Spring Security SAML example

This project demonstrates both IDP initiated and SP initiated SSO flows.

Modules

Identity-Provider

• Uses Spring Boot 2 identity provider (https://github.com/spring-attic/spring-security-saml/tree/develop-3.0)
• It contains a basic identity provider application with the ability to define custom user attributes. This test IDP can be used to test any local SAML service provider implementation.
• Requires JDK11

Service-Provider 1

• Uses Spring Boot 2 service provider (https://github.com/spring-attic/spring-security-saml/tree/develop-3.0)
• This is a basic service provider with custom IDP select page and a basic home page.
• Requires JDK11

Service-Provider-SB3 - import this into IDE separately as it uses JDK-17+

• Uses Spring Boot 3 service provider with spring-security-saml2
• https://docs.spring.io/spring-security/reference/servlet/saml2/login/overview.html#servlet-saml2login-minimaldependencies
• This is a basic service provider with custom IDP select page and a basic home page.
• Requires JDK17+

How to Test

• All module are Spring Boot applications. Run the applications (Run IDP first) and open either SP and IDP to initiate the authentication. Watch out for the redirection being performed by SAML.

  • http://localhost:8081/this-is-idp

  • http://localhost:8082/this-is-sp

  • http://localhost:8083/this-is-sp2

Look at UserUtils class to generate custom SAML attributes

• Usernames: user002@email, user003@email
• password: pass

generate a private key with the correct length

openssl genrsa -out pk.key 1024

generate corresponding public key

openssl pkcs8 -topk8 -inform pem -in pk.key -outform pem -nocrypt -out pk.pem

optional: create a self-signed certificate

openssl req -new -x509 -key pk.pem -out cert.pem -days 360

Sample Requests:

Note these are captured using breakpoints at org.springframework.security.saml.provider.AbstractHostedProviderService#fromXml in Identity-Provider module

Auth request from SP

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="http://localhost:8083/this-is-sp2/saml/sso/second-service-provider"
                     Destination="http://localhost:8081/this-is-idp/saml/idp/SSO/alias/my-identity-provider-app"
                     ForceAuthn="false" ID="ARQa06118f-16d5-404b-b083-3aca21c29988" IsPassive="false"
                     IssueInstant="2025-01-11T21:04:10.864Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">second-service-provider</saml2:Issuer>
</saml2p:AuthnRequest>

Login Response from IDP

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="http://localhost:8083/this-is-sp2/saml/sso/second-service-provider"
                 ID="RPe859c5a1-2f30-4a19-a416-e4b7281f6fe5" InResponseTo="ARQc681f84-9cab-44cc-8476-3b0c273d5a28"
                 IssueInstant="2025-01-11T21:09:45.667Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">my-identity-provider-app</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#RPe859c5a1-2f30-4a19-a416-e4b7281f6fe5">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>4nOd8Ypzy9rf2JD0qj4i0j4PUxK7rT92B1tl9b+tlNU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            KW/RO9j9qAn3kvhDM6MBPBJXyftEzaxyfp9EZSlzsdhKo6RqcDIFMC9vxhqvoSeKw3I8EME/Uq++&#13;
            Kja3uldRV8YhorYKJFcM4Uen7bckJioVExNZZGUJHuDWjAtHeuXGJ0lk+veCzoOrGed3k0bQ6zx0&#13;
            +jRlFXJIdr+aUnDSHMY=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIChTCCAe4CCQDo0wjPUK8sMDANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCVVMxEzARBgNV
                    BAgMCldhc2hpbmd0b24xEjAQBgNVBAcMCVZhbmNvdXZlcjEdMBsGA1UECgwUU3ByaW5nIFNlY3Vy
                    aXR5IFNBTUwxDDAKBgNVBAsMA2lkcDEhMB8GA1UEAwwYaWRwLnNwcmluZy5zZWN1cml0eS5zYW1s
                    MB4XDTE4MDUxNDE0NTUyMVoXDTI4MDUxMTE0NTUyMVowgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
                    DApXYXNoaW5ndG9uMRIwEAYDVQQHDAlWYW5jb3V2ZXIxHTAbBgNVBAoMFFNwcmluZyBTZWN1cml0
                    eSBTQU1MMQwwCgYDVQQLDANpZHAxITAfBgNVBAMMGGlkcC5zcHJpbmcuc2VjdXJpdHkuc2FtbDCB
                    nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2EuygAucRBWtYifgEH/ErVUive4dZdqo72Bze4Mb
                    kPuTKLrMCLB6IXxt1p5lu+tr0JxOiRO3KFVOO3D0l+j9zOow4g+JdoMQsjSzA6HtL/D9ZjXP6iUx
                    FCYx+qmnVl3X9ipBD/HVKOBlzIqeXTSa5D17uxPQVxK64UDOI3CyY4cCAwEAATANBgkqhkiG9w0B
                    AQsFAAOBgQAj+6b6dlA6SitTfz44LdnFSW9mYaeimwPP8ZtU7/3EJCzLd5eq7N/0kYPNVclZvB45
                    I0UMT77AHWrNyScm56MTcEpSuHhJHAqRAgJKbciCTNsFI928EqiWSmu//w0ASBN3bVa8nv8/rafu
                    utCq3RskTkHVZnbT5Xa6ITEZxSncow==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="A54fe2992-c0a2-4014-97b5-ff5b32de9c2e"
                     IssueInstant="2025-01-11T21:09:45.666Z" Version="2.0">
        <saml2:Issuer>my-identity-provider-app</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#A54fe2992-c0a2-4014-97b5-ff5b32de9c2e">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>dZvMj+HJXvN5EiXWzjGBTRPmjHIyIcPl/xPaM0G2Dzo=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
                RN2goZ+bbfw49E1lJ9TktQN59CmNXRkytzJ5WSdiyG/D9LgzSf0MUsDrBKq/znzXBMcat2ErqpTx&#13;
                o9M6RBqoRIE62wy08oD7SN8OwKIBjEgxBlGwNPqe5bCDdQyqNuUiB0vgMTiLpOabwdvvb/UVKnXJ&#13;
                i7+eFu/1s8vB/JOl9wQ=
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIChTCCAe4CCQDo0wjPUK8sMDANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCVVMxEzARBgNV
                        BAgMCldhc2hpbmd0b24xEjAQBgNVBAcMCVZhbmNvdXZlcjEdMBsGA1UECgwUU3ByaW5nIFNlY3Vy
                        aXR5IFNBTUwxDDAKBgNVBAsMA2lkcDEhMB8GA1UEAwwYaWRwLnNwcmluZy5zZWN1cml0eS5zYW1s
                        MB4XDTE4MDUxNDE0NTUyMVoXDTI4MDUxMTE0NTUyMVowgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
                        DApXYXNoaW5ndG9uMRIwEAYDVQQHDAlWYW5jb3V2ZXIxHTAbBgNVBAoMFFNwcmluZyBTZWN1cml0
                        eSBTQU1MMQwwCgYDVQQLDANpZHAxITAfBgNVBAMMGGlkcC5zcHJpbmcuc2VjdXJpdHkuc2FtbDCB
                        nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2EuygAucRBWtYifgEH/ErVUive4dZdqo72Bze4Mb
                        kPuTKLrMCLB6IXxt1p5lu+tr0JxOiRO3KFVOO3D0l+j9zOow4g+JdoMQsjSzA6HtL/D9ZjXP6iUx
                        FCYx+qmnVl3X9ipBD/HVKOBlzIqeXTSa5D17uxPQVxK64UDOI3CyY4cCAwEAATANBgkqhkiG9w0B
                        AQsFAAOBgQAj+6b6dlA6SitTfz44LdnFSW9mYaeimwPP8ZtU7/3EJCzLd5eq7N/0kYPNVclZvB45
                        I0UMT77AHWrNyScm56MTcEpSuHhJHAqRAgJKbciCTNsFI928EqiWSmu//w0ASBN3bVa8nv8/rafu
                        utCq3RskTkHVZnbT5Xa6ITEZxSncow==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                          SPNameQualifier="second-service-provider">user002@email
            </saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="ARQc681f84-9cab-44cc-8476-3b0c273d5a28"
                                               NotOnOrAfter="2025-01-11T21:11:45.666Z"
                                               Recipient="http://localhost:8083/this-is-sp2/saml/sso/second-service-provider"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2025-01-11T21:08:45.666Z" NotOnOrAfter="2025-01-11T21:11:45.666Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>second-service-provider</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2025-01-11T21:09:45.666Z"
                              SessionIndex="IDXad91f552-650a-4d75-95cf-0a058a810c9e"
                              SessionNotOnOrAfter="2025-01-11T21:39:45.666Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
                </saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement/>
    </saml2:Assertion>
</saml2p:Response>

Logout Request from SP

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                      Destination="http://localhost:8081/this-is-idp/saml/idp/logout/alias/my-identity-provider-app"
                      ID="LR5c81696c-2295-42ad-92c6-b91bc5481f97" IssueInstant="2025-01-11T21:08:25.396Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">second-service-provider</saml2:Issuer>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">user002@email</saml2:NameID>
    <saml2p:SessionIndex>IDX29d3bed5-1e1b-48c5-8951-b14fc05581dd</saml2p:SessionIndex>
</saml2p:LogoutRequest>