弹簧引导和Okta SAML2

Question

我喜欢使用spring-security-saml2 2-服务-提供者-从docs：https://docs.spring.io/spring-security/reference/5.6.0-RC1/servlet/saml2/index.html而不是spring-security-saml2 2核心-它看起来更少样板，但当我从Okta管理应用程序发送admin时，我得到了400个响应。通过调试，似乎

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        AbstractSaml2AuthenticationRequest authenticationRequest = this.authenticationRequestResolver.resolve(request);
        if (authenticationRequest == null) {
            filterChain.doFilter(request, response);..}

无法解析传入的请求，但我不确定它是否相关。我的yml配置：

 security:
    saml2:
      relyingparty:
        registration:
          okta:
            identityprovider:
              entity-id: http://www.okta.com/exk1juy5xrR5BsW44697
              verification.credentials:
                - certificate-location: "classpath:saml/okta.cert"
              singlesignon.url: https://trial-8410773.okta.com/app/trial-8410773_templatemanager_2/exk1juy5xrR5BsW44697/sso/saml
              singlesignon.sign-request: false
              assertingparty.metadata-uri: https://trial-8410773.okta.com/app/trial-8410773_templatemanager_2/exk1juy5xrR5BsW44697/sso/saml/metadata

我的Okta配置：

GENERAL
Single Sign On URLhttp://localhost:8080/api/v1/saml2/SSO
Requestable SSO URLsURLIndex
http://localhost:8080/api/v1/saml2/SSO0Recipient URLhttp://localhost:8080/api/v1/saml2/SSODestination URLhttp://localhost:8080/api/v1/saml2/SSOAudience Restrictionhttp://localhost:8080/saml/metadata

此外，我还为saml身份验证提供了端点：

@RequestMapping(SsoAuthenticationController.BASE_NAME)
public interface SsoAuthenticationController {

    final String BASE_NAME = "/v1/saml2/SSO";

    @GetMapping("/")
    public ResponseEntity<HttpStatus> index( Saml2AuthenticatedPrincipal principal) ;
}

实际安全配置：

http.cors()
        .and()
        .csrf()
        .disable()
        .authorizeRequests()
        .antMatchers(SECURITY_WHITELIST)
        .permitAll()
        .anyRequest()
        .authenticated()
        /*.and()
        .httpBasic()
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPoint).and().sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)*/
        .and()
        .saml2Login(Customizer.withDefaults());

下面是Saml拦截器用于google：https://pastebin.com/Be3NZe5B的日志

有什么想法吗？

Answer 1

最近，我用Okta创建了一个Spring 3+ SAML示例。希望这些指令能帮上忙。

使用start.spring.io创建一个Spring应用程序。选择下列选项：

• 项目：Gradle
• Spring：3.0.0 (快照)
• 依赖关系：Spring 、Spring Security、Thymeleaf

添加src/main/java/com/example/demo/HomeController.java以填充经过身份验证的用户信息。

package com.example.demo;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class HomeController {

    @RequestMapping("/")
    public String home(@AuthenticationPrincipal Saml2AuthenticatedPrincipal principal, Model model) {
        model.addAttribute("name", principal.getName());
        model.addAttribute("emailAddress", principal.getFirstAttribute("email"));
        model.addAttribute("userAttributes", principal.getAttributes());
        return "home";
    }

}

创建一个src/main/resources/templates/home.html文件来呈现用户的信息。

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
      xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity6">
<head>
    <title>Spring Boot and SAML</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head>
<body>

<h1>Welcome</h1>
<p>You are successfully logged in as <span sec:authentication="name"></span></p>
<p>Your email address is <span th:text="${emailAddress}"></span>.</p>
<p>Your authorities are <span sec:authentication="authorities"></span>.</p>
<h2>All Your Attributes</h2>
<dl th:each="userAttribute : ${userAttributes}">
    <dt th:text="${userAttribute.key}"></dt>
    <dd th:text="${userAttribute.value}"></dd>
</dl>

<form th:action="@{/logout}" method="post">
    <button id="logout" type="submit">Logout</button>
</form>

</body>
</html>

创建一个包含元数据URI的src/main/resources/application.yml文件。

spring:
  security:
    saml2:
      relyingparty:
        registration:
            assertingparty:
              metadata-uri: <your-metadata-uri>

然后，将build.gradle更改为使用thymeleaf-extras-springsecurity6而不是thymeleaf-extras-springsecurity5，并添加Security的依赖项：

implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
implementation 'org.springframework.security:spring-security-saml2-service-provider'

要从Okta获取元数据URI，请登录到您的帐户，然后转到Applications > Create App 。选择SAML2.0并单击Next。将应用程序命名为Spring Boot SAML，然后单击Next。

使用下列设置：

• 单点登录网址：http://localhost:8080/login/saml2/sso/okta
• 将此用于收件人URL和目标URL：✅(默认值)
• 受众URI：http://localhost:8080/saml2/service-provider-metadata/okta

然后单击Next。选择下列选项：

• 我是Okta的客户添加了一个内部应用程序
• 这是我们创建的内部应用程序。

选择Finish。

Okta将创建您的应用程序，您将被重定向到标签上的选项卡。向下滚动到SAML签名证书，并转到SHA-2 > Actions > View IdP元数据。您可以右键单击并复制此菜单项的链接或打开其URL.将结果链接复制到剪贴板。它应该如下所示：

https://dev-13337.okta.com/app/<random-characters>/sso/saml/metadata

转到应用程序的赋值选项卡，并将访问权分配给Everyone组。

将元数据URI粘贴到application.yml文件中。使用./gradlew bootRun启动应用程序，并在您喜欢的浏览器中打开http://localhost:8080。您应该重定向到登录。