vdenotaris / spring-boot-security-saml-sample Goto Github PK

hi @vdenotaris, I m new to SAML and trying to implement SAML authentication into my existing application. The current application has server and client relationship but it's using RESTFul interface and not meant to be used with browser although some REST GET request would work with the browser but the intend is to have client and server communicate over REST APIs. Here are some questions I m hoping you can help answered:

1. Does spring security saml extension work with REST application out of the box? If yes can you give me some guidance/examples?
2. If it doesn't work out of the box? What need to be done (in summary)?
3. Here are some issues I see with implementing SAML for REST APP:
   a) How do you deal with the redirect aspect of SAML where SP is supposed to redirect client to IDP?
   b) Since IDP seems to always present login form for client to authenticate, how would it be done with REST?
   b) Does the IDP suppose to provide REST API for client to call in order to authenticate?
   c) If IDP does need to provide APIs to client then does that mean my server/client SAML implementation is at the mercy of the IDP the end user would be using? I assumed each IDP would have their own APIs.
4. I am thinking for REST, client will request to be authenticated directly from IDP via REST API then IDP will authenticate client, generate a SAML token and send it directly to SP using the AssertionConsumerURL that's setup inside the SP metadata file. From there, SP would authenticate verify the SAML token and everything else will be similar to your example.
5. Is my assumption correct? Am I missing anything?

Add rich Java documentation in order to explain the whole source code.

Please help how to run behind proxy.

I'm getting below error

17:14:45.295 [main] ERROR org.opensaml.saml2.metadata.provider.HTTPMetadataProvider - Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
java.net.UnknownHostException: idp.ssocircle.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184) ~[?:1.8.0_144]
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_144]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_144]
at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_144]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:673) ~[?:1.8.0_144]
at sun.security.ssl.SSLSocketImpl.(SSLSocketImpl.java:477) ~[?:1.8.0_144]

Hi,
i have been trying a few samples on your library, and i have got stuck with ECP configuration for quite a while.
Would be very helpful if you could provide some insight into resolving this.

i've made ecp configurations as below

 @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata extendedMetadata = new ExtendedMetadata();
        extendedMetadata.setIdpDiscoveryEnabled(true);
//      extendedMetadata.setSignMetadata(false);
        extendedMetadata.setEcpEnabled(true);
        return extendedMetadata;
    }

 @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator metadataGenerator = new MetadataGenerator();
        metadataGenerator.setEntityId("urn_boot_saml");
        metadataGenerator.setExtendedMetadata(extendedMetadata());
        List<String> bindingsSSO = new ArrayList<>();
        bindingsSSO.add("paos");
        bindingsSSO.add("post");
        bindingsSSO.add("artifact");
        metadataGenerator.setBindingsSSO(bindingsSSO);
        return metadataGenerator;
    }

i keep getting the below when i try to curl the paos endpoint

curl -k -I -H 'Accept: application/vnd.paos+xml' -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://localhost:8443/saml/sso

HTTP/1.1 406 Not Acceptable
Date: Fri, 29 Jul 2016 09:46:11 GMT
X-Application-Context: application:8443
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 299
Server: Jetty(9.2.16.v20160414)

complete details in below link.
stackoverflow post

Is there a way to add local user form authentication to this example?

Hi,

I have added an entity and the metadata generated using http://localhost:8080/saml/metadata in SSOCircle.

I started the application(running on localhost) and selected SSOCircle as the IdP, it redirects me to the IdP login page and after successful authentication, while redirecting back to the SP, it gives me an error message in UI screen -
"Something went wrong during the authentication process."

Kindly help.

But in Spring Boot console log,there seems to be no error.

2018-01-10 13:08:02.439 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator               : Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
2018-01-10 13:08:02.439 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator               : Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2018-01-10 13:08:02.482 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.SignatureValidator               : Signature validated with key from supplied credential
2018-01-10 13:08:02.482 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Signature validation using candidate credential was successful
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Successfully verified signature using KeyInfo-derived credential
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Attempting to establish trust of KeyInfo-derived credential
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.t.ExplicitKeyTrustEvaluator      : Successfully validated untrusted credential against trusted key
2018-01-10 13:08:02.483 DEBUG 3912 --- [http-nio-8080-exec-8] o.o.x.s.i.BaseSignatureTrustEngine       : Successfully established trust of KeyInfo-derived credential
2018-01-10 13:08:02.484 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Processing Bearer subject confirmation
2018-01-10 13:08:02.484 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3043e9fb against requested null
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Validation of authentication statement in assertion s2959c42be21e2d85477fa1450d34a5717af116898 was successful
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute EmailAddress from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.485 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute UserID from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.486 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute FirstName from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.486 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.w.WebSSOProfileConsumerImpl      : Including attribute LastName from assertion s2959c42be21e2d85477fa1450d34a5717af116898
2018-01-10 13:08:02.489  INFO 3912 --- [http-nio-8080-exec-8] v.s.b.s.s.w.c.SAMLUserDetailsServiceImpl : [email protected] is logged in
2018-01-10 13:08:02.494  INFO 3912 --- [http-nio-8080-exec-8] o.s.s.s.l.SAMLDefaultLogger              : AuthNResponse;SUCCESS;0:0:0:0:0:0:0:1;com:infypoc:spring:sp;https://idp.ssocircle.com;[email protected];;
2018-01-10 13:08:02.494 DEBUG 3912 --- [http-nio-8080-exec-8] o.s.s.s.SAMLProcessingFilter             : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@236cffc3: Principal: org.springframework.security.core.userdetails.User@ce0d27b9: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@ce0d27b9: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Granted Authorities: ROLE_USER

Try to set AssertionConsumerServiceIndex using org.springframework.security.saml.websso.WebSSOProfileOptions#setAssertionConsumerIndex method.
But its not append to the AuthnRequest.

Add a fancy web layout by integrating web framework and utils such as Bootstrap, Font Awesome, etc.

In both firefox and safari, going to localhost:8080 fails with the following message:

"Too many redirects occurred trying to open "http://localhost:8080/saml/discovery?entityID=com%3Avdenotaris%3Aspring%3Asp&returnIDParam=idp". This might occur if you open a page that is redirected to another page which is then directed to open the original page.

Hey

Can you please guide us how to integrate your project with keycloak as an IDP. Or if you can just give me some pointer on where to make the change.

Thanks
Abhishek

I grab the whole codebase and as soon as I start it in STS, I see huge amount of exceptions:
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 46.4.112.4
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.opens
...

[2015-07-23 12:36:23.066] boot - 56854 DEBUG [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error occurred while attempting to refresh metadata from 'https://idp.ssocircle.com/idp-meta.xml'
org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236)

Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 46.4.112.4
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.

And once I load localhost:8080, and click login, I got:
Error:
Something went wrong during the authentication process.

So can you tell me what I need to do to be able to run this app successfully? Do I need to change any configuration?

Thanks

Hi,
When I run the application in local, I get

javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null

As per the read me, I need to update the certificate, however update-certifcate.sh is not available in the repository.

Please add the shell script to the repository.

Regards,
Harish

I can access the URL https://idp.ssocircle.com/idp-meta.xml in my browser and access the xml but on server startup i see this exception in eclipse.

org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.1.jar:?]

Please help me . I am stuck. I want to test sso with this sample project with ssocircle.If this is working I have to use a different IDP.

It seems that Authentication object does not returning SAML assertion token? We're unable to find it out from the API use for SAML

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
pageContext.setAttribute("authentication", authentication);
pageContext.setAttribute("credential", credential);

Could you please let us know how to get token?

Destroy method on bean with name 'org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory' threw an exception

There seem to be 2 cases of threads that aren't properly terminated, which causes memory leaks when the app is re-deployed, e.g. on Tomcat

In WebSecurityConfig:

• there's a Timer object created (for fetching metadata over HTTP), but it's not destroyed when the bean is destroyed. (thus its TimerThread remains alive)
• MultiThreadedHttpConnectionManager has a static ReferenceQueueThread instance, which also remains alive.

Calling .cancel() + .purge() on the Timer instance, and calling MultiThreadedHttpConnectionManager.shutdownAll() when the config is destroyed seems to solve the issue.
(It's not a big deal for the sample app, but I'm guessing that someone else might also use it as a template and run into the same issue)

Note: Using MultiThreadedHttpConnectionManager.shutdownAll() seems a bit suspect, as it shuts down all instances in the current JVM, but it's the only way to terminate the ReferenceQueueThread that I mentioned

sdugan$ sh ./update-certifcate.sh
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE

Hi Guys,
I am getting following issue while retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
following is my code of security config file.

@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader
.getResource("classpath:/saml/samlKeystore.jks");
String storePass = "nalle123";
Map<String, String> passwords = new HashMap<String, String>();
passwords.put("apollo", "nalle123");
String defaultKey = "apollo";
return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

and using samlKeystore.jks provided in sample example.

Please guide me in this regard as I am very new to Spring SAML.

Thanks & Regards
Mahesh

Hi All,

I am trying to run the application as it is (only ran the update-certifcate.sh to generate the keystore and then used the command - "keytool -importcert -alias apollo -file ca.cer -keystore samlKeystore.jks" to generate private key pair ) but am getting below error in UI after selecting the default ssocircle IdP.

**Error occurred

Reason: Invalid signature in Request.**

Also, please find below spring boot logs.

Kindly help me to resolve this issue urgently. (seems to be keystore related only).

[36mo.o.s.m.p.ChainingMetadataProvider      _[0;39m _[2m:_[0;39m Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Metadata document does not contain an EntityDescriptor with the ID com:vdenotaris:spring:sp
[36mo.o.s.m.p.ChainingMetadataProvider      _[0;39m _[2m:_[0;39m Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
[36mo.o.s.m.p.ChainingMetadataProvider      _[0;39m _[2m:_[0;39m Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Metadata document did not contain a descriptor for entity com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity com:vdenotaris:spring:sp
[36mo.o.s.m.p.ChainingMetadataProvider      _[0;39m _[2m:_[0;39m Checking child metadata provider for entity descriptor with entity ID: com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Metadata document does not contain an EntityDescriptor with the ID com:vdenotaris:spring:sp
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of com:vdenotaris:spring:sp
[36mo.o.x.s.c.KeyStoreCredentialResolver    _[0;39m _[2m:_[0;39m Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
[36mo.o.x.s.c.KeyStoreCredentialResolver    _[0;39m _[2m:_[0;39m Processing PrivateKeyEntry from keystore
[36m.c.c.EvaluableCredentialCriteriaRegistry_[0;39m _[2m:_[0;39m Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
[36mo.o.x.s.c.KeyStoreCredentialResolver    _[0;39m _[2m:_[0;39m Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
[36mo.o.x.s.c.KeyStoreCredentialResolver    _[0;39m _[2m:_[0;39m Processing PrivateKeyEntry from keystore
[36m.c.c.EvaluableCredentialCriteriaRegistry_[0;39m _[2m:_[0;39m Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
[36mo.o.x.p.StaticBasicParserPool           _[0;39m _[2m:_[0;39m Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
[36mo.o.x.p.StaticBasicParserPool           _[0;39m _[2m:_[0;39m Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
[36mo.o.x.p.StaticBasicParserPool           _[0;39m _[2m:_[0;39m Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
[36mo.s.s.s.c.SAMLContextProviderImpl       _[0;39m _[2m:_[0;39m Using user specified IDP https://idp.ssocircle.com from request
[36mo.o.s.m.p.ChainingMetadataProvider      _[0;39m _[2m:_[0;39m Checking child metadata provider for entity descriptor with entity ID: https://idp.ssocircle.com
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of https://idp.ssocircle.com
[36mo.o.s.m.p.ChainingMetadataProvider      _[0;39m _[2m:_[0;39m Checking child metadata provider for entity descriptor with entity ID: https://idp.ssocircle.com
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of https://idp.ssocircle.com
[36mo.o.s.m.p.AbstractMetadataProvider      _[0;39m _[2m:_[0;39m Searching for entity descriptor with an entity ID of https://idp.ssocircle.com
[36mo.s.s.s.u.SAMLUtil                      _[0;39m _[2m:_[0;39m Index for AssertionConsumerService not specified, returning default
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selecting default IndexedEndpoint
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selected IndexedEndpoint with explicit isDefault of true
[36mo.s.s.s.SAMLEntryPoint                  _[0;39m _[2m:_[0;39m Processing SSO using WebSSO profile
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selecting default IndexedEndpoint
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selected IndexedEndpoint with explicit isDefault of true
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selecting default IndexedEndpoint
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selected IndexedEndpoint with explicit isDefault of true
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selecting default IndexedEndpoint
[36mo.o.s.m.s.SAML2MetadataHelper           _[0;39m _[2m:_[0;39m Selected IndexedEndpoint with explicit isDefault of true
[36mo.s.s.s.w.WebSSOProfileImpl             _[0;39m _[2m:_[0;39m Using default consumer service with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
[36mo.o.w.m.e.BaseMessageEncoder            _[0;39m _[2m:_[0;39m Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
[36mo.o.s.b.e.HTTPRedirectDeflateEncoder    _[0;39m _[2m:_[0;39m Deflating and Base64 encoding SAML message
[36mo.o.w.m.e.BaseMessageEncoder            _[0;39m _[2m:_[0;39m Marshalling message
[36mo.o.s.b.e.HTTPRedirectDeflateEncoder    _[0;39m _[2m:_[0;39m Building URL to redirect client to
[36mo.o.s.b.e.HTTPRedirectDeflateEncoder    _[0;39m _[2m:_[0;39m Generating signature with key type 'DSA', algorithm URI 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' over query string 'SAMLRequest=fZJfb9sgFMW%2FCrrvscFLNhfFqbJV1Sp1ahS7e9jbDb5LqDB4XBzt44%2F8qdq99AkBv8OBc1je%2Fh2cOFJkG3wDqpAgyJvQW79v4Lm7n9Vwu1oyDq4a9XpKB7%2BlPxNxElnoWV92Gpii1wHZsvY4EOtkdLv%2B8airQuoxhhRMcCDWzBRTtvoWPE8DxZbi0Rp63j42cEhp1GXpgkF3CJx0LWtZngzKtn0CcZddrcd0vukJ5kzbfiyYg7HROCpMGPR8%2FqnMKyfNlnobyaRyoIRrZ5HLcdo5a7IKxH2Ihs5PauA3OiYQD3cNYPW5PyDKfS%2FV%2FqU26ssO94v6xageF7jLEG%2BQ2R7pTcY80YPnhD41UElVz6SayZtOLfTiRs9VUVXqF4jNNYiv1l8C%2Fii13QVi%2Fb3rNrPNU9uB%2BPlaVAbgWos%2Bu8f3fXx8ML6WAKtTXseefEgYM8tjzI55WJbvj15dp%2F9%2FgNU%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23dsa-sha1'
[36mo.o.x.s.SigningUtil                     _[0;39m _[2m:_[0;39m Computing signature over input using private key of type DSA and JCA algorithm ID SHA1withDSA
[36mo.o.x.s.SigningUtil                     _[0;39m _[2m:_[0;39m Computed signature: 302d02150096a63b4d16533e52c14b81d61a3eb15d8086be5d0214324c7d6be3c929a27f3250795e23cb23f328c566
[36mo.o.s.b.e.HTTPRedirectDeflateEncoder    _[0;39m _[2m:_[0;39m Generated digital signature value (base64-encoded) MC0CFQCWpjtNFlM+UsFLgdYaPrFdgIa+XQIUMkx9a+PJKaJ/MlB5XiPLI/MoxWY=
[36mo.o.w.m.e.BaseMessageEncoder            _[0;39m _[2m:_[0;39m Successfully encoded message.
[36mo.s.s.s.s.HttpSessionStorage            _[0;39m _[2m:_[0;39m Storing message a26dhaa0gd01gj8c17bag58jc1da5ab to session C35F885770EDA5A0A9DD205271EC04E4
[36mo.s.s.s.l.SAMLDefaultLogger             _[0;39m _[2m:_[0;39m AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;https://idp.ssocircle.com;;;

Update Spring SAML from 1.0.0.RC to 1.0.0.RELEASE.

Achieved on unstable-update branch.

I want to integrate it with Okta. Please advise.

018-08-16 05:51:13.865 WARN 6978 --- [ main] s.c.a.AnnotationConfigApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to parse configuration class [com.vdenotaris.spring.boot.security.saml.web.Application]; nested exception is java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.boot.web.support.SpringBootServletInitializer
2018-08-16 05:51:13.883 ERROR 6978 --- [ main] o.s.b.SpringApplication : Application startup failed

org.springframework.beans.factory.BeanDefinitionStoreException: Failed to parse configuration class [com.vdenotaris.spring.boot.security.saml.web.Application]; nested exception is java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.boot.web.support.SpringBootServletInitializer
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:183) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:308) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:228) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:272) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:92) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:687) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:525) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.15.RELEASE.jar:1.5.15.RELEASE]
at com.vdenotaris.spring.boot.security.saml.web.Application.main(Application.java:33) [classes/:?]
Caused by: java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.boot.web.support.SpringBootServletInitializer
at org.springframework.core.type.StandardAnnotationMetadata.getAnnotatedMethods(StandardAnnotationMetadata.java:163) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.retrieveBeanMethodMetadata(ConfigurationClassParser.java:385) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.doProcessConfigurationClass(ConfigurationClassParser.java:319) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.processConfigurationClass(ConfigurationClassParser.java:247) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:200) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:169) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
... 12 more
Caused by: java.lang.NoClassDefFoundError: javax/servlet/ServletContext
at java.lang.Class.getDeclaredMethods0(Native Method) ~[?:1.8.0_181]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) ~[?:1.8.0_181]
at java.lang.Class.getDeclaredMethods(Class.java:1975) ~[?:1.8.0_181]
at org.springframework.core.type.StandardAnnotationMetadata.getAnnotatedMethods(StandardAnnotationMetadata.java:152) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.retrieveBeanMethodMetadata(ConfigurationClassParser.java:385) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.doProcessConfigurationClass(ConfigurationClassParser.java:319) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.processConfigurationClass(ConfigurationClassParser.java:247) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:200) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:169) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
... 12 more
Caused by: java.lang.ClassNotFoundException: javax.servlet.ServletContext
at java.net.URLClassLoader.findClass(URLClassLoader.java:381) ~[?:1.8.0_181]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[?:1.8.0_181]
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349) ~[?:1.8.0_181]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_181]
at java.lang.Class.getDeclaredMethods0(Native Method) ~[?:1.8.0_181]
at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) ~[?:1.8.0_181]
at java.lang.Class.getDeclaredMethods(Class.java:1975) ~[?:1.8.0_181]
at org.springframework.core.type.StandardAnnotationMetadata.getAnnotatedMethods(StandardAnnotationMetadata.java:152) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.retrieveBeanMethodMetadata(ConfigurationClassParser.java:385) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.doProcessConfigurationClass(ConfigurationClassParser.java:319) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.processConfigurationClass(ConfigurationClassParser.java:247) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:200) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:169) ~[spring-context-4.3.18.RELEASE.jar:4.3.18.RELEASE]
... 12 more

4.0.0

<groupId>com.vdenotaris.spring</groupId>
<artifactId>spring-boot-security-saml-sample</artifactId>
<version>1.8.0.RELEASE</version>
<packaging>war</packaging>

<!-- Project description -->
<name>Spring Boot and Spring Security SAML integration sample</name>
<description>Currently Spring Security SAML module doesn't provide a starter for Spring Boot. Moreover, its configuration is XML-based as of this writing. The aim of this project is to explain how to develop a Service Provider (SP) which uses Spring Boot and Spring Security SAML Extension, by defining an annotation-based configuration (Java Configuration). Thymeleaf is also used as template engine.</description>
<url>https://github.com/vdenotaris/spring-boot-security-saml-sample</url>

<developers>
	<developer>
		<id>vdenotaris</id>
		<name>Vincenzo De Notaris</name>
		<email>[email protected]</email>
		<timezone>+1</timezone>
	</developer>
</developers>
<contributors>
	<contributor>
		<name>Vladimír Schäfer</name>
	</contributor>
	<contributor>
		<name>Alexey Syrtsev</name>
	</contributor>	
</contributors>	

<licenses>
	<license>
		<name>Apache License, Version 2.0</name>
		<url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
	</license>
</licenses>

<inceptionYear>2017</inceptionYear>

<properties>
	<java.version>1.8</java.version>
	<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
	<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
	<start-class>com.vdenotaris.spring.boot.security.saml.web.Application</start-class>
</properties>

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.15.RELEASE</version>
</parent>

<dependencies>
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter</artifactId>
		<exclusions>
			<exclusion>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-starter-logging</artifactId>
			</exclusion>
		</exclusions>
	</dependency>
	<dependency>
	    <groupId>org.springframework.boot</groupId>
	    <artifactId>spring-boot-starter-log4j2</artifactId>
	</dependency>
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-security</artifactId>
	</dependency>
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-thymeleaf</artifactId>
	</dependency>
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-test</artifactId>
	</dependency>
	<dependency>
    	<groupId>org.springframework.boot</groupId>
    	<artifactId>spring-boot-starter-tomcat</artifactId>
    	<scope>provided</scope>
	</dependency>
	<dependency>
		<groupId>org.springframework.security.extensions</groupId>
		<artifactId>spring-security-saml2-core</artifactId>
		<version>1.0.2.RELEASE</version>
	</dependency>
</dependencies>

<scm>
	<connection>scm:git:[email protected]:vdenotaris/spring-boot-security-saml-sample.git</connection>
	<url>scm:git:[email protected]:vdenotaris/spring-boot-security-saml-sample.git</url>
	<developerConnection>scm:git:[email protected]:vdenotaris/spring-boot-security-saml-sample.git</developerConnection>
</scm>

<build>
	<plugins>
		<plugin>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-maven-plugin</artifactId>
		</plugin>
		<plugin>
			<groupId>org.apache.maven.plugins</groupId>
			<artifactId>maven-release-plugin</artifactId>
			<version>2.5.3</version>
		</plugin>
		<plugin>
			<artifactId>maven-war-plugin</artifactId>
			<configuration>
    			<failOnMissingWebXml>false</failOnMissingWebXml>
			</configuration>
		</plugin>
		<plugin>
			<groupId>org.jacoco</groupId>
			<artifactId>jacoco-maven-plugin</artifactId>
			<version>0.7.9</version>
			<executions>
				<execution>
					<goals>
						<goal>prepare-agent</goal>
					</goals>
				</execution>
				<execution>
					<id>report</id>
					<phase>prepare-package</phase>
					<goals>
						<goal>report</goal>
					</goals>
				</execution>
			</executions>
		</plugin>
	</plugins>
</build>

I would like to integrate this in my Spring MVC application(however I am not using Spring boot). How can I do this?

Hi, great app! I used your example little more than a year ago and since I created my own spring-boot SAML plugin. I'd like to get your input since you seem to be active in this topic.
https://github.com/ulisesbocchio/spring-boot-security-saml

We saw that you disabled the csrf in the source, but our project need to avoid the csrf attack, so we cannot disable it.
When we allow the csrf, the authentication failed, if we disable the csrf like your source, the authentication can success. So we want to know how to solve the problem. can you help us? Thank you very much.

Switch to a full annotation-based configuration by implementing SAML bindings as Java Config instead of XML beans.

Achieved on unstable-update branch.

Add SSO live demo deployment by using SSOCircle as Identity Provider.
Tomcat will be used as Application Server.

Hi,

thanks for sharing this precious SAML-SP attempt, this standard is really hard to get, and moreover some good tutorial on it.

Now your project works after a certificate refresh.
I can reach the default choose IDP page, once logged in SSOCircle it gives me error on redirect.

I'm currently using my free SSOCircle user, already validated on the Official Spring SAML Sample tutorial.

I've got to change the EntityID to upload metadata to SSOCircle which says the current is already used.
I've changed:

metadataGenerator.setEntityId("com:mytest:spring:sp");

in WebSecurityConfig.class but the project fails to start:

	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_73]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.23-dev]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_73]
Caused by: org.opensaml.common.SAMLException: Error loading metadata
	... 67 more
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for entity com:vdenotaris:spring:sp and role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor wasn't found
	at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalEntity(SAMLContextProviderImpl.java:319) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
	at org.springframework.security.saml.context.SAMLContextProviderImpl.populateLocalContext(SAMLContextProviderImpl.java:216) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
	at org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalEntity(SAMLContextProviderImpl.java:107) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
	at org.springframework.security.saml.SAMLDiscovery.processDiscoveryRequest(SAMLDiscovery.java:183) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
	... 66 more

Thanks in advance

SSOCircle AuthN error while updating from Spring SAML version 1.0.0.RC to 1.0.0.RELEASE.

• Stacktrace: https://gist.github.com/vdenotaris/648b31d5d152b3073c09

Active on unstable-update branch.

The constructor HTTPMetadataProvider(String arg0, long arg1) is deprecated.
It will be substituted with HTTPMetadataProvider(Timer arg0, HttpClient arg1, String arg2)

I modify the spring port server port to 9800 (and I tried others) and i get an error from sso circle.

But if I change it back to 8080 then it works fine. Is there any reason that only port 8080 works with your example?

Also I tried to change the context path from "/" to "myservice" and that seemed to fail as well.

In all cases, I created a brand new user. But if I use localhost:8080/ then all is fine.

Is this some weird limitation of sso circle or is there some hidden configuration that I am missing?

Please change CSRF token on successful response by checking in Cookie or Header sent from User

Add Gradle build automation support.

Hi,

This code is resulting in a multiple redirect loop when I have the logout success page is "/logout" instead of "/".

I suspect this has something to do with the logout configuration in HttpSecurity configuration method.
(Below code)
http
.logout()
.logoutSuccessUrl("/");

Please let me know if you agree with this.

I created an OKTA based application using this code. Here, on local system I am able to access the application on http://localhost:8080 and able to authenticate user as well using SSO url as: http://localhost:8080/saml/SSO

Question:
How to run our application on https, instead of http ? What my company has provided is https://"domain-name":8080/saml/SSO

Hi, is possible add Dockerfile used in hub.docker inside project? I need change volume and i do no how is created.

Thanks and great job!

As seen in https://github.com/vdenotaris/spring-boot-security-saml-sample/tree/master/src/main/java/com/vdenotaris/spring/boot/security/saml/web, there are two packages with the almost same name: controllers and contolles (missing the R). They both contain the same Controllers, so this is probably a simple copy/paste bug.

Hello,

I'm trying to make this application work with Okta. I found the following question on Stack Overflow that provides some guidance, but I can't quite get things to work.

http://stackoverflow.com/questions/15997221/configuring-saml-sample-sp-to-work-with-okta-idp

Here's what I'm using for values:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}

It looks like it works from the logs:

[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748  INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;

However, it redirects me to Okta's site rather than back to my site. I was able to get the following Node.js application working:

https://github.com/ThoughtWorksInc/okta-samples/tree/master/okta-node-express

Hi,
First, thanks for this sample :)
Second, I have a question (that may resolve into an actual issue).
Why does your WebSecurityConfig contain a default Spring LogoutFilter configuration:

        http
            .logout()
                .logoutSuccessUrl("/");

From what I understand after hours spent on making Spring SAML work correctly, it (Spring SAML) overrides the default logout behavior with its own (available at /saml/logout), therefore the default Spring LogoutFilter doesn't make sense anymore (it's still available by POST to /logout, but it literally does nothing except for redirecting to /). So since LogoutConfigurer comes as a default and WebSecurityConfig uses defaults (by reusing a default constructor which in turn calls this(false)), does it makes sense to replace the snippet above with http.logout.disable(); at least to avoid confusion?

I had change entity id and run successfully. In SSOCirecle, I had new a user and upload my metadata. When I select IDP, page is jump to SSOCircle login page. In login page, which Login button can be click?
And What should I do next？Thanks.

Hi vdenotaris,
First of all THANK YOU VERY MUCH your saml implementation helped me a lot.

I want to use ADFS as my IdP. I got the IdP metdata.
Now how to use that like you did for SSOCircle?

Any help would be appreciated.

Hello, thanks for your sample project. Currently implementing SAML authentication based on your sample.

Metadata generation works fine as well as the redirection to the IDP site. But on the way back we just get an error...
Error! Something went wrong during the authentication process.

I guess it is caused as the request request is not handled correctly or not handled at all. Can you give me a hint which class is used to handle the /saml/SSO request?

POST /saml/SSO HTTP/1.1
Host: ...
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 2285
Referer: https://...
Cookie: JSESSIONID=93D15C024BF3E8EC6EE186BA4BF33EFA
Connection: keep-alive
Upgrade-Insecure-Requests: 1
SAMLResponse=...: undefined

Hi, I'm very new to SAML so my apologies if this is a stupid question.

I've setup the project locally (localhost:8080) and running it through IntelliJ. I can successfully get to the landing page and select ssocircle as the IdP. Once I'm redirected to ssocircle, I authenticate and then I get the following error:

Error occurred

Reason: Unable to do Single Sign On or Federation.

Please enable the additional debug option in "My Debug".
Detailed trace information only available with paid accounts.
Check our plans.

The handshake did not complete and my local instance never got any information from ssocircle.

Is this a limitation of my environment? Is this because ssocircle can't talk back to my server?
Thanks for your help!

Hello,

How would you go about writing test code with a TestRestTemplate instead of using mockMVC?

Kind Regards,

Ewout.

Hi,

the example should run out of the box, right? So i just checkout, build with

maven clean install

and run it with

java -jar spring-boot-security-saml-sample-1.4.0.RELEASE.war

Is there anything else do to? I get the error below all of the time. Do i need to add some certificates to the keystore or configure a hostname? When i call the address https://idp.ssocircle.com/idp-meta.xml with my browser, i am fine.

Thanks for any help!
Gerd

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
	at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267) ~[opensaml-2.6.1.jar!/:?]
	at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) ~[opensaml-2.6.1.jar!/:?]
	at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) ~[opensaml-2.6.1.jar!/:?]
	at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
	at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
	at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
	at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
	at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
	at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_121]
	at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_121]
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
	at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar!/:?]
	at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar!/:?]
	... 9 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
	at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) ~[openws-1.5.1.jar!/:?]
	at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.1.jar!/:?]
	at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar!/:?]
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar!/:?]
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar!/:?]
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar!/:?]
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar!/:?]
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar!/:?]
	at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar!/:?]
	at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar!/:?]
	... 9 more

Just wanted to give you props on this work... +1. Great work... I was struggling with authentication against ADFS via SAML... this helped a lot.