SAML Webview App Config

Andy Gherna edited this page Jul 27, 2017 · 2 revisions

Configuration

1 Dependencies

The SAML Sample needs JKS keystores. If a web server in front of the application handles SSL, you only need one keystore (for SAML signing and encryption); otherwise you need at least two (one for SAML and one for the HTTPS listener). Please see the Keystores page for instructions.

2 Application Properties

Please see Editing Application Properties for general instructions regarding editing and the location of the application.properties file, and the common Spring Boot properties set across all applications.

2.1 Application Specific Settings

The table below shows the configuration settings for this application.

| Setting | Description | Sample Value |
| --- | --- | --- |
| sampleapp-saml-webview.key-store-file | Keystore used to identify the application to the IdP. | file:${user.home}/spring-security-samples.jks |
| sampleapp-saml-webview.key-store-password | Password for the keystore. | changeit |
| sampleapp-saml-webview.key-store-default-key | Alias for the private key in the keystore. | spring-security-samples |
| sampleapp-saml-webview.key-password | Password for the private key in the keystore. | changeit |
| sampleapp-saml-webview.idp-metadata-url | URL to the IdP's metadata (part of the SAML2 spec). | http://www.testshib.org/metadata/testshib-providers.xml |
| sampleapp-saml-webview.entity-i-d | Entity ID for the application (part of the SAML2 spec). | com:github:argherna:spring:sp |
| sampleapp-saml-webview.idp-discovery-url | Optional URL to a discovery service, with a query parameter named `return` whose value is the URL-encoded login URL of your application. | https://example.com/discovery?return=https%3A%2F%2F${HOST}%3A${server.port}%2Fsaml%2Flogin |
| sampleapp-saml-webview.idp-discovery-response-url | Optional URL to the service provider; set it only when the public address of the SP differs from the address seen by the application server. It is rare to set this. | https://different.example.com/app/saml/login |
| sampleapp-saml-webview.default-i-d-p | Optional URL to a default IdP. When set, this overrides idp-discovery-url. | https://example.com/myIdp |
| sampleapp-saml-webview.role-prefix | Application-specific setting: values of a SAML2 attribute called isMemberOf that contain this prefix are mapped to a role. Completely optional; the application does not break if no matching value is found. | urn:my-ou-prefix |
| sampleapp-saml-webview.metadata-reload-delay-ms | Configurable delay, in milliseconds, for reloading metadata (default is 4 hours). | 3600000 |

2.2 Logger Settings

The table below shows the recommended logger settings. These are common properties to Spring Boot but with recommended values for this sample application.

| Setting | Description | Sample Value |
| --- | --- | --- |
| logging.file | File name for the log file | spring-security-saml-sample.log |
| logging.path | Directory to store log files in | ${user.dir}/logs |

Individual loggers can be tuned to a specific level. Prefix each logger name given below with `logging.level.` (for example, `logging.level.com.github.argherna=debug`).

| Logger Name | Description | Recommended Value |
| --- | --- | --- |
| com.github.argherna | Base logger for this sample application | debug |
| org.springframework | Base logger for the Spring framework; can be 'noisy' | warn |
| org.springframework.security.saml | Base logger for the Spring Security SAML library | info |
| org.opensaml | Base logger for the underlying OpenSAML library; can be 'noisy' but useful during setup | warn after setup, debug during setup |
| PROTOCOL_MESSAGE | Emits protocol message events | debug for demo, info otherwise |

3 Configuration Quick Start

3.1 Configure Application to use IdP Discovery

Set the following application properties:

# Application keystore (just an example; yours would be different)
#
sampleapp-saml-webview.key-store-file             = file:${user.home}\
                                                    /spring-security-samples.jks
sampleapp-saml-webview.key-store-password         = changeit
sampleapp-saml-webview.key-store-default-key      = spring-security-samples
sampleapp-saml-webview.key-password               = changeit

# Discovery and metadata settings
#

# Url of metadata file.
#
sampleapp-saml-webview.idp-metadata-url           = http://some.idp.com\
                                                    /metadata/metadata.xml

# Entity ID. Values vary depending on your organization.
#
sampleapp-saml-webview.entity-i-d                 = com:github:argherna:spring\
                                                    :sp

# URL of IDP Discovery service. NOTE: this should include a return Url 
# parameter that is url-encoded.
#
sampleapp-saml-webview.idp-discovery-url          = http://some.idp.com\
                                                    /discovery?return=\
                                                    https%3A%2F%2Fmy-host.com\
                                                    %3A${server.port}%2Fsaml\
                                                    %2Flogin

# When set our local IDP Discovery implementation will send response back 
# to Service Provider on this address. Value should be set in situations 
# when public address of the SP differs from values seen by the application server.
#
sampleapp-saml-webview.idp-discovery-response-url = 

# The default IDP (overrides discovery)
#
sampleapp-saml-webview.default-i-d-p              = 

# Application configuration. This application looks for a role in the 
# 'isMemberOf' SAML2 attribute and if found, applies it to setting a role. This
# is just an example and while setting this parameter is required, it is not 
# required that your SAML2 installation have an 'isMemberOf' attribute 
# available since a default role will be set.
#
sampleapp-saml-webview.role-prefix                = changeme

# Configurable delay for reloading metadata (leave blank for default of 4 hours)
#
sampleapp-saml-webview.metadata-reload-delay-ms   = 3600000

3.2 Configure Application to use a Default IdP

Set the following application properties:

# Application keystore (just an example; yours would be different)
#
sampleapp-saml-webview.key-store-file             = file:${user.home}\
                                                    /spring-security-samples.jks
sampleapp-saml-webview.key-store-password         = changeit
sampleapp-saml-webview.key-store-default-key      = spring-security-samples
sampleapp-saml-webview.key-password               = changeit

# Discovery and metadata settings
#

# Url of metadata file.
#
sampleapp-saml-webview.idp-metadata-url           = http://some.idp.com\
                                                    /metadata/metadata.xml

# Entity ID. Values vary depending on your organization.
#
sampleapp-saml-webview.entity-i-d                 = com:github:argherna:spring\
                                                    :sp

# URL of IDP Discovery service. NOTE: this should include a return Url 
# parameter that is url-encoded.
#
sampleapp-saml-webview.idp-discovery-url          = 

# When set our local IDP Discovery implementation will send response back 
# to Service Provider on this address. Value should be set in situations 
# when public address of the SP differs from values seen by the application server.
#
sampleapp-saml-webview.idp-discovery-response-url = 

# The default IDP (overrides discovery; value will vary depending on your IdP)
#
sampleapp-saml-webview.default-i-d-p              = urn:com:idp:my-default

# Application configuration. This application looks for a role in the 
# 'isMemberOf' SAML2 attribute and if found, applies it to setting a role. This
# is just an example and while setting this parameter is required, it is not 
# required that your SAML2 installation have an 'isMemberOf' attribute 
# available since a default role will be set.
#
sampleapp-saml-webview.role-prefix                = changeme

# Configurable delay for reloading metadata (leave blank for default of 4 hours)
#
sampleapp-saml-webview.metadata-reload-delay-ms   = 3600000
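The two quick-start configurations above are easy to get subtly wrong (an unencoded `return` parameter, both a discovery URL and a default IdP set, sample passwords left in place). The following Python script is an added example and not part of the sample project: it parses a properties fragment in the format shown above, including the backslash line continuations, and reports such problems before the application is started. The host names in the embedded sample are made up.

```python
# Added example (not the project's code): parse and sanity-check the settings.
from urllib.parse import quote, urlsplit
PREFIX = "sampleapp-saml-webview."
REQUIRED = ("key-store-file", "key-store-password", "idp-metadata-url", "entity-i-d")
# Constructed input in the format used on this page (host names are made up).
SAMPLE = """\
sampleapp-saml-webview.key-store-file     = file:${user.home}\\
                                            /spring-security-samples.jks
sampleapp-saml-webview.key-store-password = changeit
sampleapp-saml-webview.idp-metadata-url   = http://some.idp.com/metadata/metadata.xml
sampleapp-saml-webview.entity-i-d         = com:github:argherna:spring:sp
sampleapp-saml-webview.idp-discovery-url  = http://some.idp.com/discovery?return=\\
                                            https://my-host.com:8443/saml/login
sampleapp-saml-webview.default-i-d-p      =
"""

def parse_properties(text):
    """Return {key: value}; a trailing backslash joins the next (trimmed) line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def discovery_url(base, host, port):
    """Build idp-discovery-url with the return parameter URL-encoded."""
    return base + "?return=" + quote(f"https://{host}:{port}/saml/login", safe="")

def check_config(props):
    """Return a list of findings; an empty list means the settings look sane."""
    findings = [f"{PREFIX}{n} is required but empty" for n in REQUIRED if not props.get(PREFIX + n)]
    if props.get(PREFIX + "key-store-password") == "changeit":
        findings.append("key-store-password still has the sample value")
    if props.get(PREFIX + "idp-metadata-url", "").startswith("http://"):
        findings.append("idp-metadata-url is fetched over plain http")
    disc = props.get(PREFIX + "idp-discovery-url", "")
    if disc and props.get(PREFIX + "default-i-d-p"):
        findings.append("default-i-d-p overrides idp-discovery-url; set only one")
    # 'return' is read raw from the query string: a literal ':' or '/' means it was not URL-encoded.
    params = dict(p.split("=", 1) for p in urlsplit(disc).query.split("&") if "=" in p)
    if disc and any(c in params.get("return", "") for c in ":/"):
        findings.append("idp-discovery-url return parameter is not url-encoded")
    return findings
```

Run `check_config(parse_properties(open("application.properties").read()))` against your own file; `discovery_url()` produces a correctly encoded value for the discovery setting.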