Configuring Spring SAML for SSO with PingFederate

single-sign-on saml saml-2.0 pingfederate spring-saml
hyperlite picture hyperlite · May 7, 2014 · Viewed 7k times · Source

We have decided to use Ping Federate to be our SSO solution. I have searched many examples but have not found a spring configuration that clearly describes how I need to set up my SP and/or IdP on the PingFederate side. I have not found a Spring document that describes what I need exactly to implement this.

Any help, much appreciated.

Answer

Vladimír Schäfer picture Vladimír Schäfer · May 8, 2014

Currently there's no step-by-step guide on establishing federation between Spring SAML and Ping, but the steps are very similar to what's described in the quick start guide of Spring SAML.

The best approach is to start with the sample application included inside Spring SAML, configure it to work with Ping and then transfer the configuration to your current Spring application.

The high level steps are:

  • deploy Spring SAML sample application
  • download its SP metadata from https://server:port/context/saml/metadata (just open browser to the URL and store all content it returns)
  • configure Ping by creating new "SP Connection", as part of the process you import metadata which you stored earlier, to start with you can use defaults on most of the settings
  • when done, export the IDP metadata from Ping using Administrative functions -> Metadata Export for the connection you created in the previous step
  • import the IDP metadata to your Spring SAML (examples are in the manual)

This establishes federation between the two and enables you to start authenticating your users through Ping.

The metadata configuration (bean metadata) should look as follows in your case:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:security/idp.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

Make sure to replace resources/security/idp.xml with metadata from PF. You can remove all unused instances of ExtendedMetadata beans (like the one for SSO Circle). The reason metadata bean can contain multiple "links" is that it can support many IDPs at the same time.

Related questions

What is exactly RelayState parameter used in SSO (Ex. SAML)?

I am trying to understand SSO using SAML. I have come across the RelayState parameter and am very confused exactly why it comes first in SSO to send encoded URLs? What exactly does it mean? Please read the following from …

Read More
What is the correct format for SAML 2.0 Assertions?

We have a customer trying to use ADFS to SSO on to our web application. We are using the ComponentSpace SAML 2.0 library. The assertion being sent to us looks like: <Assertion ID="_b8a24809-ab6b-4acd-ad6a-8bcb97…

Read More
SimpleSamlPhp as SP redirects incorrectly

I have a SimpleSamlPHP implementation working as a Service Provider, so the workflow is as follows: IdP sends assertion to my ACS URL: /simplesaml/module.php/saml/sp/saml2-acs.php/default-sp but then it looks like he authenticates and …

Read More