Integrating Spring Security and SAML - JOIN 2014
Ordina JOIN 2014
Ken Coenen @CoenenKen
Senior Java Developer, Architecture & Best Practices Competence Lead at Ordina
Integrating Spring Security and SAML
SAML
What is SAML?
▪ Security Assertion Markup Language
▪ XML protocol
▪ Approved standard
▪ SAML 2.0 dates from March 2005
▪ Used for e.g. Single Sign-On (SSO)
SAML overview
▪ Identity Provider (IDP): the authenticating party
▪ Service Provider (SP): relies on the IDP and provides a service
▪ Circle of Trust (COT): a group of trusted SPs
SAML sequence
1. User requests access to a service
2. Redirect to IDP logon page
3. POST to IDP
4. Redirect to application
5. User can access any application in the Circle of Trust
Spring Security
What is Spring Security?
▪ Part of the Spring framework: http://projects.spring.io/spring-security/
▪ Provides dozens of customizable security features
▪ Authentication and Authorization
→ For now we’ll focus on authentication
▪ Support for a wide range of authentication models
▪ Possible to write your own
→ That’s what we’ll do!
Authentication Concepts
▪ Filter Chain
  ▪ Security rules for your application
▪ Entry Point
  ▪ How an unauthenticated user tries to access secured resources
  ▪ e.g. Form login, OpenID, basic authentication, ...
▪ Manager
  ▪ Manages authentication requests
  ▪ Uses an AuthenticationProvider and a User Details Service
Putting the pieces together
Include Maven dependencies
Check latest dependencies on http://projects.spring.io/spring-security/
Include Maven dependencies (2)
OpenAM library to interpret SAML assertion and perform redirects
Map Spring Security filter in web.xml
▪ Let your J2EE application know we’re using Spring Security
Authentication Filter Chain
Filter Chain
Triggered if not authenticated
1. Redirect to IDP
2. Process SAML assertion
▪ Extends GenericFilterBean
Request initiator
Redirect to the IDP
Process the SAML response
▪ Extends AbstractAuthenticationProcessingFilter
Wrap the SAML assertion from the request parameters in a PreAuthenticatedAuthenticationToken
Processes Authentication object
Authentication Manager
Triggers the User Details Service to authenticate the user
Interpret SAML attributes
▪ Extends AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>
▪ Maps SAML assertion attributes to Spring privileges (granted authorities)
Custom User Details Service
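The three pieces the slides describe (a request initiator extending GenericFilterBean, a SAML response processing filter extending AbstractAuthenticationProcessingFilter, and a custom AuthenticationUserDetailsService mapping SAML attributes to authorities), as one added example written for this transcript. It is not the presenter's code. The SAML XML parsing and signature validation that the talk delegates to the OpenAM library are represented by a hypothetical AssertionDecoder interface; the SamlAssertion type, the "memberOf" attribute name, the URLs and the "SAMLResponse" parameter handling are assumptions made for the example. The javax.servlet API is used, as was current in 2014.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.GenericFilterBean;

/** Hypothetical view of a decoded SAML assertion (assumption for this example). */
interface SamlAssertion {
    String subject();                        // NameID of the user the IDP authenticated
    Map<String, List<String>> attributes();  // attribute statements, e.g. group memberships
}

/** Hypothetical decoder standing in for the OpenAM library; it must reject unsigned or
 *  tampered responses and throw before any assertion reaches the filter chain. */
interface AssertionDecoder {
    SamlAssertion decode(String base64SamlResponse);
}

/** Step 1: request initiator. Unauthenticated users are redirected to the IDP logon page. */
class SamlRequestInitiatorFilter extends GenericFilterBean {
    private final String idpLogonUrl;    // assumed, e.g. https://idp.example/sso
    private final String consumerPath;   // the POST-back path, which must not be redirected again

    SamlRequestInitiatorFilter(String idpLogonUrl, String consumerPath) {
        this.idpLogonUrl = idpLogonUrl;
        this.consumerPath = consumerPath;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        boolean isPostBack = consumerPath.equals(request.getServletPath());
        if (!isPostBack && (current == null || !current.isAuthenticated())) {
            ((HttpServletResponse) res).sendRedirect(idpLogonUrl);  // AuthnRequest building is left to the SAML library
            return;
        }
        chain.doFilter(req, res);
    }
}

/** Step 2: process the SAML response the IDP POSTs back and hand it to the manager. */
class SamlResponseProcessingFilter extends AbstractAuthenticationProcessingFilter {
    private final AssertionDecoder decoder;

    SamlResponseProcessingFilter(String consumerPath, AssertionDecoder decoder) {
        super(consumerPath);  // the filter only triggers on the assertion consumer URL
        this.decoder = decoder;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String samlResponse = request.getParameter("SAMLResponse");  // HTTP-POST binding parameter name
        if (samlResponse == null) {
            throw new AuthenticationServiceException("Missing SAMLResponse parameter");
        }
        SamlAssertion assertion = decoder.decode(samlResponse);  // verified before we trust anything in it
        // Wrap the assertion in a pre-authenticated token: subject as principal, assertion as credentials.
        PreAuthenticatedAuthenticationToken token =
                new PreAuthenticatedAuthenticationToken(assertion.subject(), assertion);
        return getAuthenticationManager().authenticate(token);
    }
}

/** Step 3: custom user details service mapping SAML attributes to Spring authorities. */
class SamlUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        SamlAssertion assertion = (SamlAssertion) token.getCredentials();
        // "memberOf" is an assumed attribute name; only groups the IDP asserted become roles.
        List<String> groups = assertion.attributes().getOrDefault("memberOf", Collections.<String>emptyList());
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String group : groups) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + group.toUpperCase()));
        }
        // No password: the IDP authenticated the user, so the placeholder is never compared.
        return new User(assertion.subject(), "N/A", authorities);
    }
}

/** Wiring: the pre-authenticated provider delegates to the user details service above. */
class SamlSecurityWiring {
    static AuthenticationManager authenticationManager() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new SamlUserDetailsService());
        return new ProviderManager(Collections.<org.springframework.security.authentication.AuthenticationProvider>singletonList(provider));
    }
}
```

The request initiator skips the assertion consumer path so the IDP's POST back is not bounced to the IDP again, which is the loop that most often appears when the two filters share one chain. Both filters are registered through the DelegatingFilterProxy mapped in web.xml, and the processing filter gets the manager from SamlSecurityWiring via setAuthenticationManager.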
Q&A