SAML Login with SSOCircle
Spring Security 5.2 has introduced a new Saml2LoginConfigurer
that can be used to configure SAML2 Login.
This will be covered in two parts -
Part 1 : SAML2 Login
Part 2 : SAML2 Login — Customization
In this article, we'll explore how to create a simple Spring Boot application with saml2Login(). The next article will discuss SAML2 login customization in more detail.
For simplicity, we'll use SSOCircle as a public Identity Provider. This article is divided into the following sections -
Set-up SSOCircle Identity Provider
Create Spring boot SAML Service Provider and Integrate with SSOCircle
Import Service Provider Metadata into SSOCircle
Try it out
Set-up SSOCircle Identity Provider
The following article contains a step-by-step guide on how to set up SSOCircle as the IdP -
Create Spring boot SAML Service Provider and Integrate with SSOCircle
Now we need to set up the Spring Boot application as a SAML2 Service Provider with saml2Login -
1. Generate a Spring Boot project using Spring Initializr as follows -

Dependencies to add -
- Spring Web
- Spring Security
- Thymeleaf
Once the project is generated and imported into the IDE of your choice, add the following spring-security-saml2-service-provider dependency -
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>
The above dependency enables auto-configuration of SAML Relying Parties from application.yml via Saml2RelyingPartyProperties.
2. Create a SamlSecurityConfiguration class extending WebSecurityConfigurerAdapter and add the configuration that enables saml2Login. This protects all application URLs and redirects the user to the SAML2 login for any access.
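The following class is an added example of such a configuration, written here for this article rather than taken from the linked GitHub project. It uses the Spring Security 5.2 lambda DSL: every request must be authenticated, and saml2Login() with defaults registers the SAML2 authentication entry point and the assertion consumer filter at the default paths mentioned later in this article (/saml2/authenticate/{registrationId} and /login/saml2/sso/{registrationId}). The class name is the one the article uses; the package is an assumption.

```java
package com.example.saml2; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Enables SAML2 login for the whole application (example configuration,
 * not the project's own source). The relying-party registration itself
 * is read from application.yml by Spring Boot's Saml2RelyingPartyProperties.
 */
@Configuration
@EnableWebSecurity
public class SamlSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No anonymous access: any unauthenticated request is sent to the
            // SAML2 entry point, which redirects the browser to the IdP.
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            // Default Saml2LoginConfigurer: AuthnRequest generation at
            // /saml2/authenticate/{registrationId} and assertion consumption
            // at /login/saml2/sso/{registrationId}.
            .saml2Login(Customizer.withDefaults());
    }
}
```

With a single registration, Spring Security redirects unauthenticated users straight to that registration's authenticate URL; with several registrations it would instead render a chooser page, which is part of what the customization article covers.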
3. Update the application.yml file (in /src/main/resources) as follows -
Other relevant Java files (IndexController.java, index.html) can be copied from the GitHub project.
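The fragment below is an added example of the relying-party properties that Spring Boot 2.2 binds through Saml2RelyingPartyProperties; it is not the project's own application.yml. The registrationId is the one the article uses, and the placeholder values marked as such must be replaced with the values from the SSOCircle IdP metadata and with a key pair you generate for the Service Provider.

```yaml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          ssocircleex:                          # registrationId used throughout the article
            signing:
              credentials:
                # Key pair used by the SP to sign AuthnRequests (placeholder paths;
                # generate your own and keep the private key out of version control)
                - private-key-location: classpath:credentials/rp-private.key
                  certificate-location: classpath:credentials/rp-certificate.crt
            identityprovider:
              # Placeholders: copy entityID and the HTTP-Redirect SingleSignOnService
              # location from the SSOCircle IdP metadata document
              entity-id: https://IDP_ENTITY_ID_FROM_SSOCIRCLE_METADATA
              sso-url: https://IDP_SSO_URL_FROM_SSOCIRCLE_METADATA
              verification:
                credentials:
                  # IdP signing certificate, also taken from the IdP metadata; this is
                  # what the SP uses to verify the signature on the SAML Response/Assertion
                  - certificate-location: classpath:credentials/idp-certificate.crt
```

The verification credential is the security-critical part of this file: it is the only thing that lets the Service Provider confirm that an assertion really came from SSOCircle, so it must match the certificate published in the IdP's metadata, and the application fails to start if the referenced files are missing.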
Import Service Provider Metadata into SSOCircle
1. The Spring SAML2 security filter uses the following defaults for the Service Provider metadata -
EntityID: http://localhost:8080/saml2/service-provider-metadata/{registrationId}
ACS (Assertion Consumer Service URL): http://localhost:8080/login/saml2/sso/{registrationId}
We are using ‘ssocircleex’ as the registrationId, so the corresponding values will be -
EntityID: http://localhost:8080/saml2/service-provider-metadata/ssocircleex
ACS: http://localhost:8080/login/saml2/sso/ssocircleex
2. Launch SSOCircle Metadata Creation Portal and paste the above values -

3. Copy the Metadata and go to Metadata Import Portal -

The Service Provider and Identity Provider configuration is now complete.
Try it out
GitHub Project Link — https://github.com/akashgupta2703/spring-boot-saml2-example/tree/master/saml2-application-1
1. Go to http://localhost:8080
2. It will redirect the user to http://localhost:8080/saml2/authenticate/ssocircleex, which in turn redirects to the following SSOCircle IdP login page -

3. Enter your credentials. After validation, SSOCircle redirects the user to the SAML assertion consumer URL (http://localhost:8080/login/saml2/sso/ssocircleex), which then redirects to the index page -

References -
https://docs.spring.io/spring-security/site/docs/5.2.2.RELEASE/reference/htmlsingle/#saml2