Spring Authentication Examples

I started this playground project because I had a few problems configuring SAML2 with Keycloak and Spring Security SAML 2.0. Thomas Darimont's article How to secure a Spring Boot app with SAML and Keycloak and the corresponding spring-boot-security-saml-sample helped me a lot to get started.

Keycloak SAML authentication examples

Keycloak realm configuration (required by these examples)

Documentation

Keycloak Installation and Configuration

  • docker-compose up
  • Import realm
  • Create user in DemoRealm
  • Start example
  • Login

Metadata URLs

IDP Metadata URL

SP Metadata URLs

They are configurable, but currently the registrationId has to be part of the URL (Spring Security's default SP metadata endpoint is /saml2/service-provider-metadata/{registrationId}).

About Keycloak Configuration

In a Keycloak SAML client configuration it is possible to manage signing and encryption keys.
Keycloak does not need to know the signing and encryption private keys; it only needs the client's public keys (certificates).
It is possible to generate new keys, and to import and export keys.
If you generate new keys in Keycloak, it stores both the public and the private key, so that you can later export them as either a JKS or PKCS12 keystore. For anything beyond a playground, prefer generating the key pair on the client side and importing only the certificate into Keycloak, so the private key never leaves the client.
If you import an existing keystore, only the public key (certificate) is stored.

Signing Key

This key has to be configured if Client Signature Required is true.
The client uses its private key to sign the SAML request (AuthnRequest), and Keycloak uses the public key to verify the signature.
Keycloak does not need to know the private key.

Encryption Key

This key has to be configured if Encrypt Assertions is true.
Keycloak encrypts the SAML assertion with the client's public key, and the client uses its private key to decrypt the assertion.
Keycloak does not need to know the private key.
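The client-side counterpart of the two Keycloak settings above, as an added example that is not taken from this project's code: a Spring Security `RelyingPartyRegistration` that loads the SP's signing and encryption key pairs from a PKCS12 keystore and registers the private halves with Spring Security SAML2, while Keycloak only ever sees the exported certificates. The IdP metadata URL, the keystore path, its password and the aliases `sp-signing` and `sp-encryption` are assumptions for this example, not values from the page; the Keycloak URL in particular depends on your Keycloak version (older releases serve realms under `/auth/realms/...`). Keycloak's own signing certificate, which the client needs to verify SAML responses, is pulled in automatically from the IdP metadata by `fromMetadataLocation`.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

@Configuration
public class KeycloakSamlConfig {

    // Assumed values for this example; adapt them to your Keycloak instance and keystore.
    private static final String IDP_METADATA_URL =
            "http://localhost:8080/realms/DemoRealm/protocol/saml/descriptor";
    private static final String KEYSTORE_PATH = "/sp-keystore.p12";          // on the classpath
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    private static final String SIGNING_ALIAS = "sp-signing";
    private static final String ENCRYPTION_ALIAS = "sp-encryption";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
        // The private keys stay here, on the SP. Only the certificates of these two
        // aliases are imported into the Keycloak client ("Keys" tab).
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = KeycloakSamlConfig.class.getResourceAsStream(KEYSTORE_PATH)) {
            keyStore.load(in, KEYSTORE_PASSWORD);
        }
        PrivateKey signingKey = (PrivateKey) keyStore.getKey(SIGNING_ALIAS, KEYSTORE_PASSWORD);
        X509Certificate signingCert = (X509Certificate) keyStore.getCertificate(SIGNING_ALIAS);
        PrivateKey encryptionKey = (PrivateKey) keyStore.getKey(ENCRYPTION_ALIAS, KEYSTORE_PASSWORD);
        X509Certificate encryptionCert = (X509Certificate) keyStore.getCertificate(ENCRYPTION_ALIAS);

        RelyingPartyRegistration registration = RelyingPartyRegistrations
                // Fetches Keycloak's IdP metadata, including its signing certificate
                // (the verification credential) and the SSO endpoint.
                .fromMetadataLocation(IDP_METADATA_URL)
                .registrationId("keycloak")
                // Default Spring Security SP metadata / ACS paths; registrationId is part of both.
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                // Signing key: used to sign AuthnRequests (Keycloak: "Client Signature Required").
                .signingX509Credentials(c -> c.add(Saml2X509Credential.signing(signingKey, signingCert)))
                // Encryption key: used to decrypt assertions (Keycloak: "Encrypt Assertions").
                .decryptionX509Credentials(c -> c.add(Saml2X509Credential.decryption(encryptionKey, encryptionCert)))
                // Sign requests explicitly; Keycloak rejects unsigned ones when the flag above is set.
                .assertingPartyDetails(party -> party.wantAuthnRequestsSigned(true))
                .build();

        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
```

If "Client Signature Required" is enabled in Keycloak but no signing credential is registered on the SP side, the login fails on the Keycloak side before any assertion is issued; if "Encrypt Assertions" is enabled without a decryption credential, the SP receives the response but cannot read the assertion. Keeping the two aliases separate mirrors Keycloak's split between the signing and encryption keys, although a single key pair can be used for both.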