SpringBoot 2 SSO with OAM using SAML2

Question

I am working on a web application of tech stack contains front end ReactJS and backend SpringBoot 2 Microservices. Now it's time for the SSO integration **(single sign on) using the OAM(Oracle Access Manager) using SAML2 **.

I had a discussion with OAM Team and they had given me below details

1. Entity ID or Issuer ID
2. OAM Entry Point or OAM SSO URL
3. X509 Certificate
4. Assertion consumer URL (ACS URL) which i had given to them to receive SAML Response

online i could find few SSO option with SSOCIRCLE, OKTA, ONEIDENTITY etc but couldn't find any resources with Springboot2 + SSO + OAM.

Please throw some lights or any response on how to start would be greatly appreciated.

Answer 1

You can start with OAM installation:

https://docs.oracle.com/en/middleware/idm/access-manager/12.2.1.4/tutorial-oam-install-oam/

Refer to the following link to understand deployment and usage in application: https://docs.oracle.com/en/middleware/idm/access-manager/12.2.1.4/tutorial-oam-protect-wlsapp/#deploy-a-sample-application-to-weblogic-server

Answer 2

You have to integrate below flows

1. Login flow: From your web application (frontend) redirect to the Federation system endpoint (get their login endpoint), this is a browser redirect. Here 2 types of configurations options are available- Either you send the xml Metadata to them when you redirect to their portal OR These configurations can be set at OAM manually and you only have to do a simple browser redirect. (I have tried the 2nd option).

User enters the credentials in Federation page which gets authenticated by IdP and after successful authentication the SP is notified on ACS login url. So your login url will be basically a callback url which will be called by them and they will be sending a SAML response on that callback api. Once you get a notification on your callback you need to redirect the user to your portal.

For this your callback url should set http response status code as 302 and response.headers.location as the endpoint (along with saml response) where you want the user to redirect. Take care of validating saml signature before redirecting user to your portal.

On your frontend code, you will have to check for the SAML response with windows.location.search.

These steps will redirect user back to SP portal.

2. Logout flow: when user clicks on SP logout button, execute your logout api and then redirect user to Federation System's logout url, browser redirection, in this case User's session will also terminate at their(SAML) end and they redirect user to SP portal.

Ensure that user's sessions (both) are in sync. For this keep idle timeout and max session timeout same at both ends.

Hope this helps.