
How to use Spring SAML code with jks or signed metadata

The IDP only provided a .crt file and a metadata XML file, and the IDP told us there is no password for the .crt file. I created the jks file with the command: keytool -import -alias zoom -trustcacerts -file qa.crt -keystore keystory.jks. Now I have downloaded the Spring SAML demo code and changed the securityContext.xml as below:

--------metadata.xml---------------------

<md:EntityDescriptor entityID="gene.com" cacheDuration="PT1440M" ID="dfhGJ7yKW7C3nvicVEN.puf7bSh" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#dfhGJ7yKW7C3nvicVEN.puf7bSh">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>lSCVZb+3JcGXnhwYj5IQqxaM2UaBbmiTOYa/fO5NRAo=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
        {my ds:SignatureValue}
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                {my ds:X509Certificate}
            </ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>
                    {my ds:Modulus}
                </ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    {my ds:X509Certificate}
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="WorkPhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="ChrisID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Account" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MobilePhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Sex" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative">
    <md:Company>Genentech Inc.,</md:Company>
    <md:GivenName>IAM-DFS</md:GivenName>
    <md:EmailAddress>GLOORG_SAS-AMS-Web-Access-Services-Comms@msxdl.roche.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>


<bean id="samlMetadataManager" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean id="samlRocheIDP" class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:qa.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="samlParserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

--------------securityContext.xml--------------------

But it always fails when the SP initializes, with this error message:

Signature verification failed.
Signature trust establishment failed for metadata entry https://b2b.roche.com
Error filtering metadata from E:\Workspace2\saml\spring-security-saml\target\classes\qa.xml

And my question is: how do I integrate Spring SAML with a signed metadata XML file? Should I create another jks file? I have cloned many Java demos; they have configured metadata XML files and jks files in springWebSecurityContext.xml.

But I think the metadata XML already contains the certificate and the secret key. I don't think I need to configure the jks file anymore, right?

Can you help me find out how to integrate SAML into my project? Thank you, everyone!

Make sure you have a proper .jks file. You will need a bean for the KeyManager.

@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    // Keystore holding the SP's own key pair plus the trusted IdP certificate(s)
    Resource storeFile = loader
        .getResource("classpath:/saml/keystore.jks");
    String storePass = "nalle123";
    // alias -> key password, one entry per private key the SP will use
    Map<String, String> passwords = new HashMap<String, String>();
    String defaultKey = "apollo";
    passwords.put("apollo", "nalle123");
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

You can have multiple keys and passwords in this map, but one of them needs to be the default. This bean is also used by the MetadataGenerator bean.

You can import the certificate into the keystore; the script below can be used:

IDP_HOST=<hostip>
IDP_PORT=<port>
CERTIFICATE_FILE=certfile.cert
KEYSTORE_FILE=keystore.jks
KEYSTORE_PASSWORD=<password>

# fetch the certificate chain presented by the IdP and keep only the PEM blocks
openssl s_client -host $IDP_HOST -port $IDP_PORT -prexit -showcerts </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $CERTIFICATE_FILE
# remove any stale entry under the alias, then import the fresh certificate
keytool.exe -delete -alias <put alias name here> -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool.exe -import -alias <put alias name here> -file $CERTIFICATE_FILE -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -noprompt
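The failure in the question ("Signature trust establishment failed for metadata entry") is the expected behaviour of Spring SAML when the metadata file carries an XML signature and the certificate that signed it is not among the trust anchors the KeyManager exposes: the metadata only contains the IdP's public certificate, so the SP still needs its own keystore, and that keystore must also contain the metadata-signing certificate for the trust check to pass. The Java configuration below is an added example written for this answer, not code from the original post or from the Spring SAML project; it assumes the keystore and passwords from the answer above, an alias `idp-metadata-signing` under which the IdP's signing certificate was imported with `keytool -import`, and the metadata file `qa.xml` on the classpath. It keeps signature verification enabled and pins the acceptable signer to that one alias instead of disabling the check.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataManager;

@Configuration
public class SamlMetadataConfig {

    // Assumed alias: the IdP's metadata-signing certificate imported with
    // "keytool -import -alias idp-metadata-signing -file qa.crt -keystore keystore.jks".
    private static final String IDP_SIGNING_ALIAS = "idp-metadata-signing";
    // The SP's own key pair (private key + certificate), as in the answer above.
    private static final String SP_KEY_ALIAS = "apollo";

    @Bean
    public KeyManager keyManager() {
        Resource storeFile = new DefaultResourceLoader().getResource("classpath:/saml/keystore.jks");
        // Only private-key entries need a key password; the IdP cert is a trusted-cert entry.
        Map<String, String> passwords = new HashMap<String, String>();
        passwords.put(SP_KEY_ALIAS, "nalle123");
        return new JKSKeyManager(storeFile, "nalle123", passwords, SP_KEY_ALIAS);
    }

    @Bean
    public StaticBasicParserPool parserPool() throws XMLParserException {
        StaticBasicParserPool pool = new StaticBasicParserPool();
        pool.setNamespaceAware(true);
        pool.initialize();
        return pool;
    }

    @Bean
    public ExtendedMetadataDelegate idpMetadata(StaticBasicParserPool parserPool)
            throws MetadataProviderException, IOException {
        File metadataFile = new DefaultResourceLoader().getResource("classpath:qa.xml").getFile();
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(metadataFile);
        provider.setParserPool(parserPool);

        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        // Keep the trust check ON. setMetadataTrustCheck(false) makes the error in the
        // question disappear, but then a metadata file signed by anyone (or replaced on
        // disk) would be accepted, and the signature buys nothing.
        delegate.setMetadataTrustCheck(true);
        // Refuse metadata that has no signature at all, so an unsigned replacement file
        // cannot slip past the check.
        delegate.setMetadataRequireSignature(true);
        // Restrict the acceptable signer to the one keystore alias. With an empty set,
        // every certificate in the keystore is treated as an acceptable signer.
        Set<String> trustedKeys = new HashSet<String>();
        trustedKeys.add(IDP_SIGNING_ALIAS);
        delegate.setMetadataTrustedKeys(trustedKeys);
        return delegate;
    }

    @Bean
    public MetadataManager metadata(ExtendedMetadataDelegate idpMetadata, KeyManager keyManager)
            throws MetadataProviderException {
        List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
        providers.add(idpMetadata);
        CachingMetadataManager manager = new CachingMetadataManager(providers);
        // The trust anchors for the metadata signature check come from this KeyManager,
        // which is why the signing certificate has to be in the JKS, not only in the XML.
        manager.setKeyManager(keyManager);
        return manager;
    }
}
```

Before wiring this in, confirm that the certificate in the keystore is the one that actually signed the file: the `ds:KeyInfo` inside `ds:Signature` carries the signer's certificate, and its fingerprint from `keytool -list -v -keystore keystore.jks -alias idp-metadata-signing` must match the fingerprint of that certificate. A certificate fetched from the IdP's TLS endpoint, as the script above does, is often a different certificate from the SAML signing one, and importing it will not make the trust check pass.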

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM