SAML Authentication Implementation


Nuno Alexandre

Jul 1, 2015, 9:57:11 AM
to pac4j...@googlegroups.com
Hi,

First of all, thanks for the great library. I've started developing a proof of concept application at my company and I was restricted to Java; I chose SparkJava as it is very similar to what I'm used to in terms of web development in Python (Flask).
I now need to implement authentication into my application using SAML 2.0. It's basically a kind of file server that needs to perform authentication, logging and authorization (not SAML, it's an internal API). I also need to use SSL (https) when performing the authentication.

My company has a SAML IdP. I was given a .P12 file from which I created a keystore to use when creating the SAML2 client.
The IdP gives me a metadata file. They also have a link to generate SP metadata where we need to change some details manually (entityID, Location and the KeyInfo > X509Certificate). The X509 hash we are supposed to copy from the IdP metadata, I guess they need to match to establish the trusted link? But I see that pac4j generates its own SP metadata, so which should I use? Any help would be great as I'm a bit lost (first time I have to deal with SAML).

Another question: I ran the demo app (https://github.com/pac4j/spark-pac4j-demo) and every authentication example works (Facebook, Twitter, etc.), but on SAML I get a "Needs client redirection". I also get the same on my implementation, which is basically what the demo app uses.

I have a client builder:

import org.pac4j.core.client.Clients;
import org.pac4j.saml.client.Saml2Client;

public class ClientsBuilder {

    public static Clients build() {

        // SAML2 client: the keystore holds the SP's own key pair (imported from the .P12),
        // the IdP metadata file tells pac4j where and how to talk to the IdP.
        // Passwords are hard-coded here only for the proof of concept.
        final Saml2Client sapidSaml2Client = new Saml2Client();
        sapidSaml2Client.setKeystorePath("src/main/resources/jks/keystore.jks");
        sapidSaml2Client.setKeystorePassword("welcome1");
        sapidSaml2Client.setPrivateKeyPassword("welcome1");
        sapidSaml2Client.setIdpMetadataPath("src/main/resources/idp.xml");

        // Callback URL shared by all clients; the IdP posts the SAML response back to it.
        return new Clients("https://localhost:8888/callback", sapidSaml2Client);
    }
}


And my authentication is simply this class:

import static spark.Spark.before;
import static spark.Spark.get;
import static spark.Spark.post;

import org.pac4j.core.client.Clients;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.saml.client.Saml2Client;
import org.pac4j.sparkjava.CallbackRoute;
import org.pac4j.sparkjava.RequiresAuthenticationFilter;
import org.pac4j.sparkjava.SparkWebContext;
import org.pac4j.sparkjava.UserUtils;
import spark.Request;
import spark.Response;
import spark.Route;

public class Authentication {

    public Authentication() {

        final Clients clients = ClientsBuilder.build();
        // The callback route receives the IdP's response, finishes the login and stores the profile
        final Route callback = new CallbackRoute(clients);

        get("/callback", callback);
        post("/callback", callback);
        // Require authentication before proceeding with the rest of the process
        before("/", new RequiresAuthenticationFilter(clients, "Saml2Client"));
        get("/", (req, res) -> postAuthentication(req, res, clients)); // After authentication
    }

    private static String postAuthentication(final Request request, final Response response, final Clients clients) {
        final SparkWebContext context = new SparkWebContext(request, response);
        // Profile of the user authenticated by the filter above (null if nobody is logged in)
        final CommonProfile profile = UserUtils.getProfile(request);

        // Link to start a new SAML authentication with the IdP
        return "<a href='" + clients.findClient(Saml2Client.class).getRedirectionUrl(context) + "'>Authenticate</a>";
    }
}


If anyone could give me some insight into what I may be doing wrong it would be great; I can also show the metadata if needed.

Michaël REMOND

Jul 3, 2015, 3:31:58 AM
to Nuno Alexandre, pac4j...@googlegroups.com, Jérôme LELEU
Hello,

First, thank you for using pac4j.
I confirm that the spark demo is not fully functional, especially for the SAML part. Unfortunately, I was not involved in the spark-pac4j module development and I suggest you wait for Jérôme's feedback on this.

Now, for the SAML part:
 - If you haven't read it already, begin with https://github.com/pac4j/pac4j/wiki/Code-samples#saml-support
 - pac4j generates SP metadata in order to be imported (and therefore trusted) in the IDP. If you have another tool for this task, no problem. What is important is to have a coherent configuration between SP and IDP, especially for the private/public key.
 - you must also provide the IDP metadata to pac4j so that it knows how to interact with the IDP.
 - your code seems correct; again, I suspect there is some issue with spark-pac4j

Regards,

Michaël


--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
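
The coherence check described in the reply above, as an added example that is not part of the thread or of pac4j: it parses an SP metadata document and an IdP metadata document and reports the mismatches that break the trust link. In SAML 2.0 the SP metadata carries the SP's own signing certificate (the public half of the key in the SP keystore), and the IdP metadata carries the IdP's; the AssertionConsumerService location must be the callback the SP really serves, and the IdP must advertise a SingleSignOnService binding the SP can use. Python is used instead of Java so the check runs stand-alone; the metadata documents, certificates and URLs are constructed placeholders (base64 of arbitrary bytes rather than real DER), and the `client_name` query parameter on the callback is the convention pac4j uses to route the response to the right client.

```python
"""Sanity-check an SP/IdP SAML 2.0 metadata pair before importing the SP into the IdP."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders for the base64 DER certificates. In real use the SP value comes
# from the SP keystore (e.g. keytool -exportcert) and the IdP value stays as the IdP shipped it.
SP_CERT = base64.b64encode(b"constructed placeholder for the SP's own certificate").decode()
IDP_CERT = base64.b64encode(b"constructed placeholder for the IdP's certificate").decode()
CALLBACK = "https://localhost:8888/callback"
ACS = CALLBACK + "?client_name=Saml2Client"  # pac4j selects the client by this parameter


def sp_metadata(cert_b64: str, acs: str) -> str:
    """Constructed SP metadata with one signing certificate and one ACS endpoint."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{acs}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{POST}" Location="{acs}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

GOOD_SP = sp_metadata(SP_CERT, ACS)                    # SP's own cert, right callback
WRONG_CERT_SP = sp_metadata(IDP_CERT, ACS)             # IdP cert pasted into the SP metadata
WRONG_ACS_SP = sp_metadata(SP_CERT, "https://localhost:8888/saml/acs")


def _cert_bytes(b64: str) -> bytes:
    """Decode an X509Certificate value, ignoring the line breaks and indentation metadata tools add."""
    return base64.b64decode(re.sub(r"\s+", "", b64))


def _signing_certs(descriptor) -> list:
    """Certificates from KeyDescriptor elements usable for signing (use="signing" or no use)."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(_cert_bytes(c.text or ""))
    return certs


def check_metadata(sp_xml: str, idp_xml: str, sp_cert_b64: str, callback_url: str) -> list:
    """Return human-readable findings; an empty list means the pair is coherent."""
    findings = []
    sp_desc = ET.fromstring(sp_xml).find("md:SPSSODescriptor", NS)
    idp_desc = ET.fromstring(idp_xml).find("md:IDPSSODescriptor", NS)
    if sp_desc is None:
        return ["SP metadata has no SPSSODescriptor"]
    if idp_desc is None:
        return ["IdP metadata has no IDPSSODescriptor"]

    own = _cert_bytes(sp_cert_b64)
    sp_certs = _signing_certs(sp_desc)
    idp_certs = _signing_certs(idp_desc)
    if not sp_certs:
        findings.append("SP metadata has no signing certificate")
    elif own not in sp_certs:
        if any(c in idp_certs for c in sp_certs):
            findings.append("SP metadata carries the IdP's certificate instead of the SP's own")
        else:
            findings.append("SP metadata certificate does not match the SP keystore certificate")
    if not idp_certs:
        findings.append("IdP metadata has no signing certificate: responses cannot be verified")

    locations = [a.get("Location") or "" for a in sp_desc.findall("md:AssertionConsumerService", NS)]
    if not any(loc.startswith(callback_url) for loc in locations):
        findings.append(f"no AssertionConsumerService points at {callback_url}")
    findings += [f"AssertionConsumerService {loc} is not https" for loc in locations if loc.startswith("http://")]

    sso = {s.get("Binding") for s in idp_desc.findall("md:SingleSignOnService", NS)}
    if not sso & {REDIRECT, POST}:
        findings.append("IdP metadata has no HTTP-Redirect or HTTP-POST SingleSignOnService")
    return findings
```

Run it against the SP metadata pac4j generated (or the one produced by the IdP's tool after hand-editing) with the certificate exported from the SP keystore; a clean result means the keys and endpoints agree, and the IdP import can proceed.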

Nuno Alexandre

Jul 3, 2015, 3:48:06 AM
to pac4j...@googlegroups.com, lel...@gmail.com, grev...@gmail.com
Thanks for the feedback Michael!

Since this also happens on the Spark demo, I suspect it's a bug in the pac4j Spark implementation, yes.

Thanks for the help and pointers, I'll wait for Jérôme's feedback. :)

Jérôme LELEU

Jul 5, 2015, 5:46:42 AM
to Nuno Alexandre, pac4j...@googlegroups.com
Hi,

I just tested the SAML support using the demo: https://github.com/pac4j/spark-pac4j-demo. Indeed, it doesn't work. Internally (in the SAML provider), everything works and the redirection page is correctly generated, but it is not taken into account by the spark-java implementation; it seems that I need to do something adequate for a 200 HTTP success.

Would you mind opening an issue on GitHub? I will take a look at it next week and probably release a 1.0.1 version along with the fix.

Thanks.
Best regards,
Jérôme
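
The point in the reply above, that a SAML "redirection" page can be a 200 response rather than a 302, as an added example that is not part of the thread or of pac4j: the two front-channel bindings for delivering an AuthnRequest to the IdP's SingleSignOnService are HTTP-Redirect (deflated, base64-encoded request in the query string, sent as a 302) and HTTP-POST (base64-encoded request in a self-submitting HTML form, sent as a 200 whose body the web framework must write out). A framework adapter that only knows how to set a Location header cannot deliver the second. Python is used rather than Java so the exchange runs stand-alone; the AuthnRequest, the IdP URL and the RelayState are constructed, and request signing (the SigAlg/Signature query parameters or an XML signature) is omitted.

```python
"""Deliver a SAML 2.0 AuthnRequest with the HTTP-Redirect or the HTTP-POST binding."""
import base64
import html
import re
import urllib.parse
import zlib

REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_URL = "https://idp.example.test/sso"  # constructed IdP endpoint

# Constructed, unsigned AuthnRequest; a real one is built and signed by the SP library.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2015-07-01T09:57:11Z" '
    'AssertionConsumerServiceURL="https://localhost:8888/callback?client_name=Saml2Client">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://localhost:8888/callback?client_name=Saml2Client</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect encoding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value: str) -> str:
    """Inverse of deflate_b64, as the IdP decodes a SAMLRequest query parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def deliver(binding: str, sso_url: str, xml: str, relay_state: str):
    """Return (status, headers, body) the SP must send to the browser for the given binding."""
    if binding == REDIRECT:
        query = urllib.parse.urlencode({"SAMLRequest": deflate_b64(xml), "RelayState": relay_state})
        sep = "&" if "?" in sso_url else "?"
        return 302, {"Location": f"{sso_url}{sep}{query}"}, ""
    if binding == POST:
        # The form is the whole response: status 200 and this body, not a Location header.
        # RelayState and the action URL are caller-supplied, so escape them to keep markup out.
        body = (
            '<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(sso_url, quote=True)}">'
            f'<input type="hidden" name="SAMLRequest" value="{base64.b64encode(xml.encode()).decode()}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
            '<noscript><input type="submit" value="Continue"/></noscript>'
            "</form></body></html>"
        )
        return 200, {"Content-Type": "text/html; charset=utf-8"}, body
    raise ValueError(f"unsupported binding {binding}")


def saml_request_from_location(location: str) -> str:
    """Recover the AuthnRequest XML from a 302 Location produced by deliver(REDIRECT, ...)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)
    return inflate_b64(params["SAMLRequest"][0])


def saml_request_from_form(body: str) -> str:
    """Recover the AuthnRequest XML from the form produced by deliver(POST, ...)."""
    match = re.search(r'name="SAMLRequest" value="([^"]+)"', body)
    return base64.b64decode(match.group(1)).decode()


if __name__ == "__main__":
    for binding in (REDIRECT, POST):
        status, headers, body = deliver(binding, SSO_URL, AUTHN_REQUEST, "/")
        print(binding.rsplit(":", 1)[1], status, headers, len(body), "bytes of body")
```

The choice of binding comes from the IdP metadata: the SP picks the SingleSignOnService whose Binding it supports, and the framework adapter then has to be able to emit either a 302 or a 200 with a body, depending on which one was chosen.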

Nuno Alexandre

Jul 6, 2015, 4:38:25 AM
to pac4j...@googlegroups.com, grev...@gmail.com
Hi Jérôme,

I will open the issue.

Thanks for the help,

Nuno.