I am trying to configure multiple IdPs via RelyingPartyRegistrationRepository using Spring Security 5.3. This is my application.yaml config:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          idpokta:
            identityprovider:
              entity-id: http://<url>
              sso-url: https://<url>
              verification:
                credentials:
                  - certificate-location: "classpath:saml/okta.cert"
            # signing sits beside identityprovider, not under it; Spring Boot's
            # Saml2RelyingPartyProperties binds a list of resource locations here,
            # not inline PEM text (the .cert/.key paths below are placeholders)
            signing:
              credentials:
                - certificate-location: "classpath:saml/okta-sp.cert"
                  private-key-location: "classpath:saml/okta-sp.key"
          idponelogin:
            identityprovider:
              entity-id: https://<url>
              sso-url: https://<url>
              verification:
                credentials:
                  - certificate-location: "classpath:saml/onelogin.cert"
            signing:
              credentials:
                - certificate-location: "classpath:saml/onelogin-sp.cert"
                  private-key-location: "classpath:saml/onelogin-sp.key"

My login controller is defined as follows:

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class LoginController {
    private final RelyingPartyRegistrationRepository relyingParties;

    public LoginController(RelyingPartyRegistrationRepository relyingParties) {
        this.relyingParties = relyingParties;
    }

    @GetMapping("/login")
    public void login(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // the registration id is client-supplied; only redirect when it names a configured IdP
        String registrationId = request.getParameter("idp");
        RelyingPartyRegistration relyingParty = this.relyingParties.findByRegistrationId(registrationId);
        if (relyingParty == null) {
            response.setStatus(401);
        } else {
            response.sendRedirect("/saml2/authenticate/" + registrationId);
        }
    }
}

PROBLEM: my relyingParty has the provider details, but I think the fact that my assertionConsumerServiceUrl is defaulting to {baseUrl}/login/saml2/sso/{registrationId} and my localEntityIdTemplate to {baseUrl}/saml2/service-provider-metadata/{registrationId} is causing the problem. How do I add the SP info in my yaml file? Or am I doing this completely wrong?

Screenshot (image not included)

rootimbo

2 Answers

1

I've been trying to do the same thing. The API doesn't seem to be well thought through. If you try to use the Spring Boot auto-configuration feature, the only way I found is to exclude this configuration

Saml2RelyingPartyRegistrationConfiguration

and provide your own class for that.

Since all of that is package local, you have to bring pretty much the entire package

org.springframework.boot.autoconfigure.security.saml2

to your own application, first disabling the one from Spring altogether.

You will end up with

CustomRegistrationConfiguredCondition
CustomSaml2LoginConfiguration
CustomSaml2RelyingPartyAutoConfiguration
CustomSaml2RelyingPartyRegistrationConfiguration

at the very least. Make sure the references between the classes are updated too.

Now, you need to update the following method in the CustomSaml2RelyingPartyRegistrationConfiguration:

private RelyingPartyRegistration asRegistration(String id, Registration properties) {
    RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId(id);
    builder.assertionConsumerServiceUrlTemplate(
            "{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
    builder.idpWebSsoUrl(properties.getIdentityprovider().getSsoUrl());
    builder.remoteIdpEntityId(properties.getIdentityprovider().getEntityId());
    builder.localEntityIdTemplate("template_you_like");
    builder.credentials((credentials) -> credentials.addAll(asCredentials(properties)));
    return builder.build();
}

Alternatively, you can also copy Saml2RelyingPartyProperties to your project and add all necessary fields there. This way you'll be able to set properties in a yaml or properties file. Don't forget to use those values in the asRegistration method mentioned above.

ATrubka
0

From the screenshot you posted, it seems that assertionConsumerServiceUrl="{baseUrl}/login/saml2/sso/{registrationId}" at runtime (so the bindings are not working). In my experience, I had it working by replacing baseUrl and registrationId with the actual values (bypassing the placeholders).

E.g.: http://localhost:8080/login/saml2/sso/idpokta

The same goes for localEntityIdTemplate: http://localhost:8080/saml2/service-provider-metadata/idpokta
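As an added example, not code from the question or from either answer: a programmatic RelyingPartyRegistrationRepository bean for Spring Security 5.3 that registers the question's two IdPs with the SP side (entity id and assertion consumer service URL) spelled out explicitly, which is what the second answer suggests, instead of relying on the {baseUrl}/{registrationId} templates. The base URL, the classpath locations of the SP key pair and the IdP entity ids and SSO URLs are assumed placeholders. Spring Boot's Saml2RelyingPartyRegistrationConfiguration is conditional on there being no RelyingPartyRegistrationRepository bean, so defining one like this makes the auto-configuration back off without copying any package.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ResourceLoader;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.credentials.Saml2X509Credential;
import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

@Configuration
public class Saml2RelyingPartyConfig {

    // Assumed values: the externally visible base URL of this service provider and
    // one SP key pair (placeholder classpath paths) reused for both registrations.
    private static final String SP_BASE_URL = "https://sp.example.test";
    private static final String SP_CERTIFICATE = "classpath:saml/sp.cert";
    private static final String SP_PRIVATE_KEY = "classpath:saml/sp.key";

    private final ResourceLoader resources;

    public Saml2RelyingPartyConfig(ResourceLoader resources) {
        this.resources = resources;
    }

    // This bean replaces the spring.security.saml2.relyingparty.* properties entirely.
    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrations()
            throws IOException, CertificateException {
        Saml2X509Credential spSigning = signingCredential(SP_PRIVATE_KEY, SP_CERTIFICATE);

        // IdP entity ids and SSO URLs are placeholders, as in the question.
        RelyingPartyRegistration okta = registration("idpokta",
                "http://<okta-entity-id>", "https://<okta-sso-url>", "classpath:saml/okta.cert", spSigning);
        RelyingPartyRegistration onelogin = registration("idponelogin",
                "https://<onelogin-entity-id>", "https://<onelogin-sso-url>", "classpath:saml/onelogin.cert", spSigning);

        return new InMemoryRelyingPartyRegistrationRepository(okta, onelogin);
    }

    private RelyingPartyRegistration registration(String registrationId, String idpEntityId, String idpSsoUrl,
            String idpCertificateLocation, Saml2X509Credential spSigning) throws IOException, CertificateException {
        // The IdP certificate is only ever used to verify signatures on incoming responses/assertions.
        Saml2X509Credential idpVerification = new Saml2X509Credential(
                readCertificate(idpCertificateLocation), Saml2X509CredentialType.VERIFICATION);

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                // SP side, written out instead of the {baseUrl}/{registrationId} templates. The ACS URL
                // must match, character for character, the ACS URL registered at the IdP: the IdP only
                // posts responses there, and the SP validates the response Destination against it.
                .assertionConsumerServiceUrlTemplate(SP_BASE_URL + "/login/saml2/sso/" + registrationId)
                .localEntityIdTemplate(SP_BASE_URL + "/saml2/service-provider-metadata/" + registrationId)
                // IdP side: where AuthnRequests are sent and which entity id is expected from the IdP.
                .providerDetails(idp -> idp.entityId(idpEntityId).webSsoUrl(idpSsoUrl))
                .credentials(credentials -> {
                    credentials.add(spSigning);       // signs AuthnRequests sent by this SP
                    credentials.add(idpVerification); // verifies responses from this IdP
                })
                .build();
    }

    private X509Certificate readCertificate(String location) throws IOException, CertificateException {
        try (InputStream in = resources.getResource(location).getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    private Saml2X509Credential signingCredential(String keyLocation, String certificateLocation)
            throws IOException, CertificateException {
        try (InputStream in = resources.getResource(keyLocation).getInputStream()) {
            // expects a PEM "BEGIN PRIVATE KEY" (PKCS#8) file, the format shown in the question's yaml
            PrivateKey key = RsaKeyConverters.pkcs8().convert(in);
            return new Saml2X509Credential(key, readCertificate(certificateLocation), Saml2X509CredentialType.SIGNING);
        }
    }
}
```

Keeping the registration id as the last path segment of the ACS URL matters because Saml2WebSsoAuthenticationFilter resolves the registration from /login/saml2/sso/{registrationId}; changing the path shape would also require changing that filter's processing URL. The verification credential is deliberately separate from the signing credential so that the IdP's certificate can be rotated without touching the SP key pair.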