IDP initiated SAML sign on with Multi Tenant SP configuration

I have a working setup of an IDP initiated SAML sign on to our single SP. The metadata configuration is as shown:

Code:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- Local metadata for SP: certificate + key data for SP initiated calls. It doesn't look like the keys are needed for the current IDP initiated SAML login -->
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:sp-metadata.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            <!-- IDP metadata: configured with IDP provided certificate and public key data -->
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:idp-metadata.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </list>
    </constructor-arg>
    <property name="defaultExtendedMetadata">
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="local" value="true"/> <!-- Indicates configuration for local SP -->
            <property name="alias" value="${saml_sp_alias}"/>
            <property name="securityProfile" value="metaiop"/>
            <property name="requireArtifactResolveSigned" value="false"/>
            <property name="requireLogoutRequestSigned" value="false"/>
            <property name="requireLogoutResponseSigned" value="false"/>
            <property name="idpDiscoveryEnabled" value="false"/>
        </bean>
    </property>
    <property name="hostedSPName" value="${saml_sp_alias}"/>
</bean>

With the above setup, the application parses the token (the binding used is HTTP-POST), authenticates, and logs in the user. So far so good. Now I need to be able to support multiple IDPs and SPs for my one application. SAML sign on will still be IDP initiated. I read from the documentation that Multi Tenant SP configuration is possible by using the ExtendedMetadataDelegate bean. I'm just not sure as to how I need to use it. I tried a few things:

1. I added new "FilesystemMetadataProvider" beans with metadata for the new SP configuration to the existing CachingMetadataManager bean, but it seems like the assertion validation fails because the expected audience does not match the value in the "hostedSPName" of my metadata configuration (now that I have multiple SPs).

2. I added a new bean (in addition to the CachingMetadataManager):

Code:

<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:sp-metadata-2.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="local" value="true"/>
            <property name="alias" value="sp-2"/>
            <property name="securityProfile" value="metaiop"/>
            <property name="requireArtifactResolveSigned" value="false"/>
            <property name="requireLogoutRequestSigned" value="false"/>
            <property name="requireLogoutResponseSigned" value="false"/>
            <property name="idpDiscoveryEnabled" value="false"/>
        </bean>
    </constructor-arg>
</bean>

With this I don't even see the assertion being authenticated.

I'm new to this and spent a few days looking at the code and the documentation to try and figure things out. We currently use Spring Security and I was very happy to find that SAML integration is possible with Spring Security. I'm trying to stack SAML authentication on top of the other GUI + SiteMinder authentication that we currently support.
Thanks to the SAML dev team for all the great work on this. I'd appreciate a little guidance in trying to figure this problem out.
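An added configuration example (not from the original post and not the Spring Security SAML project's own sample) showing how the two attempts above combine: each local SP's metadata is wrapped in its own ExtendedMetadataDelegate with a distinct alias, and all of them sit inside the one CachingMetadataManager list next to the IDP metadata, instead of being declared as a separate top-level bean. The file names, the parserPool bean and the ${saml_sp_alias} placeholder are taken from the post; the alias sp-2 and the endpoint URL in the comments are assumptions.

```xml
<!-- Added example: one CachingMetadataManager holding two local SPs plus the IDP.
     Assumes the parserPool bean and metadata files named in the post; "sp-2" and the
     endpoint URL below are placeholders. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- Local SP 1: wrapped so it carries its own ExtendedMetadata (local=true, alias) -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:sp-metadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>
                        <property name="alias" value="${saml_sp_alias}"/>
                        <property name="securityProfile" value="metaiop"/>
                        <property name="idpDiscoveryEnabled" value="false"/>
                    </bean>
                </constructor-arg>
            </bean>

            <!-- Local SP 2: same pattern, different metadata file and a distinct alias.
                 sp-metadata-2.xml is expected to declare its AssertionConsumerService at
                 the alias-specific path, e.g. https://app.example.com/saml/SSO/alias/sp-2
                 (placeholder host), and the IDP must POST the Response to that URL. -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:sp-metadata-2.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>
                        <property name="alias" value="sp-2"/>
                        <property name="securityProfile" value="metaiop"/>
                        <property name="idpDiscoveryEnabled" value="false"/>
                    </bean>
                </constructor-arg>
            </bean>

            <!-- IDP metadata: remote entity, so no local=true ExtendedMetadata is attached -->
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:idp-metadata.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </list>
    </constructor-arg>
    <!-- Default local SP, used only when the request path carries no /alias/<name> segment -->
    <property name="hostedSPName" value="${saml_sp_alias}"/>
</bean>
```

The point of the alias is that the filter chain selects the local SP from the /alias/&lt;name&gt; segment of the URL the IDP posts to, and only then checks the assertion's Audience against that SP's entityID. With plain FilesystemMetadataProvider beans, every local SP inherits the single defaultExtendedMetadata alias, so the audience of an assertion meant for the second SP is compared against the first SP's entityID and validation fails, which matches the symptom described in attempt 1. Keeping that audience check strict is what stops an assertion issued for one tenant from being accepted by another, so the fix is to give each SP its own alias and endpoint rather than to relax the check.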
