Geek Answers Handbook

Spring SAML - Support for Custom SAML Claims

We have a product with one client, and we implemented the SAML stream for this client, using Spring SAML security , when we act as a service provider and idp are on the client side.

Now we have another client that also wants authentication to be with SAML, and we want the same SP to implement the SAML stream for this client, and the second client will have 2 threads for SAML for the mobile device and one for the other devices using the same IDP. IDPs of two clients are different.

Problem

There are several differences between the two clients, for example, the approval attributes are different, and the action for successful authentication is different, we currently provide our own implementation.

There may also be more changes, such as various bindings, etc.

My question is, what is the best option / best practice to support such a scenario and the possibility of expanding my SP to support more SAML streams with differences in Assertion attributes and other configurations?

When we use Spring SAML, should we use different Spring security context files for each of the SAML flavors?

Are there thread safety issues when using multiple contexts in parallel?

+4
1

- / SP SAML ?

, Assertion, . . . , SAMLUserDetailsService, EntityID SAML - IDP.

Spring SAML, Spring Security SAML? ?

. , SAML , , , , .

Spring SAML . Spring , . , , Spring, , , .

IDP?

, , , .

  • URL . IDP , URL-

    "/saml/login/alias/" +productAlias+ "?idp=" + entityId;

    , URL-, URL- .

  • . metadata.xml . , SAML .

    , , , IDP, . SAMLUserDetailsService. SAMLCredential, , credential.getRemoteEntityID(), . .

SAML Microsoft IDP

 public class AttributeMapperImpl implements AttributeMapper {

    @Override
    public Map<String, List<String>> parseSamlStatements(List<AttributeStatement> attributeList) {
        Map<String, List<String>> map = new HashMap<>();
        attributeList.stream().map((statement) -> parseSamlAttributes(statement.getAttributes())).forEach((list) -> {
            map.putAll(list);
        });
        return map;
    }

    @Override
    public Map<String, List<String>> parseSamlAttributes(List<Attribute> attributes) {
        Map<String, List<String>> map = new HashMap<>();
        attributes.stream().forEach((attribute) -> {
            List<String> sList = parseXMLObject(attribute.getAttributeValues());
            map.put(attribute.getName(), sList);
        });
        return map;
    }

    @Override
    public List<String> parseXMLObject(List<XMLObject> objs) {
        List<String> list = new ArrayList<>();

        objs.stream().forEach((obj) -> {
            if(obj instanceof org.opensaml.xml.schema.impl.XSStringImpl){
                XSStringImpl xs = (XSStringImpl) obj;
                list.add(xs.getValue());
            }else if(obj instanceof org.opensaml.xml.schema.impl.XSAnyImpl){
                XSAnyImpl xs = (XSAnyImpl) obj;
                list.add(xs.getTextContent());
            }
        });  

        return list;
    }

    @Override
    public String parseSamlStatementsToString(Map<String, List<String>> map) {
        String values = "";
        Iterator it = map.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry pair = (Map.Entry) it.next();
            values += pair.getKey() + "=" + pair.getValue() + " ";
            it.remove(); // avoids a ConcurrentModificationException
        }
        return values;
    }

}
  • /. . , , . , IDP . , , , , , IDP (.. saml ).
+2

More articles:


All Articles