Configure POST ProtocolBinding in Spring Security SAML authentication request

Spring Security SAML insists on requesting the Artifact binding in the SAML authentication request (ProtocolBinding attribute):

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 AssertionConsumerServiceURL="http://sp.com/saml/SSO/alias/defaultAlias"
                 Destination="https://idp.com/idp"
                 ForceAuthn="false"
                 ID="a4acj06d42fdc0d3494h859g3f7005c"
                 IsPassive="false"
                 IssueInstant="2012-12-05T17:07:18.271Z"
                 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                 Version="2.0"
                 >

How can I configure POST binding instead? Thanks for any answers!

-- Andreas

devkat asked Dec 05 '12 17:12



1 Answer

Thanks nobby and Sanjeev, I've recently applied this to a similar case and it put me on the right track.

Being very new to the Spring Security SAML2 extension, I had to do a little extra digging around to get the WebSSOProfileOptions applied. Essentially to get an HTTP-POST binding on the SAML authentication request you need the profile options passed to the org.springframework.security.saml.websso.WebSSOProfileImpl#sendAuthenticationRequest() method.

For our config, which is very similar to the config in the Spring RC2 sample project, this meant passing the WebSSOProfileOptions bean as described in Sanjeev's solution to the samlEntryPoint.defaultProfileOptions property (or adding a binding property there).

Trouble is, this did not result in the AuthnRequest picking up the binding property as set. In our case our SAML metadata was specifying isDefault=true on the HTTP-Artifact bound AssertionConsumerService. And in our RC2 version of the Spring Security SAML2 library this is the default behaviour of the org.springframework.security.saml.metadata.MetadataGenerator.

This can be overridden by setting the assertionConsumerIndex property of the MetadataGenerator. The HTTP Post assertion consumer gets configured at index 1 in our case.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
   <constructor-arg>
      <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
         <property name="assertionConsumerIndex" value="1" /><!-- 1=HTTP-POST -->
      </bean>
   </constructor-arg>
</bean>
Ben Iggulden answered Sep 28 '22 18:09
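The two settings this answer describes, the WebSSOProfileOptions binding on the SAMLEntryPoint and the assertionConsumerIndex on the MetadataGenerator, expressed as an added Java-based configuration; this is an example written for this page, not code from the question, the answer or the Spring SAML project, and it assumes a spring-security-saml 1.0.x API and an illustrative entity ID.

```java
import org.opensaml.common.xml.SAMLConstants;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

@Configuration
public class SamlPostBindingConfig {

    // Profile options handed to WebSSOProfileImpl#sendAuthenticationRequest():
    // ask the IdP to return the response over HTTP-POST instead of HTTP-Artifact.
    @Bean
    public WebSSOProfileOptions defaultWebSSOProfileOptions() {
        WebSSOProfileOptions options = new WebSSOProfileOptions();
        options.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); // urn:...:bindings:HTTP-POST
        options.setIncludeScoping(false);
        return options;
    }

    // The entry point must carry the options, otherwise the defaults are used.
    @Bean
    public SAMLEntryPoint samlEntryPoint() {
        SAMLEntryPoint entryPoint = new SAMLEntryPoint();
        entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
        return entryPoint;
    }

    // Generated SP metadata: without assertionConsumerIndex the HTTP-Artifact
    // AssertionConsumerService is marked isDefault="true" and wins over the
    // binding requested above. Index 1 is the HTTP-POST ACS, as in the answer.
    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("http://sp.example.com"); // assumed placeholder entity ID
        generator.setAssertionConsumerIndex(1);          // 1 = HTTP-POST
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }
}
```

After applying both settings, confirm the fix by checking that the emitted AuthnRequest carries ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" and that the published SP metadata marks the HTTP-POST AssertionConsumerService as the default.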