56 changes: 9 additions & 47 deletions
servlet/spring-boot/java/saml2/identity-provider/README.adoc
@@ -1,51 +1,13 @@ | ||
= SAML 2.0 Login & Logout Sample | ||
= A Sample Identity Provider | ||
|
||
This guide provides instructions on setting up this SAML 2.0 Login & Logout sample application. | ||
It uses https://simplesamlphp.org/[SimpleSAMLphp] as its asserting party. | ||
This sample by default uses Docker to stand up two sample IdPs, each with one asserting party and multiple relying parties registered. | ||
This allows you to explore different arrangements between multiple relying parties and asserting parties. | ||
|
||
The sample application uses Spring Boot and the `spring-security-saml2-service-provider` | ||
module which is new in Spring Security 5.2. | ||
To ensure that there are no issues with sharing cookies between the Identity Provider and Service Provider applications, the application uses `nip.io` hostnames. | ||
The first identity provider can be reached by navigating to `http://idp-one.7f000001.nip.io`. | ||
The second identity provider can be reached by navigating to `http://idp-two.7f000001.nip.io`. | ||
|
||
The https://docs.spring.io/spring-security/reference/servlet/saml2/logout.html[SAML 2.0 Logout feature] is new in Spring Security 5.6. | ||
|
||
== Goals | ||
|
||
=== SAML 2.0 Login | ||
|
||
`saml2Login()` provides a very simple implementation of a Service Provider that can receive a SAML 2.0 Response via the HTTP-POST and HTTP-REDIRECT bindings against the https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/[Okta SAML 2.0 IDP] reference implementation. | ||
|
||
The following features are implemented in the MVP: | ||
|
||
1. Receive and validate a SAML 2.0 Response containing an assertion, and create a corresponding authentication in Spring Security | ||
2. Send a SAML 2.0 AuthNRequest to an Identity Provider | ||
3. Provide a framework for components used in SAML 2.0 authentication that can be swapped by configuration | ||
4. Work against the Okta SAML 2.0 IDP reference implementation | ||
|
||
=== SAML 2.0 Single Logout | ||
|
||
`saml2Logout()` supports RP- and AP-initiated SAML 2.0 Single Logout via the HTTP-POST and HTTP-REDIRECT bindings against the https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/[Okta SAML 2.0 IDP] reference implementation. | ||
|
||
On this sample, the SAML 2.0 Logout is using the HTTP-POST binding. | ||
|
||
You can refer to the https://docs.spring.io/spring-security/reference/servlet/saml2/logout.html[reference documentation] for more details about the RP- and AP-initiated SAML 2.0 Logout. | ||
|
||
== Run the Sample | ||
|
||
=== Start up the Sample Boot Application | ||
``` | ||
./gradlew :servlet:spring-boot:java:saml2:login:bootRun | ||
``` | ||
|
||
=== Open a Browser | ||
|
||
http://localhost:8080/ | ||
|
||
You will be redirect to the Okta SAML 2.0 IDP | ||
|
||
=== Type in your credentials | ||
|
||
``` | ||
User: [email protected] | ||
Password: 12345678 | ||
``` | ||
To change how the IdP is configured, you can go to the sibling `identity-provider` project and edit the following files: | ||
|
||
* `one-relyingparties.php` - the list of relying parties that `idp-one` knows about | ||
* `two-relyingparties.php` - the list of relying parties that `idp-two` knows about |
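Review bot: the new closing paragraph ("you can go to the sibling `identity-provider` project and edit the following files") does not match where this README lives: the file being changed is `servlet/spring-boot/java/saml2/identity-provider/README.adoc`, so the reader is already inside the identity-provider project and there is no sibling of that name. Reword it to point at this project's own files, for example "To change how the IdPs are configured, edit the following files in this project:". A second documentation gap: the deleted text carried the only addresses at which the two IdPs could be reached (`http://idp-one.7f000001.nip.io` and `http://idp-two.7f000001.nip.io`) and the explanation that `nip.io` hostnames are used so cookies are not shared between the IdP and the relying parties, while the new text only says the sample "uses Docker to stand up two sample IdPs" without a command to start them or a hostname to open. Consider keeping a short "Run the Sample" section with the Docker start command and the two hostnames so the relying-party samples can be pointed at the intended IdP.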