- NetBeans 7.4
- Glassfish 3.1.2.2
- A PKCS#12 format certificate for signing SAML requests
- Spring SAML Extension sample app downloaded (http://docs.spring.io/spring-security/site/extensions/saml/)
- Add the certificate in samlKeystore.jks (in resources\security)
- Open project in NetBeans
- Change the default securityContext.xml (will be used later):
- configure the newly added certificate in keyManagerBean as an entry in constructor parameters
- configure the metadataGeneratorBean constructor parameter:
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="entityId" value="urn:myid:saml"/>
    <property name="signMetadata" value="false"/>
    <property name="bindingsSSO">
        <list>
            <value>POST</value>
        </list>
    </property>
</bean>
- Save the file and NetBeans will deploy the WAR
- Open the metadata generation page: https://localhost.myserver.local:8181/spring-security-saml2-sample/saml/web/metadata; use the real FQDN so that the metadata is generated with the actual values
- Click on the link "Generate new service provider metadata"
- Change the values of:
- Entity ID and Entity alias to same urn as the entityId previously configured (eg urn:myid:saml)
- SigningKey and EncryptionKey to the one added in samlKeystore.jks (localhostsaml in our sample)
- Sign Metadata: No
- Single sign-on bindings: uncheck Artifact and choose POST as the default
- Enable IDP Discovery profile: No
- Press Generate Metadata
- Copy the content of the Metadata text area and paste it into a newly created sp.xml, placed in resources\security
- In securityContext.xml add a constructor parameter for "metadata" bean:
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:security/sp.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="local" value="true"/>
            <property name="alias" value="urn:myid:saml"/>
            <property name="securityProfile" value="metaiop"/>
            <property name="sslSecurityProfile" value="pkix"/>
            <property name="signingKey" value="localhostsaml"/>
            <property name="encryptionKey" value="localhostsaml"/>
            <property name="requireArtifactResolveSigned" value="false"/>
            <property name="requireLogoutRequestSigned" value="false"/>
            <property name="requireLogoutResponseSigned" value="false"/>
            <property name="idpDiscoveryEnabled" value="false"/>
        </bean>
    </constructor-arg>
</bean>
Note that the ExtendedMetadata content is copied from the metadata generation result (the Configuration text area)
- Uncomment and update the following property; its value is the alias (we used the same value for entityId and alias):
<property name="hostedSPName" value="urn:myid:saml"/>
- Make sure that the only uncommented property for defaultIDP is the following:
<property name="defaultIDP" value="http://idp.ssocircle.com"/>
- Go to http://www.ssocircle.com/en/ and create an account
- After login go to Manage Metadata and create a new Service Provider:
- Provide the FQDN as the entityId (urn:myid:saml in our sample)
- Mark all attributes
- Paste the content of sp.xml in the metadata information text area
- Log out from ssocircle
- Run the application; you should be redirected to ssocircle and, after entering username/password, redirected back to index.jsp showing the information received in the SAML Response
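Before uploading sp.xml to ssocircle, it is worth checking that the generated metadata actually reflects the settings chosen above (matching entityID, POST binding only, both key descriptors published, HTTPS endpoints). The following checker is an added example, not part of the Spring SAML sample; the embedded sp.xml is a constructed, trimmed stand-in with placeholder certificates.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed, trimmed stand-in for the generator's sp.xml; certificates are placeholders.
SAMPLE_SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:myid:saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost.myserver.local:8181/spring-security-saml2-sample/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_entity_id):
    """Return the list of deviations from the walkthrough's settings (empty = OK)."""
    root = ET.fromstring(xml_text)
    findings = []
    # entityID must equal the alias/entityId configured in securityContext.xml
    if root.get("entityID") != expected_entity_id:
        findings.append("entityID %r != expected %r" % (root.get("entityID"), expected_entity_id))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor element"]
    if sp.get("AuthnRequestsSigned") != "true":
        findings.append("AuthnRequestsSigned is not true")
    # both the signing and the encryption key should have been published
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)}
    for use in ("signing", "encryption"):
        if use not in uses:
            findings.append("missing KeyDescriptor use=%s" % use)
    acs = sp.findall("md:AssertionConsumerService", NS)
    if any(a.get("Binding") == ARTIFACT for a in acs):
        findings.append("Artifact binding still enabled")
    default = [a for a in acs if a.get("isDefault") == "true"]
    if not default or default[0].get("Binding") != POST:
        findings.append("default AssertionConsumerService is not HTTP-POST")
    for a in acs:
        if not a.get("Location", "").startswith("https://"):
            findings.append("non-HTTPS ACS location: %s" % a.get("Location"))
    return findings
```

Run it against the real sp.xml with `check_sp_metadata(open("sp.xml").read(), "urn:myid:saml")`; an empty list means the file matches the configuration described in this post.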