Well, you are right (again) :-)
First, I changed both ends to work with http (easier...) - and it works fine.
I guess that after changing both ends to https, it will work as well.
thanks Vladi!...
Type: Posts; User: OhadR; Keyword(s):
Wow, it might be it!
In my case, upon trying to get a token, there is a redirect to https://<my app>/oauth/authorize, (and then another https redirect to the IdP).
On the way back, the IdP makes a...
Vladi,
I've posted this in the main security forum because I think it is relevant not only for saml or oAuth, but maybe you will have an idea how to resolve this one...
Ohad
I'm trying to integrate the spring-oauth with spring-saml.
I want my authorization server to function as a "bridge" to saml; meaning the clients will use oauth (there is a "resource-server", and...
<http pattern="/oauth/authorize"... starts a chain for all calls that their pattern is /oauth/authorize.
then, inside this block, you also say that specifically for '/oauth/authorize' - the user...
1. I looked carefully into the implementation and saw that after the XMLObject is restored, only 5 items are checked: ID, assertionConsumerServiceIndex, assertionConsumerServiceUrl, protocolBinding,...
Well, I found another way to de/serialize... :-) anyways, I'd love to contribute it, if you find it interesting.
I know that the relevant classes are from opensaml, so it cannot be changed by you....
So I've implemented a class called JdbcMessageStorage implements SAMLMessageStorage.
The problem now is that AuthnRequestImpl is not Serializable... Any ideas??
(p.s. why AuthnRequestImpl is not...
Hi,
in my case, the system contains multiple tomcats, each one of them runs a WAR that contains the spring-sec-saml. so I'm not sure that the tomcat which sent the saml-request is the one to...
something that I probably miss, and maybe someone can spill some light.
I saw that the SAMLAuthenticationProvider creates a new authentication token of type ExpiringUsernameAuthenticationToken. ...
Vladi,
thanks for your help.
Anyways, I solved this thing. how? I tried to debug the saml-sample, and I saw it does not stop at the "SAMLProcessingFilter". so I figured out that it is never...
hi experts,
something that is not clear to me... what is the meaning of having 2 blocks of "http" in my XML? (threads, etc...)
suppose each one of them has its own "entry point" - what is the...
After sniffing in Okta's docs, I found this:
So I figured out that this URL should be:
http://<my-host>/spring-security-saml2-sample/saml/SSO/alias/defaultAlias
when using saml-sample,...
Some details:
Okta (acting as the IDP) supports 2 methods of authentication:
In IDP initiated the flow is:
User goes to Okta and from their framework gets to the SP.
In SP initiated the flow is:...
Thanks Vlad!
Indeed, I asked them and they pointed me to their metadata xml file.
EDIT
I succeeded to add their metadata to my SP (using FilesystemMetadataProvider).
However - even though I...
Hi,
I'm a bit new to SAML, so maybe there is something basic that I miss here.
I read the wiki page, and succeeded to operate the saml-example to work as SP in front of the SSOcircle (the...
Hi
did you find how to do it?
Seems like I encounter the same challenge
:)
Thanks!
Ohad
anyone?
please advise ...
That will be problematic, since if you use this, you will not be able to use any other rule
paste here your xml, etc, so it will be easier to help.
In addition, have a look here.
My suggestion is to make personal.htm 'protected', meaning defining it in your security.xml so only ROLE_USER can access it. This way, when a non-registered user will try to get to this page, he will...
what do u mean by
do you get redirected?
what is your flow? do you try to directly get to the login page? if so, Spring does not know what is your "previous" page.
do you try to get to another page, and then you get to the login screen?
'Protected resource' is something you protect, using Spring Security. In your case, you have a web app that you protect, meaning only logged-in users can see.
Let's say you have a page in your app,...
Actually, Spring does so by default. Have a look at SavedRequestAwareAuthenticationSuccessHandler (which is used by Spring as a default handler).
What I suggest is: do not try to access directly...