Get Started with Spring Boot, SAML, and Okta

Stan

Hi Matt,
If I want to log in using the IDP-initiated flow (from Okta’s app screen), do I need to make any changes to the code?

Thanks

Matt Raible

I don’t know as I don’t have a way to test this out. Can you try and see if you run into issues?

Matt Raible

Hello Stan: I don’t think Okta prevents you from using http vs https. However, we do recommend you use HTTPS whenever dealing with authentication. I tried to modify the Spring Boot app in this post to use http and I couldn’t even get it to start up. Error is:

Factory method ‘springSecurityFilterChain’ threw exception;
nested exception is java.lang.IllegalArgumentException: Location must not be null

Stan

Agree!!! Use https. If I have more time I’ll play with it a bit more, but out of the box it didn’t work.

Stan

I wasn’t able to port your configuration into my application. I was getting an expected-type mismatch in one of the filters, which expected a SAMLToken and instead got a UserNamePassword token, and an endless redirect in the end.

After some time I went back to the Spring SAML project and it worked with minor tweaks (XML config). The IDP-initiated flow worked as well.

kayla

Hi Matt!
I used https://localhost:8443/saml/metadata for the metadata URL, but it didn’t work, so I tried http://www.okta.com/exke6gh… (was in the metadata file) but that didn’t work either. Or at least I don’t think it did, because it just says the site can’t be reached.

Matt Raible

Does your application.properties look like the one from the sample app? https://github.com/oktadeve…

kayla

It does now, but it still says the site can’t be reached.

Matt Raible

I’m guessing you might have a network issue. Are you on a corporate network or VPN? You might try running your app on a more open network.

Trevor Miller

My application has a context path configured. I get an HTTP 404 error when the SAML discovery URL is redirected because it does not include the context path. How can I fix this? http://localhost:8080/saml/discovery should be http://localhost:8080/contextpath/saml/discovery

Rohit Patil

Hello Sunil,

Did you get the workaround for this? Kindly share …

Matt Raible

Rohit - did you see my answer to Sunil below? Here’s a direct link. If this doesn’t help, can you please explain what you are trying to accomplish?

Santosh Hemashekar

The above tutorial is absolutely working fine. I even ran the same in a Docker container and it’s working fine. I tried deploying the container image into Amazon Cloud, and I could see that the authorization is failing when I try to access the application from AWS. I have updated the URL and metadata accordingly in Okta and the Spring Boot properties. Please advise. Thank you

Matt Raible

Hello Santosh: I haven’t tried to deploy the example app in AWS. Can you post your question (with errors/stacktrace) to Stack Overflow? I’ll see it there if you tag it with “okta”. I’d suggest adding “spring-boot” and “spring-security” as tags too so the greater Spring community sees it and can help if they know the answer.

Nathan

Hi, this tutorial has been working fine. Have you ever come across a SAML exception for “InResponseToField of the Response doesn’t correspond to sent message”? I’ve noticed this issue has started happening for my application that’s being deployed in a Docker container into AWS. Hope you can help.

subrat

Hi Matt,

Can you please share the code to do authentication in Okta, but with authorization happening from my database?

Matt Raible

I’m not sure I would recommend this, but I’m sure it’s possible. You would have to do something like grabbing the username from the Principal, looking up the user in your database to find their roles, then configuring Spring Security to have these roles. It can get tricky because if your database doesn’t have these roles, you might have to add them.

You could look at the code in JHipster’s UserService#getUserFromAuthentication() method. It does something similar, but uses OAuth 2.0 instead of SAML.
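The approach described in the reply above (Okta authenticates, the local database authorizes), as an added example that is not the tutorial's or JHipster's code. It assumes the Spring Security SAML extension's `SAMLUserDetailsService` hook, a Spring `JdbcTemplate`, and an assumed table `app_user_role(username, role)`; rejecting users with no local roles is a design choice made here, not something the reply prescribes.

```java
// Added example (not the tutorial's code): map a SAML-authenticated Okta user
// to roles held in a local database. Table and column names are assumptions.
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Service;

@Service
public class DatabaseRoleSamlUserDetailsService implements SAMLUserDetailsService {

    private final JdbcTemplate jdbc;

    public DatabaseRoleSamlUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // Okta has already authenticated the user; the assertion's NameID is the
        // username we look up locally (the tutorial's Principal name).
        String username = credential.getNameID().getValue();

        // Authorization comes from the local database, not from the SAML assertion.
        List<String> roles = jdbc.queryForList(
                "SELECT role FROM app_user_role WHERE username = ?", String.class, username);

        // Fail closed: a user Okta knows but the database does not gets no access,
        // rather than a default role. Provisioning such users is a separate step.
        if (roles.isEmpty()) {
            throw new UsernameNotFoundException("No local roles for SAML user " + username);
        }

        List<GrantedAuthority> authorities = roles.stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());

        // No password is involved in SAML login; Spring's User still requires a non-null value.
        return new User(username, "N/A", authorities);
    }
}
```

The service takes effect once it is set on the `SAMLAuthenticationProvider` via `setUserDetails(...)` (with `setForcePrincipalAsString(false)` so the returned `User` becomes the principal); how that provider bean is exposed depends on how the SAML extension was configured in your project.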

Matt Raible

Hello Nathan - Unfortunately, I don’t know what could be causing this issue. I’d suggest asking your question on our Developer Forums or on Stack Overflow (with okta, saml, docker, and aws tags).

Stanislau Yarkouski

Hello Matt,

Thank you very much for this tutorial, I got it running without any issues.

We would like to use Okta as an additional authentication mechanism along with our regular authentication. If a user tries to access any page of our application without logging in, he would be redirected to our regular login page right away and not to the Okta login.

I see it like this: on our login page we would have an “Authenticate by Okta” button. When a user clicks it, it leads him to https://ourdomain/okta_protected where Okta authentication happens (as demonstrated in this tutorial). Then we take the username from the Principal, load that user from the database and provide him access to our application according to his roles.

So my questions are:

1) Can the logic that I’ve described be implemented at all?
I mean, I understand that Spring Security hardcodes the endpoint saml/SSO, so I assume setting Single sign on URL to
https://ourdomain/okta_protected/saml/SSO and modifying basePath to /okta_protected would not help.
Could you please suggest anything that I can try? Maybe setting Recipient URL and/or Destination URL somehow…

2) Let’s assume it can be done. To enable our users to use Okta authentication we should assign our Okta application to all our users. Am I right? Is there a way for automatic assignment when new users are created?

Sorry for the long post. Your reply will be really appreciated.

Matt Raible

Hello Stanislau: since your questions seem a little out-of-scope for this blog post, can you please post them to our Developer Forums? I’m not sure it’s possible to do what you’re looking for with SAML, but possibly with OIDC.