: sample SAMLRequest]

Dama Ramesh

1 Answer

But, I want to send SAML Request without service provider certificate to my own IdP.

The certificate is only sent when the HTTP POST binding is used and the SAML AuthnRequest needs to be digitally signed.

Check the IdP metadata file and remove the attribute WantAuthnRequestsSigned="true" from the IDPSSODescriptor.

Bernhard Thalmayr
  • No luck @Bernhard Thalmayr, I removed WantAuthnRequestsSigned="true" from the IdP metadata file and I tried with WantAuthnRequestsSigned="false". But I'm getting the SAML AuthnRequest with the signing certificate only. – Dama Ramesh Oct 09 '19 at 03:48
  • I'm expecting some change to disable the SP certificate in the code below: `protected void configure(final HttpSecurity http) { http.authorizeRequests().antMatchers("/saml*").permitAll().anyRequest().authenticated().and().apply(saml()) .serviceProvider().keyStore().storeFilePath(this.keyStoreFilePath).password(this.password) .keyname(this.keyAlias).keyPassword(this.password).and().protocol("https") .hostname(String.format("%s:%s", "localhost", this.port)).basePath("/").and().identityProvider() .metadataFilePath(this.metadataUrl); }` – Dama Ramesh Oct 09 '19 at 03:53
  • Actually there is no code change needed; however, if you remove the keying-related calls, the SP won't be able to use a private key and hence cannot sign the SAML AuthnRequest. If you have SAML SP metadata, then also check that the SPSSODescriptor does not have `AuthnRequestsSigned="true"` set. – Bernhard Thalmayr Oct 09 '19 at 06:18
  • I don't have any SP metadata, please check my attached SAMLRequest image, I'm expecting it without a signature. Is there any flag to disable it while generating the SAMLRequest? – Dama Ramesh Oct 09 '19 at 11:49
  • The image shows a decoded SAML AuthnRequest which is not digitally signed. Potentially you are using the HTTP REDIRECT Binding; then the digital signature is provided via the http request parameter `Signature` and the signature algorithm as the http request parameter `SigAlg` (as per the SAML specification). – Bernhard Thalmayr Oct 09 '19 at 19:26
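To make the answer and the follow-up comment concrete, here is an added Python example (not code from the question, the answer, or the okta-spring-boot-saml-example project) that reads the WantAuthnRequestsSigned flag from IdP metadata and tells apart an unsigned POST-binding AuthnRequest, a POST-binding one carrying an enveloped ds:Signature, and a Redirect-binding URL carrying the Signature/SigAlg parameters. The metadata, requests and URL below are constructed samples, not from any real IdP.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata (not a real IdP). The answer points at exactly this
# attribute: WantAuthnRequestsSigned="true" means the IdP demands signed requests.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed AuthnRequests. Under the HTTP-POST binding a signed request carries
# an enveloped ds:Signature (a stand-in element here, not a real signature value).
UNSIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2019-10-09T03:48:00Z"/>"""
SIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_req2" Version="2.0"
    IssueInstant="2019-10-09T03:48:00Z"><ds:Signature>PLACEHOLDER</ds:Signature>
</samlp:AuthnRequest>"""
# Under the HTTP-Redirect binding the XML stays unsigned; the signature rides in
# the Signature and SigAlg query parameters (placeholder values, constructed).
REDIRECT_URL = ("https://idp.example.test/sso?SAMLRequest=ZmFrZQ%3D%3D"
                "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
                "&Signature=UExBQ0VIT0xERVI%3D")

def idp_wants_signed_requests(metadata_xml: str) -> bool:
    """True when IDPSSODescriptor has WantAuthnRequestsSigned="true" (spec default: false)."""
    desc = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return desc.get("WantAuthnRequestsSigned", "false").lower() == "true"

def post_binding_signed(authn_request_xml: str) -> bool:
    """HTTP-POST binding: the signature is an enveloped ds:Signature child element."""
    return ET.fromstring(authn_request_xml).find("ds:Signature", NS) is not None

def redirect_binding_signed(location: str) -> bool:
    """HTTP-Redirect binding: signature and algorithm travel as query parameters."""
    params = parse_qs(urlsplit(location).query)
    return "Signature" in params and "SigAlg" in params

def policy_check(metadata_xml: str, request_signed: bool) -> str:
    """Compare what the IdP metadata demands with what the SP actually sent."""
    if idp_wants_signed_requests(metadata_xml) and not request_signed:
        return "mismatch: IdP wants signed AuthnRequests but this one is unsigned"
    return "ok"
```

Run `policy_check(IDP_METADATA, post_binding_signed(UNSIGNED_REQUEST))` to see the mismatch the answer describes; dropping the WantAuthnRequestsSigned attribute from the metadata turns it into "ok".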