springSecurityFilterChain bean missing #9

Open
bap-dev opened this issue Dec 5, 2024 · 6 comments
bap-dev commented Dec 5, 2024

On a Kubernetes cluster, when enabling SAML with:

saml:
    enabled: true

we are getting

SCHWERWIEGEND: Ausnahme beim Starten des Filters [springSecurityFilterChain]
org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' available
org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:893)
org.springframework.beans.factory.support.AbstractBeanFactory.getMergedLocalBeanDefinition(AbstractBeanFactory.java:1316)
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:299)
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:204)
org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1172
org.springframework.web.filter.DelegatingFilterProxy.initDelegate(DelegatingFilterProxy.java:332)
org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(DelegatingFilterProxy.java: 240)
...

Please provide some documentation!

bap-dev changed the title from "springSecurityFilterChain been missing" to "springSecurityFilterChain bean missing" on Dec 5, 2024
@torsten-simon
Member

Hi,

in order to use SSO, please also provide the relevant config in the lightbend config files. You can do this BEFORE enabling saml via Admin Tools / System Config or directly via helm configs:

edusharing_repository:
    edusharing_repository_service:
        config:
            override:
                config:
                    application:
                        settings: |
                          spring.profiles.active=samlEnabled
                          security.sso.saml{
                              useHomeApplicationKeys: true
                              idp: {
                                  metadata: {
                                      url: "http://"
                                  }
                              }
                          }

Details on what is possible to be overridden (additional parameters) can be found in the default config file:
https://github.com/edu-sharing/edu-sharing-community-repository/blob/maven/fixes/9.0/config/defaults/src/main/resources/edu-sharing.reference.conf

Best Regards
Torsten

@bap-dev
Author

bap-dev commented Dec 5, 2024

Hi Torsten and thanks for your quick response!
We are trying to set up an external Shibboleth SP, so the question is if we even need that setting? One thing which we found interesting is that when setting saml:enabled:true the error occurs and persists when setting the value back to false until setting spring.profiles.active=basic explicitly.
Could you please advise us on how and what to set up for an external shibb connection, since it seems that some env variables in the env-configmap and statefulset are missing compared to the docker version...

@torsten-simon
Member

Hi!

As stated in the first answer, you need to set the "url" in the config to the desired discovery url of your IDP. All metadata will be fetched from there.
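
A pre-deployment check for the two settings named in the answers above (the `samlEnabled` profile and a complete IdP metadata URL), added here as an example that is not part of the thread or of edu-sharing. The parser covers only the subset of the config syntax shown on this page, the IdP URL in the sample is made up, and the HTTPS requirement is this example's own assumption.

```python
import re
from urllib.parse import urlparse

# Constructed input: the settings text from the thread with a made-up IdP URL.
SAMPLE_SETTINGS = """
spring.profiles.active=samlEnabled
security.sso.saml{
    useHomeApplicationKeys: true
    idp: {
        metadata: {
            url: "https://idp.example.org/metadata"
        }
    }
}
"""

def flatten(settings: str) -> dict:
    """Flatten the nested key/value text into {'a.b.c': 'value'} (subset of HOCON)."""
    path, out = [], {}
    for raw in settings.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue                      # blank line or whole-line comment
        if line.startswith("}"):
            if path:
                path.pop()                # leave the current object
            continue
        opened = re.match(r"^([\w.\-]+)\s*[:=]?\s*\{$", line)
        if opened:
            path.append(opened.group(1))  # enter "key {" / "key: {"
            continue
        pair = re.match(r"^([\w.\-]+)\s*[:=]\s*(.*?),?$", line)
        if pair:
            out[".".join(path + [pair.group(1)])] = pair.group(2).strip().strip('"')
    return out

def check_saml_settings(settings: str) -> list:
    """Return findings; an empty list means both settings from the thread are present."""
    cfg, findings = flatten(settings), []
    profiles = [p.strip() for p in cfg.get("spring.profiles.active", "").split(",")]
    if "samlEnabled" not in profiles:
        findings.append("profile: samlEnabled is not in spring.profiles.active")
    url = urlparse(cfg.get("security.sso.saml.idp.metadata.url", ""))
    if not url.hostname:
        findings.append("metadata-url: missing or has no host")
    elif url.scheme != "https":
        # Assumption of this example: metadata carries the IdP signing keys, so require TLS.
        findings.append("metadata-url: not fetched over HTTPS")
    return findings

if __name__ == "__main__":
    print(check_saml_settings(SAMPLE_SETTINGS) or "ok")
```

Run against the snippet exactly as posted in the thread (`url: "http://"`), the check reports the metadata URL as having no host.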

@bap-dev
Author

bap-dev commented Dec 5, 2024

Ah, I see. And are those env not needed at all, when using the internal shibboleth:

  REPOSITORY_SERVICE_AUTH_EXTERNAL
  REPOSITORY_SERVICE_AUTH_EXTERNAL_LOGIN
  REPOSITORY_SERVICE_HOME_AUTH_EXTERNAL_LOGIN_PROVIDERS_URL
  REPOSITORY_SERVICE_HOME_AUTH_EXTERNAL_LOGIN_PROVIDER_TARGET_URL
  REPOSITORY_SERVICE_AUTH_EXTERNAL_LOGOUT
  REPOSITORY_SERVICE_HOME_AUTH_EXTERNAL_LOGOUT_REDIRECT_URL
  REPOSITORY_SERVICE_HOME_AUTH_EXTERNAL_LOGOUT_REDIRECT

And I suppose this is also meant to be used with the internal shibboleth:

spring.profiles.active=samlEnabled
security.sso.saml{
    useHomeApplicationKeys: true
    idp: {
        metadata: {
            url: "http://"
        }
    }
}

What about using an external Shibboleth SP (shibd) that also functions as a reverse proxy? Would this be a better approach in terms of microservices? What would you recommend?

Thanks a lot!

@elrudi

elrudi commented Dec 6, 2024

Hi,

edu-sharing currently does not support the use of an external Shibboleth service provider in a k8s environment.
Please use the embedded SAML service provider, which can be configured with lightbend.

Best Regards

@bap-dev
Author

bap-dev commented Dec 6, 2024

Thank you for your response! Unfortunately, this is a pity... Do you have any plans for when the feature will be supported?
