I have one application with onelogin SAML 2.0 configured using Spring boot Java and REST web services (microservice architecture) and angularjs in front end. I am getting SAML response in java code. From there how to redirect to UI and pass the token in the browser.
I have to implement single sign-on in a ReactJs application where it's back-end is in python?
using pingFederation - checking user authentication.
then redirect to "React application" login page with SAML response.
By hitting a POST request on login page
Please help me to handle this SAML response at my application login page. I am stack here to handle/get SAML response.
how do I configure shibboleth as a service provider?
Please share your thoughts.
Thank you
Only React application cannot do that.
You need some backend.
If you are using SAML to connect then Shibboleth SP is a good choice.
Preferably Apache HTTPD server and java application.
Something like this
I have a web app developed using Create-react-app
I host it on IIS, the IIS only response to load the app, there is no server side logic on it (no Express or any other web server)
The app is using a RESTful API on the same IIS, it is out of my control (I cannot make change).
Now one of my client request to add SAML SSO to our app.
I would like to know:
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
For my case, I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Could any one give me some React implement SAML SSO tutorial or article for reference?
Thanks for any help, any information or suggestion are welcome!
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
I assume the client wants to authenticate the users using their internal IdP. So your application is the SP. But you will have to define different token service (details below).
With SPA (a single-page-applications) I see the problem, in SAML the user is redirected or posted away from the SAML request and SAML response.
I have a login page to enter id/pw, post them to API server Login endpoint to authenticate and get back a JWT token. After that we use that token in API calls for authentication
The API services are using a JWT token issued based on the provided username/password. I'd recommend to extend the token service (or use a different service) to issue a JWT token based on the provided SAML response - a token swap service. In many OAuth implementations it's called SAML grant type.
I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Usually after the authentication the user is redirected or posted to the SAML ACS endpoint URL, where the server can create sort of session (cookie, parameters, token, ..) and the user is redirected to a URL returned the web page with the session information.
If you are using an SPA, you could use a popup window or SAML with redirect (not with post), where the page could read the SAML response parameters (assertion, signature, ..) and use them in the token swap service mentioned above.
When processing the SAML response, try to use some mature, known, out-of-box libraries, it's a security service and not doing it properly may cause security weaknesses. But you need to do that on the server side, as at the end you need the JWT token consumed by the APIs.
I need to integrate angular front end with spring boot backend (REST API's) with SAML 2.0 and my identity provider is keycloak.
I have used SAML2-js library to integrate with the front end, now how do I secure my backend spring rest apis with the saml assertion that I have received after successful login in the frontend. What I can get in front is nameID and session index. If anyone has integrated to secure the spring backend rest API using SAML please let me know any documentation or any write up on these.
Thanks!
What I have done for the above problem is I've used OIDC integration for login flow with 2 clients one for frontend with authorization code flow and another client with bearer only for my backend to secure the REST APIs.
For providing SSO with SAML 2.0 I have used identity brokering from Keycloak which provides seamless SSO.
I'm currently working on an application with AngularJS, Spring MVC, Spring Security and SAML 2.0 Extension. I’m new to Spring Security SAML and I’ve ran into multiple issues and this is the latest one.
InResponseToField of the Response doesn't correspond to sent message a1f4a0e24c8a49a99f1h9df73e95c2
All of my saml configuration files are available here
https://github.com/MatthewLangford/samlConfig/tree/master
I have followed the saml example implementation here
https://github.com/vdenotaris/spring-boot-security-saml-sample
I have been following the AngularJS with Spring Security blog here
jasha.eu/blogposts/2015/10/saml-authentication-angularjs-spring-security.html
I’ve searched the internet for the solution to this and it seems like a common problem, and as per the spring security saml documentation this issue can be solved by setting the storageFactory property to the SAMLContextProviderImpl like so
#Bean
public SAMLContextProviderImpl contextProvider() {
SAMLContextProviderImpl samlContextProviderImpl = new SAMLContextProviderImpl();
samlContextProviderImpl.setStorageFactory(emptyStorageFactory());
return samlContextProviderImpl;
}
#Bean
public EmptyStorageFactory emptyStorageFactory() {
return new EmptyStorageFactory();
}
But still I am getting the same error.
I am using Spring Boot 1.5.4.RELEASE, Spring Security 4.2.3.RELEASE, spring-security-saml2-core:1.0.2.RELEASE, AngularJS 1.5.8
I am loading the sp and idp metadata locally to the spring saml config, but the idp is a remote entity and sp is local entity.
It is an angularjs based web application and application flow is supposed to be I hit the url that takes me to an insecure page with a login link, after I hit the login link I am sending a request to the sso controller that does a logical check on whether I am a authenticated user or not, if not I am supposed to be redirected to the sso for authentication.
Please provide your valuable input to help me in resolving this issue.
Thanks in advance.