alokkusingh / saml
SAML Identity Provider and Service Provider implementation using Spring Security


saml's Introduction


SAML - Identity Provider and Service Provider Services

Meta Data

Both services, the IdP and the SPS, expose a SAML metadata endpoint that the peer service uses to negotiate the exchange.

1. IdP Meta Data API

The SPS integrates with this metadata API for service negotiation.

http://localhost:8081/alok-idp/saml/idp/metadata

2. SPS Meta Data API

The IdP integrates with this metadata API for service negotiation.

http://localhost:8082/hello-sp/saml/sp/metadata

Supported SAML Flows

1. SPS Flow

SAML authentication initiated by the SPS (SP-initiated flow).

  • SPS - the SPS sends a SAML Request to the IdP
  • IdP - the IdP authenticates the user and responds with a SAML Response

Use case:

  • TBD

2. IdP Flow

SAML authentication initiated by the IdP (IdP-initiated flow).

  • IdP - the IdP sends a SAML Response directly to the SPS; no SAML Request is generated.

Use case:

  • Single Sign-on - when a secure web page provided by a guest application (acting as the SPS) is embedded as an iFrame in a web page provided by a host application (acting as the IdP). The host server validates the user's credentials as part of its login process and at the same time generates a SAML Response for the guest application. When the guest application's page is loaded into the host page (as an iFrame), that SAML Response is sent to the guest application, which uses it to authenticate/authorize the user without asking for additional credentials. Seamless single sign-on takes place.

IdP and SPS RSA Keys and Certificate

Both services sign and encrypt their Metadata, SAML Requests and SAML Responses.

1. IdP RSA Private Key and Cert Generation

1.1 Generate Private Key and CSR Request

openssl req -new -newkey rsa:4096 -nodes -keyout IdP_pkcs8.key -out IdP.csr

Note: -nodes writes the private key without a passphrase, so protect the key file with filesystem permissions.

1.2 Convert to PKCS#1

openssl rsa -in IdP_pkcs8.key -out IdP_pkcs1.key

1.3 Sign Certificate

openssl x509 -req -CA rootCA_Alok.crt -CAkey rootCA_Alok.key -in IdP.csr -out IdP.crt -days 365 -CAcreateserial

2. SPS RSA Private Key and Cert Generation

2.1 Generate Private Key and CSR Request

openssl req -new -newkey rsa:4096 -nodes -keyout saml_spcs_pkcs8.key -out saml_spcs.csr

Note: -nodes writes the private key without a passphrase, so protect the key file with filesystem permissions.

2.2 Convert to PKCS#1

openssl rsa -in saml_spcs_pkcs8.key -out saml_spcs_pkcs1.key

2.3 Sign Certificate

openssl x509 -req -CA rootCA_Alok.crt -CAkey rootCA_Alok.key -in saml_spcs.csr -out saml_spcs.crt -days 365 -CAcreateserial

saml's Issues

IdP is not providing attributes in SAML assertion

IdP is not providing attributes in the SAML assertion, see below:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:8082/hello-sp/saml/sp/SSO/alias/hello-sp" ID="RP0e30bcca-e1e5-4d8c-a25c-33f331d97a45" IssueInstant="2020-07-29T07:19:15.663Z" Version="2.0" > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">alok-idp</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#RP0e30bcca-e1e5-4d8c-a25c-33f331d97a45"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>JAlfohUWrmTnnDUehUMRxVJMXy78/yG5zbzn/B/uSKg=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> w2yhdvgzRQ+zpN/sAVBAoAhnJksWfNOgJy6T2R6jLZRhchkZfcCtOu1Iz+A5soatPeXBwjWpznQF 1jI4S1vPq357sy2H2GnORaMMrc70RvChsSVWNMWYy9eWXdUJ5+zfzeuC/kXW2KrPyXWwoOT6XGG8 fvqx+s6s+aK0G6dRJo5m1qdV6YMWAj0ieg8Su3FMDMrPLp+mqKbpnEVMgCFcmdkqukuVqN6mVE/V oQ/VwSBCq8f+KbLyQSig+DJFj81rb8hn11JUgqEmVzX1sv0RxuJMjzqnt6eUcffBtYO9wzXifuRs ZlKMK3PDS8dRWzlytVHazRZ2qnK6WLcL6l0cbPaLiH5Ma6pfHAES1ul9w3Zfy+f6efTidSLPJOMh l+rBWBh2lPR5tDjCeRUOMWOzaZ5dVROaaTrFw/YS3aNy/o0LlOri9ev81MoYzcMkcBlwlpza3pnB +GzmSbCUXLcXiGygwTYyiO1yoK8C2Wgp5autC3i1dpU9/Tiq1TX78va0+J1w12ChZPWeUW+F6uW9 ugcVjhkW4wn7tGS3P9YYYYFD7wpatXXRY0ZRzmtmmUI05m3IgjykFZhdZZhHa5Q3FnFiE67AED3U mPIvC3l00LwsjFUl49aNYZiPtVLZJ62es9SFwsTLcuLPzjd7ZBpRKrOrxVbIxh3WsmUuqW+Adpw= </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIFITCCAwkCCQCk7pxWtNaMMzANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDDAthbG9ra3VzaW5n aDAeFw0yMDA3MjgxMjE3MzlaFw0yMTA3MjgxMjE3MzlaMIGOMQswCQYDVQQGEwJJTjESMBAGA1UE 
CAwJS2VybmF0YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxDTALBgNVBAoMBEFsb2sxDTALBgNVBAsM BEhvbWUxETAPBgNVBAMMCGFsb2tfaWRwMSYwJAYJKoZIhvcNAQkBFhdhbG9rLmt1LnNpbmdoQGdt YWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMxlExcunQkmQXQe1eXDL5z7 R75MoSaz5sCJXeEZ+VCBjJkfkCSPQB+gB1ulKVHa7QGv3R3S8nT7LPt1txYtkIA7bPRE/n2BMnDY 6/qq6Vchl+wb11OzUIrx6T4Oa92zEDBx5Fl7AuIgYGKk4xM01tpwJkqyhWnD0UiyZWA4+/l/mup5 2n0S8BtMAEuLXiGm556hhXxxssX0rQRQSq7JxdtpFlkZJIxbaw/+qH4vH6KALKZtKY+I34f1sX05 ZJwggfgINIIHEH6Bmr43s+OOv9NON/dc8HRYToOCrtGpRGTKesXhp7J6JG7HffQA9qi2TiZb0T3w GZs11LZQb0zKtYwxTkSsjWvTs+/ACztv4gBFU9QAjFbKl0GmtdTmVpKU62SDK1/l5cno61WLQfF0 HJoMCEaQonMXecjWWcaRRBRB41nrY+x+z4fCo4kvObAryn5FCUQ0Clb8VWGrz4UOYilF2MyDdDcj M1E8p/ARw12E9KXsVs+xp2YS3asVfrQjst6zatyCTbiOVq5ciCQvPP3JduAy9dIxxhlbTFOS5Hco Z2FgWxoWk7Mt5yU1Ow5lEhvZcW5CZI7LAGpF6x8b6n539QM+LTIA7LdzD07ebtfUP7kcrELtJB4G 0gA3mjgVEX2WWP9/rOX0oFRZ4wARkeJtjOWNmJa+5PWc16t/V0w/AgMBAAEwDQYJKoZIhvcNAQEF BQADggIBAB+plM8G29+9ueDwg1/l/J9Tu9ilvUClOGiLEV8Wj0SjFwCtCd6EP3NZJxCbPwoiWPFA KvdJyA6KheDZreGcDvpzLI4NREeuOU1hX3QJ2Cku0VCx4nbJhdXU9f02otHtxNBT+qp+sJxlordU JaXySZ/Ja6BQ7ydcycDykKcaNgk+YG6FSi+F82oCa06N/KldHHukUpQ/v42UFOM42Q0LHIpohIfz 3qOh4QfAwcjscohSISvAlPPYa5e6GtSwvlNoIZndoaF0VNssJbEEf95MMU3zejVbkwY5Pf/GNRHC +Zx72bvOFBceHvIGCX5RnmDvpiuOizlPS4MQqfBjzMXDk62TlRoTB1ZY6cg2KaTvbGe3VekAtzQ8 QfB6OO4Yw4sr+OqjsByO1chHf4q//77Z85t56P1FLuBjpFXKxq2EAtPyonZq4VtXgdTrH5MrM8vF lhlW1YDGtVtigIGaTSvuFOc+yO3OKH4RZ4E0IY+OHbbWQfgxM/yM9QqxcUSby06SPsqH6A7zUtoT pPlyBvs5BS5Icb8Bg1p61fETZzGFBO662psy/m4/wfiGQ/jIMcuek4CCX/pPmQMA6raE8YucAYjA khROt+4mNAdmI9MTa+qFqqMIRd6gZOXp6HT88y3ZiztSKo0+U2huOM7Si/TqozyybuEujlth0eUC asmi6WCl</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:Status> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="A6932d0f0-9b61-4cae-89df-6b2930b9316a" IssueInstant="2020-07-29T07:19:15.607Z" Version="2.0" > 
<saml2:Issuer>alok-idp</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#A6932d0f0-9b61-4cae-89df-6b2930b9316a"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>449sLbUvbU5FMZ5CEL+aq5MnfvZ6n7SRM4eeM089TJI=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> VHFXAFDCa+dA3DmJHgefKo8OI1BqiW29Jgyefuni58doJ0kthbTVGdOLjGUeY6qGlKYyVflo4pjK L/rb4R5OI2imJPPrm/x7WIQkp+19GUKkMWrFsli+guXZft4PLOgZex2tYxwho6RYAAoOMf0f7W+v DSDU8QlsXxvONWDNbdSPtQMqUzKcVrJPyfFI36RxIF6f0Y8X8LI7hN4/t+qL3MWJTUuy0yACi/uO 0Cn0E4PRTEyZduDvzntQXuGmkh/KmdzdUWvMqf3pZvQJe0LecaYO6wUAyT7Zfq/FHrKZDfEwzEvl x7GEtmXNeFF7F/NQUE22m1gRHJ/8uP74rOPCLFdYh3Y0dCBU8A+Z+jZE4qQd6bkpG1113sIogAGQ x0N+LYPZUVRUpDGmB4jQQpBkJuCqcx9HmYcoAu84pygRi+q9V2arulRV1P4ZibYdUcH8+aYFMxtT r/tPKewzx/+TXYzPxOvvA2M6e6wL6kdB1oiQ898zx5GTj8LyTECBEdrQ9NFuJJTfy+ZgDnbYn6ju eqp7l9lJU+oGc/iHUfKOEmcV0j61dwGKtN5izrvsHdlnwP+uYpSrJbIIxwDPHBDmcxh4rJt96KoD B5bn7LpomOzgXMrA7DA4iNFet9vGiiN6A1LH8RixSA33qwamvPhMu7JKJdar1MiOFlYhOWASix0= </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIFITCCAwkCCQCk7pxWtNaMMzANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDDAthbG9ra3VzaW5n aDAeFw0yMDA3MjgxMjE3MzlaFw0yMTA3MjgxMjE3MzlaMIGOMQswCQYDVQQGEwJJTjESMBAGA1UE CAwJS2VybmF0YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxDTALBgNVBAoMBEFsb2sxDTALBgNVBAsM BEhvbWUxETAPBgNVBAMMCGFsb2tfaWRwMSYwJAYJKoZIhvcNAQkBFhdhbG9rLmt1LnNpbmdoQGdt YWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMxlExcunQkmQXQe1eXDL5z7 R75MoSaz5sCJXeEZ+VCBjJkfkCSPQB+gB1ulKVHa7QGv3R3S8nT7LPt1txYtkIA7bPRE/n2BMnDY 
6/qq6Vchl+wb11OzUIrx6T4Oa92zEDBx5Fl7AuIgYGKk4xM01tpwJkqyhWnD0UiyZWA4+/l/mup5 2n0S8BtMAEuLXiGm556hhXxxssX0rQRQSq7JxdtpFlkZJIxbaw/+qH4vH6KALKZtKY+I34f1sX05 ZJwggfgINIIHEH6Bmr43s+OOv9NON/dc8HRYToOCrtGpRGTKesXhp7J6JG7HffQA9qi2TiZb0T3w GZs11LZQb0zKtYwxTkSsjWvTs+/ACztv4gBFU9QAjFbKl0GmtdTmVpKU62SDK1/l5cno61WLQfF0 HJoMCEaQonMXecjWWcaRRBRB41nrY+x+z4fCo4kvObAryn5FCUQ0Clb8VWGrz4UOYilF2MyDdDcj M1E8p/ARw12E9KXsVs+xp2YS3asVfrQjst6zatyCTbiOVq5ciCQvPP3JduAy9dIxxhlbTFOS5Hco Z2FgWxoWk7Mt5yU1Ow5lEhvZcW5CZI7LAGpF6x8b6n539QM+LTIA7LdzD07ebtfUP7kcrELtJB4G 0gA3mjgVEX2WWP9/rOX0oFRZ4wARkeJtjOWNmJa+5PWc16t/V0w/AgMBAAEwDQYJKoZIhvcNAQEF BQADggIBAB+plM8G29+9ueDwg1/l/J9Tu9ilvUClOGiLEV8Wj0SjFwCtCd6EP3NZJxCbPwoiWPFA KvdJyA6KheDZreGcDvpzLI4NREeuOU1hX3QJ2Cku0VCx4nbJhdXU9f02otHtxNBT+qp+sJxlordU JaXySZ/Ja6BQ7ydcycDykKcaNgk+YG6FSi+F82oCa06N/KldHHukUpQ/v42UFOM42Q0LHIpohIfz 3qOh4QfAwcjscohSISvAlPPYa5e6GtSwvlNoIZndoaF0VNssJbEEf95MMU3zejVbkwY5Pf/GNRHC +Zx72bvOFBceHvIGCX5RnmDvpiuOizlPS4MQqfBjzMXDk62TlRoTB1ZY6cg2KaTvbGe3VekAtzQ8 QfB6OO4Yw4sr+OqjsByO1chHf4q//77Z85t56P1FLuBjpFXKxq2EAtPyonZq4VtXgdTrH5MrM8vF lhlW1YDGtVtigIGaTSvuFOc+yO3OKH4RZ4E0IY+OHbbWQfgxM/yM9QqxcUSby06SPsqH6A7zUtoT pPlyBvs5BS5Icb8Bg1p61fETZzGFBO662psy/m4/wfiGQ/jIMcuek4CCX/pPmQMA6raE8YucAYjA khROt+4mNAdmI9MTa+qFqqMIRd6gZOXp6HT88y3ZiztSKo0+U2huOM7Si/TqozyybuEujlth0eUC asmi6WCl</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="hello-sp" >alok.ku.singh@email</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData NotOnOrAfter="2020-07-29T07:21:15.607Z" Recipient="http://localhost:8082/hello-sp/saml/sp/SSO/alias/hello-sp" /> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2020-07-29T07:18:15.607Z" NotOnOrAfter="2020-07-29T07:21:15.607Z" > <saml2:AudienceRestriction> <saml2:Audience>hello-sp</saml2:Audience> </saml2:AudienceRestriction> 
</saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2020-07-29T07:19:15.607Z" SessionIndex="IDXf67d586b-4cce-499e-b896-9000eb3043ec" SessionNotOnOrAfter="2020-07-29T07:49:15.607Z" > <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> **### <saml2:AttributeStatement/>** </saml2:Assertion> </saml2p:Response>
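The structural checks an SPS should run on a SAML Response in either flow above, applied to a response shaped like the one in this issue, as an added example (not the project's code). It uses only the standard library, runs after XML signature verification (not shown), and the sample response is constructed: same issuer, audience, recipient URL and timestamps as the issue, but with the signatures and certificates left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "http://localhost:8082/hello-sp/saml/sp/SSO/alias/hello-sp"  # hello-sp's assertion consumer URL
# Constructed sample modelled on the issue's response (signatures/certificates left out).
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" ID="RP-sample" Version="2.0"
  Destination="{ACS}" IssueInstant="2020-07-29T07:19:15.663Z">
 <a:Issuer>alok-idp</a:Issuer>
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="A-sample" Version="2.0" IssueInstant="2020-07-29T07:19:15.607Z">
  <a:Issuer>alok-idp</a:Issuer>
  <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alok.ku.singh@email</a:NameID>
   <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <a:SubjectConfirmationData NotOnOrAfter="2020-07-29T07:21:15.607Z" Recipient="{ACS}"/>
   </a:SubjectConfirmation></a:Subject>
  <a:Conditions NotBefore="2020-07-29T07:18:15.607Z" NotOnOrAfter="2020-07-29T07:21:15.607Z">
   <a:AudienceRestriction><a:Audience>hello-sp</a:Audience></a:AudienceRestriction>
  </a:Conditions>
  <a:AttributeStatement/>
 </a:Assertion>
</p:Response>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, issuer, audience, acs_url, now):
    """Structural checks an SP runs after verifying the XML signatures; returns the problems found."""
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:  # reject responses carrying zero or several assertions outright
        return problems + ["expected exactly one Assertion, got %d" % len(assertions)]
    asrt = assertions[0]
    if asrt.findtext("a:Issuer", namespaces=NS) != issuer:
        problems.append("unexpected assertion Issuer")
    cond = asrt.find("a:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion missing Conditions or outside its validity window")
    elif audience not in [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        problems.append("we are not in AudienceRestriction")
    scd = asrt.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer SubjectConfirmationData missing, wrong Recipient, or expired")
    if not asrt.findall("a:AttributeStatement/a:Attribute", NS):  # the symptom reported in the issue
        problems.append("AttributeStatement carries no Attribute elements")
    return problems
```

Run against the sample at a time inside its validity window, the only finding is the empty AttributeStatement this issue reports; for XML received from the network, parse with defusedxml rather than xml.etree directly.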

Question with deployment

Hi @alokkusingh ,

This is a very nice project. I have been trying to find a SAML2 SP in Java and yours meets my needs exactly.

However, I cannot find documentation on how to deploy the generated sp-1.0-SNAPSHOT.jar and idp-1.0-SNAPSHOT.jar to a web container. Would you please add the documentation on how to run them on an application server like Tomcat?

Thanks,
@luchua-bc
