时间戳

首页 > 解决方案 > Spring Security SAML2 使用 G Suite 作为 Idp

java - Spring Security SAML2 使用 G Suite 作为 Idp

问题描述

我正在尝试使用 Spring Security (5.3.3.RELEASE) 在 Spring Boot 应用程序中处理 SAML2 身份验证。带有 SP 和 G Suite 的 Spring Boot 应用程序将是 IDP。

在我的 Maven pom.xml 文件中,我有:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-saml2-service-provider</artifactId>
        </dependency>

在我的代码中,我有:


@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        final String registrationId = "gsuite";
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
                "REDACTED\n" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.SIGNING); // THIS IS THE PROBLEM

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(
            final RelyingPartyRegistration googleRegistration) {

        return new InMemoryRelyingPartyRegistrationRepository(googleRegistration);
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {

        http
                .authorizeRequests(authorize -> authorize
                        .anyRequest().authenticated())
                .saml2Login();
    }
}

问题是我需要一个签名密钥,但是该行final Saml2X509Credential credential = new Saml2X509Credential(cert, Saml2X509CredentialType.SIGNING);会引发异常,因为您必须将 a 传递给PrivateKey该构造函数才能将其用于该SIGNING类型。但是,如果我使用该凭据进行验证,则应用程序将失败,并出现需要签名密钥的异常。

G Suite 只提供一个元数据 XML 文件(Spring Security 不支持)和一个.pem文件。我将文件中的所有文本复制.pem到上面的那个字符串中以生成 X509 证书。

在 Spring Security SAML 的文档中,它们显示 2 个证书,但 G Suite 仅提供 1 个。我应该从 .pem 文件生成 PrivateKey 吗?如果是这样,怎么做?

标签: javaspring-securitysaml-2.0google-workspacespring-security-saml2

解决方案

让它工作!

关键是禁用签名。

    @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        // remote IDP entity ID
        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        // remote WebSSO Endpoint - Where to Send AuthNRequests to
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        // local registration ID
        final String registrationId = "gsuite";
        // local entity ID - autogenerated based on URL
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local SSO URL - autogenerated, endpoint to receive SAML Response objects
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        // local signing (and local decryption key and remote encryption certificate)
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----\n" +
                "REDACTED\n" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .providerDetails(config -> config.signAuthNRequest(false)) // THIS IS THE KEY
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }

推荐阅读