Access bean property to set up camel:keystore - apache-camel

I have a bean set up which returns a decoded password for a keystore. For CXF calls I can get the password using #{decoder.keystorePassword}, but when I try to do the same thing from the camel:keyStore password for a REST call, it doesn't work and just uses #{..} as the password. I imagine the syntax for referencing a bean is slightly different because I am in a Camel component?
Any suggestions on how to get the value here?
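Camel resolves `#name` references in endpoint URI options against its own registry, so one way to avoid the question of which expression syntax a `camel:keyStore` attribute accepts is to build the SSLContextParameters object in Java from the bean and register it under a name. The following is an added example, not code from the original post or from the Camel project; it assumes Camel 3 (the `org.apache.camel.support.jsse` package), a hypothetical `PasswordDecoder` bean standing in for the poster's `decoder`, keystore files at the assumed classpath locations, and the `camel-http` component for the outbound HTTPS call.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class KeystoreFromBean {

    // Hypothetical stand-in for the poster's "decoder" bean. Base64 is only a
    // placeholder for whatever decoding the real bean performs.
    public static class PasswordDecoder {
        private final String encoded;
        public PasswordDecoder(String encoded) { this.encoded = encoded; }
        public String getKeystorePassword() {
            return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        }
    }

    // Builds the same object that <camel:sslContextParameters> produces in XML,
    // but in Java, so the password is an ordinary method call on the bean.
    public static SSLContextParameters sslContextParameters(PasswordDecoder decoder) {
        String password = decoder.getKeystorePassword();

        KeyStoreParameters keyStore = new KeyStoreParameters();
        keyStore.setResource("classpath:client.jks");        // assumed location of the client keystore
        keyStore.setPassword(password);

        KeyManagersParameters keyManagers = new KeyManagersParameters();
        keyManagers.setKeyStore(keyStore);
        keyManagers.setKeyPassword(password);                // assumes the key password equals the store password

        KeyStoreParameters trustStore = new KeyStoreParameters();
        trustStore.setResource("classpath:truststore.jks");  // assumed location of the trust store
        trustStore.setPassword(password);                    // assumed to share the same password

        TrustManagersParameters trustManagers = new TrustManagersParameters();
        trustManagers.setKeyStore(trustStore);

        SSLContextParameters ssl = new SSLContextParameters();
        ssl.setKeyManagers(keyManagers);
        ssl.setTrustManagers(trustManagers);
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the string "changeit", Base64-encoded.
        PasswordDecoder decoder = new PasswordDecoder("Y2hhbmdlaXQ=");

        CamelContext context = new DefaultCamelContext();
        // Register under a name so endpoint URIs can reference it as #sslContextParameters.
        context.getRegistry().bind("sslContextParameters", sslContextParameters(decoder));

        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                from("direct:callApi")
                    // camel-http looks the registered SSLContextParameters up by registry name.
                    .to("https://api.example.test/v1/status?sslContextParameters=#sslContextParameters")
                    .log("response: ${body}");
            }
        });
        context.start();
        try {
            ProducerTemplate template = context.createProducerTemplate();
            template.sendBody("direct:callApi", "");
        } finally {
            context.stop();
        }
    }
}
```

The decoded password still lives in memory as a String for the lifetime of the SSLContextParameters object, exactly as it would with the XML configuration, so this changes where the value is wired, not how it is protected.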

Related

Invalid signed assertion in response

I am attempting to create a custom identity provider (based on https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestIdPCore) but using HTTP-POST binding. The issue I am having is that when the service provider tries to validate the authn response they are getting errors ("actual digest value does not match expected"). I have also attempted to use a third-party tool to validate the XML response and was getting an error like "The XML has been altered after signing."
I am signing the assertion on the response using a certificate in the key store on the server where the service is running.
The XML needs to keep the same plain format for the signature validation to succeed.
You probably need to debug to find the problem.
Does your IdP work with a sample RP, e.g. https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore?
Do you have different RPs, and does one of them work?

How to handle missing SingleLogout endpoint in SAML metadata?

I am using Spring SAML integration. I am getting the error below when I try to do a SAML logout without a SingleLogout endpoint.
I overrode the SAML method to check whether the metadata has any SingleLogout endpoint, but it's not working.
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: IDP doesn't contain any SingleLogout endpoints
at org.springframework.security.saml.util.SAMLUtil.getLogoutBinding(SAMLUtil.java:108)
at org.springframework.security.saml.websso.SingleLogoutProfileImpl.sendLogoutRequest(SingleLogoutProfileImpl.java:66)
at org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:140)
To properly override the lack of single logout endpoint in the metadata, you'd have to provide your own implementation of org.springframework.security.saml.websso.SingleLogoutProfile and inject it as a dependency in your application config. Certainly doable but quite a bit of effort for a problem that has a simpler solution: manually modify the metadata you received from the IdP and add the endpoint. (If the metadata is signed, you'll need to remove the signature).
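The manual edit the answer describes, as an added example that is not part of the original answer or of Spring SAML: the code below parses IdP metadata with the JDK's DOM API (DTDs disabled), inserts a `SingleLogoutService` element where the SAML metadata schema requires it (before `SingleSignOnService` inside `IDPSSODescriptor`), and strips the enveloped `ds:Signature` that the edit would otherwise invalidate. The metadata document, the entityID and the logout URL are constructed sample values, and the HTTP-Redirect binding is assumed; use the binding and location your IdP actually supports.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class IdpMetadataPatcher {
    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    // Constructed sample: a signed IdP descriptor that advertises SSO but no SingleLogoutService.
    static final String SAMPLE_METADATA =
        "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\" entityID=\"https://idp.example.test/saml\">"
      + "<ds:Signature xmlns:ds=\"" + DS_NS + "\"><ds:SignedInfo/>"
      + "<ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>"
      + "<md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
      + "<md:SingleSignOnService Binding=\"" + HTTP_REDIRECT + "\" Location=\"https://idp.example.test/sso\"/>"
      + "</md:IDPSSODescriptor></md:EntityDescriptor>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static boolean hasSingleLogout(Document doc) {
        return doc.getElementsByTagNameNS(MD_NS, "SingleLogoutService").getLength() > 0;
    }

    static boolean isSigned(Document doc) {
        return doc.getElementsByTagNameNS(DS_NS, "Signature").getLength() > 0;
    }

    // Adds a SingleLogoutService to the IDPSSODescriptor if it lacks one and removes the
    // enveloped signature, which no longer matches the edited content. Returns true if modified.
    static boolean addSingleLogout(Document doc, String location) {
        if (hasSingleLogout(doc)) return false;
        NodeList idps = doc.getElementsByTagNameNS(MD_NS, "IDPSSODescriptor");
        if (idps.getLength() == 0) throw new IllegalArgumentException("no IDPSSODescriptor in metadata");
        Element idp = (Element) idps.item(0);

        Element slo = doc.createElementNS(MD_NS, "md:SingleLogoutService");
        slo.setAttribute("Binding", HTTP_REDIRECT);
        slo.setAttribute("Location", location);
        // Schema order: SingleLogoutService precedes SingleSignOnService inside IDPSSODescriptor.
        Node sso = idp.getElementsByTagNameNS(MD_NS, "SingleSignOnService").item(0);
        idp.insertBefore(slo, sso);   // insertBefore(node, null) appends, so a missing SSO element is fine

        NodeList signatures = doc.getElementsByTagNameNS(DS_NS, "Signature");
        for (int i = signatures.getLength() - 1; i >= 0; i--) {
            Node sig = signatures.item(i);
            sig.getParentNode().removeChild(sig);
        }
        return true;
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE_METADATA);
        System.out.println("before: SLO=" + hasSingleLogout(doc) + " signed=" + isSigned(doc));
        addSingleLogout(doc, "https://idp.example.test/slo");   // assumed logout URL; confirm it with the IdP operator
        System.out.println("after:  SLO=" + hasSingleLogout(doc) + " signed=" + isSigned(doc));
        System.out.println(serialize(doc));
    }
}
```

Removing the signature also removes the SP's ability to detect tampering, so verify the original signature before editing, keep the patched file under your own control (not fetched from the IdP at runtime), and re-apply the edit whenever the IdP publishes new metadata.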

Master SAML Processing URL

I am trying to create a client that uses SAML, but I am not sure what the Master SAML Processing URL field should be.
I read the documentation, but it's still not clear to me.
SAML uses assertions in order to verify resource accesses. The service provider needs to declare a specific URL for this assertion exchange. On the other hand, there's the URL which the Service Provider uses to manage the Single Sign Out process. The Master SAML Processing URL of Keycloak just lets you specify the same endpoint for both processes (you can still configure them individually using the fine-grain configuration).

SAML2 No RelayState was detected so message was not expected to have an InResponseTo attribute

Kentor: I am using the SampleMvcApplication with success through their StubIdp, but when I try with Clareity I receive the above error.
Without knowing anything about the implementations (Kentor, SampleMvcApplication, StubIdP, Clareity) it looks as if:
Your Identity Provider implementation does not return a 'RelayState' parameter in the body of the HTTP POST along with the SAMLResponse.
Your Identity Provider implementation has added an InResponseTo attribute in the SAMLResponse element
Your Service Provider implementation interprets this as an IdP initiated SSO since it does not see a 'RelayState' parameter
Your Service Provider throws an error since it doesn't make sense for a SAMLResponse in an IdP-initiated SSO flow to have an InResponseTo. InResponseTo refers to an AuthenticationRequest which is only there in a normal SP-initiated SSO.
To get more help, you should tell us a little about the implementation you are using and your configuration.
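The correlation logic the answer walks through, as an added example that is not part of the original answer or of the Kentor library: the SP stores the ID of each AuthnRequest it sends, keyed by the RelayState it generated; when a Response arrives, no RelayState means there is nothing to correlate against, so the response is treated as IdP-initiated and any InResponseTo is rejected. The sample Response documents, request IDs and RelayState values are constructed; real Responses must additionally be signature-checked and have their conditions validated, which this check does not do.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class ResponseCorrelation {

    enum Outcome {
        SP_INITIATED_OK,            // RelayState known and InResponseTo matches the AuthnRequest we sent
        IDP_INITIATED_OK,           // no RelayState and no InResponseTo: an unsolicited response
        UNEXPECTED_IN_RESPONSE_TO,  // no RelayState, yet the IdP claims to answer a request (the error in the question)
        UNKNOWN_RELAY_STATE,        // RelayState does not map to any pending request
        MISSING_IN_RESPONSE_TO,     // SP-initiated flow, but the response does not say which request it answers
        IN_RESPONSE_TO_MISMATCH     // answers a different request than the one RelayState points to
    }

    static Element parseResponse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    // pendingRequests maps the RelayState the SP generated to the ID of the AuthnRequest it sent.
    // The entry is consumed on first use so a response cannot be replayed against the same state.
    static Outcome check(String samlResponseXml, String relayState, Map<String, String> pendingRequests) throws Exception {
        Element response = parseResponse(samlResponseXml);
        String inResponseTo = response.hasAttribute("InResponseTo") ? response.getAttribute("InResponseTo") : null;

        if (relayState == null || relayState.isEmpty()) {
            // Nothing to correlate against: this can only be an IdP-initiated (unsolicited) response.
            return inResponseTo == null ? Outcome.IDP_INITIATED_OK : Outcome.UNEXPECTED_IN_RESPONSE_TO;
        }
        String expectedRequestId = pendingRequests.remove(relayState);
        if (expectedRequestId == null) return Outcome.UNKNOWN_RELAY_STATE;
        if (inResponseTo == null) return Outcome.MISSING_IN_RESPONSE_TO;
        return expectedRequestId.equals(inResponseTo) ? Outcome.SP_INITIATED_OK : Outcome.IN_RESPONSE_TO_MISMATCH;
    }

    // Constructed sample Response carrying only the attributes this check looks at.
    static String sampleResponse(String inResponseTo) {
        String attr = inResponseTo == null ? "" : " InResponseTo=\"" + inResponseTo + "\"";
        return "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
             + " ID=\"_resp-1\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\"" + attr + "/>";
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> pending = new HashMap<>();
        pending.put("rs-123", "_req-abc");   // constructed: RelayState rs-123 belongs to AuthnRequest _req-abc

        System.out.println(check(sampleResponse("_req-abc"), "rs-123", pending));  // SP-initiated, matching
        System.out.println(check(sampleResponse("_req-abc"), "rs-123", pending));  // same RelayState again, already consumed
        System.out.println(check(sampleResponse(null), null, pending));            // unsolicited, no InResponseTo
        System.out.println(check(sampleResponse("_req-abc"), null, pending));      // the situation in the question
    }
}
```

The four calls in `main` exercise, in order, a correct SP-initiated exchange, a replay against consumed state, a genuine IdP-initiated response, and the case from the question where the IdP sets InResponseTo but returns no RelayState.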

Obtaining a previous message within an Apache Camel route

I'm pretty new to Camel so perhaps I'm going about this the wrong way, but I'm routing messages from one endpoint to another and transforming them on the way. However, the next stage is to add authentication to the pipeline. I have a service that tracks authenticated users. My plan is, in the first stage of the route, to add a filter that checks to see if the current user is authenticated. If the user is not, I want to transform the message into an authentication request and send that to my endpoint. All good so far; however, after authentication (if successful) I want to send the original message down the pipeline. Is this something that can be done?
A simplified version of my route would be:
from("seda:in")
    .filter(method(Authentication.class, "isNotAuthenticated"))
        .bean(AuthenticationTransformer.class)
        .to("cxfbean:out")
    .end()
    .bean(RequestTransformer.class)
    .to("cxfbean:out");
The same message would be sent to both transformer beans.
You should preserve the message in the Exchange property with setProperty("originalMessage", body()) before transforming it. Afterwards, you can access that property using getProperty("originalMessage").
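The answer's suggestion applied to the poster's route, as an added example that is not part of the original answer: the body is copied into an Exchange property before the filter, the authentication leg runs with a transformed body, and the original payload is restored from the property before the request transformer. The `Authentication`, `AuthenticationTransformer` and `RequestTransformer` classes are hypothetical stand-ins for the poster's beans, `direct:service` stands in for `cxfbean:out`, and `direct:in` replaces `seda:in` so the demonstration in `main` runs synchronously.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.camel.CamelContext;
import org.apache.camel.Header;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

public class PreserveOriginalRoute extends RouteBuilder {

    // Hypothetical stand-ins for the poster's beans.
    public static class Authentication {
        private final Set<String> authenticated = ConcurrentHashMap.newKeySet();
        public boolean isNotAuthenticated(@Header("user") String user) { return !authenticated.contains(user); }
        public void markAuthenticated(String user) { authenticated.add(user); }
    }
    public static class AuthenticationTransformer {
        public String toAuthRequest(@Header("user") String user) { return "AUTH " + user; }
    }
    public static class RequestTransformer {
        public String toRequest(String body) { return "REQ " + body; }
    }

    private final Authentication auth = new Authentication();

    @Override
    public void configure() {
        from("direct:in")
            // Keep the untouched payload on the Exchange before anything rewrites the body.
            .setProperty("originalMessage", body())
            .filter(method(auth, "isNotAuthenticated"))
                .bean(AuthenticationTransformer.class, "toAuthRequest")
                .to("direct:service")   // stands in for cxfbean:out
                // Real code would inspect the service's reply before trusting the user.
                .process(e -> auth.markAuthenticated(e.getIn().getHeader("user", String.class)))
            .end()
            // Whether or not the filter ran, continue with the original payload, not the auth reply.
            .setBody(exchangeProperty("originalMessage"))
            .bean(RequestTransformer.class, "toRequest")
            .to("direct:service");

        from("direct:service").log("service received: ${body}");
    }

    public static void main(String[] args) throws Exception {
        CamelContext context = new DefaultCamelContext();
        context.addRoutes(new PreserveOriginalRoute());
        context.start();
        try {
            ProducerTemplate template = context.createProducerTemplate();
            // Constructed sample traffic: the first message from alice goes through the
            // authentication leg first, the second skips the filter block entirely.
            template.sendBodyAndHeader("direct:in", "order-42", "user", "alice");
            template.sendBodyAndHeader("direct:in", "order-43", "user", "alice");
        } finally {
            context.stop();
        }
    }
}
```

Restoring the body after `.end()` rather than inside the filter keeps the happy path and the authentication path converging on the same state, so the request transformer never sees the authentication service's reply.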
