Getting Started with Spring Boot and SAML


Captions
Hello, fellow developers. My name is Matt Raible, and today I'd like to show you how to get started with Spring Boot and SAML. Let's get to it.

This screencast is based on a blog post that we published back in August of 2022, but I updated it recently to use Spring Boot 3.0.6, because that August blog post actually used a Spring Boot 3.0 snapshot. None of the code changed; it's just nice to use release dependencies. If you scroll down in the blog post, you can read about everything I'm going to show you today, but there's also a video from my colleague Nick Gamb that shows a developer's guide to SAML, so if you want to dive deeper into SAML and see how it all works, I recommend watching that video. If you click on the code link up at the top here, it'll take you to the GitHub repo that has all the code in it, and in there, there's a demo.adoc (adoc is for AsciiDoc). If I click on the raw version, you'll see I get a nice little view here, so I'm going to put that on the left.

One of my favorite projects in Spring is Spring Security. In most cases it simplifies web security to just a few lines of code. It supports HTTP Basic, JDBC, JWT, OpenID Connect, and OAuth, just to name a few. You might notice that I didn't mention SAML in there, and that's because I don't really recommend it. The specification for SAML 2.0 was published in March of 2005, before smartphones and smart devices even existed. So it works great on the web, you know, to do single sign-on in a browser, but not for apps, not for smart TVs or anything like that. Using SAML in 2023 is kind of like implementing a web service using WS-* instead of REST. So my recommendation: use OpenID Connect if you can. If you must use SAML, well, that's what this guide is for, and this screencast, and it'll be quick and easy, I promise you. Check the description below this video for links back to the blog post as well as this demo script and the GitHub repo, so you can do it all yourself if you like.

First of all, you'll need Java 17 installed. I'm going to put this on the right here. Java 17: I do have it installed, and sdkman.io is the place to get SDKMAN. SDKMAN allows you to switch between Java versions very easily, so I highly recommend it. If we look at our table of contents here, we're going to add a SAML application on Okta, create a Spring Boot app with SAML support, run the app and authenticate, add a logout feature, and customize authorities so we actually take the groups from Okta and translate them into Spring Security authorities. Then we'll do the same thing on Auth0 (it's actually a little bit simpler on Auth0), and then I'll deploy it to Heroku at the end to show you what you need to change for production. The brackets at the end of some of the steps indicate IntelliJ live templates that I've pre-recorded, which allow me to just type a few characters and spit out a bunch of code. If you want those live templates, go to the idea-live-templates repo on github.com. You can also expand the file names in the code that I'll be showing here in this demo script, and that will show you the code as well, so you don't have to use those shortcuts.

To begin, you'll need an Okta developer account. I already have one, but if you don't, you can create one at developer.okta.com/signup, or install the Okta CLI, which is available at cli.okta.com, and run okta register. So I'm going to go ahead and log into my account here. I'll open up a new browser, put this on the right here, and go to my account, which I need 1Password for, because I forget what the name is. dev177, there it is. We'll just copy the password, open and fill it here, and we're on our way. Logging us in, remembering my credentials, and now I'm logged in.

I'm going to want to go to Applications and create a new application. So right under here, Applications, and Create App Integration. Select SAML 2.0, go Next, and then we'll name it Spring Boot SAML, click Next, and then we'll need to fill out the Single sign-on URL. That's this value right here on the left, and this is standard for Spring Security: they have mapped an endpoint to /login/saml2/sso/okta after you've configured it appropriately. Make sure you leave this box checked there, and then put in the SP Entity ID, or the Audience URI. Scroll down to the bottom, click Next, and then "I'm an Okta customer adding an internal app" and "This is an internal app that we have created". All right, I'm going to assign it to the Everyone group (Assign to groups), so everyone can log in. Click Done, and then if we go to the Sign On tab and scroll down here, go to Actions > View IdP metadata. If you click on that, it's got the whole URL right in your browser there. You can copy that and save it for later. I'm going to leave that on my clipboard; I'll use it in a few minutes.

We've assigned it to the Everyone group; we already did that. Now we'll create a Spring Boot app using start.spring.io. I'm going to open my terminal here and clear it. You can use start.spring.io to do it, you can use this URL right here that I have, or you can use HTTPie against the start.spring.io starter endpoint. I'm going to copy this right here, and we'll do it in the Downloads directory. Make sure nothing's in there, and then we're going to hit that endpoint: Spring Boot version 3.0.6, the dependencies are Spring MVC, Spring Security, and Thymeleaf, it's going to be a Gradle project, and we expand it into that spring-boot-saml directory. Then we'll open this up in IntelliJ.

The first thing is to add a home controller, so that when it comes back to our application we don't get a 404, which is the default from Spring Boot because there's nothing mapped to the home, or slash, endpoint. So I'm just going to create something so it's mapped there, and we're going to call this HomeController. You can see things aren't quite compiling yet. You'll notice when we created the app it didn't actually have any SAML dependencies for Spring Security, so we'll get to those in a minute, but you'll see here this is the HomeController, and you can also expand that code and copy and paste it out of there as well. We'll create a Thymeleaf template called home as well, using my live-template shortcut. This basically just says welcome, and then if you're authenticated, it shows your email address, your authorities, and all your different attributes, as well as the login button.

Then we'll need to modify build.gradle to pull in Spring Security's SAML dependencies. First of all, add a new repository here, and then set up some constraints so it pulls in the proper version of OpenSAML, and then add the implementation for spring-security-saml2-service-provider. All right, now if we refresh our Gradle build and go back to our HomeController, you'll see everything's compiling now, and if you look at that, it's a little easier to read that way. Now we can run our app from our IDE right here, and if we go to localhost:8080, you'll see it defaults to user and password authentication. That's because, well, I haven't done everything that I was supposed to, so go back to my instructions. It's basically because I missed a step in my instructions on renaming application.properties to application.yml and putting that metadata URL in there. So go here, rename this, put that in there, and then we need to get that metadata URL. You can see GitHub Copilot is trying to guess at it for me, but it's wrong, so grab it from here, go back here, and paste it in. Now if we restart, it'll come up with authentication against Okta rather than Spring Security doing it locally. localhost:8080 again redirects to Okta, and we're successfully logged in, right, because we already logged into the Okta dashboard.

If we try to log out, that doesn't work, because there's a little more setup you need to do for logout. So we'll edit our application on Okta. I think I've got that right here. We'll go to the General tab, SAML Settings, and Edit. Click Next here, Configure SAML, Show Advanced Settings, and then scroll down to Enable Single Logout. You need to enable that, but first you have to upload a signature certificate, so you can create a private key and a certificate using OpenSSL. Then you have to answer at least one of the questions, so do that in the terminal here. Country Name is the one I'll answer, and I live in Colorado (how about those Nuggets?), and we'll keep going. Now we have two files in this project, local.crt and local.key. Put those in the resources directory here, and then we'll need to modify our application configuration and add some more information here for the logout. So we've got those credentials with the private key location, certificate location, and the single logout configuration. Now we need to upload that certificate, so browse to it right here: Downloads, spring-boot-saml, src/main/resources, there we are. Enable Single Logout, and then the Single Logout URL, here's this one, and the Service Provider Issuer, or SP Issuer, is that one. Then we can click Next. Back to our Spring Boot app, we can restart it, and now if we go to localhost:8080, we're logged in and we can log out, right? That takes us back out to the login again, since we're securing all paths in our Spring Boot app by default. So that's all working.

Now we can customize. Just to show you, you might have noticed when it comes in here and you log in, your authorities are ROLE_USER, except this user actually has many groups assigned to it. It's got the Everyone group, it's got ROLE_USER and ROLE_ADMIN, and those aren't coming from Okta and getting translated properly. So we need to edit our app's SAML settings again, right here, General, SAML Settings, to fill in the Group Attribute Statements section. Click Next, and then down here, Group Attribute Statements: we can add groups, Name Format, just leave it as is, Matches regex, so basically include all the groups that this user is a part of, and then above that we can add other attributes. All right, then save those changes via Next, Finish.

Then we'll create a SecurityConfiguration class, and this will override the default configuration that comes with Spring Security and use a converter to translate the values in the groups attribute into Spring Security authorities. Back in our project, right here, SecurityConfiguration: you'll see it uses a SecurityFilterChain, like most Spring Security configurations, but then it has OpenSAML as well here for an authentication provider, so it configures that in a new ProviderManager, everything must be authenticated here, and then it does SAML 2 logout. This converter right here basically gets those groups, maps them to SimpleGrantedAuthority instances, and adds them all, so the Saml2Authentication will have all that information in there. Now we can restart our app again. There we are, we're back up and running, and now localhost:8080, log in, and you can see our authorities actually match what our groups are. All right, and we have those other attributes as well, so that's all working.

Now we can add support for Auth0 to the same app. We're going to log into our Auth0 account, or log in with your existing one. If you don't have one, auth0.com/signup, or log into manage.auth0.com. I've got a browser open here on the right, we'll open that up, GitHub, I've got 1Password right here, copy it, need to do the GitHub Mobile dance with my phone, and then we're in. Then I need to use my YubiKey, remember for 30 days, touch it, and now we're in. I can create a new application and we'll call it Spring Boot SAML. It's a Regular Web Application, and we'll need to add localhost:8080/login/saml2/sso/auth0 as an allowed callback, so right under Allowed Callback URLs, and then scroll to the bottom, Advanced Settings, Endpoints, and you can get your metadata URI. I'm just going to save that here. Everything will work if we were to copy that metadata URI into our application and start using it, but logout's not going to work until you go here and turn on SAML2. I do think it's kind of neat how Auth0 actually has OIDC working by default, and the metadata URI is already configured for an OIDC app, so it's kind of cool that you can have OIDC and SAML on the same app. You'll want to go into the Settings tab here and then change, or paste, because this is all just commented out, showing you a bunch of examples: say logout callback is this, and single logout enabled is true. Then you can go back to the bottom, click Enable, and then we'll change our application.yml to use Auth0 instead of Okta. So right here, auth0, and then we need to grab that metadata URI from here and we'll put it right there. Restart our app, and you should be able to log in with Auth0 now. Auth0 again, 1Password, yep, now I'm logged in. You can see that the email address still isn't coming through, and our authorities aren't quite right, but there's a whole bunch of attributes that are available by default, and they have these names for them, so a little bit more information there.

What we can do is update the groups converter to allow both Okta and Auth0. That's in SecurityConfiguration, right after groups: if groups is null, let's assume it's Auth0 and use those instead. Now we'll need to configure Auth0 to actually populate the user's groups. Log back into your application details, and we'll need to add an action for that. If we go to Flows, Login, no tour needed here, we'll create a custom action, and we'll call it Add Roles, and everything else can be the defaults. Then we'll change onExecutePostLogin to basically: if the event is an authorization event, set custom claims. This will work for OIDC, but it'll also work for SAML, which is pretty cool, right? So we're just setting the preferred username and the roles, and then you can deploy it. After you've deployed it, you have to go to your flows, Login, and then drag and drop it in, and then make sure and hit Apply, or we won't actually be using this.

We're going to modify the HomeController, since it isn't just email like we typed in for Okta. We're going to need to modify it: if the email is null, go ahead and use a different one, or assume it's Auth0. I didn't grab all that correctly, so let's grab all this right here. Currently we're using email address like this, and we're going to change it to grab that email, and if it's not present, try Auth0's, and hopefully that'll work. So now Ctrl+Fn+F5, now we're back at our app here. I have to log in again and hit refresh, and hey, it's SSO, so it logs us right in. Now we have the correct email address here, and we have the correct authorities coming in. On Auth0 I happen to be assigned to the same groups; that was a JHipster configuration that I did. But basically, everything's working as expected.

The cool thing is you can actually support both Auth0 and Okta in your app at the same time if you want. So under application.yml you have auth0 here, but you can change it so we have okta down at the bottom here. All right, so make sure we're doing our YAML correctly. The cool thing is there are ways of using YAML to say, hey, this is referenceable, and then it's referenced down there, right? Same thing with our logout settings here, and so, you know, DRY, don't repeat yourself, and it's a little more slick that way. Then we'll grab our metadata URL from there and we'll paste it in here for Okta, right? So everything should be good as long as our YAML lines up, and we can again Ctrl+Fn+F5. Now we refresh, or we just go to localhost:8080. It'll actually prompt us for both, right? So Auth0, log in and log out; Okta, log in and log out. So, you know, that proves they're both working. Via Auth0, you know, it'll prompt you to log in again because we logged out; Okta the same way. So, pretty slick.

Now we can deploy it to production. I like Heroku. I realize it's a bit dated, but it works awesome for a Java app, so you know, it's one of the easiest to deploy to, so I'm just going to do it. To do that, you can use heroku create from the command line. We'll stop this one. You're going to need the Heroku CLI installed, so if you don't have it, go here to Dev Center and the Heroku CLI; I'll show you the whole URL up there so you can grab it. Then you'll basically do a few things. First you'll create a new app on Heroku. Put this back on the left. heroku create creates a new app for us, and then we can create a system.properties file in the root directory to force Java 17 (java.runtime.version=17), and then a Procfile that tells Heroku how to run it. It just uses java, sets the memory to more than the defaults, and then runs our jar (make JAR, not WAR, okay?). Then we'll commit our changes: git init, git add, git commit, and then we can do heroku git:remote -a, and scroll up to get that name, mysterious-peak-21987. Once we've set that, if you do git remote -v, you can see it's there, and we can set heroku config:set GRADLE_TASK, because the default is not correct: it just builds it, right, it doesn't run it. Well, this is actually running it, and so we want... git push. We're not running it, but building it, right: bootJar builds it, bootRun runs it. So git push heroku main, and while that's doing it, we do have the URL of our app, or what it will be, right? That's back up here, that's this mysterious-peak, so let's put that... okay.

We'll need to update Okta and Auth0 to use that Heroku app URL, because we have localhost:8080 in a number of spots. We'll go back to Okta here, and first of all, in General, you'll see all these right here, so Next, change this one to Heroku. Hey, make sure you don't have double slashes in there. Then this one as well, and then Show Advanced Settings, and the Single Logout URL and the SP Issuer. Now hit Next, Finish. Then on Auth0, go to Applications, and the cool thing about Auth0 is you can actually have multiple. On Okta, I didn't see that it was possible to have multiple callbacks or logout URLs. So I can do this, and then add /login/saml2/sso/auth0 to the end. Make sure we have that, save it. Oh, I think it was up under Add-ons, so Settings, we can add a second one here. I tried it earlier; I can't guarantee it's going to work now, but I think it will as long as I get my URLs right. Yep, so then scroll down, click Save.

Now let's see if it's deployed. It looks like it is. We can go here, it'll prompt us to log in with Auth0, and we can sure enough do that. Oh, what is that? What the heck, "Deceptive site ahead". All right, well, what are you doing? Chrome doesn't work; let's try Firefox. Not now. And that works. So whatever, Chrome. That worked great, right? We're logged in and we're on Heroku and everything, so we can log out. Oh, it's still going, so I guess it didn't work, right? You can see it's got both URLs in there, so we need to go back here and actually update this to remove this one, save it, and now back with Firefox here, and maybe we can just do it ourselves. Yay! All right, and then try Okta, and we can log in there. It didn't like that we were going to log out; maybe I was trying to save that. So now Okta's working. Let's try it again to make sure. All right, so both Okta and Auth0 work with Spring Boot SAML.

I hope you had fun and enjoyed this Spring Boot demo, and if you love Spring Security as much as I do, hopefully you can use it to secure your apps as well, and it'll just work awesome. You can find all the source code for this on GitHub: if you scroll to the bottom here, at oktadev/okta-spring-boot-saml-example. If you click on that, you can get to the blog post up here in the top right as well. Thanks for watching. I hope you learned something from this screencast. If you'd like to see when I publish more screencasts, follow me on Twitter at @mraible. I'm also on LinkedIn, since Twitter's kind of rocky these days, so find me there (mraible) as well. Follow my whole team on Twitter at @oktadev, and of course subscribe to our YouTube channel so you can watch more awesome videos like this one. Hope you have a great day. Cheers.
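The SecurityConfiguration the screencast walks through (a SecurityFilterChain, an OpenSAML authentication provider wrapped in a ProviderManager, SAML 2 logout, and a converter that turns the group attribute into Spring Security authorities, with the Auth0 fallback added later in the video) is written out below as an added example. It is not the page's own code, nor a copy of the oktadev repo; it is what a Spring Security 6 / Spring Boot 3 configuration of that shape looks like. Two names are assumptions: that Okta sends the groups under the attribute name `groups` (whatever you typed in the Group Attribute Statements step) and that Auth0 delivers roles as the attribute `http://schemas.auth0.com/roles`; change both to match your IdP.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class SecurityConfiguration {

    // Assumed attribute names (see lead-in): the Okta group attribute statement
    // configured in the admin console, and Auth0's namespaced roles claim.
    static final String OKTA_GROUPS_ATTRIBUTE = "groups";
    static final String AUTH0_ROLES_ATTRIBUTE = "http://schemas.auth0.com/roles";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // OpenSaml4AuthenticationProvider verifies the Response/Assertion signature
        // against the IdP metadata before it calls the converter below, so the
        // attributes the converter reads have already been authenticated.
        OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
        authenticationProvider.setResponseAuthenticationConverter(groupsConverter());

        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2.authenticationManager(new ProviderManager(authenticationProvider)))
            // Single logout only works once signing credentials (local.key / local.crt)
            // are configured, because the LogoutRequest sent to the IdP must be signed.
            .saml2Logout(withDefaults());

        return http.build();
    }

    private Converter<ResponseToken, Saml2Authentication> groupsConverter() {
        // Keep Spring Security's default conversion (principal, attributes, ROLE_USER)
        // and only replace the authorities.
        Converter<ResponseToken, Saml2Authentication> delegate =
            OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();

        return responseToken -> {
            Saml2Authentication authentication = delegate.convert(responseToken);
            Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
            Collection<? extends GrantedAuthority> authorities =
                authoritiesFrom(principal, authentication.getAuthorities());
            return new Saml2Authentication(principal, authentication.getSaml2Response(), authorities);
        };
    }

    /** Maps group/role attribute values to authorities; keeps the defaults if none are present. */
    static Collection<? extends GrantedAuthority> authoritiesFrom(Saml2AuthenticatedPrincipal principal,
                                                                  Collection<? extends GrantedAuthority> defaults) {
        List<String> groups = principal.getAttribute(OKTA_GROUPS_ATTRIBUTE);
        if (groups == null) {
            // No Okta-style attribute: assume the assertion came from Auth0, as in the video.
            groups = principal.getAttribute(AUTH0_ROLES_ATTRIBUTE);
        }
        if (groups == null || groups.isEmpty()) {
            return defaults;
        }
        Set<GrantedAuthority> authorities = new HashSet<>();
        for (String group : groups) {
            // Values are used verbatim, so name the IdP groups ROLE_ADMIN / ROLE_USER
            // if you want hasRole("ADMIN") style checks to work.
            authorities.add(new SimpleGrantedAuthority(group));
        }
        return authorities;
    }
}
```

The "null means Auth0" branch mirrors the screencast; if both registrations are active at once, a sturdier discriminator is `principal.getRelyingPartyRegistrationId()`, which tells you which `spring.security.saml2.relyingparty.registration` entry (okta or auth0) authenticated the user, so each IdP's attribute name is only consulted for assertions that actually came from it.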
Info
Channel: OktaDev
Views: 9,020
Keywords: Spring Boot, SAML, Security Assertion Markup Language, authentication, single sign-on, SSO, identity management, identity federation, Spring Security, tutorial, Java, web development, secure authentication, secure authorization, identity provider, service provider, SAML attributes, identity verification, hands-on tutorial, web security, secure login, identity, security, okta, auth0, js, spring boot 3, matt raible, screencast, developer, how-to, secuirty, securing your apps, adding saml
Id: UsXcWXg216E
Length: 27min 26sec (1646 seconds)
Published: Thu Jun 08 2023