How do I configure Spring Security SAML to work with Okta?
I'm trying to make the spring-boot-security-saml-sample application work with Okta. To add Okta as a provider, I've made the following changes to WebSecurityConfig.java:

https://gist.github.com/mraible/c8b52972f76e6f5e30d5

I found the following question that provides some guidance, but I can't quite get things to work.

configuring saml-sample (SP) to work with Okta (IdP)

Here's what I'm using for values on Okta:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO/alias/defaultAlias
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Compressed
Destination: http://localhost:8080/saml/SSO/alias/defaultAlias
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}

It looks like it works from the logs:

[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- BaseMessageEncoder: Successfully encoded message.
[2014-12-30 12:18:33.004] boot - 18748 DEBUG [http-nio-8080-exec-8] --- HttpSessionStorage: Storing message a12gf64fh3f35fgh2a8dd1fd0i0dc02 to session C5D010344EF5D022718B12B6D25F1D1E
[2014-12-30 12:18:33.004] boot - 18748  INFO [http-nio-8080-exec-8] --- SAMLDefaultLogger: AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;com:vdenotaris:spring:sp;http://www.okta.com/k2gpb06TOMYOKAWUSXJM;;;

However, it redirects me to Okta's site rather than back to my site.

Tiaratibbetts answered 30/12, 2014 at 22:30 Comment(1)
I don't have any personal experience with this but I know the Cloud Foundry identity team has done it. See source code here: github.com/cloudfoundry/login-server/tree/master/src/main/….Erbium

I got it to work! The key appears to be setting Request to "Uncompressed". From there, I removed "alias/defaultAlias" since this only seems to work when you set an alias on the ExtendedMetadata. My settings that work on the Okta side:

Application label: Spring Boot SAML App
Force Authentication: false
Post Back URL: http://localhost:8080/saml/SSO
Name ID Format: EmailAddressRecipient
Recipient: http://localhost:8080/saml/SSO
Audience Restriction: com:vdenotaris:spring:sp
authnContextClassRef: PasswordProtectedTransport
Response: Signed
Assertion: Signed
Request: Uncompressed
Destination: http://localhost:8080/saml/SSO
Default Relay State: (none)
Attribute Statements: email|${user.email},firstName|${user.firstName}
Tiaratibbetts answered 5/1, 2015 at 20:41 Comment(3)
For anyone integrating Okta with Spring SAML, the manual now contains a basic step-by-step integration guide for Okta, see docs.spring.io/autorepo/docs/spring-security-saml/…Playhouse
@VladimírSchäfer Could you please update the Java config in the link you provided above.Robinett
Here's a guide I updated last month (October 2017): developer.okta.com/blog/2017/03/16/spring-boot-samlTiaratibbetts

Matt,

Try setting the "Post Back URL" to "localhost:8080/saml/SSO/alias/defaultAlias".

From the looks of your configuration, "localhost:8080/saml/SSO/alias/defaultAlias" is the SAML endpoint on "localhost", which is where we post the SAML Response to.

Right now with it being "localhost:8080/" - your demo site is probably just redirecting you back to Okta rather than parsing the SAML response.

You haven't mentioned what you have done on the Okta side to test this out. Here are the instructions on how to do it - https://support.okta.com/entries/27560008-Using-the-App-Integration-Wizard - using our App Wizard, which creates the proper SAML IdP endpoints on the Okta side. The SAML login URL on the Okta side is needed by your demo site so that it knows where to redirect SAML requests to.

For more info on SAML - you can check out our SAML guidance on our developer site - http://developer.okta.com/docs/getting_started/saml_guidance.html

Let me know how it goes. Cheers

Stephen

Petta answered 31/12, 2014 at 18:32 Comment(2)
I tried that, still doesn't work. I used the Template SAML 2.0 Application to create an app on the Okta side. I was able to get Node and Sinatra applications working easily. A lot less code too.Tiaratibbetts
I tried changing the Request to "Uncompressed" on the Okta side of things and got a bit further. Now it redirects back to my app, but I see the following error in my logs: gist.github.com/mraible/02ad43d4deb7823ce449Tiaratibbetts
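The two answers above come down to the same two settings on the SP side: which URL Spring SAML actually listens on for the SAML Response (with or without the /alias/defaultAlias suffix), and which binding it uses for the AuthnRequest (the HTTP-Redirect binding DEFLATE-compresses the request, the HTTP-POST binding only base64-encodes it, which is what Okta's "Request: Compressed" / "Uncompressed" switch refers to). The Java config below is an added example, not code from the question's gist or from the spring-boot-security-saml-sample project. It assumes the sample app's existing KeyManager and ParserPool beans are available for injection, the package name and the Okta metadata URL are placeholders, and the entity ID and base URL are the ones from the Okta settings listed in the accepted answer.

```java
package com.example.saml.config; // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import java.util.Timer;

import org.apache.commons.httpclient.HttpClient;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

@Configuration
public class OktaSamlConfig {

    // Placeholder: copy the "Identity Provider metadata" link from the Okta app's Sign On tab.
    private static final String OKTA_METADATA_URL =
            "https://YOUR-ORG.okta.com/app/YOUR-APP-ID/sso/saml/metadata";

    // Values that must agree with the Okta application settings.
    private static final String SP_ENTITY_ID = "com:vdenotaris:spring:sp";   // Okta "Audience Restriction"
    private static final String SP_BASE_URL  = "http://localhost:8080";

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata md = new ExtendedMetadata();
        // The alias is the only thing that turns /saml/SSO into /saml/SSO/alias/defaultAlias.
        // Remove this line and Okta's Post Back URL / Recipient / Destination must be
        // http://localhost:8080/saml/SSO instead; keep it and they must carry the suffix.
        md.setAlias("defaultAlias");
        md.setIdpDiscoveryEnabled(false);
        md.setSignMetadata(false);
        return md;
    }

    @Bean
    public MetadataGenerator metadataGenerator(KeyManager keyManager, ExtendedMetadata extendedMetadata) {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(SP_ENTITY_ID);       // assertion Audience is checked against this
        generator.setEntityBaseURL(SP_BASE_URL);   // AssertionConsumerService URL is derived from this + alias
        generator.setExtendedMetadata(extendedMetadata);
        generator.setIncludeDiscoveryExtension(false);
        generator.setKeyManager(keyManager);
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter(MetadataGenerator generator) {
        return new MetadataGeneratorFilter(generator);
    }

    @Bean
    public ExtendedMetadataDelegate oktaMetadataProvider(ParserPool parserPool) throws MetadataProviderException {
        HTTPMetadataProvider provider =
                new HTTPMetadataProvider(new Timer(true), new HttpClient(), OKTA_METADATA_URL);
        provider.setParserPool(parserPool);
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // Trust in the Response/Assertion signatures is anchored on the certificate inside Okta's metadata.
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataRequireSignature(false);
        return delegate;
    }

    @Bean
    @Qualifier("metadata")
    public CachingMetadataManager metadata(ExtendedMetadataDelegate oktaMetadataProvider)
            throws MetadataProviderException {
        List<MetadataProvider> providers = new ArrayList<>();
        providers.add(oktaMetadataProvider);
        return new CachingMetadataManager(providers);
    }

    @Bean
    public WebSSOProfileOptions defaultWebSSOProfileOptions() {
        WebSSOProfileOptions options = new WebSSOProfileOptions();
        options.setIncludeScoping(false);
        // Pin the AuthnRequest to HTTP-POST. POST carries a plain base64 request
        // (Okta: Request = Uncompressed); HTTP-Redirect would DEFLATE it (Okta: Request = Compressed).
        // If this is left unset, Spring SAML takes the first binding Okta advertises in its metadata.
        options.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        return options;
    }

    @Bean
    public SAMLEntryPoint samlEntryPoint(WebSSOProfileOptions defaultWebSSOProfileOptions) {
        SAMLEntryPoint entryPoint = new SAMLEntryPoint();
        entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions);
        return entryPoint;
    }
}
```

A quick check after wiring this in: fetch http://localhost:8080/saml/metadata from the running app and read the AssertionConsumerService Location in the generated SP metadata. That URL, exactly as printed, is what belongs in Okta's Post Back URL, Recipient and Destination fields; a mismatch between it and the Okta settings is what leaves the browser on Okta's side instead of posting the Response back to the app.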
