Tags: single-sign-on, saml, saml-2.0, pingfederate, spring-saml

Configuring Spring SAML for SSO with PingFederate


We have decided to use PingFederate as our SSO solution. I have searched many examples but have not found a Spring configuration that clearly describes how I need to set up my SP and/or IdP on the PingFederate side. I have not found a Spring document that describes exactly what I need to implement this.

Any help, much appreciated.


Solution

  • Currently there's no step-by-step guide on establishing federation between Spring SAML and Ping, but the steps are very similar to what's described in the quick start guide of Spring SAML.

    The best approach is to start with the sample application included inside Spring SAML, configure it to work with Ping and then transfer the configuration to your current Spring application.

    The high level steps are:

    • deploy Spring SAML sample application
    • download its SP metadata from https://server:port/context/saml/metadata (just open a browser at the URL and store all the content it returns)
    • configure Ping by creating a new "SP Connection"; as part of the process you import the metadata you stored earlier, and to start with you can use the defaults for most of the settings
    • when done, export the IDP metadata from Ping using Administrative functions -> Metadata Export for the connection you created in the previous step
    • import the IDP metadata to your Spring SAML (examples are in the manual)

    This establishes federation between the two and enables you to start authenticating your users through Ping.

    The metadata configuration (bean metadata) should look as follows in your case:

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                            <constructor-arg>
                                <value type="java.io.File">classpath:security/idp.xml</value>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                    </constructor-arg>
                    <property name="metadataTrustCheck" value="false"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>
    

    Make sure to replace resources/security/idp.xml with the metadata from PF. You can remove all unused instances of ExtendedMetadata beans (like the one for SSO Circle). The reason the metadata bean can contain multiple "links" is that it can support many IDPs at the same time.
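A quick sanity check of the exported idp.xml before pointing the metadata bean above at it, as an added example that is not part of the original answer or of Spring SAML/PingFederate. The embedded metadata is constructed; its entityID, URLs and certificate text are placeholders. It pulls out what Spring SAML will rely on (entityID, SingleSignOnService endpoints, signing certificates) and flags when the export is unsigned, which is exactly the case that makes metadataTrustCheck=false necessary.

```python
"""Sanity-check exported IdP metadata before pointing the metadata bean at it.
Added example, not from the original answer, Spring SAML or PingFederate; the
metadata string is constructed with placeholder entityID, URLs and cert text."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/pf">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return what Spring SAML relies on from the file, plus review warnings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Map each SingleSignOnService binding (short name) to its endpoint URL.
    sso = {s.get("Binding", "").replace(BINDING_PREFIX, ""): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without 'use' covers both signing and encryption.
    signing_certs = sum(
        len(kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing")
    metadata_signed = root.find("ds:Signature", NS) is not None
    warnings = []
    if signing_certs == 0:
        warnings.append("no signing certificate: assertion signatures cannot be verified")
    if not metadata_signed:
        warnings.append("metadata is unsigned, so metadataTrustCheck=false is needed; "
                        "its integrity then rests on how the export was obtained")
    for binding in ("HTTP-Redirect", "HTTP-POST"):
        if binding not in sso:
            warnings.append(f"no SingleSignOnService endpoint for {binding}")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": signing_certs, "metadata_signed": metadata_signed,
            "warnings": warnings}
```

Run it against the real export from Administrative functions -> Metadata Export; an empty warnings list means the file carries everything the bean configuration above expects.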