wip

Co-authored-by: Peter Chen <[email protected]>

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlAuthenticationFilter.java

@@ -0,0 +1,23 @@
+package org.cloudfoundry.identity.uaa.provider.saml;
+
+import javax.servlet.Filter;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
+
+@Configuration
+public class SamlAuthenticationFilter {
+
+    @Autowired
+    private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
+
+    @Bean
+    Filter saml2WebSsoAuthenticationRequestFilter() {
+        Saml2WebSsoAuthenticationRequestFilter saml2WebSsoAuthenticationRequestFilter = new Saml2WebSsoAuthenticationRequestFilter(relyingPartyRegistrationRepository);
+        return saml2WebSsoAuthenticationRequestFilter;
+    }
+
+}

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepository.java

@@ -1,5 +1,6 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
+import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.saml.SamlKey;
 import org.cloudfoundry.identity.uaa.util.KeyWithCert;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -13,6 +14,8 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
 
 import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
 
 @Configuration
 public class SamlRelyingPartyRegistrationRepository {
@@ -26,9 +29,12 @@ public class SamlRelyingPartyRegistrationRepository {
     public static final String CLASSPATH_DUMMY_SAML_IDP_METADATA_XML = "classpath:dummy-saml-idp-metadata.xml";
 
     public SamlRelyingPartyRegistrationRepository(@Qualifier("samlEntityID") String samlEntityID,
-                                                  SamlKeyConfigProps samlKeyConfigProps) {
+                                                  SamlKeyConfigProps samlKeyConfigProps,
+                                                  BootstrapSamlIdentityProviderData bootstrapSamlIdentityProviderData
+                                                  ) {
         this.samlEntityID = samlEntityID;
         this.samlKeyConfigProps = samlKeyConfigProps;
+        this.bootstrapSamlIdentityProviderData = bootstrapSamlIdentityProviderData;
     }
 
     private String samlEntityID;
@@ -41,17 +47,36 @@ public SamlRelyingPartyRegistrationRepository(@Qualifier("samlEntityID") String
 
     private SamlKeyConfigProps samlKeyConfigProps;
 
+    private BootstrapSamlIdentityProviderData bootstrapSamlIdentityProviderData;
+
     @Bean
     RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() throws CertificateException {
 
         SamlKey activeSamlKey = samlKeyConfigProps.getActiveSamlKey();
         KeyWithCert keyWithCert = new KeyWithCert(activeSamlKey.getKey(), activeSamlKey.getPassphrase(), activeSamlKey.getCertificate());
 
-        RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
-                .fromMetadataLocation(CLASSPATH_DUMMY_SAML_IDP_METADATA_XML)
+        List<RelyingPartyRegistration> relyingPartyRegistrations = new ArrayList<>();
+
+        List<SamlIdentityProviderDefinition> samlIdpDefinitions = bootstrapSamlIdentityProviderData.getIdentityProviderDefinitions();
+
+        // TODO add some comment about why here:
+        relyingPartyRegistrations.add(buildRelyingPartyRegistration(keyWithCert, CLASSPATH_DUMMY_SAML_IDP_METADATA_XML, "example"));
+
+        for (SamlIdentityProviderDefinition samlIdentityProviderDefinition : samlIdpDefinitions) {
+            String metadataLocation = samlIdentityProviderDefinition.getMetaDataLocation();
+            String idpEntityAlias = samlIdentityProviderDefinition.getIdpEntityAlias();
+            relyingPartyRegistrations.add(buildRelyingPartyRegistration(keyWithCert, metadataLocation, idpEntityAlias));
+        }
+
+        return new InMemoryRelyingPartyRegistrationRepository(relyingPartyRegistrations);
+    }
+
+    private RelyingPartyRegistration buildRelyingPartyRegistration(KeyWithCert keyWithCert, String metadataLocation, String rpRegstrationId) {
+        return RelyingPartyRegistrations
+                .fromMetadataLocation(metadataLocation)
                 .entityId(samlEntityID)
                 .nameIdFormat(samlSpNameID)
-                .registrationId("example")
+                .registrationId(rpRegstrationId)
                 .assertingPartyDetails(details -> details
                         .wantAuthnRequestsSigned(samlSignRequest)
                 )
@@ -62,7 +87,5 @@ RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() throws C
                         .add(Saml2X509Credential.decryption(keyWithCert.getPrivateKey(), keyWithCert.getCertificate()))
                 )
                 .build();
-
-        return new InMemoryRelyingPartyRegistrationRepository(relyingPartyRegistration);
     }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/security/web/ContentSecurityPolicyFilter.java

@@ -38,6 +38,7 @@ protected boolean shouldNotFilter(HttpServletRequest request) {
         final String requestPath = UaaUrlUtils.getRequestPath(request);
         final List<String> pathsWithHtmlInlineScripts = Arrays.asList(
                 "/saml/",
+                "/saml2/",
                 "/login_implicit");
 
         return pathsWithHtmlInlineScripts.stream()

server/src/main/resources/dummy-saml-idp-metadata.xml

@@ -11,6 +11,6 @@
             </ds:KeyInfo>
         </md:KeyDescriptor>
         <md:SingleSignOnService
-                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com"/>
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.cloudfoundry.org"/>
     </md:IDPSSODescriptor>
 </md:EntityDescriptor>

uaa/src/main/resources/uaa.yml

@@ -1,3 +1,7 @@
+logging:
+  level:
+    org.springframework.security: TRACE
+
 # Configuration in this file is overridden by an external file
 # if any of these exist:
 # [$UAA_CONFIG_URL, $UAA_CONFIG_PATH/uaa.yml, $CLOUDFOUNDRY_CONFIG_PATH/uaa.yml]
@@ -413,6 +417,17 @@ login:
       connectionManagerTimeout: 10000
       # URL metadata fetch - read timeout
       soTimeout: 10000
+    providers:
+      okta-saml:
+        idpMetadata: https://dev-73893672.okta.com/app/exk9ojp48mcTeKG9t5d7/sso/saml/metadata
+        metadataTrustCheck: true
+        showSamlLoginLink: true
+        linkText: 'Okta SAML'
+        addShadowUserOnLogin: true
+      simplesaml:
+        idpMetadata: http://simplesamlphp.uaa-acceptance.cf-app.com/saml2/idp/metadata.php
+        linkText: 'Simple SAML'
+
 #BEGIN SAML PROVIDERS
 #    providers:
 #      okta-signed-or-encrypted:

uaa/src/main/webapp/WEB-INF/spring-servlet.xml

@@ -225,6 +225,8 @@
                 <!-- Add in a flag that removes id_token from /oauth/authorize requests-->
                 <entry value-ref="disableIdTokenResponseFilter"
                        key="#{T(org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor.FilterPosition).position(8)}"/>
+                <entry value-ref="saml2WebSsoAuthenticationRequestFilter"
+                       key="#{T(org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor.FilterPosition).position(9)}"/>
                 <!-- Zone switcher goes *after* class OAuth2AuthenticationProcessingFilter as it requires a token to be present to work -->
                 <entry value-ref="identityZoneSwitchingFilter"
                        key="#{T(org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor.FilterPosition).after(@oauth2TokenParseFilter)}"/>