Get Started with Spring Boot, SAML, and Okta

GWRose

Hi Matt, thank you for this post. Before I start walking through the steps you’ve outlined, I wanted to see if you were aware of a similar tutorial for a “standard” Java web app, e.g. minus Spring Boot. By standard, I mean something as basic as a .jsp or servlet plus Tomcat and any required config files. What I’m hoping to be able to do is tease out any Spring Boot-specific steps, as my app does not use it.

On a related note, do you happen to be aware of any guides for migrating from onelogin to Okta?

Matt Raible

Hello GWRose,

I’m sorry for the delayed response, I was on vacation the last couple of weeks. If you’re looking for something that works with Okta and doesn’t use Spring Boot, you can check out my Build a Java REST API with Java EE and OIDC post. It doesn’t use SAML, it uses OIDC. However, it shows three techniques that should work with most Java web apps. If you’d prefer to use SAML, you might check out Pac4J’s SAML implementation.

As far as migrating from OneLogin to Okta, I don’t know of any guides. I’d just be googling for the answer. :wink:

Abhinav Priyadarshi

Can you just tell how the Service Provider (SP), in this case the Spring application, generates its metadata file and how that file is communicated to Okta for establishing the connection (with reference to the code)?

Matt Raible

It’s not generating its metadata file, it’s merely pointing to the one that Okta creates. For example, in application.properties, I have:

security.saml2.metadata-url = https://dev-158606.oktapreview.com/app/exke0mu7zknCJ5m140h7/sso/saml/metadata

You can see all the code in this example on GitHub.

venkat pasupuleti

How did you solve this issue? Could you please elaborate on it? I’m stuck with the same issue.

k m

Hi

I have successfully implemented the sample and I must say this tutorial is very helpful.

Problem

But now I want to make a REST API to confirm whether the JSESSIONID passed is valid or not. Currently, if any REST API request comes with any JSESSIONID, Spring Security checks for a valid session id, and if the JSESSIONID is not valid it gives an HTML page, which I don’t want. I want a verification API in which we have the JSESSIONID and could verify whether the JSESSIONID is valid and logged in (valid session). I was able to bypass the SAML by .antMatchers("/auth*").permitAll() and it is coming into my rest controller function, but here I could not validate whether my session id is valid or not.

Tried Solution
I was trying to implement SessionRegistry but it was not having any sessions, and I tried to follow https://stackoverflow.com/q… with the above code, but I’m not understanding how to integrate it with the solution provided.

Could you @mattraible help me with this.

Matt Raible

I’m sorry. I don’t know how to do this. I’ve never tried to write this type of logic before. I’d suggest you ask your question on our developer forums and hope there’s a community member that can help.
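The session check k m asked about, as an added example that is not code from the post or from Matt: a hypothetical controller under the /auth* paths the question already opened with permitAll(), answering with JSON and a status code instead of the login page. It assumes Spring Boot with Spring Security on the classpath; the /auth-check path and the response fields are invented for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller. "/auth-check" matches the "/auth*" pattern that the
// question marked permitAll(), so Spring Security never redirects this request
// to the SAML login page. The security filter chain still runs, so when the
// JSESSIONID cookie maps to a live session that holds a SAML authentication,
// the SecurityContext is already populated by the time this method executes.
@RestController
public class SessionCheckController {

    @GetMapping("/auth-check")
    public ResponseEntity<Map<String, Object>> check(HttpServletRequest request) {
        // false: never create a session just to answer the question
        HttpSession session = request.getSession(false);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // A JSESSIONID that the container no longer knows is reported as invalid
        boolean sessionValid = session != null && request.isRequestedSessionIdValid();
        // Spring fills in an AnonymousAuthenticationToken for unauthenticated
        // callers, so "non-null and authenticated" alone is not enough
        boolean loggedIn = sessionValid
                && auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);

        Map<String, Object> body = new LinkedHashMap<>();
        body.put("sessionValid", sessionValid);
        body.put("authenticated", loggedIn);
        if (loggedIn) {
            // Say who is logged in, but never echo the session id back to the caller
            body.put("principal", auth.getName());
        }
        // 401 when there is no usable login, 200 otherwise: JSON either way, no HTML
        return new ResponseEntity<>(body, loggedIn ? HttpStatus.OK : HttpStatus.UNAUTHORIZED);
    }
}
```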

Kumar

Hi,

Thanks for the guide. Could you help me with where we can generate a logout URL which can log out from the Okta session, and how do we configure this?

Matt Raible

Hello Kumar: I asked the Spring Security team for a logout example in May 2017. There are comments on that issue that show how to log out. I haven’t tried the suggestions myself.

MP

You can create a metadata.xml file under the /sec/main/resource folder and copy the values provided by Okta (you will find this on your account → application → Sign On page).

And then change .metadataFilePath in the SecurityConfiguration → configure method:

.metadataFilePath(URLEncoder.encode("metadata.xml", "UTF-8"));

Praveen Patil

Hi Rajendra, I am trying to use webSSOProfileConsumer(ssoConsumer), but I get an error: The method webSSOProfileConsumer(WebSSOProfileConsumerImpl) is undefined for the type HttpSecurity

How did you solve this problem?

Daynok

Really good post! I’ll admit… it took waaay too long for me to find the “Identity Provider metadata” link… this is the metadata link that ya need.

I mistakenly was digging under app → Sign On → “View Setup Instructions” and app → General → “SAML Settings” for ages lol. I’m dumb.

Dev

Hi,
I’m successfully logged in with your guidelines, thank you.
Now I’m trying to log in with my own IdP application. This does not require a service provider signature.

Could you please help me: how do I disable the service provider signature on the SAML request?

http.authorizeRequests().antMatchers("/saml*").permitAll().anyRequest().authenticated().and().apply(saml())
        .serviceProvider()
            .keyStore()
                .storeFilePath(this.keyStoreFilePath)
                .password(this.password)
                .keyname(this.keyAlias)
                .keyPassword(this.password)
                .and()
            .protocol("https")
            .hostname(String.format("%s:%s", "localhost", this.port))
            .basePath("/")
            .and()
        .identityProvider()
            .metadataFilePath(this.metadataUrl);

Matt Raible

I’m sorry, I don’t know the answer to this question. You might try posting it to Stack Overflow and tagging it with “spring-security” and “saml”.

Daniel Cody

Hey,

I was having an issue once I deployed this code out to a clustered Kubernetes environment: the sessions need to hit the same pod or the auth does not persist. Is there a way to share the SAML session across multiple instances of the app running? For the traditional OAuth implementation we use Redis to persist the tokens, so no matter what node you hit it persists. Is there a way to do this?

Thanks,

Dan

Matt Raible

Hello Dan,

You can use Spring Session to replace the default HttpSession implementation. You can use Redis with Spring Session. See https://docs.spring.io/spri… for more information.
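The Spring Session setup Matt points to, as an added example rather than code from the post or the project: a hypothetical SessionConfig class that keeps the HttpSession, and with it the SAML login, in Redis so any pod behind the load balancer can serve the next request. It assumes the spring-session-data-redis and spring-boot-starter-data-redis dependencies are present; the hostname redis is a placeholder for your Redis Service.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

// Hypothetical configuration class (not from the post). @EnableRedisHttpSession
// swaps the servlet container's in-memory HttpSession for one backed by Redis,
// so the SAML authentication stored in the session after login is visible to
// every pod, not only the one that handled the Okta response.
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800) // idle session TTL kept in Redis
public class SessionConfig {

    // Spring Boot's auto-configuration backs off when a RedisConnectionFactory
    // bean is defined. "redis" is a placeholder hostname; in Kubernetes use the
    // name of the Redis Service. The equivalent property-only setup is
    //   spring.session.store-type=redis
    //   spring.redis.host=redis
    // with no bean at all.
    @Bean
    public RedisConnectionFactory redisConnectionFactory() {
        return new LettuceConnectionFactory("redis", 6379);
    }
}
```

Everything placed in the session, the SAML authentication included, must be serializable by the session serializer in use. In Spring Session 2.1 and later the session cookie defaults to SameSite=Lax, which browsers do not send on the cross-site POST from Okta’s HTTP-POST binding, so confirm that login still completes end to end after the switch.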

J S

Hi Matt, I did not get the importance of configuring one user account for the Spring application, because in reality, assume 1000s of users want to access my apps. In this case, do we create 1000 accounts? Please guide me on how we achieve authenticating 1000s of users for my application through this OKTA SAML integration. I really appreciate your time.

Matt Raible

I don’t think it makes any difference if you have one user accessing your app or thousands of users. The code will be the same. I do recommend using OIDC instead of SAML, though; it’s much easier to work with in my opinion. See OAuth 2.0 Java Guide: Secure Your App in 5 Minutes for more information.

J S

Thank you very much, Matt. I will go through the link you provided. I am still curious to know how we add multiple users to my application through OKTA. How do we add multiple metadata URLs (for different users) in the .YAML file? Please help me to understand this approach also. Thank you for guiding me.

Matt Raible

There is no YAML file referenced in this post, so I’m guessing you’re referring to the properties file. The metadata URL is for the Okta org you’re using, not for a particular user. You can add thousands of users to your Okta org (manually or by importing them). See User Migration: The Definitive Guide for more information on getting your users into Okta.