Correct dependencies for OneLogin SSO integration with Bloomreach 14.6.0

kwarnock · May 8, 2023, 1:36pm

I’ve been struggling to get OneLogin integration working in Bloomreach 14.6.0. I have a feeling that I am using the wrong dependencies .

I added the following to my cms/pom.xml:

groupId: org.springframework.security.extensions
artifactId: spring-security-saml2-core
version: 1.0.10.RELEASE

groupId: xerces
artifactid: xercesImpl
version: 2.12.0

groupId: ca.juliusdavies
artifactid: not-yet-commons-ssl
version: 0.3.9

groupId: org.springframework.security
artifactid: spring-security-core
version: 5.5.0

groupId: org.springframework.security
artifactId: spring-security-web
version: 5.5.0

groupId: org.springframework.security
artifactId: spring-security-config
version: 5.5.0

groupId: org.springframework.security
artifactId: spring-security-taglibs
version: 5.5.0

I updated web.xml to add the following:

<context-param>
    <description>Contains the security details for SAML and SSO</description>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/securityContext.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>com.audacy.common.saml.OptionalDelegatingFilterProxy</filter-class>
</filter>
<filter>
    <filter-name>SSOLoginFilter</filter-name>
    <filter-class>com.audacy.common.saml.SSOLoginFilter</filter-class>
    <init-param>
        <param-name>prefixExclusions</param-name>
        <param-value>/angular, /logging, /skin, /ckeditor, /ping, /xinha, /status, /ws</param-value>
    </init-param>
    <init-param>
        <param-name>suffixExclusions</param-name>
        <param-value>.gif, .jpg, .jpeg, .png, .jsp, .js, .css, .less</param-value>
    </init-param>
    <init-param>
        <param-name>disabled</param-name>
        <param-value>${saml.disabled}</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>SSOLoginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The current issue that I’m facing is:
Caused by: java.lang.IllegalStateException: Duplicate Filter registration for ‘springSecurityFilterChain’. Check to ensure the Filter is only configured once.

I’m not entirely sure that I’ve used the correct dependencies and when I remove “springSecurityFilterChain” from web.xml I get the error ‘no bean defined for “springFilterSecurityChain”’. If anyone has done a OneLogin integration with version 14.6.0 and has any advice it would be greatly appreciated. If you need any more information I would be happy to gather it for you

jasper.floor · May 8, 2023, 1:41pm

I can’t really help you, but here is an example sso integration that may offer some inspiration:

kwarnock · June 11, 2023, 3:03pm

@jasper.floor Thank you for the reference project. After this being back logged for a bit, I tried configuring my project in the same manner as the example but I am getting the following error which I’m not sure how to debug:

“java.lang.IllegalStateException: Cannot initialize context because there is already a root application context present - check whether you have multiple ContextLoader* definitions in your web.xml!”

Not sure if this changes things a lot but we’re using the enterprise version of BrXM 15.2.0.

Do you have any recommendations for how I can go about troubleshooting the above error? I already tried removing one of the defined ContextLoaders from web.xml but it didn’t change things

jasper.floor · June 12, 2023, 8:19am

Try adding an exclusion on Spring Boot to the hippo-package-cms-dependencies dependency.

see also:

kwarnock · June 15, 2023, 3:37pm

@jasper.floor That did the trick

I was having issues with it because I copied the snippet from the documentation and it had the wrong groupId and I didn’t think anything of it. After fixing that everything worked!

Everything looks super clean with that Okta integration and I was hoping that it could be just as clean using OneLogin but I can’t seem to get the RelyingPartyRegistration to work with OneLogin (I assume I am just misconfiguring things). Does Bloomreach happen to have an example 15.2.0 project with OneLogin integration that I could use for inspiration?

jasper.floor · June 16, 2023, 7:53am

We don’t have any other reference project. Unfortunately, this is an area where each implementation seems to have it’s own peculiarities. If you figure it out, please do share.

kwarnock · June 16, 2023, 2:56pm

@jasper.floor Will do! Thank you again for all of your help

kwarnock · June 21, 2023, 4:16pm

@jasper.floor I got the example setup and working with Okta using a free trial account that I created. The authentication is happening but how do I get the CustomDelegatingSecurityProvider configured? I see the class and the saml.yaml file in the hippo-saml project which referred to it. However, adding that configuration did not cause the class to be picked up. It doesn’t appear to be used in the example project either (I tried setting breakpoints but it didn’t work). Any suggestions are greatly appreciated

kwarnock · June 22, 2023, 3:02pm

Turns out that I just needed to change the internal.yaml to use that CustomDelegatingSecurityProvider and it started getting picked up