I need to integrate a Spring Boot backend (2.3.x) with SAML 2.0 authentication (for SSO purposes), implementing the Service Provider side, and then get the User object in the Java backend with the various attributes populated by the Identity Provider (name, surname, roles, etc.), which is remote and already existing (OIM / OAM). The Spring Boot backend is deployed on JBoss EAP 7.3 (middleware), and for now I'm following the official Red Hat doc to use the PicketLink library. I have already added the "plugin" on JBoss and now I need to configure the SP on the server, but I'm not sure what parameters to enter. For this, I ask for support from those who have already met this need.

In practice, I need to achieve these two goals:

  1. configure my backend as a Service Provider to an existing Identity Provider (Oracle OIM / OAM)
  2. understand how to retrieve the metadata of the user object from the Java backend, and then use it within the application (I should specify that the frontend is not implemented with Spring, e.g. Thymeleaf, but with Angular)

At the moment I'm trying to use PicketLink, but it's not mandatory; if you know of other solutions, that's fine.

Many thanks in advance!

Giampiero Poggi

1 Answer

If you need just authentication through SAML you can follow this tutorial: https://developer.okta.com/blog/2017/03/16/spring-boot-saml. If you need database + SAML authentication you can follow this tutorial for authentication with SAML (Okta provider): https://developer.okta.com/blog/2020/10/14/spring-security-saml-database-authentication.

  • Thank you! So, can I use this guide, even if my IdP is not Okta? If I'm not mistaken, the important thing is that in the property "security.saml2.metadata-url" there is the metadata URL of my IdP (OIM), right? – Giampiero Poggi Jan 20 '21 at 11:00
  • I think you just change what's inside the application.properties with your metadata URL, Single Sign-On URL, Audience URI (your IdP data). SAML SSO should work in the same way. I forgot to tell you that these tutorials have a GitHub repository so you can clone them and try to use them with your IdP data. – Ionathan Ardelean Jan 20 '21 at 11:32
  • Great! Thanks a lot :) – Giampiero Poggi Jan 20 '21 at 13:25
  • Sorry, one last question: how can I retrieve the user object in java (with metadata, as username, roles etc...)? – Giampiero Poggi Jan 20 '21 at 15:24
  • public Object loadUserBySAML(SAMLCredential samlCredential) throws UsernameNotFoundException { String userName = samlCredential.getNameID().getValue(); final String userEmail = samlCredential.getAttributeAsString("email"); return userName; } – Ionathan Ardelean Jan 20 '21 at 16:11
  • You can find this method in the class that implements SAMLUserDetailsService – Ionathan Ardelean Jan 20 '21 at 16:22
  • Using the first link, everything works fine. Now my problem is that the FE is implemented in Angular, though, and I can't do it with Thymeleaf (Java). In this case, what can I do? That is, log in on the FE side (SAML integration), but also have the user object at the BE. – Giampiero Poggi Jan 21 '21 at 09:24
  • We used Thymeleaf in our project. I don't know exactly how Spring Milestones and Spring Security SAML DSL work. Unfortunately, there is very little documentation about authentication with SAML. – Ionathan Ardelean Jan 22 '21 at 13:47
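As an added example (not code from the question, the answer or either linked tutorial), here is a SAMLUserDetailsService implementation that maps the NameID and assertion attributes to a principal, plus a small REST endpoint an Angular frontend can call to obtain that user object. It assumes the Spring Security SAML extension (spring-security-saml2-core) that the first linked tutorial uses; the package name, the endpoint path and the attribute names ("email", "givenName", "sn", "roles") are assumptions and must be aligned with what the OIM/OAM assertion actually releases (check the IdP metadata or a captured assertion).

```java
// Added example, not from the post. Assumes the Spring Security SAML extension
// (spring-security-saml2-core) used by the first linked tutorial.
// Package, endpoint path and attribute names are ASSUMPTIONS to align with the IdP.
package com.example.saml;

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/** Principal built from the validated assertion; becomes Authentication.getPrincipal(). */
public class SamlUser extends User {
    private final String givenName;
    private final String surname;
    private final String email;

    public SamlUser(String username, String givenName, String surname, String email,
                    List<GrantedAuthority> authorities) {
        // No password: the IdP authenticated the user, the SP only consumes the assertion.
        super(username, "", authorities);
        this.givenName = givenName;
        this.surname = surname;
        this.email = email;
    }

    public String getGivenName() { return givenName; }
    public String getSurname() { return surname; }
    public String getEmail() { return email; }
}

@Service
class AssertionUserDetailsService implements SAMLUserDetailsService {

    // Assumed attribute names; replace with the names OIM/OAM actually sends.
    static final String ATTR_EMAIL = "email";
    static final String ATTR_GIVEN_NAME = "givenName";
    static final String ATTR_SURNAME = "sn";
    static final String ATTR_ROLES = "roles";

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // The extension has already checked the assertion signature, audience and
        // validity window before calling this; only attribute mapping happens here.
        if (credential.getNameID() == null || credential.getNameID().getValue() == null) {
            throw new UsernameNotFoundException("Assertion carries no NameID");
        }
        String username = credential.getNameID().getValue();

        // Roles come only from the assertion. A user without a roles attribute
        // gets no authority and is denied by any role-based rule, rather than
        // being granted a default the IdP never asserted.
        List<GrantedAuthority> authorities = new ArrayList<>();
        String[] roles = credential.getAttributeAsStringArray(ATTR_ROLES);
        if (roles != null) {
            for (String role : roles) {
                String r = role.trim().toUpperCase();
                // Normalise to the ROLE_ prefix so hasRole("ADMIN") matches.
                authorities.add(new SimpleGrantedAuthority(r.startsWith("ROLE_") ? r : "ROLE_" + r));
            }
        }
        return new SamlUser(username,
                credential.getAttributeAsString(ATTR_GIVEN_NAME),
                credential.getAttributeAsString(ATTR_SURNAME),
                credential.getAttributeAsString(ATTR_EMAIL),
                authorities);
    }
}

@RestController
class CurrentUserController {
    /** Angular calls this after the SAML redirect completes; the session cookie identifies the user. */
    @GetMapping("/api/me")
    public Map<String, Object> me(@AuthenticationPrincipal SamlUser user) {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("username", user.getUsername());
        body.put("givenName", user.getGivenName());
        body.put("surname", user.getSurname());
        body.put("email", user.getEmail());
        body.put("roles", user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toList()));
        return body;
    }
}
```

With the tutorial's `anyRequest().authenticated()` rule in place, the first request from the Angular app to a protected URL (or to /api/me itself) triggers the redirect to the IdP; once the assertion is consumed the extension stores the SamlUser in the HTTP session, and the frontend can read it back from /api/me on the same origin without any Thymeleaf involvement. Only the values already validated by the SAML filter chain are exposed, and the endpoint returns nothing for an unauthenticated session because the security rule rejects it first.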