Spring Security SAML – My Shitty Code

Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms

Shitty Author — Tue, 23 Feb 2016 20:20:08 +0000

PROBLEM

By default, Spring Security SAML’s SAMLBootstrap uses SHA1withRSA for signature algorithm and SHA-1 for digest algorithm.

@Configuration
@EnableWebSecurity
public abstract class AppSAMLConfig extends WebSecurityConfigurerAdapter {
	...

    @Bean
    public static SAMLBootstrap SAMLBootstrap() {
        return new SAMLBootstrap();
    }

	...
}

For example, the above configuration will generate the following SAML request payload when using HTTP-POST binding:-



    https://server/app/saml/metadata
    
        
            
            
            
                
                    
                    
                
                
                u25hV7rk8hIpXYLJQs0aZjkueP0=
            
        
        YDR9ybi...
        
            
                MIICxz...
            
        
    
    
        urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Unfortunately, SHA-1 is now deemed insecure due to “Freestart Collision” attack.

Further, most modern browsers have ceased to trust SHA-1 code signing certificates starting January 2016 and will eventually stop accepting these certificates by January 2017.

SOLUTION

To fix this, we could replace SHA-1 with stronger secure hash algorithm, such as SHA-256.

To do so, create a class that extends SAMLBootstrap that uses SHA256withRSA for signature algorithm and SHA-256 for digest algorithm.

public final class CustomSAMLBootstrap extends SAMLBootstrap {
    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        super.postProcessBeanFactory(beanFactory);
        BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
    }
}

Then, return CustomSAMLBootstrap instead of SAMLBootstrap

@Configuration
@EnableWebSecurity
public abstract class AppSAMLConfig extends WebSecurityConfigurerAdapter {
	...

    @Bean
    public static SAMLBootstrap SAMLBootstrap() {
        return new CustomSAMLBootstrap();
    }

	...
}

Now, the generated SAML request payload using HTTP-POST binding looks like this:-



    https://server/app/saml/metadata
    
        
            
            
            
                
                    
                    
                
                
                w4qHFsBxFGifzemEJCYcuGOt+oZJ9N2DQM+Q2aEqJFI=
            
        
        YDR9ybi...
        
            
                MIICxz...
            
        
    
    
        urn:oasis:names:tc:SAML:2.0:ac:classes:Password

The post Spring Security SAML: Replacing SHA-1 with SHA-256 on Signature and Digest Algorithms appeared first on My Shitty Code.

Spring Security SAML: Handling IdP’s Public Certificate When Loading Metadata Over HTTPS

Shitty Author — Fri, 19 Feb 2016 20:15:11 +0000

PROBLEM

By default, when loading IdP’s metadata over HTTPS (ex: https://adfs-server/federationmetadata/2007-06/federationmetadata.xml), Spring Security SAML will perform the trust verification configured in JDK.

However, there are times we do not have direct access to JDK home directory especially if the web apps are hosted on someone else’s JEE or PaaS servers.

SOLUTION

To fix this, the IdP’s public certificate can be imported into the app’s keystore instead of JDK’s keystore.

keytool -importcert -file adfs-server.cer -keystore app-keystore.jks -alias "adfs-server"

Then, configure Spring Security SAML to use TLSProtocolConfigurer, which will use all public certificates stored in the app’s keystore as trust anchors for PKIX validation.

@Configuration
@EnableWebSecurity
public abstract class SecuritySAMLConfig extends WebSecurityConfigurerAdapter {

    ...

	// in this case, `app-keystore.jks` contains the app's public/private keys and
	// the imported IdP's public certificate
    @Bean
    public KeyManager keyManager() {
        DefaultResourceLoader loader = new DefaultResourceLoader();
        Resource storeFile = loader.getResource("classpath:app-keystore.jks");
        Map passwords = new HashMap<>();
        passwords.put("app_alias", "app_password");
        return new JKSKeyManager(storeFile, "app_password", passwords, "app_alias");
    }

    @Bean
    public TLSProtocolConfigurer tlsProtocolConfigurer() {
        return new TLSProtocolConfigurer();
    }

    @Bean
    public ProtocolSocketFactory protocolSocketFactory(KeyManager keyManager) {
        return new TLSProtocolSocketFactory(keyManager, null, "default");
    }

    @Bean
    public Protocol protocol(ProtocolSocketFactory protocolSocketFactory) {
        return new Protocol("https", protocolSocketFactory, 443);
    }

    @Bean
    public MethodInvokingFactoryBean socketFactoryInitialization(Protocol protocol) {
        MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
        methodInvokingFactoryBean.setTargetClass(Protocol.class);
        methodInvokingFactoryBean.setTargetMethod("registerProtocol");
        Object[] args = {"https", protocol};
        methodInvokingFactoryBean.setArguments(args);
        return methodInvokingFactoryBean;
    }

    ...
}

Doing so makes the app more portable so that it can be deployed into any JEE or PaaS servers without any problem.

The post Spring Security SAML: Handling IdP’s Public Certificate When Loading Metadata Over HTTPS appeared first on My Shitty Code.

Spring Security SAML: Configuring Binding for Sending SAML Messages to IdP

Shitty Author — Thu, 18 Feb 2016 19:15:20 +0000

PROBLEM

Depending on each institution’s Identity Provider (IdP) configuration, the Service Provider (Sp) may need to configure the correct binding for sending SAML messages to IdP.

SOLUTION

Using Spring Security SAML, the binding configuration is highlighted below:-

@Configuration
@EnableWebSecurity
public abstract class SecuritySAMLConfig extends WebSecurityConfigurerAdapter {

	...

    @Bean
    public WebSSOProfileOptions webSSOProfileOptions() {
        WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
        webSSOProfileOptions.setIncludeScoping(false);
        webSSOProfileOptions.setBinding(...);
    }

    @Bean
    public SAMLEntryPoint samlEntryPoint(WebSSOProfileOptions webSSOProfileOptions) {
        SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
        samlEntryPoint.setDefaultProfileOptions(webSSOProfileOptions);
        return samlEntryPoint;
    }

	...
}

HTTP-POST Binding

Configuration:-

webSSOProfileOptions.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);

Using HTTP-POST binding, the SAML message to IdP will contain the signature information:-



    http://adfs-server/adfs/services/trust
    
        
    
    
        
            
            
                
                    
                        
                    
                    
                        
                            
                                CN=server
                                1822784706
                            
                        
                    
                    
                        isG83fVk50fJRI...
                    
                
            
            
                +b2o6HNxaxsse7rkB...

HTTP-Redirect Binding

Configuration:-

webSSOProfileOptions.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);

Using SAML2_REDIRECT_BINDING_URI binding, the signature will be removed before the message is delivered. The signature is then performed on the serialized request and sent as a GET parameter.



    https://server/my-app/saml/metadata

The post Spring Security SAML: Configuring Binding for Sending SAML Messages to IdP appeared first on My Shitty Code.