Month: February 2016
-
Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms
PROBLEM: By default, Spring Security SAML’s SAMLBootstrap uses SHA1withRSA as the signature algorithm and SHA-1 as the digest algorithm. For example, the above configuration will generate the following SAML request payload when using the HTTP-POST binding: Unfortunately, SHA-1 is now deemed insecure due to the “Freestart Collision” attack. Further, most modern browsers have ceased to trust SHA-1 code signing… Read More…
-
Spring Security SAML: Handling IdP’s Public Certificate When Loading Metadata Over HTTPS
PROBLEM: By default, when loading the IdP’s metadata over HTTPS (for example, https://adfs-server/federationmetadata/2007-06/federationmetadata.xml), Spring Security SAML performs the trust verification configured in the JDK. However, there are times when we do not have direct access to the JDK home directory, especially if the web apps are hosted on someone else’s JEE or PaaS servers. SOLUTION: To fix this, the… Read More…
-
Java + SAML: Illegal Key Size
PROBLEM: When attempting to decrypt the SAML response from the IdP, the following exception occurs: SOLUTION: When inspecting the SAML response payload below, the data is encrypted with AES-256: By default, Java’s key size is limited to 128 bits due to US export laws and a few countries’ import laws. To fix this… Read More…
-
Spring Security SAML: Configuring Binding for Sending SAML Messages to IdP
PROBLEM Depending on each institution’s Identity Provider (IdP) configuration, the Service Provider (Sp) may need to configure the correct binding for sending SAML messages to IdP. SOLUTION Using Spring Security SAML, the binding configuration is highlighted below:- HTTP-POST Binding Configuration:- Using HTTP-POST binding, the SAML message to IdP will contain the signature information:- HTTP-Redirect Binding… Read More…