PROBLEM
Depending on each institution’s Identity Provider (IdP) configuration, the Service Provider (SP) may need to configure the correct binding for sending SAML messages to the IdP.
SOLUTION
Using Spring Security SAML, the binding is configured in the bean highlighted below:-
import org.opensaml.common.xml.SAMLConstants;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

@Configuration
@EnableWebSecurity
public abstract class SecuritySAMLConfig extends WebSecurityConfigurerAdapter {
    ...
    // Profile options applied to every AuthnRequest the SP sends; the binding is chosen here.
    @Bean
    public WebSSOProfileOptions webSSOProfileOptions() {
        WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
        webSSOProfileOptions.setIncludeScoping(false);
        webSSOProfileOptions.setBinding(...); // SAMLConstants.SAML2_POST_BINDING_URI or SAML2_REDIRECT_BINDING_URI
        return webSSOProfileOptions;
    }

    // Entry point that starts Web SSO using the options above as its defaults.
    @Bean
    public SAMLEntryPoint samlEntryPoint(WebSSOProfileOptions webSSOProfileOptions) {
        SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
        samlEntryPoint.setDefaultProfileOptions(webSSOProfileOptions);
        return samlEntryPoint;
    }
    ...
}
HTTP-POST Binding
Configuration:-
webSSOProfileOptions.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
Using the HTTP-POST binding, the SAML message to the IdP carries the signature information inside the XML itself. An example Response from the IdP (ADFS) received over this binding:-
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://server/my-app/saml/SSO" ID="_370d6ba5-177c-494b-9147-2eafd9ecb6c9" InResponseTo="a5c5dja1i5fgb2bf2e66f6g9g5398gj" IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </e:EncryptionMethod>
          <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=server</ds:X509IssuerName>
                <ds:X509SerialNumber>1822784706</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </KeyInfo>
          <e:CipherData>
            <e:CipherValue>isG83fVk50fJRI...</e:CipherValue>
          </e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>+b2o6HNxaxsse7rkB...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>
HTTP-Redirect Binding
Configuration:-
webSSOProfileOptions.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
Using the HTTP-Redirect binding (SAML2_REDIRECT_BINDING_URI), the signature is removed from the XML before the message is delivered. The signature is instead computed over the serialized request and sent as a separate GET parameter, so the AuthnRequest itself carries no Signature element:-
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://server/my-app/saml/SSO" Destination="https://adfs-server/adfs/ls/" ForceAuthn="false" ID="a4719398gd37jgg464505g70i40a49" IsPassive="false" IssueInstant="2016-02-18T15:24:59.036Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://server/my-app/saml/metadata</saml2:Issuer>
</saml2p:AuthnRequest>
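To make the HTTP-Redirect behaviour concrete, here is an added stand-alone example (not code from this post or from Spring Security SAML) that performs the Redirect binding's signing rule by hand: the request is deflated and Base64-encoded, the URL-encoded SAMLRequest, RelayState and SigAlg parameters are concatenated in that fixed order, and that query string, not the XML, is what gets signed and later verified. It assumes Java 11 or later; the key pair is generated on the fly as a stand-in for the SP signing key, and the AuthnRequest is a cut-down constructed sample rather than the full request above.

```java
import java.io.ByteArrayOutputStream;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.zip.Deflater;
public class RedirectBindingDemo {
    static final String SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; // sent as SigAlg
    // Step 1: raw DEFLATE (no zlib header) then Base64, as the Redirect binding requires.
    static String deflateBase64(String xml) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // nowrap = raw DEFLATE
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8)); deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream(); byte[] buf = new byte[1024];
        while (!deflater.finished()) out.write(buf, 0, deflater.deflate(buf));
        deflater.end();
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    // Step 2: the exact octets to sign: URL-encoded parameters in this fixed order.
    static String signedData(String samlRequest, String relayState) {
        String data = "SAMLRequest=" + enc(samlRequest);
        if (relayState != null) data += "&RelayState=" + enc(relayState);
        return data + "&SigAlg=" + enc(SIG_ALG);
    }
    // Step 3: sign the query string (not the XML) and append it as the Signature parameter.
    static String buildRedirectQuery(String xml, String relayState, PrivateKey key) throws GeneralSecurityException {
        String data = signedData(deflateBase64(xml), relayState);
        Signature sig = Signature.getInstance("SHA256withRSA"); sig.initSign(key);
        sig.update(data.getBytes(StandardCharsets.US_ASCII));
        return data + "&Signature=" + enc(Base64.getEncoder().encodeToString(sig.sign()));
    }
    // Receiver side: verify the query string exactly as received, before inflating the XML.
    static boolean verifyRedirectQuery(String query, PublicKey key) throws GeneralSecurityException {
        int idx = query.indexOf("&Signature="); if (idx < 0) return false; // unsigned: reject
        String sigParam = URLDecoder.decode(query.substring(idx + "&Signature=".length()), StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA"); sig.initVerify(key);
        sig.update(query.substring(0, idx).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getDecoder().decode(sigParam));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key pair standing in for the SP signing key
        // Constructed, cut-down AuthnRequest sample; a real one is the full XML shown above.
        String authnRequest = "<saml2p:AuthnRequest xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"a4719398gd37jgg464505g70i40a49\" Version=\"2.0\"/>";
        String query = buildRedirectQuery(authnRequest, "myRelayState", kp.getPrivate());
        System.out.println("verifies as sent: " + verifyRedirectQuery(query, kp.getPublic()));
        // RelayState is covered by the signature, so altering it must fail verification.
        System.out.println("verifies after RelayState change: " + verifyRedirectQuery(query.replace("myRelayState", "other"), kp.getPublic()));
    }
}
```

The receiving side must verify the query string byte-for-byte as received (re-encoding it can change percent-escaping and break the signature), which is why the verifier here works on the raw string rather than on decoded values.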