
  • ADFS / SAML and Java (Spring)


    I am currently working on a project where we are trying to deploy a single sign on solution based on ADFS (Active Directory Federation Service) 2.0. As our web environment is java based, I am looking to use Spring to connect to the ADFS to get SSO for our java web applications. Unfortunately, after going through the ADFS documentation from Microsoft, I am still unclear on how to approach this. Is there somewhere some documentation and/or examples that might be a good guide to get me going?


  • #2

    I'm also looking into using ADFS SSO in a Spring Security based Java app.

    Any help is appreciated.

    @YuLong - I'd be happy to hear if you made any progress in this area :-)



    • #3
      The good news is that the current version of the module can be configured to work with ADFS 2.0, it's been tested sometime last year. The bad news is that I can't find my notes related to it.

      The manual of the upcoming release will contain guidelines on how to set this up, I'll also drop a line here, once this part is ready.


      • #4
        Any progress on this? I have a project that needs to take advantage of ADFS and OpenSSO as well and it'd be awesome if we could plug spring security in as this is what we already use.


        • #5
          We have used Spring Security SAML to connect to ADFS 2.0. I haven't looked into OpenSSO though.


          • #6
            ADFS and Spring Security integration

            Hi All,
            Could you please guide us to the documentation for integrating Spring Security with ADFS?

            We are using the Mule service bus, which uses Spring Security. Our portal is based on SharePoint 2010 and we are using ADFS for SSO. Right now we are struggling to integrate Mule and ADFS SSO.

            Any help is much appreciated!!!!



            • #7
              I'm working on this project right now as well.

              Has anyone found any resources to integrate Spring to ADFS through SAML? Nothing in the docs, and only cryptic references to "the notes" on the board. Any help would be appreciated!


              • #8
                Any answers on this?

                This seems like it would be a common enough requirement that there should be a sample app like Sparklr/tonr, possibly even with a sample STS to mimic ADFS (would the STS not be transparent)? Maybe I'm looking in all the wrong places, but the other posts seem to be about implementing it via hacks on older versions of Spring Security and OAuth. There will be lots more people asking about this when Microsoft officially releases the Windows Identity stuff.


                • #9

                  The Spring Security SAML Extension manual now contains a chapter about ADFS integration with a step-by-step guide. You can find it in chapter 6.1 at

                  It should enable you to get the integration running in a matter of minutes. Please let me know if you run into any troubles. Make sure to use the latest version which updates the default certificate with a new validity period.

                  • Install AD FS 2.0
                  • Run AD FS 2.0 Federation Server Configuration Wizard in the AD FS 2.0 Management Console
                  • Make sure that DNS name of your Windows Server is available at your SP and vice-versa
                  • Install a Java container (e.g. Tomcat) for deployment of the SAML 2 Extension
                  • Configure your container to use HTTPS, this is required by AD FS

                  Initialize IDP metadata:
                  • Download AD FS 2.0 metadata from https://server/FederationMetadata/20...onMetadata.xml
                  • Store the downloaded content to saml2-sample/WEB-INF/src/main/resources/security/FederationMetadata.xml
                  • Modify bean metadata in securityContext.xml and replace classpath:security/idp.xml with classpath:security/FederationMetadata.xml and add property metadataTrustCheck to false to skip signature validation:
                    <bean class="">
                            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                                    <value type="">classpath:security/FederationMetadata.xml</value>
                                <property name="parserPool" ref="parserPool"/>
                            <bean class=""/>
                        <property name="metadataTrustCheck" value="false"/>

                  Initialize SP metadata:
                  • Deploy SAML 2 Extension war archive from saml2-sample/target/spring-security-saml2-sample.war
                  • Open browser at e.g. https://server:port/spring-security-saml2-sample, make sure to use HTTPS protocol, system will automatically generate metadata document
                  • Click Metadata information, select item with your server name in the Service providers list
                  • Store content of the Metadata field to a document metadata.xml and upload it to the AD FS server
                  • In AD FS 2.0 Management Console select "Add Relying Party Trust"
                  • Select "Import data about the relying party from a file" and select file created earlier, select Next
                  • System may complain that some content of metadata is not supported, you can safely ignore this warning
                  • Continue with the wizard, on "Ready to Add Trust" make sure that the Endpoints tab contains multiple endpoint values; if not, verify that your metadata was generated with the https protocol in its URLs
                  • Leave "Open the Edit Claim Rules dialog" checkbox checked and finish the wizard
                  • Select "Add Rule", choose "Send LDAP Attributes as Claims" and press Next
                  • Add NameID as "Claim rule name", choose "Active Directory" as Attribute store, choose "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type", finish the wizard and confirm the claim rules window
                  • Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1

                  Test SSO

                  Open SAML Extension at https://localhost:8443/spring-security-saml2-sample, select your AD FS server and press login. In case Artifact binding is used and SSL/TLS certificate of your AD FS is not already trusted you have to import it to your samlKeystore.jks by following instructions in the error report.

                  Hope this helps,
                  Vladimír Schäfer
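
The AD FS side of the procedure above (import the relying party trust from the SP metadata, the NameID claim rule, the SHA-1 signature algorithm, and the endpoint check from the "Ready to Add Trust" step), scripted with the AD FS 2.0 PowerShell snap-in. This is an added example, not code from the original post or from the Spring Security SAML project; the trust name "Spring SAML Sample" and the path C:\temp\metadata.xml are assumptions, and the script is run in an elevated PowerShell on the AD FS server.

```powershell
# Added example, not part of the original post or the Spring Security SAML project.
# Assumed: the SP metadata saved from the sample's "Metadata information" page is at
# C:\temp\metadata.xml and the trust is called "Spring SAML Sample" (both arbitrary).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$trustName    = 'Spring SAML Sample'
$metadataFile = 'C:\temp\metadata.xml'

# "Add Relying Party Trust" -> "Import data about the relying party from a file".
# Warnings about unsupported metadata content are the same harmless ones the wizard shows.
Add-ADFSRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile

# Claim rule "NameID": sAMAccountName from Active Directory as the outgoing Name ID,
# i.e. what the "Send LDAP Attributes as Claims" template generates for the post's settings.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Without an issuance authorization rule AD FS denies every user; this is the
# "Permit all users" rule the wizard adds by default.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Advanced tab -> "Secure hash algorithm" = SHA-1, as in the post.
Set-ADFSRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Endpoint check: the list must not be empty and every location must be HTTPS.
# An empty list means the SP metadata was generated over plain HTTP.
$trust = Get-ADFSRelyingPartyTrust -Name $trustName
$trust.SamlEndpoints | Select-Object Protocol, Binding, Location | Format-Table -AutoSize
$bad = @($trust.SamlEndpoints | Where-Object { $_.Location.Scheme -ne 'https' })
if (-not $trust.SamlEndpoints -or $bad.Count -gt 0) {
    throw "Relying party '$trustName' has no endpoints or a non-HTTPS endpoint; regenerate the SP metadata over HTTPS."
}
```

The SHA-1 setting mirrors the post. AD FS 2.0 creates new trusts with SHA-256, and a mismatch between this setting and the algorithm the SP signs its requests with shows up as signature verification failures on the AD FS side, so change it only together with the SP's configuration.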


                  • #10
                    I'm nearly there but fell at the final fence...

                    I realize it's a bit late to reply to this thread but it has proved so useful and I feel like I'm nearly there.

                    I'm attempting to set up the sample app to demonstrate a Java application working with our ADFS 2.0 installation. I'm quite new to Java server side stuff and the learning curve has been... steep. I've installed the current JRE (Java 7u17 x64) on my Windows 2008 R2 server and the matching Java SE JDK (7u17 x64) on my workstation. I've set up a Tomcat service on the server using the installer for Windows. I've installed the IIS to Tomcat connector because I get SSL working in Tomcat. (For one, I couldn't work out how to request an SSL cert from my MS CA - it requires a template and keytool doesn't seem to allow me to specify one). So, I can access the example apps that come with Tomcat, over SSL via IIS.

                    Then I've downloaded spring-security-saml2-sample to my workstation and followed your instructions, above. I've built the code using gradlew.bat and copied it to "C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps", stopped and started Tomcat and see the app folder created and the pages served. On the (main) IDP selection page, I've selected my IDP and clicked Login. I'm redirected to the ADFS 2.0 server, where I log in with credentials that work in other apps.

                    I get an IIS 7.5-style:
                    Server Error
                    401 - Unauthorized: Access is denied due to invalid credentials.
                    You do not have permission to view this directory or page using the credentials that you supplied.


                    Any ideas?


                    • #11
                      When I increased the logging level, as described elsewhere on this site, I found this:

                      - Error decrypting the encrypted data element
                      ...ception: Illegal key size

                      and this post, led to this post (on which the instructions are still relevant for JRE7) and this download (which is the JRE7 version).

                      I restarted Tomcat, as a matter of habit and it worked. I was particularly impressed that you'd gone to the trouble of offering local and global logout buttons.

                      So, a hearty thank you to the people who worked on this sample and to Vladimír Schäfer for the instructions, above. You enabled an infrastructure/C# developer to get a demo site working in less than a working day, starting from a server that didn't even have Tomcat. I wish I could make it list a few more claims from the SAML token but I think I'll have to leave that to the Java guys.


                      • #12

                        ADFS logs could possibly provide some further insight. You can also find many pointers here. And thank you for your feedback!

                        Last edited by vsch; Mar 20th, 2013, 09:55 AM.