I'm currently working on an application with AngularJS, Spring MVC, Spring Security and SAML 2.0 Extension. I’m new to Spring Security SAML and I’ve ran into multiple issues and this is the latest one.
InResponseToField of the Response doesn't correspond to sent message a1f4a0e24c8a49a99f1h9df73e95c2
All of my saml configuration files are available here
https://github.com/MatthewLangford/samlConfig/tree/master
I have followed the saml example implementation here
https://github.com/vdenotaris/spring-boot-security-saml-sample
I have been following the AngularJS with Spring Security blog here
jasha.eu/blogposts/2015/10/saml-authentication-angularjs-spring-security.html
I’ve searched the internet for the solution to this and it seems like a common problem, and as per the spring security saml documentation this issue can be solved by setting the storageFactory property to the SAMLContextProviderImpl like so
#Bean
public SAMLContextProviderImpl contextProvider() {
SAMLContextProviderImpl samlContextProviderImpl = new SAMLContextProviderImpl();
samlContextProviderImpl.setStorageFactory(emptyStorageFactory());
return samlContextProviderImpl;
}
#Bean
public EmptyStorageFactory emptyStorageFactory() {
return new EmptyStorageFactory();
}
But still I am getting the same error.
I am using Spring Boot 1.5.4.RELEASE, Spring Security 4.2.3.RELEASE, spring-security-saml2-core:1.0.2.RELEASE, AngularJS 1.5.8
I am loading the sp and idp metadata locally to the spring saml config, but the idp is a remote entity and sp is local entity.
It is an angularjs based web application and application flow is supposed to be I hit the url that takes me to an insecure page with a login link, after I hit the login link I am sending a request to the sso controller that does a logical check on whether I am a authenticated user or not, if not I am supposed to be redirected to the sso for authentication.
Please provide your valuable input to help me in resolving this issue.
Thanks in advance.
Related
im trying to use saml for our sites login(react front-end and .net api backend) using ITFoxtec package. After logging in on SSO site, the assertion url is getting success message but throwing exception because the XML is empty.
I'm not sure what the problem is in your situation. The SAML 2.0 login and logout has to be handled by the backend .NET server and your React and API security is therefor handled by .NET.
Some info on the topic:
Nuget ITfoxtec SAML & Angular
How to redirect on backend for Angular application using Itfoxtec to access app through Azure Active Directory
Getting error Cannot POST in angular when redirected to call back url with SAML response
Nuget ITfoxtec SAML & Angular
AssertionUrl for AngularJS Application
I have a web app developed using Create-react-app
I host it on IIS, the IIS only response to load the app, there is no server side logic on it (no Express or any other web server)
The app is using a RESTful API on the same IIS, it is out of my control (I cannot make change).
Now one of my client request to add SAML SSO to our app.
I would like to know:
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
For my case, I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Could any one give me some React implement SAML SSO tutorial or article for reference?
Thanks for any help, any information or suggestion are welcome!
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
I assume the client wants to authenticate the users using their internal IdP. So your application is the SP. But you will have to define different token service (details below).
With SPA (a single-page-applications) I see the problem, in SAML the user is redirected or posted away from the SAML request and SAML response.
I have a login page to enter id/pw, post them to API server Login endpoint to authenticate and get back a JWT token. After that we use that token in API calls for authentication
The API services are using a JWT token issued based on the provided username/password. I'd recommend to extend the token service (or use a different service) to issue a JWT token based on the provided SAML response - a token swap service. In many OAuth implementations it's called SAML grant type.
I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Usually after the authentication the user is redirected or posted to the SAML ACS endpoint URL, where the server can create sort of session (cookie, parameters, token, ..) and the user is redirected to a URL returned the web page with the session information.
If you are using an SPA, you could use a popup window or SAML with redirect (not with post), where the page could read the SAML response parameters (assertion, signature, ..) and use them in the token swap service mentioned above.
When processing the SAML response, try to use some mature, known, out-of-box libraries, it's a security service and not doing it properly may cause security weaknesses. But you need to do that on the server side, as at the end you need the JWT token consumed by the APIs.
I am trying to crawl a website, more specifically a Google Site using ManifoldCF that has SAML authentication and index the crawled data into Apache Solr. But as I crawl the URL, it gives me 302 redirection to login page and then says RESPONSECODENOTINDEXABLE.
I am not sure if have I authenticated correctly or not. In manifoldCF we have options for HTTP basic authentication, NTLM authentication and Session-based access credentials authentication method. I used Session based authentication method which more looks like a form based authentication rather than SAML authentication.
Has anybody crawled a website using manifoldCF which has SAML authentication? And if not manifoldCF, has anyone been able to accomplish this via Apache Nutch, because I am afraid, it also provides only HTTP basic , Digest and NTLM authentication.
Any insight would be helpful. Can provide more information regarding the issue, if anyone here thinks it can easily be accomplished. Basically when I crawl https://sites.google.com/a/my-sub-domain.com, it redirects to SSO login page and crawler refuses to crawl any more giving a 302 error. It's an intranet based website.
There is no support in Nutch forSSO authentication using SAML. You need to handle it by writing your custom plugin. We have extended proptocol selenium plugin to handle SAML flows.
Not sure whether this helps, just try it out.
In nutch, we can provide credentials to login to the page, we have httpclient-auth.xml file in conf directory.
There u can provide your host name along with the credentials.
<auth-configuration>
<credentials username="admin" password="admin123">
<authscope host="hostname" realm="login"/>
<default/>
</credentials>
</auth-configuration>
Similarly you can add any number of credentials to this configuration.
To crawl https site, change plugin.includes property from protocol-http to protocol-httpclient in nutch-conf.xml
We have modified logic in Nutch protocol-selenium plugin to handle SSO flows.
You need to wait for redirect to SSO page. Then using selenium you can handle SSO. Again wait for redirection to original page after SSO.
If 2 factor auth is required, then things become complex. In that case you can configure google authenticator (if allowed by your IdP). You can use that to get get TOTP.
For crawling files behind authentication there is no usual way. You can configure driver to always downlaod files and then use the docwnlaoded file.
You can handle the auth flow using another http clients. If you need dynamic page's content (after all JS and Ajax request completed) then selenium is the best choice and if you are using it, you can move auth part to selenium.
I'm writing an Angular app which has Grails with Spring Security as a backend. I don't want to couple frontend with backend, so I don't use any gsp's, the communication goes only through REST requests.
Now the question comes which authentication to use.
Form authentication could be useful, but spring security redirects to the default form page and my login page is outside of Grails (in Angular project). I don't need a form page from spring security, I just need a URL where I can do my post request with credentials and get a cookie back.
So I started with Basic authentication which is easy enough, but then we have to add Authorization header to each request, which is annoying and not secure.
Spring security allows remember me cookie, but it is coupled to form authentication, so it is not possible (or difficult) to use it with basic authentication.
Stateless token authentication (for example, JWT) sounds great, but it is not clear how to configure it with Grails. The documentation for Security plugin has no mention about stateless authentication: http://grails-plugins.github.io/grails-spring-security-core/guide/index.html
So what is the best way to do authentication from Angular in Spring Secirity?
You are using default behavior of spring security. If you want stateless authentication, you will have to override the default behavior. Please go through this wiki page and also see this sample app for angular backend.
Any help, advice and experience is welcome.
Im currently having a separate AngularJS SPA on a Apache HTTP Server and a Spring Backend on a Tomcat 7 Servlet. The backend serves as a Rest API for the SPA.
Some rest resources will require a user to have a certain role.
I've been searching the internet for days on what and how to implement the best security strategy:
Basic Auth
Digest
oAuth
Stateless, Cookies? Sessions? Tokens? CSRF?
How would you go about communicating Spring Security in Json or XML to your SPA to show the user an authentication page or an "your successfully authenticated page"?
Any help is appreciated.
I finally figured out how to make the SPA authenticate with my Rest Backend.
In spring security I created a
Custom SimpleUrlAuthenticationFailureHandler which returns a HTTP-Unauthorizated if a login attempt fails.
Custom SavedrequestAwareAuthenticationSuccessHandler which returns Http-Oke if a login attempt is successful.
Custom AuthenticationEntryPoint which returns Http-Unauthorizated instead of a redirect.
Custom LogoutSuccessHandler which returns Http-OK.
I disabled CSRF.
If anyone needs more help feel free to let me know or message me.
I highly recommend watching this Spring's introductory video. It explains usage of Spring Security from ground up using Java configuration. Apart basic configuration, authentication and CLRF token usage also dive into field security. Uses templating on server with Thymeleaf though, but can provide a lot of wisdom for REST based app also.