diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/.gitignore b/servlet/spring-boot/java/saml2/identity-provider/.idea/.gitignore
new file mode 100644
index 00000000..13566b81
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
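Review bot: This commit checks in the IDE's own `.idea/` directory for the new module (this `.gitignore` plus the `checkstyle-idea.xml`, `codeStyles`, `compiler.xml`, `gradle.xml`, `jarRepositories.xml`, `misc.xml`, `uiDesigner.xml` and `vcs.xml` hunks that follow), which are per-developer files that every IDE regenerates and that tend to churn on each commit. The repository root `.gitignore` is not visible here, so I can't tell whether `.idea/` is normally excluded in this repo; if it is, these nine files should be dropped from the change, and if it isn't, adding `.idea/` to the root ignore list is the usual fix. `jarRepositories.xml` in particular mirrors the repository URLs the IDE resolved against and is easy to leave stale relative to `build.gradle`.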
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/checkstyle-idea.xml b/servlet/spring-boot/java/saml2/identity-provider/.idea/checkstyle-idea.xml
new file mode 100644
index 00000000..0389c406
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/checkstyle-idea.xml
@@ -0,0 +1,15 @@
+
+
+
+ 10.18.1
+ JavaOnly
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/codeStyles b/servlet/spring-boot/java/saml2/identity-provider/.idea/codeStyles
new file mode 100644
index 00000000..72a9bbb5
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/codeStyles
@@ -0,0 +1,31 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/compiler.xml b/servlet/spring-boot/java/saml2/identity-provider/.idea/compiler.xml
new file mode 100644
index 00000000..b86273d9
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/compiler.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/gradle.xml b/servlet/spring-boot/java/saml2/identity-provider/.idea/gradle.xml
new file mode 100644
index 00000000..ce1c62c7
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/gradle.xml
@@ -0,0 +1,16 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/jarRepositories.xml b/servlet/spring-boot/java/saml2/identity-provider/.idea/jarRepositories.xml
new file mode 100644
index 00000000..5938bdd6
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/jarRepositories.xml
@@ -0,0 +1,35 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/misc.xml b/servlet/spring-boot/java/saml2/identity-provider/.idea/misc.xml
new file mode 100644
index 00000000..7c47dd48
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/misc.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/uiDesigner.xml b/servlet/spring-boot/java/saml2/identity-provider/.idea/uiDesigner.xml
new file mode 100644
index 00000000..2b63946d
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/uiDesigner.xml
@@ -0,0 +1,124 @@
+
+
+
+
+ -
+
+
+ -
+
+
+ -
+
+
+ -
+
+
+ -
+
+
+
+
+
+ -
+
+
+
+
+
+ -
+
+
+
+
+
+ -
+
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+
+
+ -
+
+
+ -
+
+
+ -
+
+
+ -
+
+
+ -
+
+
+
+
+ -
+
+
+ -
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/.idea/vcs.xml b/servlet/spring-boot/java/saml2/identity-provider/.idea/vcs.xml
new file mode 100644
index 00000000..bc599707
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/README.adoc b/servlet/spring-boot/java/saml2/identity-provider/README.adoc
new file mode 100644
index 00000000..73bf4ade
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/README.adoc
@@ -0,0 +1,51 @@
+= SAML 2.0 Login & Logout Sample
+
+This guide provides instructions on setting up this SAML 2.0 Login & Logout sample application.
+It uses https://simplesamlphp.org/[SimpleSAMLphp] as its asserting party.
+
+The sample application uses Spring Boot and the `spring-security-saml2-service-provider`
+module which is new in Spring Security 5.2.
+
+The https://docs.spring.io/spring-security/reference/servlet/saml2/logout.html[SAML 2.0 Logout feature] is new in Spring Security 5.6.
+
+== Goals
+
+=== SAML 2.0 Login
+
+`saml2Login()` provides a very simple implementation of a Service Provider that can receive a SAML 2.0 Response via the HTTP-POST and HTTP-REDIRECT bindings against the https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/[Okta SAML 2.0 IDP] reference implementation.
+
+The following features are implemented in the MVP:
+
+1. Receive and validate a SAML 2.0 Response containing an assertion, and create a corresponding authentication in Spring Security
+2. Send a SAML 2.0 AuthNRequest to an Identity Provider
+3. Provide a framework for components used in SAML 2.0 authentication that can be swapped by configuration
+4. Work against the Okta SAML 2.0 IDP reference implementation
+
+=== SAML 2.0 Single Logout
+
+`saml2Logout()` supports RP- and AP-initiated SAML 2.0 Single Logout via the HTTP-POST and HTTP-REDIRECT bindings against the https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/[Okta SAML 2.0 IDP] reference implementation.
+
+On this sample, the SAML 2.0 Logout is using the HTTP-POST binding.
+
+You can refer to the https://docs.spring.io/spring-security/reference/servlet/saml2/logout.html[reference documentation] for more details about the RP- and AP-initiated SAML 2.0 Logout.
+
+== Run the Sample
+
+=== Start up the Sample Boot Application
+```
+ ./gradlew :servlet:spring-boot:java:saml2:login:bootRun
+```
+
+=== Open a Browser
+
+http://localhost:8080/
+
+You will be redirect to the Okta SAML 2.0 IDP
+
+=== Type in your credentials
+
+```
+User: testuser2@spring.security.saml
+Password: 12345678
+```
+
diff --git a/servlet/spring-boot/java/saml2/identity-provider/build.gradle b/servlet/spring-boot/java/saml2/identity-provider/build.gradle
new file mode 100644
index 00000000..78c965a2
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/build.gradle
@@ -0,0 +1,23 @@
+plugins {
+ alias(libs.plugins.org.springframework.boot)
+ alias(libs.plugins.io.spring.dependency.management)
+ id "nebula.integtest" version "8.2.0"
+ id 'java'
+}
+
+repositories {
+ mavenCentral()
+ maven { url "https://repo.spring.io/milestone" }
+ maven { url "https://repo.spring.io/snapshot" }
+}
+
+
+dependencies {
+ implementation 'org.springframework.boot:spring-boot-starter'
+ runtimeOnly "org.springframework.boot:spring-boot-docker-compose"
+}
+
+tasks.withType(Test).configureEach {
+ useJUnitPlatform()
+
+}
diff --git a/servlet/spring-boot/java/saml2/identity-provider/gradle.properties b/servlet/spring-boot/java/saml2/identity-provider/gradle.properties
new file mode 100644
index 00000000..9676187c
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/gradle.properties
@@ -0,0 +1,4 @@
+version=6.1.1
+spring-security.version=6.4.0-SNAPSHOT
+org.gradle.jvmargs=-Xmx6g -XX:+HeapDumpOnOutOfMemoryError
+org.gradle.caching=true
diff --git a/servlet/spring-boot/java/saml2/identity-provider/gradle/libs.versions.toml b/servlet/spring-boot/java/saml2/identity-provider/gradle/libs.versions.toml
new file mode 120000
index 00000000..108961c7
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/gradle/libs.versions.toml
@@ -0,0 +1 @@
+../../../../../../gradle/libs.versions.toml
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/gradle/wrapper/gradle-wrapper.jar b/servlet/spring-boot/java/saml2/identity-provider/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 00000000..afba1092
Binary files /dev/null and b/servlet/spring-boot/java/saml2/identity-provider/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/servlet/spring-boot/java/saml2/identity-provider/gradle/wrapper/gradle-wrapper.properties b/servlet/spring-boot/java/saml2/identity-provider/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 00000000..5c40527d
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,6 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+networkTimeout=10000
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/servlet/spring-boot/java/saml2/identity-provider/gradlew b/servlet/spring-boot/java/saml2/identity-provider/gradlew
new file mode 100755
index 00000000..65dcd68d
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/gradlew
@@ -0,0 +1,244 @@
+#!/bin/sh
+
+#
+# Copyright © 2015-2021 the original authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+##############################################################################
+#
+# Gradle start up script for POSIX generated by Gradle.
+#
+# Important for running:
+#
+# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
+# noncompliant, but you have some other compliant shell such as ksh or
+# bash, then to run this script, type that shell name before the whole
+# command line, like:
+#
+# ksh Gradle
+#
+# Busybox and similar reduced shells will NOT work, because this script
+# requires all of these POSIX shell features:
+# * functions;
+# * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
+# «${var#prefix}», «${var%suffix}», and «$( cmd )»;
+# * compound commands having a testable exit status, especially «case»;
+# * various built-in commands including «command», «set», and «ulimit».
+#
+# Important for patching:
+#
+# (2) This script targets any POSIX shell, so it avoids extensions provided
+# by Bash, Ksh, etc; in particular arrays are avoided.
+#
+# The "traditional" practice of packing multiple parameters into a
+# space-separated string is a well documented source of bugs and security
+# problems, so this is (mostly) avoided, by progressively accumulating
+# options in "$@", and eventually passing that to Java.
+#
+# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
+# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
+# see the in-line comments for details.
+#
+# There are tweaks for specific operating systems such as AIX, CygWin,
+# Darwin, MinGW, and NonStop.
+#
+# (3) This script is generated from the Groovy template
+# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+# within the Gradle project.
+#
+# You can find Gradle at https://github.com/gradle/gradle/.
+#
+##############################################################################
+
+# Attempt to set APP_HOME
+
+# Resolve links: $0 may be a link
+app_path=$0
+
+# Need this for daisy-chained symlinks.
+while
+ APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
+ [ -h "$app_path" ]
+do
+ ls=$( ls -ld "$app_path" )
+ link=${ls#*' -> '}
+ case $link in #(
+ /*) app_path=$link ;; #(
+ *) app_path=$APP_HOME$link ;;
+ esac
+done
+
+# This is normally unused
+# shellcheck disable=SC2034
+APP_BASE_NAME=${0##*/}
+APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD=maximum
+
+warn () {
+ echo "$*"
+} >&2
+
+die () {
+ echo
+ echo "$*"
+ echo
+ exit 1
+} >&2
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "$( uname )" in #(
+ CYGWIN* ) cygwin=true ;; #(
+ Darwin* ) darwin=true ;; #(
+ MSYS* | MINGW* ) msys=true ;; #(
+ NONSTOP* ) nonstop=true ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+ if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+ # IBM's JDK on AIX uses strange locations for the executables
+ JAVACMD=$JAVA_HOME/jre/sh/java
+ else
+ JAVACMD=$JAVA_HOME/bin/java
+ fi
+ if [ ! -x "$JAVACMD" ] ; then
+ die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+ fi
+else
+ JAVACMD=java
+ which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
+ case $MAX_FD in #(
+ max*)
+ # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+ # shellcheck disable=SC3045
+ MAX_FD=$( ulimit -H -n ) ||
+ warn "Could not query maximum file descriptor limit"
+ esac
+ case $MAX_FD in #(
+ '' | soft) :;; #(
+ *)
+ # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+ # shellcheck disable=SC3045
+ ulimit -n "$MAX_FD" ||
+ warn "Could not set maximum file descriptor limit to $MAX_FD"
+ esac
+fi
+
+# Collect all arguments for the java command, stacking in reverse order:
+# * args from the command line
+# * the main class name
+# * -classpath
+# * -D...appname settings
+# * --module-path (only if needed)
+# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
+
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if "$cygwin" || "$msys" ; then
+ APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+ CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
+
+ JAVACMD=$( cygpath --unix "$JAVACMD" )
+
+ # Now convert the arguments - kludge to limit ourselves to /bin/sh
+ for arg do
+ if
+ case $arg in #(
+ -*) false ;; # don't mess with options #(
+ /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
+ [ -e "$t" ] ;; #(
+ *) false ;;
+ esac
+ then
+ arg=$( cygpath --path --ignore --mixed "$arg" )
+ fi
+ # Roll the args list around exactly as many times as the number of
+ # args, so each arg winds up back in the position where it started, but
+ # possibly modified.
+ #
+ # NB: a `for` loop captures its iteration list before it begins, so
+ # changing the positional parameters here affects neither the number of
+ # iterations, nor the values presented in `arg`.
+ shift # remove old arg
+ set -- "$@" "$arg" # push replacement arg
+ done
+fi
+
+# Collect all arguments for the java command;
+# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
+# shell script including quotes and variable substitutions, so put them in
+# double quotes to make sure that they get re-expanded; and
+# * put everything else in single quotes, so that it's not re-expanded.
+
+set -- \
+ "-Dorg.gradle.appname=$APP_BASE_NAME" \
+ -classpath "$CLASSPATH" \
+ org.gradle.wrapper.GradleWrapperMain \
+ "$@"
+
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+ die "xargs is not available"
+fi
+
+# Use "xargs" to parse quoted args.
+#
+# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
+#
+# In Bash we could simply go:
+#
+# readarray ARGS < <( xargs -n1 <<<"$var" ) &&
+# set -- "${ARGS[@]}" "$@"
+#
+# but POSIX shell has neither arrays nor command substitution, so instead we
+# post-process each arg (as a line of input to sed) to backslash-escape any
+# character that might be a shell metacharacter, then use eval to reverse
+# that process (while maintaining the separation between arguments), and wrap
+# the whole thing up as a single "set" statement.
+#
+# This will of course break if any of these variables contains a newline or
+# an unmatched quote.
+#
+
+eval "set -- $(
+ printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
+ xargs -n1 |
+ sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
+ tr '\n' ' '
+ )" '"$@"'
+
+exec "$JAVACMD" "$@"
diff --git a/servlet/spring-boot/java/saml2/identity-provider/gradlew.bat b/servlet/spring-boot/java/saml2/identity-provider/gradlew.bat
new file mode 100644
index 00000000..6689b85b
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/gradlew.bat
@@ -0,0 +1,92 @@
+@rem
+@rem Copyright 2015 the original author or authors.
+@rem
+@rem Licensed under the Apache License, Version 2.0 (the "License");
+@rem you may not use this file except in compliance with the License.
+@rem You may obtain a copy of the License at
+@rem
+@rem https://www.apache.org/licenses/LICENSE-2.0
+@rem
+@rem Unless required by applicable law or agreed to in writing, software
+@rem distributed under the License is distributed on an "AS IS" BASIS,
+@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@rem See the License for the specific language governing permissions and
+@rem limitations under the License.
+@rem
+
+@if "%DEBUG%"=="" @echo off
+@rem ##########################################################################
+@rem
+@rem Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if %ERRORLEVEL% equ 0 goto execute
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto execute
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
+
+:end
+@rem End local scope for the variables with windows NT shell
+if %ERRORLEVEL% equ 0 goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega
diff --git a/servlet/spring-boot/java/saml2/identity-provider/settings.gradle b/servlet/spring-boot/java/saml2/identity-provider/settings.gradle
new file mode 100644
index 00000000..733fda69
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/settings.gradle
@@ -0,0 +1,8 @@
+pluginManagement {
+ repositories {
+ mavenCentral()
+ gradlePluginPortal()
+ maven { url 'https://repo.spring.io/milestone' }
+ maven { url "https://repo.spring.io/snapshot" }
+ }
+}
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/java/example/ComposeFilePropertyPlaceholderApplicationContextInitializer.java b/servlet/spring-boot/java/saml2/identity-provider/src/main/java/example/ComposeFilePropertyPlaceholderApplicationContextInitializer.java
new file mode 100644
index 00000000..69c6e468
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/java/example/ComposeFilePropertyPlaceholderApplicationContextInitializer.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import org.springframework.context.ApplicationContextInitializer;
+import org.springframework.context.ConfigurableApplicationContext;
+
+public class ComposeFilePropertyPlaceholderApplicationContextInitializer
+ implements ApplicationContextInitializer {
+
+ @Override
+ public void initialize(ConfigurableApplicationContext context) {
+ DockerProtocolResolver.environment = context.getEnvironment();
+ }
+
+}
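Review bot: `implements ApplicationContextInitializer` uses the raw type; the interface is generic, so this should be `implements ApplicationContextInitializer<ConfigurableApplicationContext> {`, which also lets `initialize(ConfigurableApplicationContext context)` carry `@Override` without an unchecked warning. The only thing the initializer does is assign a package-private static on `DockerProtocolResolver`, so correctness depends on this class running before any `docker:` resource is resolved; that ordering assumption deserves a class-level Javadoc such as `/** Captures the application Environment so DockerProtocolResolver can expand placeholders; must run before any docker: resource is resolved. */` so the next maintainer doesn't move the registration.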
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/java/example/DockerProtocolResolver.java b/servlet/spring-boot/java/saml2/identity-provider/src/main/java/example/DockerProtocolResolver.java
new file mode 100644
index 00000000..2c8c2454
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/java/example/DockerProtocolResolver.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import java.io.File;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+
+import org.springframework.core.env.Environment;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.core.io.ProtocolResolver;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
+public class DockerProtocolResolver implements ProtocolResolver {
+
+ private static final String PREFIX = "docker:";
+
+ static Environment environment;
+
+ @Override
+ public Resource resolve(String location, ResourceLoader resourceLoader) {
+ if (!location.startsWith(PREFIX)) {
+ return null;
+ }
+ Resource resource = resourceLoader.getResource(location.replace(PREFIX, "classpath:"));
+ try {
+ String content = resource.getContentAsString(StandardCharsets.UTF_8);
+ content = environment.resolvePlaceholders(content);
+ File file = resource.getFile();
+ File tmp = new File(file.getAbsolutePath() + ".tmp");
+ tmp.createNewFile();
+ Files.write(tmp.toPath(), content.getBytes(StandardCharsets.UTF_8));
+ tmp.deleteOnExit();
+ return new FileSystemResource(tmp);
+ }
+ catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ }
+
+}
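Review bot: `environment` is a static that `ComposeFilePropertyPlaceholderApplicationContextInitializer` assigns later, so a `resolve()` call that arrives first dereferences null at `environment.resolvePlaceholders(content)` and surfaces only as a wrapped `RuntimeException`; a guard with a clear message belongs before any I/O. Three smaller points in the same method: `location.replace(PREFIX, "classpath:")` rewrites every occurrence of `docker:` rather than just the scheme prefix, the `tmp.createNewFile()` result is discarded (and `Files.write` creates the file anyway), and `resource.getFile()` fails for a resource packaged inside a jar, which is cheaper to check up front with `resource.isFile()`. The rendered copy has to stay next to the original because `compose.yml` references `./metadata` and `./nginx` relatively, so the rewrite below keeps that placement, narrows the catch to `IOException`, and needs `java.io.IOException`, `java.io.UncheckedIOException` and `java.nio.file.Path` imported.
```java
	public Resource resolve(String location, ResourceLoader resourceLoader) {
		if (!location.startsWith(PREFIX)) {
			return null;
		}
		Environment env = environment;
		if (env == null) {
			throw new IllegalStateException("environment not set; the ApplicationContextInitializer must run before docker: resources are resolved");
		}
		// Only the leading "docker:" is the scheme; replace() would also rewrite a later occurrence.
		Resource resource = resourceLoader.getResource("classpath:" + location.substring(PREFIX.length()));
		try {
			String content = env.resolvePlaceholders(resource.getContentAsString(StandardCharsets.UTF_8));
			// getFile() only works for resources on the file system (not inside a jar); fail with a clear message.
			if (!resource.isFile()) {
				throw new IllegalStateException("docker: resources must be on the file system: " + location);
			}
			// Keep the rendered copy beside the original so relative paths in compose.yml still resolve.
			Path tmp = resource.getFile().toPath().resolveSibling(resource.getFilename() + ".tmp");
			Files.write(tmp, content.getBytes(StandardCharsets.UTF_8));
			tmp.toFile().deleteOnExit();
			return new FileSystemResource(tmp);
		}
		catch (IOException ex) {
			throw new UncheckedIOException(ex);
		}
	}
```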
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/META-INF/spring.factories b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/META-INF/spring.factories
new file mode 100644
index 00000000..0bc6cb6f
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/META-INF/spring.factories
@@ -0,0 +1,2 @@
+org.springframework.context.ApplicationContextInitializer=example.ComposeFilePropertyPlaceholderApplicationContextInitializer
+org.springframework.core.io.ProtocolResolver=example.DockerProtocolResolver
\ No newline at end of file
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/compose.yml b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/compose.yml
new file mode 100644
index 00000000..f37a273a
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/compose.yml
@@ -0,0 +1,27 @@
+services:
+ idp-one.7f000001.nip.io:
+ image: kristophjunge/test-saml-idp:1.15
+ volumes:
+ - ./metadata/authsources.php:/var/www/simplesamlphp/config/authsources.php
+ - ./metadata/one-relyingparties.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php
+ environment:
+ - PORT=${SERVER_PORT:-8080}
+
+ idp-two.7f000001.nip.io:
+ image: kristophjunge/test-saml-idp:1.15
+ volumes:
+ - ./metadata/authsources.php:/var/www/simplesamlphp/config/authsources.php
+ - ./metadata/two-relyingparties.php:/var/www/simplesamlphp/metadata/saml20-sp-remote.php
+ environment:
+ - PORT=${SERVER_PORT:-8080}
+
+ nginx:
+ image: nginx:stable
+ links:
+ - idp-one.7f000001.nip.io
+ - idp-two.7f000001.nip.io
+ volumes:
+ - ./nginx:/etc/nginx:ro
+ ports:
+ - '80:80'
+ - '443:443'
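Review bot: The `nginx` service publishes `'443:443'`, but the `nginx/nginx.conf` added in this same commit only declares `listen 80` servers, so the mapping is dead until a TLS server block exists; either drop the line or add the TLS listener. The `links:` block is a legacy Compose v1 feature — services on the default network already resolve each other by service name, so `- idp-one.7f000001.nip.io` / `- idp-two.7f000001.nip.io` under `links` can be removed. The third-party `kristophjunge/test-saml-idp:1.15` image is pinned by tag only; pinning by digest (`image: kristophjunge/test-saml-idp:1.15@sha256:<digest-placeholder>`) keeps the test IdP reproducible and guards against the tag being re-pushed.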
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/authsources.php b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/authsources.php
new file mode 100644
index 00000000..6148f909
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/authsources.php
@@ -0,0 +1,31 @@
+ array(
+ 'core:AdminPassword',
+ ),
+
+ 'example-userpass' => array(
+ 'exampleauth:UserPass',
+ 'user1:user1pass' => array(
+ 'uid' => array('1'),
+ 'eduPersonAffiliation' => array('group1'),
+ 'email' => 'user1@example.org',
+ ),
+ 'user2:user2pass' => array(
+ 'uid' => array('2'),
+ 'eduPersonAffiliation' => array('group2'),
+ 'email' => 'user2@example.org',
+ ),
+ 'customer:password' => array(
+ 'uid' => array('3'),
+ 'eduPersonAffiliation' => array('group1'),
+ 'email' => 'customer@example.org',
+ 'firstName' => 'Customer',
+ 'lastName' => 'Example'
+ ),
+
+ ),
+
+);
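Review bot: The credentials defined here (`user1:user1pass`, `user2:user2pass`, `customer:password`) don't match what the new `README.adoc` tells the user to type (`testuser2@spring.security.saml` / `12345678`), and that README's `bootRun` target is `:saml2:login` rather than this `identity-provider` module, so one of the two files needs updating. The `$config = array(` opening and the `'admin'` key precede the hunk's first line. The `email` attribute is a plain string while `uid` and `eduPersonAffiliation` are single-element arrays; making them uniform (`'email' => array('user1@example.org'),`) avoids depending on whether the `exampleauth:UserPass` source in the `test-saml-idp:1.15` image normalises scalars — I'm not certain it does, so verify against that version.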
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/one-relyingparties.php b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/one-relyingparties.php
new file mode 100644
index 00000000..a08fa8c4
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/one-relyingparties.php
@@ -0,0 +1,13 @@
+ "https://localhost:$port/login/saml2/sso",
+ 'SingleLogoutService' => "https://localhost:$port/logout/saml2/slo",
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ 'simplesaml.nameidattribute' => 'emailAddress',
+ 'assertion.encryption' => FALSE,
+ 'nameid.encryption' => FALSE,
+ 'validate.authnrequest' => FALSE,
+ 'redirect.sign' => TRUE,
+);
+?>
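Review bot: `'validate.authnrequest' => FALSE` disables verification of the relying party's AuthnRequest signature while `'redirect.sign' => TRUE` still signs the IdP's own messages; that asymmetry is acceptable for a local test IdP but deserves a one-line comment so it isn't copied into a real deployment, e.g. `// test IdP only: AuthnRequest signatures are not checked`. The file ends with `?>` (as does the `two-relyingparties.php` hunk); in a PHP-only file the closing tag should be omitted so trailing whitespace can't become output. The `$metadata[...] = array(` opening and the `$port` variable interpolated into the ACS and SLO URLs are outside the hunk. This file uses `https://localhost:$port` while `two-relyingparties.php` uses `http://`; if that difference is intentional, a comment saying so would save the next reader a question.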
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/two-relyingparties.php b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/two-relyingparties.php
new file mode 100644
index 00000000..a82934ea
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/metadata/two-relyingparties.php
@@ -0,0 +1,13 @@
+ "http://localhost:$port/login/saml2/sso",
+ 'SingleLogoutService' => "http://localhost:$port/logout/saml2/slo",
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ 'simplesaml.nameidattribute' => 'emailAddress',
+ 'assertion.encryption' => FALSE,
+ 'nameid.encryption' => FALSE,
+ 'validate.authnrequest' => FALSE,
+ 'redirect.sign' => TRUE,
+);
+?>
diff --git a/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/nginx/nginx.conf b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/nginx/nginx.conf
new file mode 100644
index 00000000..c0bc5df5
--- /dev/null
+++ b/servlet/spring-boot/java/saml2/identity-provider/src/main/resources/docker/nginx/nginx.conf
@@ -0,0 +1,27 @@
+events {
+}
+
+http {
+ resolver 127.0.0.11;
+
+ server {
+ listen 80;
+ server_name idp-two.7f000001.nip.io;
+
+ location / {
+ proxy_pass http://idp-two.7f000001.nip.io:8080;
+ proxy_set_header Host idp-two.7f000001.nip.io;
+ }
+ }
+
+ server {
+ listen 80;
+ server_name idp-one.7f000001.nip.io;
+
+ location / {
+ proxy_pass http://idp-two.7f000001.nip.io:8080;
+ proxy_set_header Host idp-one.7f000001.nip.io;
+ }
+ }
+
+}
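Review bot: The `server_name idp-one.7f000001.nip.io` block proxies to `http://idp-two.7f000001.nip.io:8080`, so both virtual hosts reach the second IdP container and the `idp-one` service defined in `compose.yml` (with its own `one-relyingparties.php`) is never routed to; the line should read `proxy_pass http://idp-two.7f000001.nip.io:8080;` → `proxy_pass http://idp-one.7f000001.nip.io:8080;`. Only `listen 80` servers are declared although compose publishes `443:443`; add a TLS server or drop that port mapping. Note also that a literal hostname in `proxy_pass` is resolved once at startup regardless of `resolver 127.0.0.11`; if a container restarts with a new address nginx keeps the stale one, which a variable-based `proxy_pass` (`set $upstream http://idp-one.7f000001.nip.io:8080;` then `proxy_pass $upstream;`) avoids — worth considering if the IdP containers are restarted independently.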
diff --git a/settings.gradle b/settings.gradle
index 10aa5915..ec20ccdf 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -70,6 +70,7 @@ include ":servlet:spring-boot:java:oauth2:resource-server:static"
include ":servlet:spring-boot:java:oauth2:restclient"
include ":servlet:spring-boot:java:oauth2:webclient"
include ":servlet:spring-boot:java:observability"
+include ":servlet:spring-boot:java:saml2:identity-provider"
include ":servlet:spring-boot:java:saml2:login"
include ":servlet:spring-boot:java:saml2:login-single-tenant"
include ":servlet:spring-boot:java:saml2:refreshable-metadata"