Package org.codelibs.fess.sso.saml
Class SamlAuthenticator
java.lang.Object
org.codelibs.fess.sso.saml.SamlAuthenticator
- All Implemented Interfaces:
SsoAuthenticator
Authenticator for SAML 2.0.
This authenticator enables Single Sign-On (SSO) using SAML 2.0 protocol with Identity Providers such as Okta, Azure AD, OneLogin, etc.
Required Configuration
Add the following properties to system.properties:
# Enable SAML SSO sso.type=saml # Identity Provider settings (obtain from your IdP) saml.idp.entityid=http://www.okta.com/xxxxx saml.idp.single_sign_on_service.url=https://your-domain.okta.com/app/xxxxx/sso/saml saml.idp.x509cert=MIIDqjCCApKgAwIBAgIGAYMwfYAwMA0G...
Service Provider URL Configuration
By default, the SP URLs use http://localhost:8080 as the base URL.
For production or when the IdP is configured with a different URL, you should
set one of the following:
Option 1: Set base URL (recommended for simplicity)
# All SP URLs will be derived from this base URL saml.sp.base.url=https://your-fess-server.example.com
Option 2: Set individual SP URLs
# SP Entity ID (Audience URI in IdP) saml.sp.entityid=https://your-fess-server.example.com/sso/metadata # Assertion Consumer Service URL saml.sp.assertion_consumer_service.url=https://your-fess-server.example.com/sso/ # Single Logout Service URL saml.sp.single_logout_service.url=https://your-fess-server.example.com/sso/logout
Complete Configuration Example (Okta)
sso.type=saml # IdP settings from Okta SAML setup instructions saml.idp.entityid=http://www.okta.com/your-app-id saml.idp.single_sign_on_service.url=https://your-domain.okta.com/app/your-app/your-app-id/sso/saml saml.idp.x509cert=MIIDqjCCApKg... (your IdP certificate) # SP base URL (must match Audience URI configured in Okta) saml.sp.base.url=https://your-fess-server.example.com
Optional Configuration
# User attribute mapping saml.attribute.group.name=groups saml.attribute.role.name=roles # Default groups/roles for authenticated users saml.default.groups=user saml.default.roles=user
Security Settings (Production)
For production environments, consider enabling these security features:
saml.security.authnrequest_signed=true saml.security.want_messages_signed=true saml.security.want_assertions_signed=true
- See Also:
-
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected StringbuildDefaultUrl(String path) Builds a default URL for SAML endpoints.protected org.lastaflute.web.login.credential.LoginCredentialcreateLoginCredential(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.codelibs.saml2.Auth auth) Creates a login credential.org.lastaflute.web.login.credential.LoginCredentialGets the login credential for SSO authentication.protected org.lastaflute.web.response.ActionResponseGets the logout response.protected org.lastaflute.web.response.ActionResponseGets the metadata response.org.lastaflute.web.response.ActionResponsegetResponse(SsoResponseType responseType) Gets the action response for the specified SSO response type.protected org.codelibs.saml2.core.settings.Saml2SettingsGets the SAML settings.voidinit()Initializes the SamlAuthenticator.logout(org.codelibs.fess.mylasta.action.FessUserBean user) Performs logout for the specified user.voidResolves credential using the provided resolver.
-
Field Details
-
SAML_PREFIX
The prefix for SAML properties.- See Also:
-
SAML_STATE
The key for the SAML state in the session.- See Also:
-
SAML_SP_BASE_URL
The property key for the SAML SP base URL.- See Also:
-
-
Constructor Details
-
SamlAuthenticator
public SamlAuthenticator()Constructor.
-
-
Method Details
-
init
@PostConstruct public void init()Initializes the SamlAuthenticator. -
buildDefaultUrl
Builds a default URL for SAML endpoints. Uses the configured base URL or defaults to http://localhost:8080 for compatibility with common SAML IdP configurations.- Parameters:
path- the path to append to the base URL- Returns:
- the complete URL
-
getSettings
protected org.codelibs.saml2.core.settings.Saml2Settings getSettings()Gets the SAML settings.- Returns:
- The SAML settings.
-
getLoginCredential
public org.lastaflute.web.login.credential.LoginCredential getLoginCredential()Description copied from interface:SsoAuthenticatorGets the login credential for SSO authentication.- Specified by:
getLoginCredentialin interfaceSsoAuthenticator- Returns:
- The login credential.
-
createLoginCredential
protected org.lastaflute.web.login.credential.LoginCredential createLoginCredential(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.codelibs.saml2.Auth auth) Creates a login credential.- Parameters:
request- The HTTP request.response- The HTTP response.auth- The SAML authentication.- Returns:
- The login credential.
-
resolveCredential
Description copied from interface:SsoAuthenticatorResolves credential using the provided resolver.- Specified by:
resolveCredentialin interfaceSsoAuthenticator- Parameters:
resolver- The login credential resolver.
-
logout
Description copied from interface:SsoAuthenticatorPerforms logout for the specified user.- Specified by:
logoutin interfaceSsoAuthenticator- Parameters:
user- The user to logout.- Returns:
- The logout URL or null if not applicable.
-
getResponse
Description copied from interface:SsoAuthenticatorGets the action response for the specified SSO response type.- Specified by:
getResponsein interfaceSsoAuthenticator- Parameters:
responseType- The type of SSO response required.- Returns:
- The action response.
-
getMetadataResponse
protected org.lastaflute.web.response.ActionResponse getMetadataResponse()Gets the metadata response.- Returns:
- The metadata response.
-
getLogoutResponse
protected org.lastaflute.web.response.ActionResponse getLogoutResponse()Gets the logout response.- Returns:
- The logout response.
-