Spring Security SAML: Configuring Binding for Sending SAML Messages to IdP

PROBLEM

Depending on each institution’s Identity Provider (IdP) configuration, the Service Provider (Sp) may need to configure the correct binding for sending SAML messages to IdP.

SOLUTION

Using Spring Security SAML, the binding configuration is highlighted below:-

@Configuration
@EnableWebSecurity
public abstract class SecuritySAMLConfig extends WebSecurityConfigurerAdapter {

	...

    @Bean
    public WebSSOProfileOptions webSSOProfileOptions() {
        WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
        webSSOProfileOptions.setIncludeScoping(false);
        webSSOProfileOptions.setBinding(...);
    }

    @Bean
    public SAMLEntryPoint samlEntryPoint(WebSSOProfileOptions webSSOProfileOptions) {
        SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
        samlEntryPoint.setDefaultProfileOptions(webSSOProfileOptions);
        return samlEntryPoint;
    }

	...
}

HTTP-POST Binding

Configuration:-

webSSOProfileOptions.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);

Using HTTP-POST binding, the SAML message to IdP will contain the signature information:-

<!--?xml version="1.0" encoding="UTF-8"?-->
<samlp:response consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" destination="https://server/my-app/saml/SSO" id="_370d6ba5-177c-494b-9147-2eafd9ecb6c9" inresponseto="a5c5dja1i5fgb2bf2e66f6g9g5398gj" issueinstant="2016-02-18T15:28:43.473Z" version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</issuer>
    <samlp:status>
        <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:statuscode></samlp:status>
    <encryptedassertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:encrypteddata type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc">
            <keyinfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:encryptedkey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
                    </digestmethod></e:encryptionmethod>
                    <keyinfo>
                        <ds:x509data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:x509issuerserial>
                                <ds:x509issuername>CN=server</ds:x509issuername>
                                <ds:x509serialnumber>1822784706</ds:x509serialnumber>
                            </ds:x509issuerserial>
                        </ds:x509data>
                    </keyinfo>
                    <e:cipherdata>
                        <e:ciphervalue>isG83fVk50fJRI...</e:ciphervalue>
                    </e:cipherdata>
                </e:encryptedkey>
            </keyinfo>
            <xenc:cipherdata>
                <xenc:ciphervalue>+b2o6HNxaxsse7rkB...</xenc:ciphervalue>
            </xenc:cipherdata>
        </xenc:encryptionmethod></xenc:encrypteddata>
    </encryptedassertion>
</samlp:response>

HTTP-Redirect Binding

Configuration:-

webSSOProfileOptions.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);

Using SAML2_REDIRECT_BINDING_URI binding, the signature will be removed before the message is delivered. The signature is then performed on the serialized request and sent as a GET parameter.

<!--?xml version="1.0" encoding="UTF-8"?-->
<saml2p:authnrequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" assertionconsumerserviceurl="https://server/my-app/saml/SSO" destination="https://adfs-server/adfs/ls/" forceauthn="false" id="a4719398gd37jgg464505g70i40a49" ispassive="false" issueinstant="2016-02-18T15:24:59.036Z" protocolbinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" version="2.0">
    <saml2:issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://server/my-app/saml/metadata</saml2:issuer>
</saml2p:authnrequest>

Leave a Reply

Your email address will not be published. Required fields are marked *