Get Started with Spring Boot, SAML, and Okta

Learn how to build a Spring Boot application that authenticates against Okta’s API with SAML. Uses Spring Security’s Java config and its SAML DSL.

Muhammad Aslam

Hi Matt, this tutorial is wonderful. I have a question regarding the SSL certificate that Okta provides while adding an application in it. Do we need to import that certificate into the keystore of the SP? And what will happen if we don’t add it to the SP keystore?

Thank you.

Matt Raible

Hello Muhammad. The SSL certificate in this example is one that you generate and self-sign. For production use, I’d recommend you get a real certificate. I’d recommend looking into Let’s Encrypt for that.

Piotr Klubiński

Hi Matt
I have one issue with this example: when I run the app via java -jar it fails to start due to a “FileNotFoundException” when looking for keystore.jks.
Everything works just fine when I run the app via bootRun (Gradle).

Matt Raible

Hello Piotr. That sounds reasonable since the server.ssl.key-store property is hard-coded in application.properties. You can override the location using java -D server.ssl.key-store=/path/to/file …, by setting a SERVER_SSL_KEY_STORE environment variable, or using Spring Boot’s other property override mechanisms.

Piotr Klubiński

I found a different solution.
In application.properties I changed the key-store from src/main/resources/saml/keystore.jks to classpath:saml/keystore.jks.
So now I can actually make use of the keyStoreFilePath field (which you seem to create but not use) and at the same time properly supply this property to Tomcat in order to enable SSL.

Matt Raible

That’s a great solution! I’ve created an issue with this improvement. Will update this blog post soon.

theLearner

Hi Matt,
Thanks for simplifying this example for us. I have one question. When Okta SSO authenticates a user, it sends a redirect to <hostname>/sasl/sso and the application itself handles the redirects to different URLs (i.e. if I access <hostname>/app/abc I am then redirected to the Okta SSO page. After signing in, Okta returns “<hostname>/sasl/sso”, which is then handled by the app to redirect to <hostname>/app/abc). Can you help me figure out how this routing works behind the scenes?

theLearner

Also, if I add a different URI on Okta, e.g. instead of localhost:8443:/saml/sso:
1. Suppose I define localhost:8443/saml/abcd. I get a 403 error.
2. Or if I define localhost:8443/app/saml/sso as the single sign-on URL and define the base path as “/app” in Spring Security, I get a 401 error.

theLearner

Now I am facing a weird situation. The app has suddenly started giving 404 errors after getting redirected to /saml/sso.
If I define an explicit controller mapping to saml/sso, it gets hit; otherwise 404. Up until now the Spring Security app was handling the redirect from saml/sso to the specific URL itself.

Matt Raible

Hello Akshay. Please don’t cross-post to our comments and to Stack Overflow. We get alerts for both systems via email almost immediately. I answered your question about flow on Stack Overflow.

Matt Raible

This is because Spring Security hardcodes the endpoint. More details are in my answer to your similar question on Stack Overflow. 🙂

theLearner

@mattraible
Apologies for duplicating queries.
Thanks for the clarification. Now I am starting to get hold of it.
One more query: what is passed on to the Spring Security application on authentication success? Is it a token or something else?

Also, if you can tell me whether the following assumption is correct or not:
After authentication I guess Spring Security maintains a JSESSIONID, and only when that JSESSIONID cookie expires does another request go to the Okta API to authenticate the user.
The browser also contains the JSESSIONID cookie for Okta, which, if valid, does not require the user to re-enter credentials on the Okta login page, and on expiring redirects to the Okta login page.
(I have checked that the JSESSIONID cookies exist in the browser, but are they being used in this flow?)

Matt Raible

The SAML assertion is processed by Spring Security SAML in the SAMLProcessingFilter. On authentication success, SavedRequestAwareAuthenticationSuccessHandler is called and a cookie is set for the session. As far as your assumption about the jsession cookie, you are correct.

sunil bandapally

Hi Matt,

Thanks for all your help for the beginners in SAML.
I want to understand how to get the UserDetails after the SAML assertion.
Do you have an example of retrieving the SAML Response from the IdP and how to handle it in a Spring Boot application?

Please help

Thanks,
Sunil Bandapally

Matt Raible

You can inject java.security.Principal into your method and you should be able to get user information from that. You could also inspect the Principal object and see if it’s a Spring Security type. Baeldung also has a good post on how to retrieve user information in Spring Security.
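One way to do what Sunil asks, added here as an example that is not part of the original post or its sample app: a controller injects java.security.Principal and, when the request was authenticated through Spring Security SAML (the SAMLProcessingFilter mentioned above), reads the NameID and attributes out of the SAMLCredential held in the Authentication. The endpoint path /whoami and the attribute names email and firstName are assumptions; the attribute names must match the attribute statements configured on the Okta application.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    // Spring MVC resolves Principal from the current SecurityContext, so this
    // only runs for requests that already passed SAML authentication.
    @GetMapping("/whoami") // hypothetical endpoint, not part of the sample app
    public Map<String, Object> whoAmI(Principal principal) {
        Map<String, Object> result = new LinkedHashMap<>();
        result.put("name", principal.getName());

        // With Spring Security the Principal is an Authentication; after
        // SAMLProcessingFilter succeeds its credentials are a SAMLCredential
        // wrapping the parsed, signature-verified assertion.
        if (principal instanceof Authentication) {
            Authentication auth = (Authentication) principal;
            result.put("authorities", auth.getAuthorities());

            Object credentials = auth.getCredentials();
            if (credentials instanceof SAMLCredential) {
                SAMLCredential saml = (SAMLCredential) credentials;
                // NameID is the subject identifier Okta asserted for this user.
                result.put("nameId", saml.getNameID().getValue());
                // Attribute names are assumed; they depend on the Okta app's
                // attribute statements. Missing attributes come back as null.
                result.put("email", saml.getAttributeAsString("email"));
                result.put("firstName", saml.getAttributeAsString("firstName"));
                // Which IdP issued the assertion, useful for audit logging.
                result.put("idp", saml.getRemoteEntityID());
            }
        }
        return result;
    }
}
```

Trust only what the assertion carries after Spring Security SAML has validated its signature and conditions; do not derive authorization from request parameters the browser can set.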

Matt Raible

You should be able to compare your application with the example for this blog post and see what’s different.

Stan

Hi Matt, thanks for the write-up.

Is there a way to get this to work with http instead of https ?

Matt Raible

I wouldn’t know without trying. I’m assuming you tried and ran into issues? If so, what are they?

Stan

The browser enters an endless redirect loop:
first, a POST to http://localhost:8085/saml/SSO is successful with 200,

then it does

https://<myco>dev.oktapreview.com/app/<my…

and this repeats forever.

thanks !!