Spring Security SAML2 使用 G Suite 作为 Idp

【问题标题】:Spring Security SAML2 Using G Suite as IdpSpring Security SAML2 使用 G Suite 作为 Idp
【发布时间】:2020-10-06 17:27:05
【问题描述】:

我正在尝试使用 Spring Security (5.3.3.RELEASE) 在 Spring Boot 应用程序中处理 SAML2 身份验证。带有 SP 和 G Suite 的 Spring Boot 应用程序将是 IDP。

在我的 Maven pom.xml 文件中,我有:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-saml2-service-provider</artifactId>
        </dependency>

在我的代码中:


@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        final String registrationId = "gsuite";
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
                "REDACTED\n" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.SIGNING); // THIS IS THE PROBLEM

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(
            final RelyingPartyRegistration googleRegistration) {

        return new InMemoryRelyingPartyRegistrationRepository(googleRegistration);
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {

        http
                .authorizeRequests(authorize -> authorize
                        .anyRequest().authenticated())
                .saml2Login();
    }
}

问题是我需要一个签名密钥,但是final Saml2X509Credential credential = new Saml2X509Credential(cert, Saml2X509CredentialType.SIGNING); 行会引发异常,因为您必须将PrivateKey 传递给该构造函数才能将其用于SIGNING 类型。但是,如果我使用该凭据进行验证,应用程序将失败,并出现需要签名密钥的异常。

G Suite 仅提供一个元数据 XML 文件(Spring Security 不支持)和一个.pem 文件。我将.pem 文件中的所有文本复制到上面的那个字符串中以生成X509 证书。

在 Spring Security SAML 的文档中,它们显示 2 个证书,但 G Suite 仅提供 1 个。我应该从 .pem 文件生成 PrivateKey 吗?如果有,怎么做?

【问题讨论】:

    标签: java spring-security saml-2.0 google-workspace spring-security-saml2


    【解决方案1】:

    让它工作!

    密钥正在禁用签名。

        @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        // remote IDP entity ID
        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        // remote WebSSO Endpoint - Where to Send AuthNRequests to
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        // local registration ID
        final String registrationId = "gsuite";
        // local entity ID - autogenerated based on URL
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local SSO URL - autogenerated, endpoint to receive SAML Response objects
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        // local signing (and local decryption key and remote encryption certificate)
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
                "REDACTED\n" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .providerDetails(config -> config.signAuthNRequest(false)) // THIS IS THE KEY
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }

    【讨论】:

    • 等等。这是两个不同的东西。如果要对请求进行签名,则需要带有私钥的签名凭证。您始终需要验证凭证来验证来自 IdP 的 AuthNResponse
    猜你喜欢
    • 1970-01-01
    • 2020-08-24
    • 2020-06-24
    • 2020-06-22
    • 2016-05-20
    • 1970-01-01
    • 2016-05-16
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode