Hello Java developers, my name is Matt Raible, and today I'd like to show you how to get started with Spring Boot and SAML. Let's give it a go! This screencast is based on a blog post that we published back in August of 2022, but I just updated it recently to use Spring Boot 3.0.6, because that August blog post actually used a Spring Boot 3.0 snapshot. None of the code changed; it's just nice to use release dependencies. So if you scroll down in the blog post, you can read about everything I'm going to show you today, but there's also a video from my colleague Nick Gamb that shows a developer's guide to SAML. So if you want to dive deeper into SAML and see how it all works, I recommend watching that video. And if you click on the code link up at the top here, it'll take you to the GitHub repo that has all the code in it. In here there's a demo.adoc (adoc for AsciiDoc), and if I click on the raw version, you'll see I get a nice little view here. So I'm going to put that on the left there.

One of my favorite projects in Spring is Spring Security. In most cases it simplifies web security to just a few lines of code. It supports HTTP Basic, JDBC, JWT, OpenID Connect and OAuth, just to name a few. And you might notice that I didn't mention SAML in there. That's because I don't really recommend it. The specification for SAML 2.0 was published in March of 2005, before smartphones and smart devices even existed. So it works great on the web, you know, to do single sign-on in a browser, but not for apps, not for smart TVs or anything like that. Using SAML in 2023 is kind of like implementing a web service using WS-* instead of REST. So my recommendation: use OpenID Connect if you can. If you must use SAML, well, that's what this guide and this screencast are for. And it'll be quick and easy, I promise you.
So check the description below this video for links back to the blog post as well as this demo script and the GitHub repo, so you can do it all yourself if you like. First of all, you'll need Java 17 installed. I'm going to put this on the right here. Java 17, I do have it installed. And sdkman.io is the place to get SDKMAN. SDKMAN allows you to switch between Java versions very easily, so I highly recommend it if you have that need.

So if we look at our table of contents here, we're going to add a SAML application on Okta. We're going to create a Spring Boot app with SAML support, run the app and authenticate, add a logout feature, and customize authorities so we actually take the groups from Okta and translate them into Spring Security authorities. Then we'll do the same thing on Auth0. It's actually a little bit simpler on Auth0. And then I'll deploy it to Heroku in the end to show you what you need to change for production. The brackets at the end of some of the steps indicate IntelliJ live templates that I've pre-recorded, which allow me to just type a few characters and spit out a bunch of code. If you want those live templates, go to github.com/mraible/idea-live-templates. You can also expand the file names in the code that I'll be showing here in this demo script, and that will show you the code as well, so you don't have to use those shortcuts.

To begin, you'll need an Okta developer account, and I already have one. But if you don't, you can create one at developer.okta.com/signup, or install the Okta CLI, which is available at cli.okta.com, and run okta register. So I'm going to go ahead and log into my account here, open up a new browser, this one on the right here, and go to my account, which I need 1Password for because I forget what the name is. Dev177, there it is. And so we'll just copy the password, open and fill here. We're on our way, logging us in.
Remember my credentials; now I'm logged in, and I'm going to want to go to Applications and create a new application. So right under here, Applications, and Create App Integration. Select SAML 2.0, go Next, and then we'll name it Spring Boot SAML. Click Next. Then we'll need to fill out the single sign-on URL. That's this value right here on the left, and this is standard for Spring Security: they have mapped, you know, an endpoint to /login/saml2/sso/okta. After you've configured it appropriately, make sure you leave this box checked there, and then put in the SP entity ID, or the audience URI. Scroll down to the bottom and click Next. Then I'm an Okta customer adding an internal app, and this is an internal app that we have created. All right, I'm going to assign it to the Everyone group. So Assign to Groups, so everyone can log in, and click Done. Then if we go to the Sign On tab and scroll down here, under the SHA-2 certificate, Actions, View IdP metadata. If you click on that, it's got the whole URL right in your browser there, and you can copy that and save it for later. So I'm going to leave that on my clipboard; I'll use it in a few minutes. We've assigned it to the Everyone group; we already did that.

Now we'll create a Spring Boot app using start.spring.io. I'm going to open my terminal here and clear it. You can use start.spring.io to do it, you can use this URL right here that I have, or you can use HTTPie: start.spring.io/starter. So I'm going to copy this right here and we'll do it in the Downloads directory. Make sure nothing's in there. Then we're going to hit that endpoint: Spring Boot version 3.0.6, the dependencies are Spring MVC, Spring Security and Thymeleaf, it's going to be a Gradle project, and we expand it into that spring-boot-saml directory. Then we'll open this up in IntelliJ. And the first thing is to add a home controller.
And this is so that when it comes back to our application, we don't get a 404, which is the default from Spring Boot because there's nothing mapped to the home, or slash, endpoint. So I'm just going to create something so it's mapped there, and we're going to call this HomeController. You can see things aren't quite compiling yet. Well, you'll notice when we created the app, it didn't actually have any SAML dependencies for Spring Security, so we'll get to those in a minute. But you'll see here, this is the home controller, and you can also expand that code and copy and paste it out of there as well. So we'll create a Thymeleaf template called home as well. And this is SAML. Old HTML is my shortcut. This basically just says welcome, and then if you're authenticated, it shows your email address, your authorities and all your different attributes, as well as the logout button.

Then we'll need to modify build.gradle to pull in the Spring Security SAML dependencies. So first of all, add a new repository here, and then set up some constraints so it pulls in the proper version of OpenSAML, and then add the implementation for spring-security-saml2-service-provider down here. All right, now if we refresh our Gradle build and go back to our home controller, you'll see everything's compiling now. And if you look at that, it's a little easier to read that way. So now we can run our app from our IDE right here. And if we go to localhost:8080, you'll see it defaults to user and password authentication. That's because I haven't done everything that I was supposed to. Go back to my instructions: it's basically because I missed a step in my instructions on renaming application.properties to application.yml and putting that metadata URL in there. So go here, rename this, put that in there. Then we need to get that metadata URL. You can see GitHub Copilot is trying to guess at it for me, but it's from here. So grab it from here, go back here, paste it in.
And now if we restart, it'll come up to the authentication with Okta rather than doing it in Spring Security locally. So localhost:8080 again redirects to Okta, and we're successfully logged in, right? Because we already logged into the Okta dashboard. If we try to log out, that doesn't work, because there's a little more setup you need to do for logout. So we'll edit our application on Okta. I think I got that right here. We'll go to the General tab, SAML Settings, and Edit. Click Next here, Configure SAML, Show Advanced Settings, and then scroll down to Enable Single Logout. You need to enable that, but first you have to upload a signature certificate. You can create a private key and a certificate using OpenSSL, and then you have to answer at least one of the questions. So do that in a terminal here. Country name is the one I'll answer. I live in Colorado; how about those Nuggets? Then we'll keep going. Now we have two files in this project, local.crt and local.key; put those in the resources directory here. Then we'll need to modify our application configuration and add some more information here for the logout. So we've got those credentials with the private key location, the certificate location, and the single logout configuration. Now we need to upload that certificate. Browse to it right here under Downloads, spring-boot-saml, src/main/resources. There we are. We can enable single logout, and then the single logout URL is this one, and the service provider issuer, or SP issuer, is that one. Then we can click Next, Finish. Back to our Spring Boot app, we can restart it. Now if we go to localhost:8080, we're logged in and we can log out, right? That takes us back to log in again, since we're securing all paths in our Spring Boot app by default. So that's all working.
Now we can customize, just to show you. You might have noticed when it comes in here and you log in, your authorities are ROLE_USER, except this user actually has many groups assigned to it. It's got the Everyone group, it's got a ROLE_USER and a ROLE_ADMIN. So those aren't coming from Okta and getting translated properly. We need to edit our Okta SAML settings again, right here in General, SAML Settings, to fill in the group attributes section. So click Next, and down here, group attributes, we can add groups. Name format, just leave it as is. Matches regex, so basically include all the groups that this user is a part of. And then above that, we can add other attributes. All right, then save those changes via Next, Next, Finish, or Next, Finish.

Now we'll create a security configuration class, and this will override the default configuration that comes with Spring Security and use a converter to translate those values in the groups attribute into Spring Security authorities. So back to our project right here, SecurityConfiguration, and you'll see it uses a SecurityFilterChain just like most, you know, Spring Security configurations. But then it has OpenSAML as well here for an authentication provider, so it configures that in the new ProviderManager. Everything must be authenticated here. And then it does saml2Logout. And this converter right here basically gets those groups and then maps them to SimpleGrantedAuthorities and adds them all. So, you know, the Saml2Authentication will have all that information in there. Now we can restart our app again. There we are, we're back up and running. Now localhost:8080, log in, and you can see our authorities actually match what our groups are. All right, and we have those other attributes as well. So that's all working. Now we can add support for Auth0 for the same app. So we're going to log into our Auth0 account, or log in with your existing one.
If you don't have one, auth0.com/signup, or log into manage.auth0.com. I've got a browser open here on the right; we'll open that up. GitHub, I've got 1Password here, and copy it. Then I need to do the GitHub Mobile dance with my phone. All right, then we're in. Then I need to use my YubiKey. Remember for 30 days, touch it. Now we're in. We can create a new application and we'll call it Spring Boot SAML. It's a regular web application. We'll need to add localhost:8080/login/saml2/sso/auth0 as an allowed callback, so right under Allowed Callback URLs. Then scroll to the bottom, Advanced Settings, Endpoints, and you can get your metadata URI. I'm just going to save that here. Everything will work if we were to copy that metadata URI into our application and start using it, but logout's not going to work until you go here and turn on the SAML2 add-on. I do think it's kind of neat how Auth0 actually has OIDC working by default and the metadata URI is already configured from an OIDC app. So it's kind of cool that you can have OIDC and SAML on the same app. You'll want to go into the Settings tab here and then change it, because this is all just commented out, showing you a bunch of examples. Set logout callback to this, and single logout enabled to true. Then you can go back to the bottom and click Enable. Then we'll change our application.yml to use Auth0 instead of Okta. So right here, auth0. Then we need to grab that metadata URI from here and we'll put it right there. Restart our app and you should be able to log in with Auth0 now. Access Auth0, again, 1Password. Yep, now I'm logged in. You can see that the email address still isn't coming through and our authorities aren't quite right, but there's a whole bunch of attributes that are available by default, and they have these names for them. So a little bit more information there.
So what we can do is update the groups converter to allow both Okta and Auth0. That's in SecurityConfiguration, and so groups, just right after it: if the groups is null, let's assume it's Auth0 and use those instead. Now we'll need to configure Auth0 to actually populate the user's groups. So log back into your application details and we'll need to add an action for that. If we go to Flows and Login, no tour needed here, we'll create a custom action and we'll call it Add Roles, and everything else can be the defaults. Then we'll change the onExecutePostLogin to basically: if the event is an authorization event, set custom claims. So this will work for OIDC, but it'll also work for SAML, which is pretty cool, right? We're just setting the preferred username and the roles, and then you can deploy it. Now after you've deployed it, you have to go to your Flows, Login, and then drag and drop it in, and then make sure and hit Apply, or it won't actually be using this. And we're going to modify the home controller, since it isn't just email like we typed in for Okta; we're going to need to modify it so if the email is null, go ahead and use a different one, or assume it's Auth0. So I didn't grab all that correctly. Let's grab all this right here. Currently we're using email address like this, and we're going to change it to grabbing that email, and if it's not present, try Auth0, and hopefully that'll work. So now Control-Function-F5. Now we're back at our app here; print out the login again and hit refresh, and hey, it's SSO, so it logs us right in, right? Now we have the correct email address here, and we have the correct authorities coming in. On Auth0 I happened to be assigned to the same groups; that was a JHipster configuration that I did, but basically everything's working as expected. So the cool thing is you can actually support both Auth0 and Okta in your app at the same time, if you want.
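The security configuration class described two sections up, with the Auth0 fallback for the groups attribute that this section adds, written out as an added example. This is not the code from the screencast's repository; it is a Spring Boot 3.0.x / Spring Security 6.0.x configuration I wrote to show the same pattern: let the provider validate the signed SAML response, let the default converter build the principal, then replace the default ROLE_USER authority with one authority per group the IdP sent. The package name, the Auth0 attribute name http://schemas.auth0.com/roles, and the assumption that the Okta group attribute statement is named groups are mine; confirm the names against the attribute list the home page prints after logging in with each IdP.

```java
package com.example.saml; // assumed package name

import static org.springframework.security.config.Customizer.withDefaults;

import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfiguration {

    // Attribute names are assumptions: "groups" is the name given to the Okta group
    // attribute statement; the Auth0 name is what its SAML add-on is expected to emit
    // for the roles claim. Verify both against the attributes shown on the home page.
    static final String OKTA_GROUPS_ATTRIBUTE = "groups";
    static final String AUTH0_ROLES_ATTRIBUTE = "http://schemas.auth0.com/roles";

    @Bean
    SecurityFilterChain configure(HttpSecurity http) throws Exception {
        OpenSaml4AuthenticationProvider authenticationProvider = new OpenSaml4AuthenticationProvider();
        // Swap the default response-to-Authentication converter for one that maps
        // the IdP's group attribute onto Spring Security authorities.
        authenticationProvider.setResponseAuthenticationConverter(groupsConverter());

        http
            // Every path requires an authenticated user, as in the screencast.
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2.authenticationManager(new ProviderManager(authenticationProvider)))
            // Single logout uses the signing credentials from application.yml.
            .saml2Logout(withDefaults());
        return http.build();
    }

    private Converter<ResponseToken, Saml2Authentication> groupsConverter() {
        // The default converter builds the principal and its attribute map from the
        // assertions; the provider has already verified the response before this runs.
        Converter<ResponseToken, Saml2Authentication> delegate =
            OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();

        return responseToken -> {
            Saml2Authentication authentication = delegate.convert(responseToken);
            Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();

            // Okta sends "groups"; if that is absent, assume Auth0 and read its roles attribute.
            List<String> groups = principal.getAttribute(OKTA_GROUPS_ATTRIBUTE);
            if (groups == null) {
                groups = principal.getAttribute(AUTH0_ROLES_ATTRIBUTE);
            }

            // One authority per group name, de-duplicated; fall back to the default
            // authorities (ROLE_USER) when neither IdP sent any groups.
            Set<GrantedAuthority> authorities = new HashSet<>();
            if (groups != null) {
                groups.stream().map(SimpleGrantedAuthority::new).forEach(authorities::add);
            } else {
                authorities.addAll(authentication.getAuthorities());
            }
            return new Saml2Authentication(principal, authentication.getSaml2Response(), authorities);
        };
    }
}
```

Because every group name the IdP emits becomes an authority verbatim, the regex filter on the Okta group attribute statement (and the roles the Auth0 action puts in the claim) is effectively the authorization allowlist for this app; keep it to the groups the application actually checks rather than everything the user belongs to.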
Under application.yml, you have auth0 here, but you can change it so you have okta down at the bottom here, right? Make sure we're doing our YAML correctly. The cool thing is there are ways of using YAML to say, hey, this is referenceable, and then it's referenced down there, right? Same thing with our logout settings here. So DRY, do not repeat yourself, and a little more slick that way. Then we'll grab our metadata URL from there and we'll paste it in here for okta, right? So everything should be good as long as our YAML lines up, and we can again Control-Function-F5. Now if we refresh, or we just go to localhost:8080, it'll actually prompt us for both, right? So Auth0, log in and log out; Okta, log in and log out. To prove they're both working: Auth0 prompts you to log in again because we logged out; Okta, same way. So pretty slick.

Now we can deploy it to production. I like Heroku; I realize it's a bit dated, but it works awesome for a Java app. It's one of the easiest to deploy to, so I'm just going to do it. To do that, you can use heroku create from the command line. So we'll stop this one. You will need the Heroku CLI installed, so if you don't have it, go here to Dev Center and the Heroku CLI; I'll show you the whole URL up there so you can grab it. Then you'll basically do a few things. First, you'll create a new app on Heroku, and put this back on the left. So heroku create creates a new app for us. Then we can create a system.properties file in the root directory to force Java 17, java.runtime.version=17, and then a Procfile that tells Heroku how to run it. It just uses Java, sets the memory to more than the defaults, and then runs our jar, because, make jar, not war. Okay, then we'll commit our changes: git init, git add, git commit, and then we can do heroku git:remote -a and scroll up to get that name: mysterious-peak-21987.
Once we've set that, then if you do git remote -v you can see it's there, and we can set heroku config:set GRADLE_TASK, because the default is not correct. Or it just builds it, right? It doesn't run it. So this is actually running it, and so we want to git push, or, not running it but building it, right? bootJar builds it, bootRun runs it. So git push heroku main, and while that's doing it, we do have the URL of our app, or what it will be, right? That's back up here. That's this mysterious-peak. So let's put that. Okay, we'll need to update Okta and Auth0 to use that Heroku app URL, because we have localhost:8080 in a number of spots. So we'll go back to Okta here, and first of all in General you'll see all these right here. Next, and we need to change this one to Heroku, okay? Make sure you don't have double slashes in there, and then this one as well, and then Show Advanced Settings and the single logout URL, and the SP issuer. Now hit Next, Finish. Then on Auth0, go to Applications, and the cool thing about Auth0 is you can actually have multiple. On Okta, I didn't see it was possible to have multiple callback or logout URLs. So I can do this, then add the /login/saml2/sso to the end. Make sure we have that. Save it. Oh, I think it was up on the Add-ons. So Settings. We can add a second one here. At least it worked when I tried it earlier. Can't guarantee it's going to work now, but I think it will, as long as I get my URLs right. Yep. Then scroll down, click Save. Now let's see if it's deployed. It looks like it is. We can go here; it'll prompt us to log in with Auth0, and we can sure enough do that. Oh, what is that? Hey, I guess Google doesn't like Heroku. It totally worked; I did it earlier. What the heck? Deceptive site ahead. All right. Well, what do you do when Chrome doesn't work? You try Firefox, right? So let's try Firefox. Not now. And Auth0, and that works. So whatever, Chrome; that worked great, right?
Like, we're logged in and we're on Heroku and everything, so we can log out. Oh, it's still going. So I guess it didn't work, right? You can see it's got both URLs in there, so we need to go back here and actually update this to remove this one. Save it, back to Firefox here, and maybe we can just do it ourselves. Yay. All right. Then try Okta, and we can log in there. It didn't like that we're going to log out. Maybe it was trying to save that. So now Okta's working. Let's try it again to make sure. All right. So both Okta and Auth0 work with Spring Boot SAML. I hope you had fun and enjoyed this Spring Boot demo. If you love Spring Security as much as I do, hopefully you can use it to secure your apps as well, and it'll just work awesome. You can find all the source code for this on GitHub if you scroll to the bottom here, at oktadev/okta-spring-boot-saml-example. If you click on that, you can get to the blog post up here in the top right as well. Thanks for watching. I hope you learned something from this screencast. If you'd like to see when I publish more screencasts, follow me on Twitter at @mraible. I'm also on LinkedIn, since Twitter's kind of rocky these days; find me there at mraible as well. Follow my whole team on Twitter at @oktadev, and of course, subscribe to our YouTube channel so you can watch more awesome videos like this one. Hope you have a great day. Cheers.