SAML Integration


Rohit Pawar

Jul 8, 2023, 8:33:02 AM
to Please use https://stackoverflow.com with the pac4j tag
Hello, I am integrating the SAML SP side using the pac4j-j2ee package and its filter.

Here is what I have done:
1. Configuration using Config
2. Configured filters
3. Azure IdP
In some applications I have separate logins for 2 features, which means 2 logins:
1. Commerce: https://localhost:8443/commerce/control/main login
2. Fulfillment: https://localhost:8443/fulfilment/control/main login

-  For the commerce login and logout, I have configured the IdP.
-  But I have to use the same IdP for the fulfillment login too, and for that I can't handle the request in commerce/callback, because after that there is a redirect to fulfillment which clears the session, among other issues.

Can you suggest the preferred way to deal with this situation?

Rohit Pawar

Jul 11, 2023, 2:23:03 AM
to Please use https://stackoverflow.com with the pac4j tag
package co.hotwax.security.saml2sso;

import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.entity.Delegator;
import org.apache.ofbiz.entity.DelegatorFactory;
import org.apache.ofbiz.entity.util.EntityUtilProperties;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.config.ConfigFactory;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

/**
 * Builds one SAML2Client per application from SamlssoConfig.properties.
 * All clients trust the same IdP; each has its own name, callback URL and SP entity id.
 */
public class SamlConfigFactory implements ConfigFactory {
    private static final String Module = SamlConfigFactory.class.getName();
    private static final String PROPS = "SamlssoConfig.properties";

    public SamlConfigFactory() {
    }

    @Override
    public Config build(final Object[] parameters) {
        Delegator delegator = DelegatorFactory.getDelegator("default");
        Debug.logInfo("Initialized SamlConfigFactory for saml", Module);

        // Number of applications (one SAML2Client each), properties are suffixed .1, .2, ...
        int apps = Integer.parseInt(EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.app.size", delegator));
        List<Client> listClient = new ArrayList<>();
        for (int countApp = 1; countApp <= apps; countApp++) {
            final SAML2Configuration cfg = new SAML2Configuration("samlKeystore.jks",
                    "pac4j-demo-passwd",
                    "pac4j-demo-passwd",
                    EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.idp.metadataurl." + countApp, delegator));
            // Must be greater than the IdP session lifetime, otherwise Error: "Auth is too old or in future"
            cfg.setMaximumAuthenticationLifetime(Integer.parseInt(
                    EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.idp.authlifetime." + countApp, delegator)));

            cfg.setServiceProviderEntityId(EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.sp.name." + countApp, delegator));
            // Separate SP metadata file per client so the generated metadata files do not overwrite each other
            cfg.setServiceProviderMetadataPath(new File(
                    EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.sp.metadatapath." + countApp, delegator)).getAbsolutePath());
            cfg.setPostLogoutURL(EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.idp.logouturl." + countApp, delegator));
            cfg.setSpLogoutRequestBindingType(EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.sp.logoutrequestbind." + countApp, delegator));

            // Distinct client name and callback (ACS) URL per application
            final SAML2Client saml2Client = new SAML2Client(cfg);
            saml2Client.setName(EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.sp.clientName." + countApp, delegator));
            saml2Client.setCallbackUrl(EntityUtilProperties.getPropertyValue(PROPS, "saml.sso.sp.callback." + countApp, delegator));
            listClient.add(saml2Client);
        }

        final Clients clients = new Clients();
        clients.setClients(listClient);

        final Config config = new Config(clients);
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
        // config.addAuthorizer("custom", new CustomAuthorizer());
        // config.addAuthorizer("mustBeAnon", new IsAnonymousAuthorizer<>("/?mustBeAnon"));
        // config.addAuthorizer("mustBeAuth", new IsAuthenticatedAuthorizer<>("/?mustBeAuth"));
        // config.addMatcher("excludedPath", new PathMatcher().excludeRegex("^/facebook/notprotected\\.jsp$"));

        return config;
    }
}


This works fine using one Azure SAML enterprise app; we just use the same configuration but with different callbacks in 2 different SAML2Client instances.

By doing so we simply use the same IdP for multiple logins with different callback assertions.

Alternative way

Instead of defining 2 different callbacks, you can specify the AssertionIndex and create a different client.
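A worked variant of the multi-client approach from the post above, added here as an example (not the poster's or pac4j's own code): one SAML2Client per application against the same IdP metadata, with the keystore secrets read from environment variables instead of the hard-coded demo password, HTTPS-only and unique callback URLs, and a separate SP metadata file per client. The AppSp type, the SAML_* variable names and the sp-metadata-<name>.xml path are assumptions.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;

/** Added example: one SAML2Client per application, all trusting the same IdP metadata. */
public final class MultiAppSamlClients {
    /** Per-app SP settings (hypothetical type); the map key passed to build() is the pac4j client name. */
    public record AppSp(String callbackUrl, String spEntityId) {}

    /** Keystore secrets come from the environment (assumed variable names), never from source. */
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isBlank()) throw new IllegalStateException("missing " + name);
        return v;
    }

    /** The IdP posts the SAMLResponse to the callback; refuse to accept it over plain HTTP. */
    static String requireHttps(String url) {
        URI u = URI.create(url);
        if (!"https".equalsIgnoreCase(u.getScheme())) throw new IllegalArgumentException("callback must be https: " + url);
        return u.toString();
    }

    public static Config build(String idpMetadataUrl, int maxAuthLifetimeSec, Map<String, AppSp> apps) {
        String ksPath = env("SAML_KEYSTORE_PATH"), ksPass = env("SAML_KEYSTORE_PASSWORD"), keyPass = env("SAML_PRIVATE_KEY_PASSWORD");
        Set<String> seen = new HashSet<>();
        List<Client> clients = new ArrayList<>();
        apps.forEach((name, sp) -> {
            String cb = requireHttps(sp.callbackUrl());
            // Each app gets its own ACS URL so the IdP response lands in that app's own session
            // instead of being handled in /commerce/callback and then redirected away.
            if (!seen.add(cb)) throw new IllegalArgumentException("duplicate callback: " + cb);
            SAML2Configuration cfg = new SAML2Configuration(ksPath, ksPass, keyPass, idpMetadataUrl);
            cfg.setMaximumAuthenticationLifetime(maxAuthLifetimeSec); // must exceed the IdP session lifetime
            cfg.setServiceProviderEntityId(sp.spEntityId());
            cfg.setServiceProviderMetadataPath("sp-metadata-" + name + ".xml"); // one file per SP so they do not overwrite each other
            SAML2Client client = new SAML2Client(cfg);
            client.setName(name);
            client.setCallbackUrl(cb);
            clients.add(client);
        });
        Clients all = new Clients();
        all.setClients(clients);
        return new Config(all);
    }
}
```

Call it with one map entry per application, e.g. "commerce" and "fulfilment", each carrying its own callback URL and SP entity id, and register each callback as a reply URL on the IdP side.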