My Shitty Code

Embracing the Messiness in Search of Epic Solutions

Tag: Spring Security SAML

  • Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms

    PROBLEM By default, Spring Security SAML’s SAMLBootstrap uses SHA1withRSA for signature algorithm and SHA-1 for digest algorithm. For example, the above configuration will generate the following SAML request payload when using HTTP-POST binding:- Unfortunately, SHA-1 is now deemed insecure due to “Freestart Collision” attack. Further, most modern browsers have ceased to trust SHA-1 code signing […]

  • Spring Security SAML: Handling IdP’s Public Certificate When Loading Metadata Over HTTPS

    PROBLEM By default, when loading IdP’s metadata over HTTPS (ex: https://adfs-server/federationmetadata/2007-06/federationmetadata.xml), Spring Security SAML will perform the trust verification configured in JDK. However, there are times we do not have direct access to JDK home directory especially if the web apps are hosted on someone else’s JEE or PaaS servers. SOLUTION To fix this, the […]

  • Spring Security SAML: Configuring Binding for Sending SAML Messages to IdP

    PROBLEM Depending on each institution’s Identity Provider (IdP) configuration, the Service Provider (Sp) may need to configure the correct binding for sending SAML messages to IdP. SOLUTION Using Spring Security SAML, the binding configuration is highlighted below:- HTTP-POST Binding Configuration:- Using HTTP-POST binding, the SAML message to IdP will contain the signature information:- HTTP-Redirect Binding […]