Grails + saml
Using Grails Spring Security Saml Plugin
How this works
→ Go Right for Next Steps →
↓Go Down For Details↓
Here would be some good details....
- Idp - Identity Provider
- SP - Service Provider (In our case the grails app.)
- Metadata - A XML file describing a SP or Idp
Accept Idp Certificate
We need accept the certificate from our Idp
keytool -import -alias myIdp -keystore keystore2.jks -file Idp.cer
Generate Key for SP
We need to generate the Key for the SP and add it to the java keystore.
keytool -genkey -alias myKey -keyalg RSA -keystore keystore2.jks
Java keytool Commands
- List Keys -
keytool -list -v -keystore keystore2.jks
- Delete Key -
keytool -delete -alias badKey -keystore keystore2.jks
We need to configure the plugin use our keystore and the keys we have generated.
In Config.groovy we will set the needed properties. They should all start with: grails.plugins.springsecurity.saml
grails.plugins.springsecurity.saml.active = true
- responseSkew - What window to allow for timestamps in seconds, I set mine to 300.
- active - True
- autoCreate.active - If you want the plugin to generate users in the DB as they are authenticated via SAML
- autoCreate.assignAuthorities - If you want the plugin to assign the authorities that come from the SAML message.
- keyManager.defaultKey - The alais of the key generated in the last step, 'myKey'.
- keyManager.storeFile - The file created in the last step, 'classpath:keystore2.jks'
- keyManager.storePass - The password for the keystore file, 'password'.
- keyManager.passwords - The alais and password for the keys, [myKey:'password'].
We need to use the plugin to generate a Metadata file for our SP.
There is a UI available as the metadata controller.
Save the file so you can reference it in your config.
There are a lot of options with SAML, the key is to get a configuration that works with your Idp.
That was mostly a back and forth process with the Idp administrator but maybe they have a list of what they support....
- Store for Current Session - Has to be Yes. (It won't always allow the download of the metadata otherwise.)
- Entity Id - We used the url of the metadata file
- Entity Base URL - The url of the public app.
- Entity Alias - Just make it unique doesn't really matter only comes up to bite you when you are generating more then one file without restarting the server.
- Include Idp Discovery - Turn this off if your Idp doesn't support it.
- SSO Bindings - Select which bindings to support, for our ADFS setup we needed to turn off Artifact because it made our ADFS puke.
- Security profile - I left it as MetaIOP but I'm not sure this setting is actually working correctly.
- Signing Key - Pick the key you created for the SP
- Encryption Key - Use the key created for the SP
- SSL/TLS Key - Use the key created for the SP
- Sign Metadata - Check this if the Idp wants the metadata signed which they probably do.
Even More Settings!!!
Yes for all of these unless you need to not to because of the Idp. (Sorry not much help on these)
- Sign sent AuthNRequests
- Require Signed Auth Assertion
- Require Signed Logout Request
- Require Signed LogoutResponse
- Require Signed Artifact Resolve
Download the metadata file from the Idp and make it available to your app so you can reference it in your config.
Configure Plugin Part 2
We need to now configure the metadata parts of the plugin with the xml files we now have from the last two steps.
I saved both the xml files from the last steps in a security directory under the grails-app/conf .
Remember these all start with grails.plugins.springsecurity.saml
- metadata.sp.file - The metadata file for the sp, 'security/sp.xml'.
- metadata.providers - Map of providers and path to their metadata, [qaIdp: 'security/QAMetadata.xml'].
- metadata.defaultIdp - Which Idp to use by default, 'qaIdp'.
- metadata.sp.defaults - Defaults to use for the SP, it must be set see slide below.
We must provide the default alias to use that needs to match the alias from the service provider xml generated before. If that is not included it will not allow the user to log in. Set the alias to the Entity Id from the generated XML.
grails.plugins.springsecurity.saml.metadata.sp.defaults = [ local: true, alias: 'http://example.com/saml/metadata', securityProfile: 'metaiop', signingKey: 'mykey', encryptionKey: 'mykey', tlsKey: 'mykey', requireArtifactResolveSigned: false, requireLogoutRequestSigned: true, requireLogoutResponseSigned: true ]
Endorse XML Libs
We need to endorse the following JARs, you may be able to use newer versions. Here is what versions I used.
Endorsing with Tomcat
Make sure you have a dir set to be endorsed in tomcat. I used the following for tomcat6 in the init.d script.
Just place any jars that you want to endorse in that dir and restart tomcat.
Unlimited JCE Policy
We need the unlimited encryption policy... Java is odd.
Add the following files to JRE_HOME/lib/security
Just get a hold of me on twitter @beckje01
By Jeff Beck