I'm logged in using SAML, but app says I'm anonymousUser

I’m mostly following the instructions for setting up SAML with Spring Boot written by Matt Raible, but with my own application:

The big difference is I’m setting up Groups and am logged in as a member of a Group. However, this code shows my id as being anonymousUser with no authorities:

	import java.util.Collection;
	import java.util.Iterator;
	import org.springframework.security.core.Authentication;
	import org.springframework.security.core.GrantedAuthority;
	import org.springframework.security.core.context.SecurityContextHolder;

	// Read the current principal from the thread-bound SecurityContext.
	// "anonymousUser" here means AnonymousAuthenticationFilter filled the
	// context in, i.e. no SAML authentication was ever established.
	Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
	String user = authentication.getName();

	// Authorities attached to the Authentication; empty for anonymousUser.
	Collection<? extends GrantedAuthority> roles = authentication.getAuthorities();

	Iterator<? extends GrantedAuthority> iter = roles.iterator();
	while (iter.hasNext()) {
		GrantedAuthority role = iter.next();
		System.out.println("Role: " + role.getAuthority());
	}

I can view my SAML XML using SAML tracer in Firefox and it clearly shows my real id and Roles. The format I’m seeing is similar to the one I’ve seen using PicketLink with JBoss and Oracle Access Manager. That worked fine, but I need to convert that application to Spring Boot using Okta.

So why can’t Spring Security in Spring Boot see who I am and what I’m authorized to do?

I have a theory on why I have the problem. In the instructions it says to set up two URLs in the Okta configuration:

https://localhost:8443/saml/SSO/
https://localhost:8443/saml/metadata

The problem is, as I see it, that no filters have been set up for these URLs. As a result, even though Okta is POSTing good XML to the application, there is no filter to receive the information and process it.

So the application SEEMS to work, but in fact every user is treated as an anonymous user, so there is no way to see who actually logged in, give anyone special privileges in the application, or even limit who can use the application.

There is another example that actually sets up these filters:

I’m having a hard time getting this to even run, but it clearly shows the filters set up.

I don’t have the problem now. Not sure why I had it to begin with. Also, the “vdenotaris” sample is out of date and shouldn’t be used by anyone. Matt Raible’s example is the one to use. However, you need to implement a SAMLUserDetailsService to get the attributes and user name out of the SAML XML and store them in a UserDetails object. Spring Security doesn’t do this for you. On the other hand, doing it yourself gives you a great deal of flexibility.

Once you have the UserDetails created properly you can restrict access to the application by Authorities. All this is in the Spring Security docs and should be easy to understand once you have a working SAMLUserDetailsService.
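
Here is what such a SAMLUserDetailsService can look like. This is an added example, not code from the original answer or from Matt Raible’s tutorial. It assumes the Okta application is configured with a Group Attribute Statement named "groups" (the GROUPS_ATTRIBUTE constant, class names and the package are assumptions), uses the Spring Security SAML extension's SAMLCredential API, and maps each group to a ROLE_ prefixed authority so that hasRole(...) checks work:

```java
package com.example.saml; // assumed package name

import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Service;

/**
 * Turns the SAML assertion Okta POSTs to /saml/SSO into a UserDetails object.
 * Spring Security SAML calls loadUserBySAML() once per successful SSO; the
 * returned object becomes Authentication.getPrincipal() and its authorities
 * become Authentication.getAuthorities(), which is exactly what the
 * SecurityContextHolder code in the question prints.
 */
@Service
public class OktaSamlUserDetailsService implements SAMLUserDetailsService {

    // Assumed name of the multi-valued group attribute; it must match the
    // Group Attribute Statement name configured in the Okta application.
    static final String GROUPS_ATTRIBUTE = "groups";

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // The NameID is the assertion subject: the user's login id in Okta.
        String username = credential.getNameID() == null ? null : credential.getNameID().getValue();
        if (username == null || username.trim().isEmpty()) {
            throw new UsernameNotFoundException("SAML assertion carries no NameID");
        }

        List<GrantedAuthority> authorities = new ArrayList<>();

        // getAttributeAsStringArray() returns null when the attribute is absent,
        // so a user with no group memberships gets an empty authority list
        // (and is then denied by any hasRole rule) instead of a NullPointerException.
        String[] groups = credential.getAttributeAsStringArray(GROUPS_ATTRIBUTE);
        if (groups != null) {
            for (String group : groups) {
                if (group == null || group.trim().isEmpty()) {
                    continue;
                }
                // hasRole("ADMIN") looks for the authority "ROLE_ADMIN", so
                // normalise each Okta group name into that form.
                String role = "ROLE_" + group.trim().toUpperCase().replace(' ', '_');
                authorities.add(new SimpleGrantedAuthority(role));
            }
        }

        // No password exists for a SAML user; an empty string satisfies the
        // User constructor without inventing a credential.
        return new User(username, "", authorities);
    }
}

/**
 * Registers the service with the SAML authentication provider. With the
 * classic Spring Security SAML configuration this is the piece that makes the
 * UserDetails object (rather than a plain String) the principal.
 */
@Configuration
class SamlProviderConfig {

    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider(SAMLUserDetailsService userDetailsService) {
        SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider();
        provider.setUserDetails(userDetailsService);
        // Keep the UserDetails object as the principal instead of flattening it to its name.
        provider.setForcePrincipalAsString(false);
        return provider;
    }
}
```

Once this is in place, the usual rules in configure(HttpSecurity), for example http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated(), are evaluated against the authorities built from the Okta groups. If you are using the spring-security-saml-dsl from the tutorial instead of a hand-written provider bean, register the service through the DSL's userDetailsService(...) setter on saml() (I believe that is the method name; check your DSL version).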

@jdsimmon
Could you please show me the code for SAMLUserDetailsService, or give a link to refer to?