Tag: Spring Security SAML
Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms
PROBLEM By default, Spring Security SAML's SAMLBootstrap uses SHA1withRSA as the signature algorithm and SHA-1 as the digest algorithm. For example, the above configuration will generate the following SAML request payload when using HTTP-POST binding:- Unfortunately, SHA-1 is now deemed insecure due to the "Freestart Collision" attack. Further, most modern browsers have ceased to trust SHA-1 code signing…
Spring Security SAML: Handling IdP’s Public Certificate When Loading Metadata Over HTTPS
PROBLEM By default, when loading the IdP's metadata over HTTPS (ex: https://adfs-server/federationmetadata/2007-06/federationmetadata.xml), Spring Security SAML will perform the trust verification configured in the JDK. However, there are times when we do not have direct access to the JDK home directory, especially if the web apps are hosted on someone else's JEE or PaaS servers. SOLUTION To fix this, the…
Spring Security SAML: Configuring Binding for Sending SAML Messages to IdP
PROBLEM Depending on each institution's Identity Provider (IdP) configuration, the Service Provider (SP) may need to configure the correct binding for sending SAML messages to the IdP. SOLUTION Using Spring Security SAML, the binding configuration is highlighted below:- HTTP-POST Binding Configuration:- Using HTTP-POST binding, the SAML message to the IdP will contain the signature information:- HTTP-Redirect Binding…