Reputation: 21
I am trying to integrate Spring Security SAML into my project. I have tried the Okta demo, and I know the URI /saml/SSO is used to consume the SAMLResponse from the IdP. But I have registered a consume URI in my IdP which is different from /saml/SSO, and it can't be changed.
So I have to find a way to change the default SSO processesUrl.
I think I need to change something like this:
    public FilterChainProxy samlFilter() throws Exception {
        List<SecurityFilterChain> chains = new ArrayList<>();
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
                samlEntryPoint));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
                samlLogoutFilter));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
                metadataDisplayFilter));
        // Default ACS chain, replaced by the /saml/consume chain below
        // chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
        //         samlWebSSOProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/consume/**"),
                samlWebSSOProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
                samlWebSSOHoKProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
                samlLogoutProcessingFilter));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
                samlDiscovery));
        return new FilterChainProxy(chains);
    }
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.saml.SAMLProcessingFilter;

    // Subclass of the old spring-security-saml processing filter whose only
    // purpose is to change the URL it processes (the default is /saml/SSO).
    public class CustomSAMLProcessingFilter extends SAMLProcessingFilter {
        public CustomSAMLProcessingFilter() {
            this("/saml/consume");
        }
        public CustomSAMLProcessingFilter(String defaultFilterProcessesUrl) {
            super(defaultFilterProcessesUrl);
        }
        // The overrides below are pass-throughs that keep the parent behaviour;
        // they only mark the hooks that could be customised.
        @Override
        protected String getProfileName() {
            return super.getProfileName();
        }
        @Override
        protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
            return super.requiresAuthentication(request, response);
        }
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
            return super.attemptAuthentication(request, response);
        }
    }
    @Bean
    public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
        // SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
        SAMLProcessingFilter samlWebSSOProcessingFilter = new CustomSAMLProcessingFilter("/saml/consume");
        samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
        samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(samlAuthSuccessHandler);
        samlWebSSOProcessingFilter.setAuthenticationFailureHandler(samlAuthFailureHandler);
        return samlWebSSOProcessingFilter;
    }
    http
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/pre-auth**").permitAll()
        .antMatchers("/form-login**").permitAll()
        .antMatchers("/error").permitAll()
        .antMatchers("/saml/**").permitAll()
        .antMatchers("/saml2/**").permitAll()
        .antMatchers("/css/**").permitAll()
        .antMatchers("/img/**").permitAll()
        .antMatchers("/js/**").permitAll()
        .antMatchers("/sw.js").permitAll()
        .anyRequest().authenticated();
After that, when I tried to log in, there was no reaction in the filter chain. In the console, my project has received the SAMLResponse, but nothing more happens, and the web page shows an error page.
When I did the Okta demo before, it got my login info and showed it on the success page.
I would like to know how to change the default SSO processesUrl and log in successfully. Would you give me some ideas or suggestions to help me resolve this problem please? Thanks a lot!
Upvotes: 2
Views: 3222
Reputation: 6479
It appears you are using the old spring-security-saml project, which is in maintenance mode. Please use Spring Security's SAML support instead.
In Spring Security's SAML support, the default for the assertionConsumerServiceLocation is /login/saml2/sso/{registrationId}.
The application will process any POST /login/saml2/sso/{registrationId} request containing a SAMLResponse parameter.
You can customize this when creating your RelyingPartyRegistration.
If you are using Spring Boot, you can configure it in the application.yml:
    spring:
      security:
        saml2:
          relyingparty:
            registration:
              one:
                identityprovider:
                  metadata-uri: https://idp/metadata.php
                acs:
                  location: "{baseUrl}/custom/{registrationId}"
To update the login processing URL, you can customize HttpSecurity:
    http
        .saml2Login(saml2 -> saml2
            .loginProcessingUrl("/custom/{registrationId}")
        );
Upvotes: 2
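The two settings in the answer above (the ACS location on the RelyingPartyRegistration and the loginProcessingUrl on HttpSecurity) have to agree, because the registration's ACS location is what the SAML response's Destination is checked against, while the loginProcessingUrl decides which request path the Saml2WebSsoAuthenticationFilter actually consumes. The following is an added example that wires both in Java instead of application.yml; it is not code from the question, the answer or the Spring project. It assumes Spring Security 6.x (authorizeHttpRequests/requestMatchers), a hypothetical IdP metadata URL https://idp.example.com/metadata.php that is fetched at startup, and the registration id "one" from the answer.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class CustomAcsSecurityConfig {

    // Hypothetical IdP metadata location; replace with the real one.
    private static final String IDP_METADATA = "https://idp.example.com/metadata.php";

    // One constant for the ACS path so the registration and the filter cannot drift apart.
    // {baseUrl} and {registrationId} are resolved by Spring Security per request.
    private static final String ACS_PATH = "/custom/{registrationId}";

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                // Reads the IdP's SSO endpoint and signing certificate from its metadata
                .fromMetadataLocation(IDP_METADATA)
                .registrationId("one")
                // The URL the IdP must POST the SAMLResponse to; this is also the value
                // published in the SP metadata, so re-register that metadata with the IdP
                // after changing it, otherwise the IdP keeps posting to the old URL.
                .assertionConsumerServiceLocation("{baseUrl}" + ACS_PATH)
                .assertionConsumerServiceBinding(Saml2MessageBinding.POST)
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   RelyingPartyRegistrationRepository repository) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/", "/error", "/css/**", "/img/**", "/js/**").permitAll()
                .anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                .relyingPartyRegistrationRepository(repository)
                // Must match the ACS path above: the filter only consumes POSTs to this
                // path, and the provider rejects responses whose Destination differs
                // from the registration's ACS location.
                .loginProcessingUrl(ACS_PATH));
        return http.build();
    }
}
```

With this in place a POST to /custom/one carrying a SAMLResponse parameter is authenticated, and a response addressed to the old /login/saml2/sso/one path is rejected rather than silently ignored. The same pairing applies if you keep the application.yml form from the answer: the acs.location value and the loginProcessingUrl must name the same path.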