How to configure Spring SAML to work with Okta?

I am trying to make spring-boot-security-saml-sample application work with Okta. To add Okta as a provider, I made the following changes to WebSecurityConfig.java:

https://gist.github.com/mraible/c8b52972f76e6f5e30d5

I found the following question that gives some recommendations, but I cannot get it to work.

configure saml-sample (SP) to work with Okta (IdP)

Here are the values I use in Okta:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddress
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}

It looks like it works from logs:

[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748 INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;

However, it redirects me to the Okta website, and not back to my website.

+7
spring-security spring-saml okta
2 answers

I got it to work! The key seems to be asking for "Uncompressed." From there, I removed "alias/defaultAlias", as this seems to work when you set the alias to ExtendedMetadata. My settings that work on the Okta side:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/saml/SSO
Name ID Format: EmailAddress
Recipient: http://localhost:8080/saml/SSO
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Uncompressed
Destination: http://localhost:8080/saml/SSO
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
+4

Matte
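The difference between the two Okta configurations above is that Post Back URL, Recipient and Destination must all name the SP's AssertionConsumerService endpoint (with or without the alias, depending on what the SP metadata publishes). Below is an added diagnostic, not part of the question, the answer or the sample project: it parses SP metadata (a constructed minimal document here; the real one is served by the sample at http://localhost:8080/saml/metadata, which is an assumption about the default path) and reports which Okta fields disagree with it.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def constructed_sp_metadata(acs_location, entity_id="com:vdenotaris:spring:sp"):
    """Build a minimal SP metadata document (constructed sample, not fetched from the app)."""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS['md']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="{acs_location}" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sp_endpoints(metadata_xml):
    """Return the SP entityID and every HTTP-POST AssertionConsumerService Location."""
    root = ET.fromstring(metadata_xml)
    acs = [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)
           if e.get("Binding") == HTTP_POST]
    return root.get("entityID"), acs

def check_okta_settings(metadata_xml, okta):
    """Map each Okta field that does not match the SP metadata to a short reason."""
    entity_id, acs = sp_endpoints(metadata_xml)
    problems = {}
    # Okta POSTs the response to Post Back URL; Recipient and Destination travel
    # inside the response and are validated by the SP against the receiving endpoint.
    for field in ("Post Back URL", "Recipient", "Destination"):
        if okta[field] not in acs:
            problems[field] = f"{okta[field]} is not an ACS location {acs}"
    if okta["Audience Restriction"] != entity_id:
        problems["Audience Restriction"] = f"expected the SP entityID {entity_id}"
    return problems

ACS_WITH_ALIAS = "http://localhost:8080/saml/SSO/alias/defaultAlias"
ACS_NO_ALIAS = "http://localhost:8080/saml/SSO"

# Values from the question: Okta posts to the site root, not to the ACS endpoint.
QUESTION_SETTINGS = {"Post Back URL": "http://localhost:8080/", "Recipient": ACS_WITH_ALIAS,
                     "Destination": ACS_WITH_ALIAS, "Audience Restriction": "com:vdenotaris:spring:sp"}
# Values from the accepted answer: all three URLs name the same ACS endpoint.
ANSWER_SETTINGS = {"Post Back URL": ACS_NO_ALIAS, "Recipient": ACS_NO_ALIAS,
                   "Destination": ACS_NO_ALIAS, "Audience Restriction": "com:vdenotaris:spring:sp"}

if __name__ == "__main__":
    print(check_okta_settings(constructed_sp_metadata(ACS_WITH_ALIAS), QUESTION_SETTINGS))
    print(check_okta_settings(constructed_sp_metadata(ACS_NO_ALIAS), ANSWER_SETTINGS))
```

Running it against the question's values flags only Post Back URL, which is the redirect-to-Okta symptom described; the answer's values produce no mismatches.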

Try setting the "Post Back URL" to "localhost:8080/saml/SSO/alias/defaultAlias".

From your configuration's point of view, "localhost:8080/saml/SSO/alias/defaultAlias" is the SAML endpoint at "localhost" where we send the SAML response to.

Right now, since it's "localhost:8080/", your demo site is probably just redirecting you back to Okta, rather than parsing the SAML response.

You did not mention what you did on the Okta side to test this. Here are instructions on how to do this - https://support.okta.com/entries/27560008-Using-the-App-Integration-Wizard - using our application wizard, which creates the correct SAML IdP endpoints on the Okta side. The Okta-side SAML login URL is required by your demo site so that it knows where to redirect SAML requests.

For more information about SAML - you can find our SAML manual on our developer's site - http://developer.okta.com/docs/getting_started/saml_guidance.html

Let me know how it goes. Regards,

Stephen

0
