There is a plethora of information available over the web about SAML and its jargons like Service Provider, Identity Provider, SAML assertion and so on. This blog mainly concentrates on integrating SAP Cloud Platform Identity Authentication Service (IAS) tenant as an alternative identity provider (IDP) with Spring Boot sample application.
Prerequisites:
Let's jump into the steps involved in the configuration:
Step 1: Download IDP metadata
Step 1: Generation of SAML key store ( Optional step )
Step 2: Changes in the Sample Application
Changes are mainly in the file WebSecurityConfig.java under the package "com.vdenotaris.spring.boot.security.saml.web.config".
1. Here the idea is to load the metadata of IDP that is downloaded in the previous step. Code changes are mentioned below. Replace the path "<IDP_metadata_filepath>" below with the location where the IDP metadata is saved.
2. Update the keystore details in KeyManger method as shown below.
Step 3: Generate Service Provider Metadata
Step 4: Upload SP Metadata in IDP
Step 5: Testing
Prerequisites:
- Good understanding of SAML
- SAP Cloud Platform Identity Authentication Service (IAS) tenant with admin rights. Typically, the URL format is https://<ias_tenant>.accounts.ondemand.com/admin/, where <ias_tenant> is the IAS tenant name.
- Spring Security SAML sample web application from Spring Boot Sample Application.
- Spring Boot Sample Application should have been configured with https.
Let's jump into the steps involved in the configuration:
Step 1: Download IDP metadata
- Go to the admin page of SAP IAS tenant.
- Navigate to Applications and Resources -> Tenant Settings -> SAML 2.0 Configuration -> Click on Download Metadata File
- Save the file as idp_metadata.xml on your local machine.
Step 1: Generation of SAML key store ( Optional step )
- Keystore provided with the sample application can also be used. For generating the keystore from scratch, below steps can be followed.
- Open the Command prompt as Administrator and switch to the folder <JAVA_HOME>/bin
- Run the following command to generate the keystore file
keytool -genkey -alias <alias name> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA - validity numberofdays -keypass <Key Password> -keystore samlKeystore.jks -storepass <Store Password>
For example:
keytool -genkey -alias SampleKey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 735 -keypass Password1 -keystore samlKeystore.jks -storepass Password1
Step 2: Changes in the Sample Application
Changes are mainly in the file WebSecurityConfig.java under the package "com.vdenotaris.spring.boot.security.saml.web.config".
1. Here the idea is to load the metadata of IDP that is downloaded in the previous step. Code changes are mentioned below. Replace the path "<IDP_metadata_filepath>" below with the location where the IDP metadata is saved.
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider()throws MetadataProviderException {
File metadatafile = new File("<IDP_metadata_filepath>/idp_metadata.xml");
FilesystemMetadataProvider fileSystemMetadataProvider = new FilesystemMetadataProvider(this.backgroundTaskTimer, metadatafile);
fileSystemMetadataProvider.setParserPool(parserPool());
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(fileSystemMetadataProvider, extendedMetadata());
extendedMetadataDelegate.setMetadataTrustCheck(false);
extendedMetadataDelegate.setMetadataRequireSignature(false);
backgroundTaskTimer.purge();
return extendedMetadataDelegate;
}2. Update the keystore details in KeyManger method as shown below.
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader.getResource("classpath:/saml/samlKeystore.jks");
String storePass = "Password1"; // Store password used while generating the SAML keystore
Map<String, String> passwords = new HashMap<String, String>();
passwords.put("Samplekey", "Password1");// Alias name and key password used while generating the SAML keystore
String defaultKey = "Samplekey";return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);}Step 3: Generate Service Provider Metadata
- Run the sample application in https mode and open the link https://<FQDN>:8080/saml/metadata where <FQDN> is Fully Qualified Domain Name and 8080 is the https port.
- Save the Service Provider Metadata as SP_Metadata.xml.
Step 4: Upload SP Metadata in IDP
- Open the admin page of SAP IAS tenant.
- Navigate to Applications & Resources -> Applications. Create a new application and click on Save.
- Click on SAML 2.0 configuration and upload the SP_Metadata.xml, which was downloaded in the previous step.
Step 5: Testing
- Open the link https://<FQDN>:8080 for testing the successful integration of IDP. It should redirect to the configured IDP.
- SAP Managed Tags:
