WSO2IS as an IdP for Spring Application with SAML2

Sajith Abeywardhana
Integration / DevOps Consultant

In this article, we will discuss how to integrate WSO2 Identity Server with a Spring boot application using SAML2. SAML2 is an open security standard.

Using SAML2 integration within the Spring boot application enables users to authenticate to that application using WSO2 IS. Our Spring boot application acts as a SAML2 service provider (SP) and WSO2 IS acts as a SAML2 identity provider (IdP). The user is the ‘principal’, and this article uses the service provider-initiated SAML2 flow.

The below diagram depicts the SAML2 flow.

The article is divided into the following main topics:

  • Creating a service provider in WSO2 IS
  • Implementing the Spring boot application
  • Testing the use case

Creating a service provider in WSO2 IS

  1. Start WSO2 IS, log in to the management console, and navigate to Identity > Service Providers > Add [1].
  2. Enter the service provider name as “SpringbootSAML2SP” and click on the “Register” button.
  3. In the service provider’s “Basic Information” window we have to give an Application Certificate. This certificate is used when validating the SAML2 requests sent by our Spring boot application.

Note: Keystore and certificate creation belong to the Spring boot application, but we create both in this section because we need to insert the certificate when configuring the service provider in WSO2 IS.

A. Create a new keystore
keytool -genkey -keyalg RSA -alias saml2cert -keystore keystore.jks -storepass password -validity 365 -keysize 2048

B. Export the certificate
keytool -export -keystore keystore.jks -alias saml2cert -file certificate.cer

C. Use the following command to display the certificate in the terminal. Then copy the content of it and paste it in the service provider’s application certificate section in the WSO2 IS admin console.
keytool -printcert -rfc -file certificate.cer

D. Tick the “SaaS Application” checkbox and then scroll to the “Inbound Authentication Configuration” -> SAML2 Web SSO Configuration. Click on the Configure link.

E. Configure the service provider information as below and click on the “Register” button.

  • Issuer: http://localhost:8080/saml2/service-provider-metadata/wso2
    Unique identifier of the service provider. This is also the issuer value specified in the SAML Authentication Request issued by the service provider.
  • Assertion Consumer URLs: http://localhost:8080/login/saml2/sso/wso2
    This is the URL to which the browser should be redirected after the authentication is successful.

Keep the remaining configuration as default and update the service provider.

Implementing the Spring boot application

To create a Spring boot project, I will use the Spring Initializr web tool, then import the project into the IDE and do the rest of the implementation there.

Complete sample project in Bitbucket: https://bitbucket.org/yenlo/yenlo_springboot-wso2is-sample 

Step 1

Open the https://start.spring.io/ web page and enter the project artifacts as below.

Group: com.wso2is.saml2.sample
Artifact: springboot-wso2is-sample

Add the dependencies Thymeleaf, Spring Security, Spring Boot DevTools and Lombok.

Click “Generate” to download the project, then import it into your IDE as a Maven project.

Step 2

Add the following SAML2 dependency to the project.

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>

Step 3

After we have implemented all our sample code, our project structure will look as below:

Step 4

When the user tries to login to the Spring boot application, they need to authenticate first using the SAML2 flow. The WebConfiguration class will intercept the login and it will initiate the SAML2 request as shown below:

Step 5

The controller below takes care of the HTTP requests. When the user executes the HTTP GET via http://localhost:8080/login, it will use the autowired relying parties configuration to get the required certificates, private keys, SSO URL, etc.

Step 6

Configure “wso2” relying party using the application.properties file.

A. Generate a private key: As we already have a KeyStore and a certificate, use the following commands to generate a private key.
keytool -importkeystore -srckeystore keystore.jks -srcstorepass password -srckeypass password -srcalias saml2cert -destalias saml2cert -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass password -destkeypass password

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out private_key.pem

B. Generate the certificate from wso2carbon.jks.
keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2is-certificate.cer
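
The private key exported in step A has to belong to the certificate that was pasted into the WSO2 IS service provider, and -nodes leaves that key unencrypted on disk. The script below is an added example, not part of the original article or its sample project; it checks both points with openssl. The script name check_sp_keys.sh, the files cert.pem and other_key.pem, and the material built by make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the SP key material created in this article.
# File names follow the article; make_sample builds constructed stand-ins.

# PEM public key derived from a private key (text outside the PEM block,
# such as the "Bag Attributes" lines written by `openssl pkcs12`, is ignored).
pub_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# PEM public key from a certificate; `keytool -export` writes DER unless -rfc
# is given, so try DER first and fall back to PEM.
pub_from_cert() {
  openssl x509 -in "$1" -inform DER -pubkey -noout 2>/dev/null ||
    openssl x509 -in "$1" -inform PEM -pubkey -noout 2>/dev/null
}

# 0 if key and certificate carry the same public key, 1 if not, 2 if unreadable.
pair_matches() {
  k=$(pub_from_key "$1") || return 2
  c=$(pub_from_cert "$2") || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 only if group and others have no permissions on the key file.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Constructed sample material in directory $1 (self-signed, throwaway).
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=saml2cert" \
    -keyout "$1/private_key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/certificate.cer" &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$1/other_key.pem" 2>/dev/null
}

# Usage (hypothetical script name): sh check_sp_keys.sh private_key.pem certificate.cer
if [ "$#" -eq 2 ]; then
  pair_matches "$1" "$2" || { echo "key and certificate do not match" >&2; exit 1; }
  key_is_private "$1" || { echo "key is readable by group/others; chmod 600" >&2; exit 1; }
  echo "ok: $1 matches $2 and is private"
fi
```

A mismatch here means the IdP would validate signed requests against a certificate that does not correspond to the key the application signs with.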

Step 7

Create a sample HTML file to display the SAML response.

Create an index.html page inside the resources/templates/ folder. Once the IdP redirects the request, the ACS URL controller will call this sample index page.

Testing the use case

Step 1

Now build and run the Spring boot application.

Step 2

Open the web browser and enter the URL as http://localhost:8080/login

You should be redirected to the WSO2 IS login page. Enter the username/password (admin/admin) and then click on the “Continue” button.

Step 3

You will be redirected to the Spring boot application and the index page will be displayed with SAML2 response information.

Conclusion

This blog has outlined a Spring boot application that delegates user authentication to WSO2 Identity Server. Connecting a Spring boot application to an Identity Provider means that certificates and keys must be generated, and that a few configurations must be performed on both the Spring boot application and the WSO2 Identity Server side.

Using SAML2 we’ve demonstrated that we can use WSO2 Identity Server simply as a Single Sign-On engine for our Spring-boot application.

References:

[1]. https://is.docs.wso2.com/en/5.9.0/learn/adding-and-configuring-a-service-provider/#
[2]. https://github.com/spring-projects/spring-security/blob/master/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc#saml-2-login—not-yet-supported