Brian Demers
Hey @disqus_A8RkmevCVK:disqus !
I’m guessing you need to declare an import for org.springframework.security.core.Authentication
https://docs.spring.io/spri…
Protip: most IDEs will do this for you. I’d be lost without it
KARAN BANSAL
Thanks Matt for the helpful answer!
It worked like a charm.
Although when I tried to modify the port of my application to 8080, I was able to run the application on https://localhost:8080, but after authentication from Okta it got redirected to https://localhost:8443. I’m not able to fix this. Am I missing something?
Matt Raible
Hello Karan: I don’t think Okta prevents you from using http vs https. However, we do recommend you use HTTPS whenever dealing with authentication. Why do you want to use 8080 (HTTP) instead of 8443 (HTTPS)?
KARAN BANSAL
Thanks for the response. The error got resolved when using a different port than 8080 (the cause is a popular IE bug).
However, how can I specify the path which will redirect for SAML authentication? My page already has two authentication methods (username/password, Google OAuth2). I have specified a different URL for both authentication mechanisms. Similarly, I want the user to select the way he wants to authenticate by navigating to a specific path. How can I do that here?
Currently any path that requires authentication is automatically redirecting to SAML authentication.
Matt Raible
Unfortunately, I don’t know how to do this with Spring Security and its SAML DSL project. I’d suggest posting your question to Stack Overflow. Another option would be to use Okta’s social login support, but that won’t help you if you want to retain password support in your app.
Vineet Waghdhare
Thanks for the tutorial Matt. I am working on a requirement which has an Angular front-end component and services exposed as web APIs (developed on Spring Boot). We are required to use SAML 2.0 on Okta to support SSO (since it is followed as the standard across the organization) for authentication and later fetch authorization roles from LDAP after a successful login.
With the given requirements, I am facing two challenges:
1. Getting the user redirected to the Angular component after a successful login?
2. Using multiple authentication providers - Okta & LDAP in an order for authentication & authorization separately.
Another doubt I want to ask is - can we eliminate all of the above complexity by using the OAuth / OpenID implementation provided by Okta and still achieve SSO between other enterprise applications in the organization?
Thanks in advance.
Matt Raible
Hello Vineet: I don’t think you have to use SAML with Okta for SSO. Using our OAuth 2.0 / OIDC support will give you the same capabilities. That being said, you could use SAML (as described in this post) and package your Angular application in your Spring Boot application. That way, you could allow Spring Boot to handle the authentication, and redirect to the root path (where your Angular app is) after authenticating. I wrote a post about how to package Angular in your Spring Boot app recently.
Vineet Waghdhare
Thanks for your response.
Packaging the Angular application within Spring Boot will be a change in architecture which would be a challenge.
Can we eliminate all of the above complexity by using the OAuth / OpenID implementation provided by Okta, and if yes, can we still achieve SSO between other enterprise applications in the organization (which are based on SAML 2.0)?
Matt Raible
As long as you have a session with Okta, you can SSO into your apps with either OIDC or SAML. You just have to set up the bookmark/template to use whichever the app needs. Fundamentally, we don’t care which one you use.
Unless there’s a compelling need to use SAML (technical or company policy), we recommend OIDC. Not only is it generally better supported and more active in the wider community, if you need to step up to full API AM later, it’s just a handful of config changes.
KARAN BANSAL
Hi Matt,
Thanks a lot for the help. I was able to configure SAML SSO using Okta as IdP.
I tried to publish my app at Okta and got the following response.
Email -
----------------------------------------------------------------------------------------------------------------------------------------------------------------
But how do you set up SAML for multiple customers?
You should take into account that the SAML configuration is different (IDP ACS URL, IDP Entity ID) for each application instance in Okta, so you need to support multi-tenant configuration. So for each application instance in Okta the IDP ACS URL is:
https://[subDomain].[environment].com/app/[appName]/[uniqueAppId]/sso/saml, where uniqueAppId is a unique value per application instance. The same is true for the IDP Issuer (Audience Restriction): http://www.okta.com/[uniqueAppId]. The certificate is also different for each customer in Okta.
----------------------------------------------------------------------------------------------------------------------------------------------------------------
How can I configure it to automate this app creation for multiple customers?
It is working fine for one customer.
Matt Raible
Can you please post your question to the Okta Developer Forums? I’m on vacation for the next couple of weeks, and I don’t know the answer to your question.
Walter Hill
Hi Matt,
Would you know how to set the RelayState in an SP-initiated SAML request?
Matt Raible
No. I don’t know because I haven’t tried to do it myself. I did a bit of searching and found this answer on Stack Overflow. Please let me know if it helps!
Walter Hill
Thanks Matt. I decided to just grab the RelayState request parameter and use it to set the Location HTTP header with a status of 307 (temporary redirect), to return to the RelayState value.
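One way to implement the redirect Walter describes, as an added example that is not code from the original post or from Walter (the landing path, handler name and allow-list are hypothetical). Because RelayState round-trips through the browser, it is attacker-controllable, so the example only redirects to paths the application owns; everything else falls back to the root.

```java
// Added example: returns the user to the RelayState target with a 307,
// but only if the target is an allow-listed path on this application.
// Assumes a Spring Boot app secured with the Spring Security SAML DSL,
// as in the tutorial; the endpoint and allow-list below are hypothetical.
import java.net.URI;
import java.util.Set;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class RelayStateController {

    // Only paths we own; blindly redirecting to RelayState is an open redirect.
    private static final Set<String> ALLOWED_PATHS = Set.of("/", "/dashboard", "/reports");

    @GetMapping("/saml/landing")
    public ResponseEntity<Void> landing(
            @RequestParam(value = "RelayState", required = false) String relayState) {
        String target = safeTarget(relayState);
        // 307 preserves the original request method, as Walter described
        return ResponseEntity.status(HttpStatus.TEMPORARY_REDIRECT)
                .location(URI.create(target))
                .build();
    }

    /** Returns relayState when it is an allow-listed application path, otherwise "/". */
    static String safeTarget(String relayState) {
        if (relayState == null || relayState.trim().isEmpty()) {
            return "/";
        }
        // Reject absolute URLs, protocol-relative URLs ("//evil.example")
        // and the backslash variant some browsers normalise to "//".
        if (!relayState.startsWith("/") || relayState.startsWith("//")
                || relayState.startsWith("/\\")) {
            return "/";
        }
        // Compare the path only; keep the query/fragment on the redirect if allowed.
        String path = relayState.split("[?#]", 2)[0];
        return ALLOWED_PATHS.contains(path) ? relayState : "/";
    }
}
```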
Ramakrishna Vemuri
I tried the example but I am getting “No IDP was configured,Please update included metadata with atleast one IDP.” How do I set the IdP? I have provided the metadata-url in the application.properties as specified in the example.
Ramakrishna Vemuri
Got it to work now. Thanks.
Saurabh G
@disqus_mxwedXEbvD:disqus I was able to use the Okta IdP from localhost using HTTP. But as said by Matt, we should use authentication with HTTPS. Please let me know if you were able to run on HTTP in the end.
Saurabh G
Attaching the sample code; this way I’m able to print the user name. You can get other details in code similarly.
Saurabh G
You may use it like this - https://uploads.disquscdn.c…
James
What is the point of using a keystore here? If I want to use HTTP instead of HTTPS and don’t want to use a keystore within the application, as my cloud environment provides the SSL, does it support working on HTTP?