 

How do I configure Spring Security SAML to work with Okta?

I'm trying to make the spring-boot-security-saml-sample application work with Okta. To add Okta as a provider, I've made the following changes to WebSecurityConfig.java:

https://gist.github.com/mraible/c8b52972f76e6f5e30d5

I found the following question that provides some guidance, but I can't quite get things to work.

configuring saml-sample (SP) to work with Okta (IdP)

Here's what I'm using for values on Okta:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}

It looks like it works from the logs:

[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748  INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;

However, it redirects me to Okta's site rather than back to my site.

Matt Raible asked Dec 30 '14 22:12


1 Answer

I got it to work! The key appears to be setting Request to "Uncompressed". From there, I removed "alias/defaultAlias" since this only seems to work when you set an alias on the ExtendedMetadata. My settings that work on the Okta side:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/saml/SSO
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Uncompressed
Destination: http://localhost:8080/saml/SSO
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
Matt Raible answered Nov 28 '22 01:11
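As an added example (not code from the question, the answer, or the sample project), here is a small Python check that decodes a SAMLRequest parameter in either encoding, reports whether the body was DEFLATE-compressed, and compares the request's Issuer and AssertionConsumerServiceURL with the Audience Restriction and Recipient values configured on the IdP. It assumes, per the SAML 2.0 bindings, that a compressed request is the HTTP-Redirect form and an uncompressed one the HTTP-POST form, which is what an IdP's Compressed/Uncompressed setting has to agree with; the sample AuthnRequest and its Destination URL are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS_P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
NS_A = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Constructed sample: the question's SP entity ID and alias ACS URL; Destination is a placeholder.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" '
    'IssueInstant="2014-12-30T20:18:33Z" Destination="https://IDP-PLACEHOLDER.okta.com/app/sso/saml" '
    'AssertionConsumerServiceURL="http://localhost:8080/saml/SSO/alias/defaultAlias">'
    '<saml:Issuer>com:vdenotaris:spring:sp</saml:Issuer></samlp:AuthnRequest>')

def encode_saml_request(xml_text: str, compressed: bool) -> str:
    """HTTP-Redirect binding: raw DEFLATE + base64 + URL-encode; HTTP-POST: base64 only."""
    data = xml_text.encode("utf-8")
    if compressed:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
        data = c.compress(data) + c.flush()
    b64 = base64.b64encode(data).decode("ascii")
    return quote(b64, safe="") if compressed else b64

def decode_saml_request(encoded: str) -> tuple:
    """Return (xml, was_compressed): detects whether the body was DEFLATE-compressed,
    which is what the IdP's Compressed/Uncompressed request setting must agree with."""
    raw = base64.b64decode(unquote(encoded))
    if raw.lstrip().startswith(b"<"):  # plain XML: uncompressed (HTTP-POST style)
        return raw.decode("utf-8"), False
    return zlib.decompress(raw, -15).decode("utf-8"), True

def inspect_authn_request(xml_text: str) -> dict:
    """Pull the fields an IdP compares with its configured SP settings."""
    root = ET.fromstring(xml_text)
    if root.tag != NS_P + "AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(NS_A + "Issuer")
    return {"issuer": issuer.text if issuer is not None else None,
            "destination": root.get("Destination"),
            "acs_url": root.get("AssertionConsumerServiceURL")}

def mismatches(fields: dict, idp_audience: str, idp_recipient: str) -> list:
    """List where the request disagrees with the IdP's Audience Restriction / Recipient."""
    out = []
    if fields["issuer"] != idp_audience:
        out.append(f"Issuer {fields['issuer']!r} != Audience Restriction {idp_audience!r}")
    if fields["acs_url"] != idp_recipient:
        out.append(f"ACS URL {fields['acs_url']!r} != Recipient {idp_recipient!r}")
    return out
```

Running it against the question's alias-style ACS URL with the answer's Recipient value (http://localhost:8080/saml/SSO) reports exactly the ACS/Recipient mismatch the answer resolved by dropping the alias.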