Class SamlAuthenticator

java.lang.Object
org.codelibs.fess.sso.saml.SamlAuthenticator
All Implemented Interfaces:
SsoAuthenticator

public class SamlAuthenticator extends Object implements SsoAuthenticator
Authenticator for SAML 2.0.

This authenticator enables Single Sign-On (SSO) using SAML 2.0 protocol with Identity Providers such as Okta, Azure AD, OneLogin, etc.

Required Configuration

Add the following properties to system.properties:

 # Enable SAML SSO
 sso.type=saml

 # Identity Provider settings (obtain from your IdP)
 saml.idp.entityid=http://www.okta.com/xxxxx
 saml.idp.single_sign_on_service.url=https://your-domain.okta.com/app/xxxxx/sso/saml
 saml.idp.x509cert=MIIDqjCCApKgAwIBAgIGAYMwfYAwMA0G...
 

Service Provider URL Configuration

By default, the SP URLs use http://localhost:8080 as the base URL. For production or when the IdP is configured with a different URL, you should set one of the following:

 # All SP URLs will be derived from this base URL
 saml.sp.base.url=https://your-fess-server.example.com
 

Option 2: Set individual SP URLs

 # SP Entity ID (Audience URI in IdP)
 saml.sp.entityid=https://your-fess-server.example.com/sso/metadata

 # Assertion Consumer Service URL
 saml.sp.assertion_consumer_service.url=https://your-fess-server.example.com/sso/

 # Single Logout Service URL
 saml.sp.single_logout_service.url=https://your-fess-server.example.com/sso/logout
 

Complete Configuration Example (Okta)

 sso.type=saml

 # IdP settings from Okta SAML setup instructions
 saml.idp.entityid=http://www.okta.com/your-app-id
 saml.idp.single_sign_on_service.url=https://your-domain.okta.com/app/your-app/your-app-id/sso/saml
 saml.idp.x509cert=MIIDqjCCApKg... (your IdP certificate)

 # SP base URL (must match Audience URI configured in Okta)
 saml.sp.base.url=https://your-fess-server.example.com
 

Optional Configuration

 # User attribute mapping
 saml.attribute.group.name=groups
 saml.attribute.role.name=roles

 # Default groups/roles for authenticated users
 saml.default.groups=user
 saml.default.roles=user
 

Security Settings (Production)

For production environments, consider enabling these security features:

 saml.security.authnrequest_signed=true
 saml.security.want_messages_signed=true
 saml.security.want_assertions_signed=true
 
See Also:
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    protected static final String
    The prefix for SAML properties.
    protected static final String
    The property key for the SAML SP base URL.
    protected static final String
    The key for the SAML state in the session.
  • Constructor Summary

    Constructors
    Constructor
    Description
    Constructor.
  • Method Summary

    Modifier and Type
    Method
    Description
    protected String
    Builds a default URL for SAML endpoints.
    protected org.lastaflute.web.login.credential.LoginCredential
    createLoginCredential(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.codelibs.saml2.Auth auth)
    Creates a login credential.
    org.lastaflute.web.login.credential.LoginCredential
    Gets the login credential for SSO authentication.
    protected org.lastaflute.web.response.ActionResponse
    Gets the logout response.
    protected org.lastaflute.web.response.ActionResponse
    Gets the metadata response.
    org.lastaflute.web.response.ActionResponse
    Gets the action response for the specified SSO response type.
    protected org.codelibs.saml2.core.settings.Saml2Settings
    Gets the SAML settings.
    void
    Initializes the SamlAuthenticator.
    logout(org.codelibs.fess.mylasta.action.FessUserBean user)
    Performs logout for the specified user.
    void
    Resolves credential using the provided resolver.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Constructor Details

    • SamlAuthenticator

      public SamlAuthenticator()
      Constructor.
  • Method Details

    • init

      @PostConstruct public void init()
      Initializes the SamlAuthenticator.
    • buildDefaultUrl

      protected String buildDefaultUrl(String path)
      Builds a default URL for SAML endpoints. Uses the configured base URL or defaults to http://localhost:8080 for compatibility with common SAML IdP configurations.
      Parameters:
      path - the path to append to the base URL
      Returns:
      the complete URL
    • getSettings

      protected org.codelibs.saml2.core.settings.Saml2Settings getSettings()
      Gets the SAML settings.
      Returns:
      The SAML settings.
    • getLoginCredential

      public org.lastaflute.web.login.credential.LoginCredential getLoginCredential()
      Description copied from interface: SsoAuthenticator
      Gets the login credential for SSO authentication.
      Specified by:
      getLoginCredential in interface SsoAuthenticator
      Returns:
      The login credential.
    • createLoginCredential

      protected org.lastaflute.web.login.credential.LoginCredential createLoginCredential(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.codelibs.saml2.Auth auth)
      Creates a login credential.
      Parameters:
      request - The HTTP request.
      response - The HTTP response.
      auth - The SAML authentication.
      Returns:
      The login credential.
    • resolveCredential

      public void resolveCredential(FessLoginAssist.LoginCredentialResolver resolver)
      Description copied from interface: SsoAuthenticator
      Resolves credential using the provided resolver.
      Specified by:
      resolveCredential in interface SsoAuthenticator
      Parameters:
      resolver - The login credential resolver.
    • logout

      public String logout(org.codelibs.fess.mylasta.action.FessUserBean user)
      Description copied from interface: SsoAuthenticator
      Performs logout for the specified user.
      Specified by:
      logout in interface SsoAuthenticator
      Parameters:
      user - The user to logout.
      Returns:
      The logout URL or null if not applicable.
    • getResponse

      public org.lastaflute.web.response.ActionResponse getResponse(SsoResponseType responseType)
      Description copied from interface: SsoAuthenticator
      Gets the action response for the specified SSO response type.
      Specified by:
      getResponse in interface SsoAuthenticator
      Parameters:
      responseType - The type of SSO response required.
      Returns:
      The action response.
    • getMetadataResponse

      protected org.lastaflute.web.response.ActionResponse getMetadataResponse()
      Gets the metadata response.
      Returns:
      The metadata response.
    • getLogoutResponse

      protected org.lastaflute.web.response.ActionResponse getLogoutResponse()
      Gets the logout response.
      Returns:
      The logout response.