<html class="no-js" lang="en" dir="ltr">

<script>

var searchDomain = 'https://developer.okta.com';

var isProduction = window.location.hostname === 'developer.okta.com';

if (isProduction) {

// TypeKit

(function(d) {

var config = {

kitId: 'jff5neq',

scriptTimeout: 3000,

async: true

},

h=d.documentElement,t=setTimeout(function(){h.className=h.className.replace(/bwf-loadingb/g,"")+" wf-inactive";},config.scriptTimeout),tk=d.createElement("script"),f=false,s=d.getElementsByTagName("script")[0],a;h.className+=" wf-loading";tk.src='https://use.typekit.net/'+config.kitId+'.js';tk.async=true;tk.onload=tk.onreadystatechange=function(){a=this.readyState;if(f||a&&a!="complete"&&a!="loaded")return;f=true;clearTimeout(t);try{Typekit.load(config)}catch(e){}};s.parentNode.insertBefore(tk,s)

})(document);

// Google analytics

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){

(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),

m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)

})(window,document,'script','//www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-15777010-3', 'auto');

ga('send', 'pageview');

// START Google Tag Manager

(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':

new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],

j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=

'//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);

})(window,document,'script','dataLayer','GTM-TJ45R6');

// END Google Tag Manager

}

</script>

<meta charset="utf-8">

<meta http-equiv="x-ua-compatible" content="IE=edge,chrome=1">

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<meta name="viewport" content="width=device-width, initial-scale=1">

<link type="text/css" rel="stylesheet" href="https://developer.okta.com/sites/all/themes/developer/css/master.css" media="all" />

<meta class="swiftype" name="title" data-type="string" content="Spring Security SAML | Okta Developer" />

<meta class="swiftype" name="summary" data-type="string" content="Guidance on how to SAML-enable your application using open source Spring Security library." />

<link type="text/css" rel="stylesheet" href="/assets/animate-ec43d72c3ed45e08a460b8a2966d8dba6006aebfa0530935c3973fa493a8771f.css">

<link type="text/css" rel="stylesheet" href="/assets/okta-e0a2f1567b2617a1ac64c3cfe8f94086456f3fb4e1a8ae52fe18398b4ad2ee3f.css">

<link rel="shortcut icon" type="image/vnd.microsoft.icon" href="/favicon.ico">

<title>Spring Security SAML | Okta Developer</title>

<meta name="description" content="Guidance on how to SAML-enable your application using open source Spring Security library.">

<link rel="canonical" href="https://developer.okta.com/code/java/spring_security_saml">

<link rel="alternate" type="application/rss+xml" title="Okta Developer" href="https://developer.okta.com/feed.xml"><!-- GA -->

<div class="Page Page--docs-page">

<!-- START Header -->

<header class="Header is-fixed">

<div class="Wrap">

<a class="Logo" href="https://developer.okta.com">

<svg version="1.1" id="OktaLogo" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 431.9 151.4" style="enable-background:new 0 0 431.9 151.4;" xml:space="preserve"><g><g><g><path d="M102.2,41.4c-21,0-38.1,17.1-38.1,38.1s17.1,38.1,38.1,38.1s38.1-17.1,38.1-38.1l0,0C140.3,58.5,123.2,41.4,102.2,41.4z M102.2,98.5c-10.5,0-19-8.5-19-19s8.5-19,19-19s19,8.5,19,19c0.1,10.5-8.4,19-18.9,19.1C102.3,98.6,102.2,98.6,102.2,98.5L102.2,98.5z"/><path d="M169.1,92.3c0-1.9,1.5-3.4,3.4-3.4c0.9,0,1.8,0.4,2.4,1c9.5,9.7,25.3,26.3,25.4,26.4c0.4,0.5,0.8,0.8,1.4,0.9l1.6,0.2h17.2c1.8,0,3.3-1.4,3.4-3.2c0-0.8-0.3-1.5-0.8-2.2l-28.6-29.2l-1.5-1.5c-3.2-3.9-2.9-5.4,0.8-9.3l22.6-25.1c1.1-1.4,0.8-3.5-0.6-4.6c-0.6-0.4-1.3-0.7-2-0.7h-17c-0.6,0.2-1.1,0.5-1.5,0.9L175,64.4c-1.3,1.4-3.4,1.5-4.8,0.2c-0.7-0.6-1.1-1.5-1.1-2.5V18.9c0-1.7-1.3-3-3-3c-0.1,0-0.2,0-0.3,0h-12.7c-2.2,0-3.3,1.5-3.3,2.8v95.8c0,2.2,1.8,2.8,3.3,2.8h12.7c1.7,0.1,3.2-1.2,3.3-2.9c0,0,0,0,0,0V92.3z"/><path d="M273,114l-1.4-12.8c-0.2-1.7-1.7-2.9-3.4-2.7c0,0,0,0-0.1,0l-2.9,0.2c-10.1,0-18.5-7.9-19-18c0-0.3,0-0.7,0-1V64.2c-0.1-2,1.5-3.6,3.5-3.7c0,0,0,0,0,0h17c1.7-0.1,3.1-1.5,3-3.2c0,0,0-0.1,0-0.1v-12c0-2.3-1.5-3.6-2.8-3.6h-17.1c-1.9,0.1-3.5-1.5-3.6-3.4c0,0,0,0,0,0V18.9c-0.1-1.7-1.5-3.1-3.2-3c0,0-0.1,0-0.1,0h-12.7c-1.6-0.1-3,1.1-3.1,2.7c0,0.1,0,0.1,0,0.2c0,0,0,61.7,0,62c0.5,21,17.9,37.6,38.9,37c1.4,0,2.9-0.2,4.3-0.3C272,117.2,273.2,115.7,273,114z"/></g><path d="M364.7,98c-10.8,0-12.4-3.8-12.4-18.3l0,0V44.8c0-1.8-1.4-3.2-3.2-3.2c0,0-0.1,0-0.1,0h-12.8c-1.8,0-3.2,1.4-3.3,3.2v1.6C314.6,36,291.3,42.5,281,60.8c-10.4,18.3-3.9,41.6,14.4,51.9c14,7.9,31.4,6.2,43.5-4.2c3.6,5.5,9.3,9.1,18.3,9.1c1.5,0,9.7,0.3,9.7-3.5v-13.6C367,99.2,366,98.1,364.7,98z M314.2,98.6c-10.5,0-19-8.5-19-19s8.5-19,19-19s19,8.5,19,19l0,0C333.2,90.1,324.7,98.6,314.2,98.6z"/></g><path d="M19.4,74c2.2-1.9,4.1-4.1,5.7-6.6c3.5-5.3,5.4-11.5,5.2-17.9V27c0-4.9,0.9-8.4,2.7-10.5c1.8-2.1,4.8-3,9.2-3h12.6c1.2,0,2.1-0.9,2.2-2.1l0,0V2.2C57,1,56,0,54.8,0c0,0,0,0,0,0H41.5c-7.8,0-12.9,2.1-18,7.6s-7.1,12.3-7.1,21.7v14.2c0,2.2-0.1,4-0.2,5.7v2.2c-0.5,3.2-1.8,6.2-3.6,8.9C9.4,64.7,5.1,70.9,0.9,74l0,0l-0.3,0.3l0,0l-0.2,0.3H0.2v0.3l0,0c-0.1,0.3-0.1,0.7,0,1l0,0v0.3h0.1l0.2,0.3l0,0l0.3,0.3l0,0c4.2,3.1,8.5,9.3,11.3,13.7c1.8,2.7,3.1,5.7,3.6,8.9v2.2c0.1,1.6,0.2,3.5,0.2,5.7v14.3c0,9.4,2.4,16.7,7.1,21.7s10.2,7.6,18,7.6h13.8c1.2,0,2.2-1,2.2-2.2V140l0,0c0-1.2-1-2.2-2.2-2.2H42.2c-4.4,0-7.5-1-9.2-3s-2.7-5.6-2.7-10.5v-22.4c0.2-6.4-1.7-12.6-5.2-17.9c-1.6-2.5-3.5-4.7-5.7-6.6l0,0c-0.9-0.7-1.1-2-0.4-2.9C19.2,74.3,19.3,74.2,19.4,74L19.4,74z"/><path d="M412.5,74c-2.2-1.9-4.1-4.1-5.7-6.6c-3.5-5.3-5.4-11.5-5.2-17.9V27c0-4.9-0.9-8.4-2.7-10.5s-4.8-3-9.2-3h-12.6c-1.2,0-2.2-1-2.2-2.2c0,0,0,0,0,0l0,0V2.2c0-1.2,1-2.2,2.2-2.2c0,0,0,0,0,0h13.4c7.8,0,12.9,2.1,18,7.6s7.1,12.3,7.1,21.7v14.2c0,2.2,0.1,4,0.2,5.7v2.2c0.5,3.2,1.8,6.2,3.6,8.9c2.8,4.5,7.1,10.7,11.3,13.7l0,0l0.3,0.3l0,0l0.2,0.3h0.1v0.3l0,0c0.1,0.3,0.1,0.7,0,1l0,0v0.3h-0.1l-0.2,0.3l0,0l-0.3,0.3l0,0c-4.2,3.1-8.5,9.3-11.3,13.7c-1.8,2.7-3.1,5.7-3.6,8.9v2.2c-0.1,1.6-0.2,3.5-0.2,5.7v14.3c0,9.4-2.4,16.7-7.1,21.7s-10.2,7.6-18,7.6h-13.4c-1.2,0-2.2-1-2.2-2.2c0,0,0,0,0,0V140l0,0c0-1.2,1-2.2,2.2-2.2l0,0h12.7c4.4,0,7.5-1,9.2-3s2.7-5.6,2.7-10.5v-22.4c-0.2-6.3,1.6-12.6,5.1-17.9c1.6-2.5,3.5-4.7,5.7-6.6l0,0c0.9-0.7,1.1-2,0.4-2.9C412.7,74.3,412.6,74.2,412.5,74L412.5,74z"/></g></svg>

</a>

<nav class="Header-nav PrimaryNav">

<ul class="menu">

<li class="first leaf">

<a href="https://developer.okta.com/product/">Product</a>

</li>

<li class="leaf">

<a href="https://developer.okta.com/pricing/">Pricing</a>

</li>

<li class="leaf">

<a href="/blog/">Blog</a>

</li>

<li class="leaf">

<a href="/documentation/" class="active">Docs</a>

</li>

<li class="last expanded">

<span class="nolink">Support</span>

<ul class="menu">

<li class="first leaf"><a href="https://devforum.okta.com/">Okta Developer Forums</a></li>

<li class="last leaf"><a href="mailto:developers@okta.com">developers@okta.com</a></li>

</ul>

</li>

</ul>

<a class="PrimaryNav-toggle" href="#">

<svg width="20px" height="20px" viewBox="0 0 20 20" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

<g class="MenuIcon" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd" stroke-linecap="round">

<path d="M1,16 L19,16" class="MenuIcon-line1" stroke="#FFFFFF" stroke-width="2"></path>

<path d="M1,4 L19,4" class="MenuIcon-line2" stroke="#FFFFFF" stroke-width="2"></path>

<path d="M1,10 L19,10" class="MenuIcon-line3" stroke="#FFFFFF" stroke-width="2"></path>

<path d="M1,10 L19,10" class="MenuIcon-line4" stroke="#FFFFFF" stroke-width="2"></path>

</g>

</svg>

<svg class="CloseIcon" width="16px" height="16px" viewBox="0 0 16 16" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

<g id="ALl-Boards" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">

<g id="Desktop" transform="translate(-915.000000, -235.000000)" fill="#FFFFFF">

<g id="Search-bar-Active" transform="translate(30.000000, 26.000000)">

<polygon id="Icon/Cross" points="901 210.6 899.4 209 893 215.4 886.6 209 885 210.6 891.4 217 885 223.4 886.6 225 893 218.6 899.4 225 901 223.4 894.6 217"></polygon>

</g>

</g>

</g>

</svg>

</a>

<div class="PrimaryNav-cta">

<a href="https://developer.okta.com/signup/" class="Button--red">Sign up</a>

</div>

<a class="SearchIcon" href="#"></a>

<form id="form_search" class="SearchBar Formisimo_clocked_69929" method="get" action="https://developer.okta.com/search/" name="form_search" __bizdiag="-784164280" __biza="WJ__">

<input type="text" name="stq" autocomplete="off" id="st-search-input-auto" class="st-search-input" placeholder="Search">

<input type="submit" name="submit" value="GO">

</form>

</nav>

</div>

<!-- END Header -->

<!-- START Page Center w/Sub Nav & Content -->

<section class="PageContent DynamicSidebar has-tableOfContents">

<!-- START Fixed sidebar -->

<aside class="Sidebar">

<h2 class="Sidebar-location Sidebar-toggle h6">Navigation</h2>

<div class="Sidebar-close Sidebar-toggle"></div>

<div>

<h3 class="Sidebar-title">Client Integrations</h3>

<ul class="Sidebar-nav">

<li >

<a href="/code/angular/">ANGULAR</a>

</li>

<li >

<a href="/code/ios/">IOS</a>

</li>

<li >

<a href="/code/javascript/">JAVASCRIPT</a>

</li>

<li >

<a href="/code/react/">REACT</a>

</li>

</ul>

<h3 class="Sidebar-title">Server Integrations</h3>

<ul class="Sidebar-nav">

<li >

<a href="/code/dotnet/">.NET</a>

</li>

<li >

<a href="/code/java/">JAVA</a>

</li>

<li >

<a href="/code/nodejs/">NODE.JS</a>

</li>

<li >

<a href="/code/php/">PHP</a>

</li>

<li >

<a href="/code/python/">PYTHON</a>

</li>

</ul>

</div>

</aside>

<!-- END Fixed sidebar -->

<!-- START Page Content -->

<div class="PageContent-main">

<h1 id="overview">Overview</h1>

<p>This guide describes how to use Spring Security SAML to add support

for Okta (via SAML) to Java applications that use the Spring framework.

In this guide, you will learn how to install and configure an Okta

SAML application.</p>

<p>This guide assumes that you are familiar

with the basics of Java software development: editing text files,

using the command line, and running Tomcat, Maven or Gradle.</p>

<p>If you’re already familiar with Okta and Spring, you can skip to

the section titled “Configuring Spring Security SAML to work with Okta”.</p>

<ul class="list-unstyled toc" id="markdown-toc">

<li><a href="#overview" id="markdown-toc-overview">Overview</a> <ul>

<li><a href="#requirements" id="markdown-toc-requirements">Requirements</a></li>

<li><a href="#installation" id="markdown-toc-installation">Installation</a></li>

<li><a href="#configuring-okta-to-work-with-spring-security-saml" id="markdown-toc-configuring-okta-to-work-with-spring-security-saml">Configuring Okta to work with Spring Security SAML</a></li>

<li><a href="#configuring-spring-security-saml-to-work-with-okta" id="markdown-toc-configuring-spring-security-saml-to-work-with-okta">Configuring Spring Security SAML to work with Okta</a></li>

<li><a href="#test-the-saml-integration" id="markdown-toc-test-the-saml-integration">Test the SAML integration</a></li>

<li><a href="#next-steps" id="markdown-toc-next-steps">Next Steps</a></li>

</ul>

</li>

<p>Note: The Spring security SAML toolkit you download is not Okta’s toolkit and is not supported by Okta.</p>

<h2 id="requirements">Requirements</h2>

<p>Please make sure the following are installed before starting installation:</p>

<p><a href="http://www.oracle.com/technetwork/java/javase/overview/index.html">Java 1.6+ SDK</a>

- Check using the command below</p>

<div class="highlighter-rouge"><pre class="highlight"><code>java -version

<p><a href="https://maven.apache.org/download.cgi">Apache Maven</a>

- Check using the command below</p>

<div class="highlighter-rouge"><pre class="highlight"><code>mvn --version

<h2 id="installation">Installation</h2>

<p>This section covers what you need to do to install and configure Tomcat from scratch on Mac OS X. If you already have Tomcat on your system, you can skip to Step 2 below.</p>

<p>How to install the Spring Security SAML sample Okta application on Mac OS X:</p>

<li><strong>Installing Tomcat</strong>

<ul>

<li>If it’s not already installed, install Tomcat with Homebrew using these directions: <a href="http://blog.bolshchikov.net/post/50277857673/installing-tomcat-on-macos-with-homebrew">http://blog.bolshchikov.net/post/50277857673/installing-tomcat-on-macos-with-homebrew</a></li>

</ul>

</li>

<li>

<p><strong>Downloading the Spring SAML Extension</strong></p>

<ul>

<li>

<p>Use <code class="highlighter-rouge">git clone</code> to clone the extention locally</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code>git clone https://github.com/spring-projects/spring-security-saml.git

</div>

</li>

</ul>

</li>

<li>

<p><strong>Downloading sample application</strong></p>

<ul>

<li>

<p>Use <code class="highlighter-rouge">git clone</code> to clone this repository locally</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code>git clone https://github.com/nshobayo/okta-SpringSAML.git

</div>

</li>

<li>

<p>Use the command below to copy the sample Okta application into the Extension’s “src” folder</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code>rm -rf spring-security-saml/sample/src/main

cp -r okta-SpringSAML/src/main spring-security-saml/sample/src

</div>

</li>

</ul>

</li>

<li>

<p><strong>Compilation</strong></p>

<ul>

<li>

<p>Make sure your working directory is the <code class="highlighter-rouge">sample</code> subdirectory of the <code class="highlighter-rouge">spring-security-saml</code> directory</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code><span class="nb">cd </span>spring-security-saml/sample

</div>

</li>

<li>

<p>To compile</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code>../gradlew build install

</div>

</li>

</ul>

<p>This task compiles, tests, and assembles the code into a <code class="highlighter-rouge">.war</code> file.</p>

<p>A successful build should look something like this: <img src="/assets/spring-security-saml-build-bf8c15ab83699043ebba2431b3cef8dc2f13603ae5413215c2aec2cbad2d43a4.png" alt="successful build" /></p>

<ul>

<li>Your compiled war archive file, <code class="highlighter-rouge">spring-security-SAML2-sample.war</code>, can be found in directory <code class="highlighter-rouge">build/libs/</code></li>

</ul>

</li>

<li>

<p><strong>Deployment</strong></p>

<ul>

<li>

<p>Assuming your current directory is <code class="highlighter-rouge">spring-security-saml/sample</code> Use the command below to copy the compiled <code class="highlighter-rouge">spring-security-SAML2-sample.war</code> file to the Tomcat directory you set up in step one</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code> cp build/libs/spring-security-SAML2-sample.war /Library/Tomcat/webapps/

</div>

</li>

</ul>

</li>

<li>

<p><strong>Starting Tomcat</strong></p>

<ul>

<li>

<p>Use the command below to start Tomcat</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code> /Library/Tomcat/bin/startup.sh

</div>

</li>

</ul>

</li>

<li><strong>Starting Application</strong>

<ul>

<li>Load the Spring SAML application by opening this Link: <a href="http://localhost:8080/spring-security-saml2-sample/saml/discovery?entityID=http%3A%2F%2Flocalhost%3A8080%2Fspring-security-saml2-sample%2Fsaml%2Fmetadata&amp;returnIDParam=idp">Sample App</a></li>

<li><strong>Note:</strong> Links on app will not be functional as of yet because we have not yet configured any IDPs. Full app functionality will be completed after the “Configuring Spring Security SAML to work with Okta” section.</li>

</ul>

<p>Here’s what it should look like: <img src="/assets/spring-security-saml-intro-273fa031bb687da6aee67784113e3ea7398e194e706de6ce7553d70be25434b1.png" alt="App Running" /></p>

</li>

<h2 id="configuring-okta-to-work-with-spring-security-saml">Configuring Okta to work with Spring Security SAML</h2>

<p>Before we can configure Spring Security SAML we need to set up an

application in Okta that will connect to Spring Security SAML.</p>

<p>In SAML terminology, what we are doing here is configuring Okta, our

SAML Identity Provider (SAML IdP), with the details of Spring Security

SAML, the new SAML Service Provider (SAML SP) that you will be creating

next.</p>

<p>Here is how to configure Okta:</p>

<li>

<p>Log in to your Okta organization as a user with administrative

privileges.</p>

<p>If you don’t have an Okta organization, you can create a free Okta

Developer Edition organization here:

<a href="https://developer.okta.com/signup/">https://developer.okta.com/signup/</a></p>

</li>

<li>

<p>Click on the blue “Admin” button <img src="/assets/okta-admin-ui-button-admin-fde86b7da4fe6c58611007a97361ac3c876869ec94ffb2a4093019243b728c39.png" alt="Admin" /></p>

</li>

<li>

<p>Click on the “Add Applications” shortcut <img src="/assets/okta-admin-ui-add-applications-c26bf1ab66282dca1b8ef685ad8b234b88e08ff07270c0401454439ecfd206e4.png" alt="Add Applications" /></p>

</li>

<li>

<p>Click on the green “Create New App” button <img src="/assets/okta-admin-ui-button-create-new-app-9a65dd5f6f48440bba64e3704c297fd8be5361d0608979b3d77c4038edf6c15c.png" alt="Create New App" /></p>

</li>

<li>

<p>In the dialog that opens, select the “SAML 2.0” option, then click

the green “Create” button <img src="/assets/okta-admin-ui-create-new-application-integration-6f0c471b53031d1d5a6fc06fd65d1eba8f0135fb6272375f133c4798b9cadb4d.png" alt="Create a New Application Integration" /></p>

</li>

<li>

<p>In Step 1 “General Settings”, enter “Spring Security SAML” in the

“App name” field, then click the green “Next” button. <img src="/assets/spring-security-saml-okta-general-settings-1a2a1485053b86a40c7f9e7c8deca28410b1a2cecf3c1f047677533e90f83ea9.png" alt="General Settings" /></p>

</li>

<li>

<p>In Step 2 “Configure SAML”,

Paste the URL below into the “Single sign on URL” field:</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code>http://localhost:8080/spring-security-saml2-sample/saml/SSO

</div>

<p>Then paste the URL below into the “Audience URI (SP Entity ID)”

field:</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code>http://localhost:8080/spring-security-saml2-sample/saml/metadata

</div>

<p>Attributes of the user to be sent in each SAML assertion can be added under “Attribute Statements” during this step if desired. Theses attribute values can be derived and used from the SP side.</p>

<p>Then click the green “Next” button <img src="/assets/spring-security-saml-settings-e57ff23f79adf4128c3aec89fdcb1cbfa4edda95cdfe4c3c4df0de6eff94cd3b.png" alt="SAML Settings" /></p>

</li>

<li>

<p>In Step 3 “Feedback”, click the checkbox next to the text “This is

an internal application that we created”, then click the green

“Finish” button. <img src="/assets/okta-admin-ui-new-application-step-3-feedback-831346803a6ac5c91d92308b84786541630098c0cbeaec77c3c51a401e1b76d2.png" alt="App type" /></p>

</li>

<li>

<p>You will now see the “Sign On” section of your newly created “Spring

Security SAML” application.</p>

</li>

<li>

<p>Keep this page open it a separate tab or browser window. You will

need to return to this page later in this guide and copy the

“Identity Provider metadata” link. (To copy the that link, right

click on the “Identity Provider metadata” link and select “Copy”) <img src="/assets/okta-admin-ui-identity-provider-metadata-link-312145eacc4d76d493afd1b054f2dbb3dce120dca79e6b645f1155a88dd1b0f1.png" alt="Sign on methods" /></p>

</li>

<li>

<p>Right-click on the “People” section of the “Spring Security SAML”

application and select “Open Link In New Tab” (so that you can come

back to the “Sign On” section later).</p>

<p>In the new tab that opens, click on the “Assign Application” button <img src="/assets/spring-security-saml-okta-assign-people-to-application-08799062da0cb863cdd9cc6f05c95eccb9de352496235e0abe0f649cc15fcf37.png" alt="Assign Application" /></p>

</li>

<li>

<p>A dialog titled “Assign Spring Security SAML to up to 500 people”

will open. Type your username into the search box, select the

checkbox next to your username, then click the green “Next” button <img src="/assets/okta-admin-ui-confirm-assignments-16d648c104dcedd11b4beff3d2e18fba07d65f77021be1d4ab678ac676b97f92.png" alt="People search box" /></p>

</li>

<li>

<p>You will be prompted to “Enter user-specific attributes”. Just click

the green “Confirm Assignments” button to keep the defaults. <img src="/assets/spring-security-saml-okta-confirm-assignments-435c77a884e5acf6b1a3fba08e238770e86af90557d2a4cc38014f56cf3d338c.png" alt="Enter user attributes" /></p>

</li>

<li>

<p>You are now ready to proceed to the next section. Make sure that the

link you copied in step #9 is still in your clipboard, as you will

need it in the next section.</p>

</li>

<h2 id="configuring-spring-security-saml-to-work-with-okta">Configuring Spring Security SAML to work with Okta</h2>

<p>Now that you have configured a “Spring Security SAML” application, you

are ready to configure Spring Security SAML to work with Okta. In this

section we will use the “Identity Provider metadata” link from the

section above to configure Spring Security SAML. Once you’ve completed

these steps, you’ll have a working example of connecting Okta to Spring.</p>

<li>

<p>Open the <code class="highlighter-rouge">securityContext.xml</code> file in your favorite text editor.

If you followed the instructions above for “Installing the Spring

Security SAML sample application” on Mac OS X, this file will be

located here at

<code class="highlighter-rouge">/Library/Tomcat/webapps/spring-security-saml2-sample/WEB-INF/securityContext.xml</code>

(Normally, you would do this step <em>before</em> running Maven or Gradle

to create the .war file you deploy to Tomcat. In this case, I’m

having you edit the file in the Tomcat path directly, since it’s

easier to make small changes and test them this way).</p>

</li>

<li>

<p>Once you’ve opened the <code class="highlighter-rouge">securityContext.xml</code> file, add the XML below

to the end of the tag identified by this CSS selector syntax:

<code class="highlighter-rouge">#metadata &gt; constructor-arg &gt; list</code>.</p>

<div class="language-xml highlighter-rouge"><pre class="highlight"><code><span class="nt">&lt;bean</span> <span class="na">class=</span><span class="s">"org.opensaml.saml2.metadata.provider.HTTPMetadataProvider"</span><span class="nt">&gt;</span>

<span class="c">&lt;!-- URL containing the metadata --&gt;</span>

<span class="nt">&lt;constructor-arg&gt;</span>

<span class="c">&lt;!-- This URL should look something like this: https://{yourOktaDomain}.com/app/abc0defghijK1lmN23o4/sso/saml/metadata --&gt;</span>

<span class="nt">&lt;value</span> <span class="na">type=</span><span class="s">"java.lang.String"</span><span class="nt">&gt;</span>{metadata-url}<span class="nt">&lt;/value&gt;</span>

<span class="nt">&lt;/constructor-arg&gt;</span>

<span class="c">&lt;!-- Timeout for metadata loading in ms --&gt;</span>

<span class="nt">&lt;constructor-arg&gt;</span>

<span class="nt">&lt;value</span> <span class="na">type=</span><span class="s">"int"</span><span class="nt">&gt;</span>5000<span class="nt">&lt;/value&gt;</span>

<span class="nt">&lt;/constructor-arg&gt;</span>

<span class="nt">&lt;property</span> <span class="na">name=</span><span class="s">"parserPool"</span> <span class="na">ref=</span><span class="s">"parserPool"</span><span class="nt">/&gt;</span>

<span class="nt">&lt;/bean&gt;</span>

</div>

</li>

<li>

<p>Make sure to replace the contents of <code class="highlighter-rouge"><span class="p">{</span><span class="err">metdata-url</span><span class="p">}</span></code> with the link

that you copied in step #9 of the “Configuring Okta to work with

Spring Security SAML” instructions above!**</p>

</li>

<li>

<p>Save the <code class="highlighter-rouge">securityContext.xml</code> file, then restart Tomcat</p>

</li>

<li>

<p>If you are using Mac OS X, you can restart Tomcat using the commands

below:</p>

<div class="language-shell highlighter-rouge"><pre class="highlight"><code> /Library/Tomcat/bin/shutdown.sh

/Library/Tomcat/bin/startup.sh

</div>

</li>

<h2 id="test-the-saml-integration">Test the SAML integration</h2>

<p>Now that you’ve set up an application in Okta and configured the Spring

Security SAML example application to use that application, you’re ready

to test it out.</p>

<p>There are two ways to test a SAML application: Starting from the Spring

application (“SP initiated”) and starting from Okta (“IdP initiated”).

You will be testing both methods. In both cases, you will know of the

test worked when you see a screen that looks like the one below: <img src="/assets/spring-security-saml-assert-fdb016601f48ea84b5aacef488453d1dbef4edb2b03620cb4ba4c0cd4563bc78.png" alt="Authenticated user" /></p>

<li>

<p>Login from the Spring Security SAML sample application (This is

known as an “SP initiated” login)</p>

<ul>

<li>

<p>Open the sample application in your browser:

<a href="http://localhost:8080/spring-security-saml2-sample">http://localhost:8080/spring-security-saml2-sample</a></p>

</li>

<li>

<p>Select the Okta IdP from the list

It will be a URL that starts with “http://www.okta.com/”</p>

</li>

<li>

<p>Click the “Start single sign-on” button. <img src="/assets/spring-security-saml-selection-3d1dad32e9379b80d3521b8f5b33031bcc9097687e029e28ef5218285397be07.png" alt="Start single sign-on" /></p>

</li>

</ul>

</li>

<li>

<p>Login from Okta (This is known as an “IdP initiated” login)</p>

<ul>

<li>

<p>Log in to your Okta organization</p>

</li>

<li>

<p>Click the button for the application you created in the

“Configuring Okta to work with Spring Security SAML” section

above: %{ img spring-security-saml-okta-chiclet.png alt:”Spring Security SAML” %}</p>

</li>

</ul>

</li>

<p>If you’re able to get to the “Authenticated User” page using both of the

methods above, then you’re done.</p>

<p>Congratulations on getting Okta working with Spring!</p>

<h2 id="next-steps">Next Steps</h2>

<p>At this point you should be familiar with setting up SAML enabled application to work with an Okta organization and how to configure Spring Security SAML to work with Okta.</p>

<p>After you have Okta working with the example Spring Security SAML application, the next step is to take the example code and move it to your production application. The specifics of how this works is different depending on how your application is set up. Pay special attention to the <code class="highlighter-rouge">securityContext.xml</code> which allows you to add more IDPs to the app as well as control page redirects. Before any changes are made to the <code class="highlighter-rouge">securityContext.xml</code> file, you should consider reading the <a href="http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/">Spring Security SAML reference documents</a> which provides a detailed overview of all the components and features of Spring Security SAML.</p>

<p>If you want to learn more about configuring in SAML and what to consider when writing a SAML application, Okta’s in-depth <a href="/docs/getting_started/saml_guidance.html">SAML guidance</a> is great place to learn more.</p>

</div>

<!-- END Page Content -->

</section>

<!-- END Page Center w/Sub Nav & Content -->

<!-- START Footer -->

<footer class="Footer">

<div class="Wrap">

<div class="Row">

<div class="Column--3 Column--medium-6 Column--xSmall-12">

<a class="Logo" href="https://www.okta.com/" target="_blank" rel="noopener noreferrer">

<img src="https://developer.okta.com/sites/all/themes/developer/images/logo-footer.png" alt="Okta">

Visit okta.com

</a>

</div>

<div class="Column--3 Column--medium-12 Column--xSmall-12">

<h4>Social</h4>

<ul class="Footer-links Footer-links--social">

<li><a class="Footer-links--github" target="_blank" rel="noopener noreferrer" href="http://github.com/oktadeveloper">Github</a></li>

<li><a class="Footer-links--twitter" target="_blank" rel="noopener noreferrer" href="http://twitter.com/OktaDev">Twitter</a></li>

<li><a class="Footer-links--forum" target="_blank" rel="noopener noreferrer" href="https://devforum.okta.com/">Forum</a></li>

<li><a class="Footer-links--rss" target="_blank" rel="noopener noreferrer" href="http://feeds.feedburner.com/OktaBlog">RSS Blog</a></li>

</ul>

</div>

<div class="Column--3 Column--medium-6 Column--small-12">

<h4>More Info</h4>

<ul class="Footer-links">

<li><a target="_blank" href="https://developer.okta.com/integrate-with-okta/">Integrate with Okta</a></li>

<li><a href="/blog/">Blog</a></li>

<li><a href="/docs/platform-release-notes/platform-release-notes.html">Release Notes</a></li>

<li><a href="/3rd_party_notices/">3rd Party Notices</a></li>

</ul>

</div>

<div class="Column--3 Column--medium-6 Column--small-12">

<h4>Contact &amp; Legal</h4>

<ul class="Footer-links">

<li><a href="/contact/">Contact Sales</a></li>

<li><a target="_blank" rel="noopener noreferrer" href="mailto:developers@okta.com">Contact Support</a></li>

<li><a href="/terms/">Terms &amp; Conditions</a></li>

<li><a href="/privacy/">Privacy Policy</a></li>

</ul>

</div>

</div>

</div>

<script type="text/javascript" src="/assets/master-0365dd27cf276cb2a15c0a43906ca592538204cf1ad4557547bf4e50609b411e.js"></script>

<script type="text/javascript" src="/assets/quickstart-26919e2a466e6346d96282973427a3998da81637fd2a2ceb6917a61da7eaf2a8.js"></script>

<script type="text/javascript" src="/assets/docsIndex-aebe0e7212e0f2974ef463f06967cba7144f5eed4f14bb11c346866f3fd4ecb7.js"></script>

<!-- END Footer -->

</div>

<!-- START Post Footer -->

<!-- START Google Tag Manager -->

<!-- https://support.google.com/tagmanager/answer/6103696?hl=en -->

<noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-TJ45R6" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<!-- END Google Tag Manager -->

<!-- START Google Remarketing Tag -->

<script type="text/javascript">

/* <![CDATA[ */

var google_conversion_id = 1006913831;

var google_custom_params = window.google_tag_params;

var google_remarketing_only = true;

/* ]]> */

</script>

<div style="display:none;"><script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"></script></div>

<noscript><div style="display:inline;"><img height="1" width="1" style="border-style:none;" alt="" src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/1006913831/?value=0&amp;guid=ON&amp;script=0"></div></noscript>

<!-- END Google Remarketing Tag -->

<!-- START Crazy Egg Tracking -->

<script type="text/javascript">

setTimeout(function(){var a=document.createElement("script");

var b=document.getElementsByTagName("script")[0];

a.src=document.location.protocol+"//script.crazyegg.com/pages/scripts/0021/9333.js?"+Math.floor(new Date().getTime()/3600000);

a.async=true;a.type="text/javascript";b.parentNode.insertBefore(a,b)}, 1);

</script>

<!-- END Crazy Egg Tracking -->

<!-- END Post Footer -->