单点登录

Question

我正在尝试将SSO与Okta集成在我的应用程序中，我测试了一些示例，以了解okta如何与saml 2.0一起工作，如"spring-security-saml2-sample“它的工作方式，但我只想将SSO与Okta元数据一起使用，所以当我单击按钮”单点登录“时，我希望我的应用程序将在okta中进行身份验证。我管理的是点击并重定向到okta，但它仍然在我的登录视图中，我不知道如何实现我的Okta用户的身份验证。谢谢

Answer 1

您可以通过此链接使用Okta https://developer.okta.com/code/java/spring_security_saml.html设置Spring Security SAML

您需要在securityContext.xml中设置元数据url (例如"https://example.okta.com/app/exk8ft4xxxyyyy/sso/saml/metadata")。

<constructor-arg>
        <list>
            <!-- Example of file system metadata without Extended Metadata -->
            <!--
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">/usr/local/metadata/idp.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            -->

            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                  <!-- URL containing the metadata -->
                  <constructor-arg>
                    <!-- This URL should look something like this: https://example.okta.com/app/abc0defghijK1lmN23o4/sso/saml/metadata -->
                    <value type="java.lang.String">https://example.okta.com/app/exk8ft4xxxyyyy/sso/saml/metadata</value>
                  </constructor-arg>
                  <!-- Timeout for metadata loading in ms -->
                  <constructor-arg>
                    <value type="int">5000</value>
                  </constructor-arg>
                  <property name="parserPool" ref="parserPool"/>
                </bean>
        </list>
    </constructor-arg>

Spring security saml将使用您在securityContext.xml中设置的元数据url读取IDP (Okta)信息。

Answer 2

谢谢你的帖子。我解释了我想做什么。所以我有我的loginView，其中我有两个按钮:一个用于普通登录用户和密码，另一个是使用或连接到我的应用程序的单点登录。我看了一些示例，如何读取okta在读取元数据后生成的metadata.xml，并重定向到okta并返回到我的应用程序，但我的loginView是成功的，现在我将如何成功进行身份验证，因为现在我只重定向到okta。我希望我说得很清楚。谢谢

import com.okta.saml.*;
import com.vaadin.server.*;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import org.opensaml.ws.security.SecurityPolicyException;

import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.util.List;
import java.util.Scanner;

public class TestVaadinServletService extends VaadinServletService {

    protected static final String SAML_REQUEST = "SAMLRequest";
    protected static final String SAML_RESPONSE = "SAMLResponse";
    protected static final String RELAY_STATE = "RelayState";
    private static final Logger LOGGER = Logger.getLogger(TestVaadinServletService.class);


    protected SAMLValidator validator;
    protected Configuration configuration;
    protected Application app;

    public TestVaadinServletService(VaadinServlet servlet, DeploymentConfiguration deploymentConfiguration) throws ServiceException {
        super(servlet, deploymentConfiguration);

        try {
            InputStream stream = getClass().getResourceAsStream("/valid-config");
            String file;
            try {
                file = convertStreamToString(stream);
            } finally {
                stream.close();
            }
            validator = new SAMLValidator();
            configuration = validator.getConfiguration(file);
            app = configuration.getApplication("http://www.okta.com/e***********t0h7");
            if (configuration.getDefaultEntityID() == null) {
                LOGGER.error("Default App has not been configured in configuration.");
            } else if (app == null) {
                LOGGER.error("Could not find default application in configuration : " + configuration.getDefaultEntityID());
            }
        } catch (Exception e) {
            LOGGER.error(e);
            e.printStackTrace();
        }
    }

    @Override
    protected List<RequestHandler> createRequestHandlers() {
        try {
            List<RequestHandler> requestHandlerList = super.createRequestHandlers();
            RequestHandler requestHandler = addHandlers();
            requestHandlerList.add(requestHandler);
            return requestHandlerList;
        } catch (ServiceException ex) {
            return null;
        }
    }


    private RequestHandler addHandlers() {
        RequestHandler requestHandler = new RequestHandler() {
            public boolean handleRequest(VaadinSession session, VaadinRequest request, VaadinResponse response) throws IOException {
                try {
                    if ("POST".equals(request.getMethod())) {
                        LOGGER.info("POST");
                        if (session.getAttribute("USER") == null) {
                            try {
                                String relay = request.getParameter(RELAY_STATE);
                                if (relay != null && !relay.isEmpty()) {
                                    try {
                                        String responseString = request.getParameter(SAML_RESPONSE);
                                        if (responseString == null) {
                                            throw new Exception("SAML parameter missing");
                                        }
                                        responseString = new String(org.apache.xml.security.utils.Base64.decode(responseString.getBytes("UTF-8")), Charset.forName("UTF-8"));
                                        LOGGER.info(responseString);

                                        SAMLResponse samlResponse = validator.getSAMLResponse(responseString, configuration);
                                        LOGGER.info("SAML authentication successful");
                                        request.setAttribute("user", samlResponse.getUserID());
                                    } catch (SecurityPolicyException e) {
                                        LOGGER.error("SAML authentication unsuccessful");
                                        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

                                    } catch (Exception e) {
                                        LOGGER.error(e.getMessage());
                                        e.printStackTrace();
                                        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                                    }
                                }
                                String assertion = request.getParameter(SAML_RESPONSE);
                                if (assertion == null) {
                                    throw new Exception("SAMLResponse parameter missing");
                                }
                                assertion = new String(Base64.decodeBase64(assertion.getBytes("UTF-8")), Charset.forName("UTF-8"));
                                LOGGER.info(assertion);

                                SAMLResponse samlResponse = validator.getSAMLResponse(assertion, configuration);
                                LOGGER.info("SAML authentification successful");
                                session.setAttribute("user", samlResponse.getUserID());
                            } catch (SecurityPolicyException e) {
                                LOGGER.info("SAML authentification unsuccessful");
                                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                            } catch (Exception e) {
                                LOGGER.error(e);
                                e.printStackTrace();
                                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                            }
                        }
                    } else if ("GET".equals(request.getMethod())) {
                        LOGGER.info("GET");
                        SAMLRequest samlRequest = validator.getSAMLRequest(app);
                        String encodedSAML = Base64.encodeBase64String(samlRequest.toString().getBytes());
                        String url = app.getAuthenticationURL();
                        url += "?" + SAML_REQUEST + "=" + URLEncoder.encode(encodedSAML, "UTF-8");
                        LOGGER.info("Redirecting to : " + url);
                        ((VaadinServletResponse) response).sendRedirect(url);
                        return true;
                    }
                } catch (Exception e) {
                    LOGGER.error(e);
                    e.printStackTrace();
                    response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                }
                return false;
            }
        };
        return requestHandler;
    }

    private static String convertStreamToString(InputStream stream) {
        java.util.Scanner s = new Scanner(stream, "UTF-8").useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";
    }