Spring Security XML configuration and Spring SAML in Java configuration

Question

I am using Spring Security in one of my project and now want to introduce Spring SAML. I have used Spring's XML configuration so far. Can I integrate SAML using Java based configuration?

I am new to SAML integration.

Answer 1

Yes you can configure Spring SAML using Java just like you can with the rest of Spring Security.

You need a WebSecurityConfig class with a configure class like this

   protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint());
    http
        .csrf()
            .disable();
    http
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http        
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/error").permitAll()
        .antMatchers("/saml/**").permitAll()
        .anyRequest().authenticated();
    http
        .logout()
            .logoutSuccessUrl("/");
}

You just need to write all the different beans together using Java, e.g. set up the SecurityFilterChain like this

    public FilterChainProxy samlFilter() throws Exception {
    List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
            samlEntryPoint()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
            samlLogoutFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
            metadataDisplayFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
            samlWebSSOProcessingFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
            samlWebSSOHoKProcessingFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
            samlLogoutProcessingFilter()));
    chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
            samlIDPDiscovery()));
    return new FilterChainProxy(chains);
}

Look at this project https://github.com/vdenotaris/spring-boot-security-saml-sample as an example for how it is done. The com.vdenotaris.spring.boot.security.saml.web.config.WebSecurityConfig.java shows the ingredients of the secret sauce.

Answer 2

you can use xml configuration for SAML integration. It is hard to create it from scratch as a starter, so i suggest you to download spring saml sample application and create your configuration based on it. Integration to your existing application is just a spring security integration.