Java Web App Integration with SAML SSO

I have a RESTful Java Web Application that needs to be deployed in several different environments (outside of my control) that will use a SAML 2.0 SSO solution.

My application (which I think is a "service provider") needs to store user-generated state and uses internal business logic to determine which users can view or update other user data. For this to work, we need to know who the user is and what groups they are from. But how do I get this information?

Ideally, my web application will be SSO agnostic and will look for some custom key headers in HTTP requests to get this information, e.g. a SAML token in a request that can be parsed, or perhaps some custom headers specific to my "service provider".

Many thanks

+3

3 answers


You can run a reverse proxy in front of a Java web application to handle part of the SSO protocol and pass user ID information to the application in HTTP headers. For SAML 2.0 there is mod_auth_mellon: https://github.com/UNINETT/mod_auth_mellon

0

You are correct, your application is a Service Provider and you will have an external Identity Provider (IdP) for authentication.

Basically you need to issue an authentication request to the IdP (via HTTP POST or SOAP back channel, whatever they support) and use the authentication response from the IdP to make your decision as to whether users are who they say they are. Generally, you should be able to get the subject (i.e. username) and any group memberships from the authnResponse; however, exactly how this works will depend on how the IdP is configured.

Before you do this, you will need to exchange the SAML metadata with the IdP (usually part of registering as an SP with the IdP), which gives both parties things like a public X509 certificate to sign and validate requests.

There's a good spring library for SAML SP support, http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle

+1

If this is done in Java and is running on a web container (Tomcat, JBoss, etc.), then the agent can be implemented as a web authentication filter (servlet filter, added to web.xml). The user is usually inferred from the SAML Auth response <saml:NameID> or from a <saml:Attribute> by matching the userid attribute (uid, email, etc.). This user should be verified against the web application identity repository (could be LDAP, databases, etc.) and the corresponding groups computed. Instead of using arbitrary headers or a custom view for an authenticated user, consider using Java principals (for users and groups) on a Subject. The filter can then run the rest of the filter chain in Subject.doAs(). So the Subject can be looked up anywhere in the downstream code using Subject.getSubject().

0
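The filter-side flow described in the answer above (NameID and group attributes turned into principals on a Subject, then Subject.doAs() around the chain and Subject.getSubject() downstream), written out as an added example that is not from the original post. It assumes Java 17, a constructed assertion fragment whose XML signature has already been validated by the SAML library in front of it, and a hypothetical group attribute named "groups"; the hardened parser settings are the check you want before touching any IdP-supplied XML.

```java
import java.io.StringReader;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SamlSubjectDemo {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample Assertion; its XML signature is assumed to have been validated upstream.
    static final String ASSERTION = "<saml:Assertion xmlns:saml=\"" + NS + "\">"
        + "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        + "<saml:AttributeStatement><saml:Attribute Name=\"groups\">"
        + "<saml:AttributeValue>editors</saml:AttributeValue><saml:AttributeValue>readers</saml:AttributeValue>"
        + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>";

    // One principal type covers both the user (from NameID) and each group it belongs to.
    record SamlPrincipal(String name, boolean isGroup) implements Principal { public String getName() { return name; } }

    // Filter-side work: parse the assertion defensively and build a read-only Subject from it.
    static Subject subjectFromAssertion(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Subject subject = new Subject();
        subject.getPrincipals().add(new SamlPrincipal(
            doc.getElementsByTagNameNS(NS, "NameID").item(0).getTextContent().trim(), false));
        NodeList attrs = doc.getElementsByTagNameNS(NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            if (!"groups".equals(a.getAttribute("Name"))) continue; // hypothetical group attribute name
            NodeList vals = a.getElementsByTagNameNS(NS, "AttributeValue");
            for (int j = 0; j < vals.getLength(); j++)
                subject.getPrincipals().add(new SamlPrincipal(vals.item(j).getTextContent().trim(), true));
        }
        subject.setReadOnly(); // downstream code can read the principals but never extend them
        return subject;
    }

    // Stand-in for downstream code: it never sees headers, only the Subject bound to the call.
    static boolean callerIsEditor() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return s != null && s.getPrincipals(SamlPrincipal.class).stream().anyMatch(p -> p.isGroup() && p.getName().equals("editors"));
    }

    public static void main(String[] args) throws Exception {
        Subject subject = subjectFromAssertion(ASSERTION); // in the real filter: taken from the SAML response
        System.out.println("editor: " + Subject.doAs(subject, (PrivilegedAction<Boolean>) SamlSubjectDemo::callerIsEditor));
    }
}
```

In the real filter, subjectFromAssertion() runs once per authenticated request and chain.doFilter() is the action passed to Subject.doAs(); the group check belongs in the business logic, which then needs no knowledge of SAML at all.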
