1

我正在使用带有 Spring Boot 的Spring Security Saml 2.0进行 SSO(单点登录),Azure 作为身份提供者。

Spring security 使用“{baseUrl}/login/saml2/sso/{registrationId}”作为默认的“Reply Url”,

但我想使用“{baseUrl}/login/{registrationId}”

所以按照 我写的官方文档

RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
                .fromMetadataLocation("https://login.microsoftonline.com/<metadata url>")
                .registrationId("azure")
                .entityId("{baseUrl}")
                .assertionConsumerServiceLocation("{baseUrl}/login/{registrationId}")
                .build();

通过这个我进入登录页面,但之后有无限循环的登录......

Spring Boot 无法 POST 到 /login/azure

o.s.security.web.FilterChainProxy        : Securing POST /login/azure
s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/login/azure
o.s.s.w.access.AccessDeniedHandlerImpl   : Responding with 403 status code

我试图允许此端点的 CSRF 并允许所有访问,但是它无法解析元数据。

我发现它是在过滤器“Saml2WebSsoAuthenticationFilter”中实现的

4

1 回答 1

1

Looking around in the source code I found the solution.

It turns out you have to update "Reply URL" link in 2 places

  1. In RelyingPartyRegistration or in application.properties as I did in question.

This will tell Spring where the page will be redirected after successful login, On this URL IP (identity provider) will provide SAML response in XML format.

  1. In WebSecurityConfigurerAdapter

So We have to explicitly tell Spring to expect SAML response on this URL and parse it.

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        
        http
                .authorizeRequests(authorize -> authorize
                        .anyRequest().authenticated()
                )
                .saml2Login(h -> h.loginProcessingUrl("/login/{registrationId}"));
   }
}

This will Update Saml2WebSsoAuthenticationFilter to use /login/{registrationId} for SAML parsing instead of /login/saml2/sso/{registrationId}

于 2021-04-17T11:54:17.083 回答