still not working

fda-authentication-service/.gitignore

@@ -6,7 +6,7 @@ target/
 
 ### Generated ###
 ready
-*.jks
+*.pem
 
 ### STS ###
 .apt_generated

fda-authentication-service/README.md

@@ -9,4 +9,4 @@ use TU Wien SSO
 
 ## Development
 
-Context metadata for IdP: `http://localhost:9097/context/saml/metadata`
+Context metadata for IdP: `http://localhost:9097/saml/metadata`
\ No newline at end of file

fda-authentication-service/pom.xml

@@ -33,19 +33,6 @@
     </properties>
 
     <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security.extensions</groupId>
-            <artifactId>spring-security-saml2-core</artifactId>
-            <version>${spring-saml.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-validation</artifactId>
@@ -60,6 +47,16 @@
             <artifactId>javax.ws.rs-api</artifactId>
             <version>${javax-rs.version}</version>
         </dependency>
+        <!-- SAML -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security.extensions</groupId>
+            <artifactId>spring-security-saml2-core</artifactId>
+            <version>${spring-saml.version}</version>
+        </dependency>
         <!-- Entity and API -->
         <dependency>
             <groupId>at.tuwien</groupId>
@@ -74,6 +71,11 @@
             <scope>compile</scope>
         </dependency>
         <!-- Testing -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>

fda-authentication-service/rest-service/src/main/java/at/tuwien/FdaAuthenticationServiceApplication.java

@@ -5,11 +5,11 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
 import org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration;
 import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration;
-import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import springfox.documentation.oas.annotations.EnableOpenApi;
 
-@EnableWebMvc
 @EnableOpenApi
+@EnableWebSecurity
 @SpringBootApplication(exclude = {DataSourceAutoConfiguration.class,
         DataSourceTransactionManagerAutoConfiguration.class, HibernateJpaAutoConfiguration.class})
 public class FdaAuthenticationServiceApplication {

fda-authentication-service/rest-service/src/main/java/at/tuwien/endpoints/AuthenticationEndpoint.java

 package at.tuwien.endpoints;
 
-import io.swagger.annotations.ApiOperation;
-import io.swagger.annotations.ApiResponse;
-import io.swagger.annotations.ApiResponses;
-import lombok.extern.log4j.Log4j2;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.security.authentication.AnonymousAuthenticationToken;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.saml.metadata.MetadataManager;
 import org.springframework.web.bind.annotation.*;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.Set;
-
-/**
- * https://www.baeldung.com/spring-security-saml
- */
-@Log4j2
-@RestController
-@CrossOrigin(origins = "*")
-@ControllerAdvice
-@RequestMapping("/api/auth")
+@RestController("/api/auth")
 public class AuthenticationEndpoint {
 
-    private final MetadataManager metadataManager;
-
-    @Autowired
-    public AuthenticationEndpoint(MetadataManager metadataManager) {
-        this.metadataManager = metadataManager;
+    @RequestMapping("/")
+    public String index() {
+        return "index";
     }
 
-//    @GetMapping
-//    @ApiOperation(value = "Check user authentication", notes = "Check if the user is authenticated")
-//    @ApiResponses({
-//            @ApiResponse(code = 202, message = "User is authenticated."),
-//            @ApiResponse(code = 401, message = "The user is not authenticated"),
-//    })
-//    public ResponseEntity<?> status() {
-//        final Authentication auth = SecurityContextHolder.getContext()
-//                .getAuthentication();
-//        if (auth.isAuthenticated()) {
-//            return ResponseEntity.status(HttpStatus.ACCEPTED)
-//                    .build();
-//        }
-//        return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
-//                .build();
-//    }
-//
-    @RequestMapping(value = "/discovery", method = RequestMethod.GET)
-    public String idpSelection(HttpServletRequest request) {
-        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-        if (auth == null) {
-            log.debug("Current authentication instance from security context is null");
-        } else {
-            log.debug("Current authentication instance from security context: {}", this.getClass().getSimpleName());
-        }
-        if (auth == null || (auth instanceof AnonymousAuthenticationToken)) {
-            final Set<String> idps = metadataManager.getIDPEntityNames();
-            for (String idp : idps) {
-                log.debug("Configured Identity Provider for SSO: {}", idp);
-            }
-            return "pages/discovery";
-        } else {
-            log.warn("The current user is already logged.");
-            return "redirect:/landing";
-        }
+    @RequestMapping("/hello")
+    public String hello() {
+        return "hello";
     }
 
 }
\ No newline at end of file

fda-authentication-service/rest-service/src/main/resources/application-docker.yml

@@ -16,9 +16,6 @@ eureka:
 fda:
   ready.path: /ready
   identity.provider:
-    discovery:
-      url: http://localhost:9097/context/saml/discovery
-      response: http://localhost:9097/context/saml/login
     metadata: https://idp.zid.tuwien.ac.at/saml2
     issuer:
     cert: /okta.crt

fda-authentication-service/rest-service/src/main/resources/application.yml

@@ -6,6 +6,7 @@ spring:
     loadbalancer.ribbon.enabled: false
   security:
     saml2:
+      metadata: ./rest-service/src/main/resources/saml/metadata.xml
       relyingparty:
         registration:
           okta-saml:
@@ -15,7 +16,14 @@ spring:
                 - certificate-location: "classpath:x509/okta.crt"
               singlesignon.url: https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml
               singlesignon.sign-request: false
-server.port: 9097
+server:
+  port: 9097
+  ssl.enabled: true
+  ssl:
+    key-alias: dbrepo
+    key-store: classpath:saml/dbrepo.p12
+    key-store-password: dbrepo
+    key-store-type: pkcs12
 logging:
   pattern.console: "%d %highlight(%-5level) %msg%n"
   level:
@@ -26,13 +34,3 @@ eureka:
   client.serviceUrl.defaultZone: http://localhost:9090/eureka/
 fda:
   ready.path: ./ready
\ No newline at end of file
-  identity.provider:
-    metadata: ./rest-service/src/main/resources/idp_metadata.xml
-    discovery:
-      url: http://localhost:9097/context/saml/discovery
-      response: http://localhost:9097/context/saml/login
-  saml:
-    keystore:
-      location: ./dbrepo.jks
-      alias: dbrepo
-      password: dbrepo
\ No newline at end of file

fda-authentication-service/rest-service/src/main/resources/idp_metadata.xml → fda-authentication-service/rest-service/src/main/resources/saml/idp_metadata.xml

@@ -34,4 +34,24 @@
         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                 Location="https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml"/>
     </md:IDPSSODescriptor>
+    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                     Location="https://dbrepo.ossdip.at/api/auth"
+                                     index="1" />
+
+    </md:SPSSODescriptor>
+    <md:Organization>
+        <md:OrganizationName xml:lang="en-US">Technische Universität Wien</md:OrganizationName>
+        <md:OrganizationDisplayName xml:lang="en-US">TU Wien</md:OrganizationDisplayName>
+        <md:OrganizationURL xml:lang="en-US">https://tuwien.ac.at</md:OrganizationURL>
+    </md:Organization>
+    <md:ContactPerson contactType="technical">
+        <md:GivenName>Martin Weise</md:GivenName>
+        <md:EmailAddress>martin.weise@tuwien.ac.at</md:EmailAddress>
+    </md:ContactPerson>
+    <md:ContactPerson contactType="support">
+        <md:GivenName>Andreas Rauber</md:GivenName>
+        <md:EmailAddress>andreas.rauber@tuwien.ac.at</md:EmailAddress>
+    </md:ContactPerson>
 </md:EntityDescriptor>
\ No newline at end of file

fda-authentication-service/rest-service/src/main/resources/saml/metadata.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor entityID="http://www.okta.com/exk26nye6eBAomvJW5d7"
+                     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+    <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
+                         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:KeyDescriptor use="signing">
+            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                <ds:X509Data>
+                    <ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAXxuFWkiMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG
+                        A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+                        MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi0xMzk1MzkxNTEcMBoGCSqGSIb3DQEJ
+                        ARYNaW5mb0Bva3RhLmNvbTAeFw0yMTEwMTEwNjQwMDlaFw0zMTEwMTEwNjQxMDlaMIGUMQswCQYD
+                        VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG
+                        A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi0xMzk1MzkxNTEc
+                        MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+                        ggEBAIZny5u9B0ooc5OigsxXv9MisZZzvXdoiIUtkF3Lvd2wEsdEcl8JPeZ0Id9xskaxkVhvvVeW
+                        W+R0yADi4mmDkqrKfOkSKqBSFlaHAlH1OZyfWLTLmMwxTuVNCu200ok33p/iyJ5dff914YEuQRVw
+                        1u+t9UVwtSrNoDaJG8vxh1JsZ1zXceGRENvD/NdzV/PherPNmKnnr2r10uKTDrc03NJt22AOGxY0
+                        s0NDHU2hqm8xNiGnztZxlcrjTKtUljOQnAsaqY+AugH1Ov40VABotgg+r69uz+lYpbDiDtpZbPfK
+                        gwCcQwWeX0VaYDeK+ESXxo55eM8qxeMbC6CrKIALLw0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+                        WgUI3wswTBZa7zkF90KTnlb7+qnks4rdV8c6Guxpj5TIqsAZjDYv573Dqqpsp5QJBSfUwO1iRdXf
+                        ueO6r8haLY2ukk5vjZd31GboH+e+py6nVATUZ5xL2JxMhDgG8Hh9Gg/rl04O4Uk12f9YJF1k5Qko
+                        ZQ3Kaxf/5nKw3mJL4wzmJz3ezeEn4M5VyC6BfhIcIC+asScsEgjRNQQ/SrgG7ywl0C3i+P41Nw9x
+                        cWXQ6pepnLVR9q1aaLv2cyZ7RiN0JyKxruWdZPAluPODEp65TpfKbfCBXM00Bikm4MW76rXH2sjI
+                        uUmMDfGSFmR+urDPJdc8kL26X0kwUrbEXXsT3g==
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </md:KeyDescriptor>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                Location="https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml"/>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                                Location="https://dev-13953915.okta.com/app/dev-13953915_testtusaml_1/exk26nye6eBAomvJW5d7/sso/saml"/>
+    </md:IDPSSODescriptor>
+    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                     Location="http://localhost:9097/api/auth"
+                                     index="1" />
+
+    </md:SPSSODescriptor>
+    <md:Organization>
+        <md:OrganizationName xml:lang="en-US">Technische Universität Wien</md:OrganizationName>
+        <md:OrganizationDisplayName xml:lang="en-US">TU Wien</md:OrganizationDisplayName>
+        <md:OrganizationURL xml:lang="en-US">https://tuwien.ac.at</md:OrganizationURL>
+    </md:Organization>
+    <md:ContactPerson contactType="technical">
+        <md:GivenName>Martin Weise</md:GivenName>
+        <md:EmailAddress>martin.weise@tuwien.ac.at</md:EmailAddress>
+    </md:ContactPerson>
+    <md:ContactPerson contactType="support">
+        <md:GivenName>Andreas Rauber</md:GivenName>
+        <md:EmailAddress>andreas.rauber@tuwien.ac.at</md:EmailAddress>
+    </md:ContactPerson>
+</md:EntityDescriptor>
\ No newline at end of file

fda-authentication-service/rest-service/src/main/resources/sp_metadata.xml → fda-authentication-service/rest-service/src/main/resources/saml/sp_metadata.xml

 <?xml version="1.0"?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-                     validUntil="2021-10-13T10:33:48Z"
+                     validUntil="2021-10-13T15:46:10Z"
                      cacheDuration="PT604800S"
                      entityID="at:tuwien:dbrepo:auth">
     <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-                                     Location="http://localhost:9097/api/auth"
+                                     Location="https://dbrepo.ossdip.at/api/auth"
                                      index="1" />
 
     </md:SPSSODescriptor>
+    <md:Organization>
+        <md:OrganizationName xml:lang="en-US">Technische Universität Wien</md:OrganizationName>
+        <md:OrganizationDisplayName xml:lang="en-US">TU Wien</md:OrganizationDisplayName>
+        <md:OrganizationURL xml:lang="en-US">https://tuwien.ac.at</md:OrganizationURL>
+    </md:Organization>
     <md:ContactPerson contactType="technical">
         <md:GivenName>Martin Weise</md:GivenName>
         <md:EmailAddress>martin.weise@tuwien.ac.at</md:EmailAddress>

fda-authentication-service/rest-service/src/main/resources/x509/dev-ossdip-at-chain.pem

+-----BEGIN CERTIFICATE-----
+MIIFITCCBAmgAwIBAgISBEh169kOMeYh+SgBdP8KFL2fMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yMTEwMTIwNzA4NTVaFw0yMjAxMTAwNzA4NTRaMBgxFjAUBgNVBAMT
+DWRldi5vc3NkaXAuYXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm
+vl9NZd4qV53j8U1irMwR0RXR2tl0i3FqXUxGYUHabIADLciAzl83vFnPMmJFeubn
+DBGfkP2Z7Q+96fgwuxhXVVovT4uCwNcUGW66LzwemYJKnauy6muPooyllLO/mHAe
+hhtdber7H9dwj8gdTjIDGRgw/owElsMGYOt1XxXRpnmh6QzvprT38Lt7OTfRlvlz
+//p0PoYzfeI295fSGuIAl2rVAOQJq/n/Nl3dbTQ4KdLn0raf5am1ah+S904br34J
+FyDfziswLGNRQ4SuYxFUXmfyV8TsxmJeRRfBa6JFofbAsuvzJ/TcJDiaLcsWjbWz
+KQTz8tWhTA1U5McU0sLTAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD
+VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
+BBYEFIDkQgQxxpq9cTecpFYY97S7ClRyMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
+QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
+Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
+MBgGA1UdEQQRMA+CDWRldi5vc3NkaXAuYXQwTAYDVR0gBEUwQzAIBgZngQwBAgEw
+NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j
+cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdgBByMqx3yJGShDGoToJ
+QodeTjGLGwPr60vHaPCQYpYG9gAAAXxzjB5xAAAEAwBHMEUCIQCYOtWFJnGtJ2kC
+E+De2h/eWKrQPf6guJq/tCWz3XdCPQIgdPKdERwSqECytmCG2jPXLMSxL+LrIPtY
+Zl/cZSePFzkAdwBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXxz
+jCKvAAAEAwBIMEYCIQCb1vdGOZx4MU72UABM5WOdUNKLZyuqmRYY8MWCiEnuMgIh
+AL1Q3SAtogxxJh61qIk9/9R+0n1xQ+xxPkq81uid+l8cMA0GCSqGSIb3DQEBCwUA
+A4IBAQADxwr9oAA5hCyqqzcmqgk0fk6wv3r/hzki+mZ/CjiIN9HdcOP5rP+B29Xu
+WvN+8j/nIOuwGg1vI/vQn3XUg/ICsaVDTqnN6FiK6+08Vp1A90j0hhExFMWWNIbA
+OIE/KYHnqpu0jFBKRA7XhRAXCyl1JGbfhxdHJHt2oZ9RKB85b9NogUB4II9A2rE2
+BUyS4fpUAFWJOWrkvc6uV2gWfMfr85L6rnpBl6xBuEr/9zOK87jjiqyq86MBTvPu
+6Pyd0m0OA9fiP/8XzrdOtmUX0yXxCpUzT7VzW/85oFU8HG1dbfu0QqGmYgYKEgwe
+r8US8fgeAoSkCQJmQC6z8/PRtkI0
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
\ No newline at end of file

fda-authentication-service/rest-service/src/main/resources/x509/dev-ossdip-at-key.pem

+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCmvl9NZd4qV53j
+8U1irMwR0RXR2tl0i3FqXUxGYUHabIADLciAzl83vFnPMmJFeubnDBGfkP2Z7Q+9
+6fgwuxhXVVovT4uCwNcUGW66LzwemYJKnauy6muPooyllLO/mHAehhtdber7H9dw
+j8gdTjIDGRgw/owElsMGYOt1XxXRpnmh6QzvprT38Lt7OTfRlvlz//p0PoYzfeI2
+95fSGuIAl2rVAOQJq/n/Nl3dbTQ4KdLn0raf5am1ah+S904br34JFyDfziswLGNR
+Q4SuYxFUXmfyV8TsxmJeRRfBa6JFofbAsuvzJ/TcJDiaLcsWjbWzKQTz8tWhTA1U
+5McU0sLTAgMBAAECggEALFYeXSQjCLs3Xm7BFuW/dVVVKfG5NIYHaDLanzQpIH0N
+JMs9rxIwu083yiIpgzQExZat8PHKnO0t7F+UANEezcoCKuZJwECqb8u7Z4I7yB8l
+R9XY27/9Tbn5D+YUTXOpDFS4XgVmH9P9ow54NWKfZbd8eTqV3HqB7OZEdXcNBCuD
+1RPpEB+UJx+7HMfqRfyjSF0fKOEPjq2aBw3DfYuwiU2O/L9n5KftU05AQA8FTGe+
+gOnnGjEIPvwykspB8pgKri9TB3RAs22mrho1L7j3ThEBa+sauvUWsKG72WjHjzKJ
+07WGa28uW2qhXxGZD5aAbOmLHHV2d9F81OpeRnM7kQKBgQDZO9cBdO2lvGVsnAVi
+O0G1gSficX/jFUEKb15EzvyEuEElCFcIOWZgvmn+9Zr4TAJLzgSUgGTlREvLM4Zf
+mh2RR2fXRMbmPiI+37+E/841Aa5b/pfJj4kolz2Y3FmlrztPTlPkx8kFckdW4HSH
+WHM3VlIfWSWdGQye8EuPC5+mXQKBgQDEf+4M8q16q4SxnX2Yci46cZbnS98n7QG/
+HnuVElmnodxV7OOc773x7/nyoW8j3hhD9GWQkPjQMbT5c8pMix5+/AG2vvjtzhJW
+klnYz7iw2k6+OY1oMSPu+f/wBpXOhJCniAFjPJCXwpSA+h0KuaxfOhxxOZl++E8c
+gEmbc1Ua7wKBgQChBt6F0esnY9O7ApxrCInYxXiPPpsR9XtVBODYGKbOqtZ/YQNC
+sWnWZM+lkuHhFFbPYlO60MH5wPp+Eh+VVmR8gHXU+MKHgZ9ZA/qv1/8/A5P/1WUm
+oCOH1zRtz0kUrCRG0UUW3ZGBXAjNuWwnt8UQTAhr/GUJYrwcRPt9eZxKcQKBgQDE
+P3RTUCd8RULQVRczoo2S5xEsTbVA3c8Jvnr0hhAugFRbKKymdzXAJMj/zsT+EHkx
+nSu2d2NYIty46jDXw3WgozVe+1oHvvDHr4C2LbcqQc205CvbLIDT0rEPWrRRPkpu
+V0Hzh3BtcPL54VIR/SAvNw1i84Des0XnlCRvcX9E1wKBgQC8DgYnsMEGFpVBp1xT
+0ER0XSq5njl6vAoUCkw3jN+dkWxYjI9sWQtP5pyrE0kWDG8h9/mbRG5rTFK7PzK6
+Vilqp7hws3NuKec3uRBtoeZI2wIBVfBihTLM7AhUROsrbf2ocP1jfEvl7yd49UYI
+i/dStaqfpozr864eytU8Pzct3g==
+-----END PRIVATE KEY-----
\ No newline at end of file

fda-authentication-service/services/src/main/java/at/tuwien/config/SamlConfig.java

 package at.tuwien.config;
 
-import at.tuwien.service.UserService;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
 import org.apache.velocity.app.VelocityEngine;
-import org.opensaml.saml2.metadata.provider.*;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.xml.parse.ParserPool;
 import org.opensaml.xml.parse.StaticBasicParserPool;
 import org.springframework.beans.factory.DisposableBean;
 import org.springframework.beans.factory.InitializingBean;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
@@ -48,42 +48,26 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import java.io.File;
 import java.util.*;
 
-/**
- *
- */
 @Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(securedEnabled = true)
 public class SamlConfig extends WebSecurityConfigurerAdapter implements InitializingBean, DisposableBean {
 
-    private final UserService userService;
-
     private Timer backgroundTaskTimer;
     private MultiThreadedHttpConnectionManager multiThreadedHttpConnectionManager;
 
-    @Autowired
-    public SamlConfig(UserService userService) {
-        this.userService = userService;
-    }
+    @Value("${spring.security.saml2.metadata}")
+    private String serviceMetadataPath;
 
-    @Value("${fda.saml.keystore.location}")
+    @Value("${server.ssl.key-store}")
     private String samlKeystoreLocation;
 
-    @Value("${fda.saml.keystore.alias}")
+    @Value("${server.ssl.key-alias}")
     private String samlKeystoreAlias;
 
-    @Value("${fda.saml.keystore.password}")
+    @Value("${server.ssl.key-store-password}")
     private String samlKeystorePassword;
 
-    @Value("${fda.identity.provider.metadata}")
-    private String identityProviderMetadataPath;
-
-    @Value("${fda.identity.provider.discovery.url}")
-    private String identityProviderDiscoveryUrl;
-
-    @Value("${fda.identity.provider.discovery.response}")
-    private String identityProviderDiscoveryResponseUrl;
-
     /* The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there */
     @Bean
     public MetadataDisplayFilter metadataDisplayFilter() {
@@ -121,7 +105,7 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
     /* Processing filter for WebSSO profile messages */
     @Bean
     public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
-        SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
+        final SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
         samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
         samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
         samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
@@ -151,8 +135,7 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
         return logoutHandler;
     }
 
-    /* Filter processing incoming logout messages. First argument determines URL user will be redirected to after
-    successful global logout */
+    /* Filter processing incoming logout messages */
     @Bean
     public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
         return new SAMLLogoutProcessingFilter(successLogoutHandler(),
@@ -217,39 +200,24 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
         return new SAMLProcessorImpl(bindings);
     }
 
-    /**
-     * Define the security filter chain in order to support SSO Auth by using SAML 2.0
-     *
-     * @return Filter chain proxy
-     * @throws Exception
-     */
+    /* Define the security filter chain in order to support SSO Auth by using SAML 2.0 */
     @Bean
     public FilterChainProxy samlFilter() throws Exception {
         List<SecurityFilterChain> chains = new ArrayList<>();
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/login/**"),
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
+                samlWebSSOProcessingFilter()));
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
+                samlDiscovery()));
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
                 samlEntryPoint()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/logout/**"),
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
                 samlLogoutFilter()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/metadata/**"),
-                metadataDisplayFilter()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/SSO/**"),
-                samlWebSSOProcessingFilter()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/SSOHoK/**"),
-                samlWebSSOHoKProcessingFilter()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/SingleLogout/**"),
+        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
                 samlLogoutProcessingFilter()));
-        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/context/saml/discovery/**"),
-                samlDiscovery()));
         return new FilterChainProxy(chains);
     }
 
-    /**
-     * Returns the authentication manager currently used by Spring.
-     * It represents a bean definition with the aim allow wiring from
-     * other classes performing the Inversion of Control (IoC).
-     *
-     * @throws Exception
-     */
+    /* Returns the authentication manager currently used by Spring. */
     @Bean
     @Override
     public AuthenticationManager authenticationManagerBean() throws Exception {
@@ -258,9 +226,6 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
 
     /**
      * Defines the web based security configuration.
-     *
-     * @param http It allows configuring web based security for specific http requests.
-     * @throws Exception
      */
     @Override
     protected void configure(HttpSecurity http) throws Exception {
@@ -282,9 +247,6 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
 
     /**
      * Sets a custom authentication provider.
-     *
-     * @param auth SecurityBuilder used to create an AuthenticationManager.
-     * @throws Exception
      */
     @Override
     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
@@ -326,7 +288,7 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
     @Qualifier("idp-ssocircle")
     public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider() throws MetadataProviderException {
         final FilesystemMetadataProvider filesystemMetadataProvider = new FilesystemMetadataProvider(
-                new File(identityProviderMetadataPath));
+                new File(serviceMetadataPath));
         filesystemMetadataProvider.setParserPool(parserPool());
         final ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(filesystemMetadataProvider,
                 extendedMetadata());
@@ -338,10 +300,8 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
 
     /* IDP Discovery Service */
     @Bean
-    public SAMLDiscovery samlDiscovery() {
-        SAMLDiscovery idpDiscovery = new SAMLDiscovery();
-        idpDiscovery.setIdpSelectionPath("/api/auth/discovery");
-        return idpDiscovery;
+    public SAMLDiscovery samlDiscovery() throws MetadataProviderException {
+        return new SAMLDiscovery();
     }
 
     /* Setup advanced info about metadata */
@@ -350,8 +310,6 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
         ExtendedMetadata extendedMetadata = new ExtendedMetadata();
         extendedMetadata.setLocal(true);
         extendedMetadata.setIdpDiscoveryEnabled(true);
-        extendedMetadata.setIdpDiscoveryURL(identityProviderDiscoveryUrl);
-        extendedMetadata.setIdpDiscoveryResponseURL(identityProviderDiscoveryResponseUrl);
         extendedMetadata.setSignMetadata(true);
         extendedMetadata.setEcpEnabled(true);
         return extendedMetadata;
@@ -360,23 +318,23 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
     /* Entry point to initialize authentication, default values taken from properties file */
     @Bean
     public SAMLEntryPoint samlEntryPoint() {
-        SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
+        final SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
         samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
         return samlEntryPoint;
     }
 
     @Bean
     public WebSSOProfileOptions defaultWebSSOProfileOptions() {
-        WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
+        final WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
         webSSOProfileOptions.setIncludeScoping(false);
         return webSSOProfileOptions;
     }
 
     @Bean
     public KeyManager keyManager() {
-        DefaultResourceLoader loader = new DefaultResourceLoader();
-        Resource storeFile = loader.getResource(samlKeystoreLocation);
-        Map<String, String> passwords = new HashMap<>();
+        final DefaultResourceLoader loader = new DefaultResourceLoader();
+        final Resource storeFile = loader.getResource(samlKeystoreLocation);
+        final Map<String, String> passwords = new HashMap<>();
         passwords.put(samlKeystoreAlias, samlKeystorePassword);
         return new JKSKeyManager(storeFile, samlKeystorePassword, passwords, samlKeystoreAlias);
     }
@@ -429,8 +387,8 @@ public class SamlConfig extends WebSecurityConfigurerAdapter implements Initiali
     /* SAML Authentication Provider responsible for validating of received SAML messages */
     @Bean
     public SAMLAuthenticationProvider samlAuthenticationProvider() {
-        SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider();
-        samlAuthenticationProvider.setUserDetails(userService);
+        final SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider();
+//        samlAuthenticationProvider.setUserDetails(userService);
         samlAuthenticationProvider.setForcePrincipalAsString(false);
         return samlAuthenticationProvider;
     }

fda-authentication-service/services/src/main/java/at/tuwien/service/UserService.java

-package at.tuwien.service;
-
-import lombok.extern.log4j.Log4j2;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.saml.SAMLCredential;
-import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
-import org.springframework.stereotype.Service;
-
-import java.util.ArrayList;
-import java.util.List;
-
-@Log4j2
-@Service
-public class UserService implements SAMLUserDetailsService {
-
-    @Override
-    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
-        final String userID = credential.getNameID().getValue();
-        log.debug("Logged in user {}", userID);
-        List<GrantedAuthority> authorities = new ArrayList<>();
-        GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER");
-        authorities.add(authority);
-        return new User(userID, "<abc123>", true, true, true, true, authorities);
-    }
-
-}