9

I'm trying to make spring-boot-security-saml-sample application work with Okta. To add Okta as a provider, I've made the following changes to WebSecurityConfig.java:

https://gist.github.com/mraible/c8b52972f76e6f5e30d5

I found the following question that provides some guidance, but I can't quite get things to work.

configuring saml-sample (SP) to work with Okta (IdP)

Here's what I'm using for values on Okta:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}

It looks like it works from the logs:

[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748  INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;

However, it redirects me to Okta's site rather than back to my site.

Community
  • 1
  • 1
Matt Raible
  • 5,905
  • 8
  • 47
  • 98
  • I don't have any personal experience with this but I know the Cloud Foundry identity team has done it. See source code here: https://github.com/cloudfoundry/login-server/tree/master/src/main/resources. – Dave Syer Dec 31 '14 at 09:44

2 Answers2

4

I got it to work! The key appears to be setting Request to "Uncompressed". From there, I removed "alias/defaultAlias" since this only seems to work when you set an alias on the ExtendedMetadata. My settings that work on the Okta side:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/saml/SSO
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Uncompressed
Destination: http://localhost:8080/saml/SSO
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
Matt Raible
  • 5,905
  • 8
  • 47
  • 98
  • 2
    For anyone integrating Okta with Spring SAML, the manual now contains a basic step-by-step integration guide for Okta, see http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/html/chapter-idp-guide.html#d4e1782 – Vladimír Schäfer Feb 01 '15 at 20:31
  • @VladimírSchäfer Could you please update the java config in the link above you provided. – rogue lad Nov 13 '17 at 10:45
  • Here's a guide I updated last month (October 2017): https://developer.okta.com/blog/2017/03/16/spring-boot-saml – Matt Raible Nov 13 '17 at 11:29
0

Matt,

Try setting the "Post Back URL" to "localhost:8080/saml/SSO/alias/defaultAlias".

From the looks of your configuration "localhost:8080/saml/SSO/alias/defaultAlias" is the SAML endpoint on "localhost" which is where we post the SAML Response to.

Right now with it being "localhost:8080/" - your demo site is probably just redirecting you back to Okta rather than parsing the SAML response.

You haven't mentioned what you have done on the Okta side to test this out. Here is the instructions on how to do it - https://support.okta.com/entries/27560008-Using-the-App-Integration-Wizard - using our App Wizard which creates the proper SAML IDP endpoints on the okta side. The SAML login URL on the Okta side is needed by your demo site so that it knows where to redirect SAML requests to.

For more info on SAML - you can check out our SAML guidance on our developer site - http://developer.okta.com/docs/getting_started/saml_guidance.html

Let me know how it goes. Cheers

Stephen

Stephen Lee
  • 76
  • 3
  • I tried that, still doesn't work. I used the Template SAML 2.0 Application to create an app on the Okta side. I was able to get a Node and Sinatra applications working easily. A lot less code too. – Matt Raible Jan 05 '15 at 19:48
  • I tried changing the Request to "Uncompressed" on the Okta side of things and got a bit further. Now it redirects back to my app, but I see the following error in my logs: https://gist.github.com/mraible/02ad43d4deb7823ce449 – Matt Raible Jan 05 '15 at 20:01