Spring 使用 G Suite 作为 Idp 的安全 SAML2
Spring Security SAML2 Using G Suite as Idp
我正在尝试使用 Spring 安全性 (5.3.3.RELEASE) 在 Spring 引导应用程序中处理 SAML2 身份验证。 Spring 作为 SP 和 G Suite 的启动应用程序将成为 IDP。
在我的 Maven pom.xml 文件中我有:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>
在我的代码中我有:
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public RelyingPartyRegistration googleRegistration() throws CertificateException {
final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
final String registrationId = "gsuite";
final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
"REDACTED\n" +
"-----END CERTIFICATE-----").getBytes();
final InputStream is = new ByteArrayInputStream(certBytes);
final CertificateFactory cf = CertificateFactory.getInstance("X.509");
final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
final Saml2X509Credential credential = new Saml2X509Credential(cert,
Saml2X509CredentialType.SIGNING); // THIS IS THE PROBLEM
return RelyingPartyRegistration.withRegistrationId(registrationId)
.providerDetails(config -> config.entityId(idpEntityId))
.providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
.credentials(c -> c.add(credential))
.localEntityIdTemplate(localEntityIdTemplate)
.assertionConsumerServiceUrlTemplate(acsUrlTemplate)
.build();
}
@Bean
public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(
final RelyingPartyRegistration googleRegistration) {
return new InMemoryRelyingPartyRegistrationRepository(googleRegistration);
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests(authorize -> authorize
.anyRequest().authenticated())
.saml2Login();
}
}
问题是我需要一个签名密钥,但是 final Saml2X509Credential credential = new Saml2X509Credential(cert, Saml2X509CredentialType.SIGNING);
行抛出异常,因为您必须将 PrivateKey
传递给该构造函数才能将其用于 [=15] =] 类型。但是,如果我使用该凭据进行验证,应用程序将失败,但需要签名密钥。
G Suite 仅提供元数据 XML 文件(Spring 安全性不支持)和 .pem
文件。我将 .pem
文件中的所有文本复制到上面的字符串中以生成 X509 证书。
在 Spring 安全 SAML 的文档中,他们显示了 2 个证书,但 G Suite 只提供了 1 个。我应该从 .pem 文件生成一个私钥吗?如果是,怎么做?
成功了!
关键是禁用签名。
@Bean
public RelyingPartyRegistration googleRegistration() throws CertificateException {
// remote IDP entity ID
final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
// remote WebSSO Endpoint - Where to Send AuthNRequests to
final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
// local registration ID
final String registrationId = "gsuite";
// local entity ID - autogenerated based on URL
final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
// local SSO URL - autogenerated, endpoint to receive SAML Response objects
final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
// local signing (and local decryption key and remote encryption certificate)
final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
"REDACTED\n" +
"-----END CERTIFICATE-----").getBytes();
final InputStream is = new ByteArrayInputStream(certBytes);
final CertificateFactory cf = CertificateFactory.getInstance("X.509");
final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
final Saml2X509Credential credential = new Saml2X509Credential(cert,
Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);
return RelyingPartyRegistration.withRegistrationId(registrationId)
.providerDetails(config -> config.entityId(idpEntityId))
.providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
.providerDetails(config -> config.signAuthNRequest(false)) // THIS IS THE KEY
.credentials(c -> c.add(credential))
.localEntityIdTemplate(localEntityIdTemplate)
.assertionConsumerServiceUrlTemplate(acsUrlTemplate)
.build();
}
我正在尝试使用 Spring 安全性 (5.3.3.RELEASE) 在 Spring 引导应用程序中处理 SAML2 身份验证。 Spring 作为 SP 和 G Suite 的启动应用程序将成为 IDP。
在我的 Maven pom.xml 文件中我有:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>
在我的代码中我有:
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public RelyingPartyRegistration googleRegistration() throws CertificateException {
final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
final String registrationId = "gsuite";
final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
"REDACTED\n" +
"-----END CERTIFICATE-----").getBytes();
final InputStream is = new ByteArrayInputStream(certBytes);
final CertificateFactory cf = CertificateFactory.getInstance("X.509");
final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
final Saml2X509Credential credential = new Saml2X509Credential(cert,
Saml2X509CredentialType.SIGNING); // THIS IS THE PROBLEM
return RelyingPartyRegistration.withRegistrationId(registrationId)
.providerDetails(config -> config.entityId(idpEntityId))
.providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
.credentials(c -> c.add(credential))
.localEntityIdTemplate(localEntityIdTemplate)
.assertionConsumerServiceUrlTemplate(acsUrlTemplate)
.build();
}
@Bean
public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(
final RelyingPartyRegistration googleRegistration) {
return new InMemoryRelyingPartyRegistrationRepository(googleRegistration);
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.authorizeRequests(authorize -> authorize
.anyRequest().authenticated())
.saml2Login();
}
}
问题是我需要一个签名密钥,但是 final Saml2X509Credential credential = new Saml2X509Credential(cert, Saml2X509CredentialType.SIGNING);
行抛出异常,因为您必须将 PrivateKey
传递给该构造函数才能将其用于 [=15] =] 类型。但是,如果我使用该凭据进行验证,应用程序将失败,但需要签名密钥。
G Suite 仅提供元数据 XML 文件(Spring 安全性不支持)和 .pem
文件。我将 .pem
文件中的所有文本复制到上面的字符串中以生成 X509 证书。
在 Spring 安全 SAML 的文档中,他们显示了 2 个证书,但 G Suite 只提供了 1 个。我应该从 .pem 文件生成一个私钥吗?如果是,怎么做?
成功了!
关键是禁用签名。
@Bean
public RelyingPartyRegistration googleRegistration() throws CertificateException {
// remote IDP entity ID
final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
// remote WebSSO Endpoint - Where to Send AuthNRequests to
final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
// local registration ID
final String registrationId = "gsuite";
// local entity ID - autogenerated based on URL
final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
// local SSO URL - autogenerated, endpoint to receive SAML Response objects
final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
// local signing (and local decryption key and remote encryption certificate)
final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
"REDACTED\n" +
"-----END CERTIFICATE-----").getBytes();
final InputStream is = new ByteArrayInputStream(certBytes);
final CertificateFactory cf = CertificateFactory.getInstance("X.509");
final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
final Saml2X509Credential credential = new Saml2X509Credential(cert,
Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);
return RelyingPartyRegistration.withRegistrationId(registrationId)
.providerDetails(config -> config.entityId(idpEntityId))
.providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
.providerDetails(config -> config.signAuthNRequest(false)) // THIS IS THE KEY
.credentials(c -> c.add(credential))
.localEntityIdTemplate(localEntityIdTemplate)
.assertionConsumerServiceUrlTemplate(acsUrlTemplate)
.build();
}