3

I'm trying to use Spring Security (5.3.3.RELEASE) to handle SAML2 authentication in a Spring Boot application. The Spring Boot app with be the SP and G Suite will be the IDP.

In my Maven pom.xml file I have:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-saml2-service-provider</artifactId>
        </dependency>

In my code I have:


@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        final String registrationId = "gsuite";
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
                "REDACTED\n" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.SIGNING); // THIS IS THE PROBLEM

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(
            final RelyingPartyRegistration googleRegistration) {

        return new InMemoryRelyingPartyRegistrationRepository(googleRegistration);
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {

        http
                .authorizeRequests(authorize -> authorize
                        .anyRequest().authenticated())
                .saml2Login();
    }
}

The problem is that I need a signing key, but the line final Saml2X509Credential credential = new Saml2X509Credential(cert, Saml2X509CredentialType.SIGNING); throws an exception because you have to pass a PrivateKey into that constructor in order to use it for the SIGNING type. However if I use that credential for verification, the app fails with an exception that a signing key is required.

G Suite only provides a metadata XML file (which Spring Security does not support) and a .pem file. I copied all the text in the .pem file into that String above to generate the X509 certificate.

In the docs for Spring Security SAML they show 2 certificates, but G Suite only provides 1. Am I supposed to generate a PrivateKey from the .pem file? If so, how?

Adam
  • 43,763
  • 16
  • 104
  • 144

1 Answers1

1

Got it to work!

The key is disabling signing.

    @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        // remote IDP entity ID
        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        // remote WebSSO Endpoint - Where to Send AuthNRequests to
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        // local registration ID
        final String registrationId = "gsuite";
        // local entity ID - autogenerated based on URL
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local SSO URL - autogenerated, endpoint to receive SAML Response objects
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        // local signing (and local decryption key and remote encryption certificate)
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
                "REDACTED\n" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .providerDetails(config -> config.signAuthNRequest(false)) // THIS IS THE KEY
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }
Adam
  • 43,763
  • 16
  • 104
  • 144
  • Wait. Those are two different things. If you want to sign requests, you'll need a signing credential with a private key. You always need a verification credential to validate the AuthNResponse that comes from the IdP – Troveldom Jul 15 '20 at 17:31