We have decided to use Ping Federate to be our SSO solution. I have searched many examples but have not found a spring configuration that clearly describes how I need to set up my SP and/or IdP on the PingFederate side. I have not found a Spring document that describes what I need exactly to implement this.

Any help, much appreciated.

Vladimír Schäfer
hyperlite

1 Answer

Currently there's no step-by-step guide on establishing federation between Spring SAML and Ping, but the steps are very similar to what's described in the quick start guide of Spring SAML.

The best approach is to start with the sample application included inside Spring SAML, configure it to work with Ping and then transfer the configuration to your current Spring application.

The high level steps are:

  • deploy the Spring SAML sample application
  • download its SP metadata from https://server:port/context/saml/metadata (just open the URL in a browser and store all the content it returns)
  • configure Ping by creating a new "SP Connection"; as part of the process you import the metadata you stored earlier (to start with you can use the defaults for most of the settings)
  • when done, export the IDP metadata from Ping using Administrative functions -> Metadata Export for the connection you created in the previous step
  • import the IDP metadata into your Spring SAML (examples are in the manual)

This establishes federation between the two and enables you to start authenticating your users through Ping.

The metadata configuration (bean metadata) should look as follows in your case:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:security/idp.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

Make sure to replace resources/security/idp.xml with the metadata from PF. You can remove all unused instances of ExtendedMetadata beans (like the one for SSO Circle). The reason the metadata bean can contain multiple "links" is that it can support many IDPs at the same time.

Vladimír Schäfer
  • Thank you for the info, that clears up a lot of what I was assuming. I have tried the example from the quick start link you provided but I was receiving this error: "No IDP was configured, please update included metadata with at least one IDP". First, I just tried to configure my spring xml files to match something like the example. After this didn't work, I cloned the project and opened it in Eclipse. I know Maven but Gradle. Should I configure a java app based off of the saml2-sample from this source repo? @vschafer https://github.com/spring-projects/spring-security-saml – hyperlite May 08 '14 at 15:54
  • The easiest way is to grab the latest dist.zip release from http://repo.spring.io/list/snapshot/org/springframework/security/extensions/spring-security-saml/1.0.0.RC3-SNAPSHOT/, it contains the sample application which can be used with Maven, no Gradle required. Have you included the SSO Circle's metadata as per instructions, or did you try with metadata from Ping? – Vladimír Schäfer May 08 '14 at 17:10
  • Are you referring to this part? @vschafer `http://idp.ssocircle.com/idp-meta.xml` – hyperlite May 08 '14 at 17:16
  • Yes. Is the system complaining about "no IDP was configured" with this part included? – Vladimír Schäfer May 08 '14 at 17:20
  • Sorry about that, I forgot I did get past that problem and I was forwarded to the idpSelection.jsp and from there was forwarded to the SSO Circle website to register a new username. Is this where I would change to point at a local copy of metadata generated from PingFederate? – hyperlite May 08 '14 at 17:42
  • Yes, you'd use something like this: classpath:security/idp.xml – Vladimír Schäfer May 08 '14 at 17:43
  • Ok, so after I create a new IdP on my Ping Federate server and export its metadata to be used there, I do not understand how my application will actually talk to the PingFederate server. Right now it is running locally on a Windows machine at the default port 9999. Do I need to somehow deploy this PF so that my application reaches it via a domain or IP? – hyperlite May 08 '14 at 17:47
  • The metadata contains information about how to reach the PF (it's a set of URLs with all the hosts, ports, ...). Importing the metadata to the SP (= your application) tells it how to communicate with the PF. Typically, communication between IDP and SP is done through the user's web browser (using HTTP parameters and redirects), so you don't need to enable a direct connection between IDP and SP; it's enough if the user's browser can reach both. – Vladimír Schäfer May 08 '14 at 17:58
  • I successfully got the example project running. I downloaded the IdP metadata file from my PF server and replaced the resources/idp.xml file in the project and I received this error: "Signature trust establishment failed for metadata entry SAMLID - Error filtering metadata from security/idp.xml". The "metadata" bean in securityContext is also confusing me as it has a reference to the local file at security/idp.xml, and it is referencing "http://idp.ssocircle.com/idp-meta.xml". Do I need to change this to my PF server URL or is this needed at all? @vschafer – hyperlite May 08 '14 at 18:50
  • There's not much space in comments, I've updated the original answer to address your questions. The "Signature trust establishment" error can be avoided using the property metadataTrustCheck=false, see above. – Vladimír Schäfer May 08 '14 at 19:14
  • And if you are satisfied with the answer, please accept it by clicking on the check mark beside the answer to toggle it from hollow to green. – Vladimír Schäfer May 09 '14 at 06:47
  • Not sure how I would configure the Select IdP screen to enter User and PW to become authenticated with the IdP. Would these be inserted into the SAML being sent? Need to learn how to configure my IdP and SP with PF (I need to talk with them about this). After reading more into it after @Ian answered my question with this: http://stackoverflow.com/a/23546090/3302446 There may be an easier way with the Java toolkit. Unless you think that I am close enough with what I have so far to finish this solution in this manner because I want to still be able to use the Spring userdetails.User object with Roles. – hyperlite May 09 '14 at 17:28
  • With federated authentication you never enter any credentials at the SP side. Authentication is always performed at the IDP. I'm sure that the Ping guys will be able to offer you an adequate commercial solution for enabling your application to connect to PingFederate, like the Java toolkit. The implementation complexity of authentication itself won't differ much though and you might need to integrate their libraries into Spring Security. – Vladimír Schäfer May 09 '14 at 19:22
  • Not sure if you are still out there Vladimir, but if yes, here is a related question. Thanks! https://stackoverflow.com/questions/46275124/spring-security-saml-with-pingidentity-pingfederation – tom Sep 18 '17 at 08:50