SAML SSO with Swing Client, webapp SP and IdP using spring-security-saml2-core

  • SAML SSO with Swing Client, webapp SP and IdP using spring-security-saml2-core

    My project currently uses spring-security as follows:
    • Has a webapp service provider (SP)
    • SP uses LDAP as IdP username / password as auth tokens
    • Has a Swing based fat client (FC) that accesses SP using SOAP/HTTP
    • Has a REST client (RC) access the SP using HTTP
    • FC and RC both authenticate with SP via WSS using spring-security and basic authentication

    I would like to enhance my project to support SAML2 SSO using spring-security-saml2-core and an external IdP such as ssocircle.com or onelogin.com, but I am not sure if it is possible and, if so, how. Specifically I have the following questions:
    • How to handle the Swing based fat client (FC) in the SSO scenario? How does it change to support SAML2 SSO?
    • What would be the authentication mechanism between FC and SP? Would it still be WSS using spring-security?

    TIA for any high level advice on how to support SAML2 SSO in my scenario.

  • #2
    Hi,

    In order to authenticate a user with an IDP using SAML 2.0 WebSSO you need to get your user to open the IDP's authentication page and enter her credentials; there's no way around it. So some ideas on how it could be achieved:

    - your FC generates a random token ID
    - FC opens a native browser at a URL which starts SAML 2.0 authentication and includes the random token ID as a relay state
    - user authenticates using the native browser against your SP and SP creates a global session linked to the token ID
    - SP provides an interface (e.g. a WS secured using WSS where username is a constant identifying your FC and password = token ID) which enables querying based on the token ID, and FC polls your SP for information related to the token ID
    - once the user successfully authenticates, FC retrieves this information using the token ID

    Same applies to your RC - you cannot simply make a REST call with user's credentials. The key idea of federated authentication is that your client doesn't know credentials of the user. You'd again need to initialize the SSO using browser and later perhaps poll for the result from your SP.

    Cheers, Vladi

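The token hand-off Vladi sketches above, as an added example that is not from the original thread or from the spring-security-saml2-core project: both sides are modelled in memory in Python, with the SP base URL, the constant client id, the TTL and the principal names all constructed assumptions. The SP only learns the token from the browser's RelayState, the result is handed out once and only to the bearer of that token, and the user's IdP credentials never pass through the FC.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

SESSION_TTL = 300          # seconds an unclaimed result is kept (constructed value)
FC_CLIENT_ID = "swing-fc"  # the constant WSS username identifying the fat client


class ServiceProvider:
    """Constructed model of the SP side: maps RelayState tokens to login results."""

    def __init__(self, base_url="https://sp.example.com"):  # assumed URL
        self.base_url = base_url
        self._results = {}  # token -> (principal, expiry)

    def sso_login_url(self, token):
        # The FC opens the system browser here; RelayState carries the token.
        return f"{self.base_url}/saml/login?{urlencode({'RelayState': token})}"

    def on_saml_success(self, relay_state, principal):
        # Called once the SP has validated the SAML response from the IdP.
        # The SP never saw the token before this point; it just stores the
        # outcome under it, bounded by a TTL so stale results do not linger.
        self._results[relay_state] = (principal, time.time() + SESSION_TTL)

    def poll(self, username, password):
        # The WSS-secured query: username = constant FC id, password = token.
        if username != FC_CLIENT_ID:
            return None
        entry = self._results.pop(password, None)  # one-time read
        if entry is None:
            return None                            # not authenticated (yet)
        principal, expiry = entry
        return principal if time.time() < expiry else None


class FatClient:
    """Constructed model of the Swing client side of the hand-off."""

    def __init__(self, sp):
        self.sp = sp
        self.token = secrets.token_urlsafe(32)  # unguessable, one per login attempt

    def start_login(self):
        return self.sp.sso_login_url(self.token)

    def poll(self):
        return self.sp.poll(FC_CLIENT_ID, self.token)


def relay_state_from(url):
    # What the SP's SAML entry point reads back from the browser request.
    return parse_qs(urlparse(url).query)["RelayState"][0]
```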

    • #3
      Hi Vladi,

      Thanks very much for your help on both of my recent questions and for a terrific OS project.

      Do you think that for my Fat Client (FC) the SAML Enhanced client/proxy profile would play a role?

      I will continue to research this and summarize my findings here at some point. Thanks again.


      • #4
        Hi,

        I'm afraid that ECP won't be of help here. Most IDPs simply don't support it. It might make sense in case you'd be in control of the IDP you want to use and could customize it.

        Vladi


        • #5
          Hi Vladi,

          I forgot to mention that my Swing / Fat Client (FC) can receive incoming HTTP requests via an embedded HTTP server. Can that simplify the authentication protocol with the IdP? What if the user entered basic credentials for the IdP (e.g. ssocircle) in the FC? Can spring-security-saml2-core be used to then take those credentials and send an Authentication Request to the IdP, receive a response on its HTTP listener endpoint and then use the response to make an authenticated request with the SP?

          If above is the simplest solution then what would the spring config look like for the FC?

          Thanks for any pointers you can provide. With some minimal validation of a design approach I can do some prototyping and report back and share my finding.


          • #6
            Hi Vladi,

            I do have control over the choice of IdPs. Shibboleth 2.4.0 IdP supports the ECP Profile. Will the ECP Profile work as expected if my SP is implemented using spring-security-saml2-core and my IdP is Shibboleth 2.4.0? What classes in the spring-security-saml2 project support implementing ECP in non-browser based Java clients such as a Swing application? If there is no such support, do you or anyone else have experience with another library to fill that gap? Does anyone have the ECP Profile working with spring-security-saml2-core in the SP and a Shibboleth IdP?

            Thanks for your help.


            • #7
              I would be grateful if Vladi or anyone else can comment on my last message. This is hopefully a simple question about the level of support for ECP profile in spring-security-saml2. TIA for your help.
