@knivmakkara
Last active August 29, 2015 14:11

Integrate with IdP

In order for authentication to work properly, both the SP (FMU in this case) and the IdP (Säkerhetstjänster) must publish a meta-data document to each other. These documents are needed to redirect the User Agent (the browser of a user trying to log in) through the authentication flow, and they carry the certificates used to sign and validate the statements exchanged between the two entities.

Add IdP meta-data to SP

The meta-data for the IdP is published at a URL that depends on the target environment (test, acctest, prod, etc.). Let's assume we're going for acctest.

  1. Download the meta-data from: https://idp2.acctest.sakerhetstjanst.inera.se/idp/saml
  2. Save this file in the project (e.g. metadata/siths.xml)
  3. Point Spring Security SAML at this file in securityContext.xml:
    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
      <constructor-arg>
        <list>
          <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
            <constructor-arg>
              <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                <constructor-arg>
                  <bean class="java.util.Timer"/>
                </constructor-arg>
                <constructor-arg>
                  <bean class="org.opensaml.util.resource.ClasspathResource">
                    <constructor-arg value="/metadata/siths.xml"/>
                  </bean>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
              </bean>
            </constructor-arg>
            <constructor-arg>
              <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
              </bean>
            </constructor-arg>
          </bean>
        </list>
      </constructor-arg>
      <!-- OPTIONAL: used when one of the metadata files contains information
           about this service provider -->
      <!-- <property name="hostedSPName" value=""/> -->
      <!-- OPTIONAL property: tells the system which IdP should be used for
           authenticating users by default -->
      <property name="defaultIDP" value="https://idp2.acctest.sakerhetstjanst.inera.se:443/idp/saml"/>
    </bean>
    
  4. Note that the "defaultIDP" property must point to this IdP as well; its value has to match the entityID declared in the downloaded meta-data.
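An added consistency check for steps 3 and 4 (not code from this gist): it parses the IdP meta-data and the securityContext.xml fragment with the standard library and reports if the meta-data lacks a signing certificate or if defaultIDP does not equal the entityID, which is the usual cause of "IdP not found" errors. The sample IdP meta-data and the securityContext fragment are constructed here; the real entityID comes from the siths.xml you download.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata, XML-DSig and the Spring beans schema
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "beans": "http://www.springframework.org/schema/beans"}

# Constructed sample IdP metadata shaped like the document from step 1; the cert body is a placeholder
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp2.acctest.sakerhetstjanst.inera.se:443/idp/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp2.acctest.sakerhetstjanst.inera.se/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed fragment of securityContext.xml carrying the defaultIDP property from step 3
SECURITY_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <property name="defaultIDP" value="https://idp2.acctest.sakerhetstjanst.inera.se:443/idp/saml"/>
  </bean>
</beans>"""

def idp_summary(metadata_xml):
    """Extract the entityID and the number of signing certificates from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = idp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "signing_certs": len(certs)}

def default_idp(security_context_xml):
    """Read the defaultIDP value set on the CachingMetadataManager bean."""
    root = ET.fromstring(security_context_xml)
    prop = root.find(".//beans:bean[@id='metadata']/beans:property[@name='defaultIDP']", NS)
    return None if prop is None else prop.get("value")

def check_integration(metadata_xml, security_context_xml):
    """Return a list of problems; an empty list means the two files agree."""
    problems, info = [], idp_summary(metadata_xml)
    if info["signing_certs"] == 0:
        problems.append("IdP metadata carries no signing certificate, so responses cannot be validated")
    configured = default_idp(security_context_xml)
    if configured != info["entity_id"]:
        problems.append("defaultIDP %r does not match the IdP entityID %r" % (configured, info["entity_id"]))
    return problems
```

Run it against the real siths.xml and securityContext.xml by reading both files and passing their contents to check_integration.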

Add SP meta-data to IdP

The SP meta-data is tightly bound to the URL where the application is accessible. This means that if you successfully integrate with the IdP and later decide to move your application to another URL, the meta-data must be regenerated and sent to the IdP again.

The easiest way to get the SP meta-data is the following:

  1. Run the SP at the location you want it to be publicly accessible.
  2. Visit the meta-data endpoint that Spring Security SAML creates, for example: http://ec2-54-72-253-84.eu-west-1.compute.amazonaws.com:9000/saml/metadata.
  3. Send this file as an attachment to your contact at CGI (I was in touch with d.fjallstrom@cgi.com and roger.oberg@cgi.com).