Connect Spring Security to RH-SSO (Keycloak)
This repo extends from:
And is based on documentation:
My Demo RH-SSO endpoint:
Other relevant info:
Be sure not to use the separately packaged releases that were deprecated in favor of Spring Security subpackages:
Use:
<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>5.6.2</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-saml2-service-provider</artifactId> <version>5.6.2</version> </dependency>
Instead of:
<dependency> <groupId>org.springframework.security.extensions</groupId> <artifactId>spring-security-saml2-core</artifactId> <version>1.0.0.RELEASE</version> </dependency>
Example to convert the standard PKCS7 format pem found in RH-SSO to the PKCS8 format requested by this Spring project:
echo MIIEowIBAAKCAQEAuLbdEqfeuJAhi/AHl16pf+WYEL5fSZwSDi6jEd6Y9OAOrniKwvkz4u0QbqQZJAyV8ziPj6BdUke0U1aCdrjw+V9ckQ7Pul+la79wrFHwoRGiQT5OwfZLmLsH4zl29dKOIBTKmQARvxTXqCJT/uYB1FD4XmqI1OOzD/b87MV3VMxx8aDMFZoMO4mh6YOU+JdJElEodEYwbO24pRzkBM0BCCuAd9ip2lIOSi+SDQYX5bL/SPxnHRQaDWLvZXPxrUCZbVExVl6cgQHKwLC1/oTf6GplooB492sE40hretEpGGyUyXJ2hxvyeR+LXwwteQlQy5UT9NNrjC+DxN7GlncUywIDAQABAoIBAFn3NtXPTXs3OB+gWRIw2P2iJd6B2odPrLubm3Eoqfca6guwSmWMWuk77bT12Ajm2GIOOl4KDWn14q50hDau/S94cu1z+VkdHMTOCWLkxf6tSAne/x0ZiNhqv/y8EGTKmM6nUcYTcpFO5XrOvXp5LIrspQvXd624+Y3dDnOD+gsicps0dDYzbyacjD921aFKaiEa973LWLjXxRbyLPacajWacnk5t+coNz90mtYIYlNRtnEdsYFzkeap/ZwP7T+BK8LxO2jmgM/gR/cB5qJxXRcELPBi7a2LY/ubh3YvQOsKQxX0Xbs1tYRlW2MQfe5TpOAkpuOxG8o4NEOcaJuLawECgYEA+vYaUKziW2+gbbClEgzwyrTbGJe6iNsujeA4vvgjqBB7Sci23zkZDML5/fxkIYZW18IrOJriJR1AptsdaL2evIFimJ8maB3ZPWJAF8UgKOkpmsIzVXJHhyLDi+itywHjnGcvE2u+C11cJoW0gzsfo6BW16yVCcAS/FDDvxDsy0kCgYEAvGxDPyQiBpAFBtQc1Z9Mk9ShXQpUzy/Vgu+QUeQqTai703Zx2sqKgKHu6126RrxcNFYFpNPENzKjFUq17lBmGnuMDzPumVMcCs7l7BSATru/B0dYD8E/lMssb4h10iLDoL0u04Tyfg+dJ/UXwNX111sonwW1mKC0/IQDEE/eq3MCgYB1w0BL9SRu5a2xaz+6faoMZNue6awVhkyNNNdL/aK1va4szGvLyb5Qd7nZjjLqbGCZ9DpV4JAX/GcXJSDiwoAXUtuSZLQgDUmgfVc4ED9sEyV7wn9WLD8WUaDTKUdMSMGm5eB4S4mtSYzxYrJ3FipdnOLDZ++z2JbQIZIJOYb0SQKBgGK4km8lnlIz6P5P6h+ey/90W2sk+5RmKobkv4e4dNWlf2tm1nZcwj5tGYHl5LAlBmZBX8mhTl/hPwLr1vBa3XQooRRiEDPzEHE1P8/2WddmlMrafXAbvxVVch2psJl9r2OrWzploKudwKhryJs3PwwrbdgLpL6oDMt02yoTvsWzAoGBAIoDqjVarW7BCHXij0ow1LSEULKLeq1N9LF2dPpWyUzkK9iaqlRupA2yHiDToxEFv8ZupbrPeThSsWACgxdI41aFTVg5WkjlNtvMM+xZYbh3A8JUNZ0KmQ8LWaz4pnSMaQRsFqksdLzSC3i935Kz8/x2+JFcko9Xtk5jEOd1XR9a | base64 -d | openssl rsa -in - -inform der -outform pem | openssl pkcs8 -topk8 -inform pem -in - -nocrypt
The above decodes the one line PEM (found this way in RH-SSO client keys) into DER format so that it can be reformatted into a clean PEM PKCS7 format with standard headers, which then gets reformatted to PKCS8 with standard headers. This requires Bash 4 to work with pipe redirection. :-)
Example to convert the PKCS7 format one-line PEM found in RH-SSO to a standard PKCS7 with headers format PEM.
echo MIICpTCCAY0CBgGACpHgITANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtzZWN1cmVkLWFwcDAeFw0yMjA0MDgxOTA0MzNaFw0zMjA0MDgxOTA2MTNaMBYxFDASBgNVBAMMC3NlY3VyZWQtYXBwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuLbdEqfeuJAhi/AHl16pf+WYEL5fSZwSDi6jEd6Y9OAOrniKwvkz4u0QbqQZJAyV8ziPj6BdUke0U1aCdrjw+V9ckQ7Pul+la79wrFHwoRGiQT5OwfZLmLsH4zl29dKOIBTKmQARvxTXqCJT/uYB1FD4XmqI1OOzD/b87MV3VMxx8aDMFZoMO4mh6YOU+JdJElEodEYwbO24pRzkBM0BCCuAd9ip2lIOSi+SDQYX5bL/SPxnHRQaDWLvZXPxrUCZbVExVl6cgQHKwLC1/oTf6GplooB492sE40hretEpGGyUyXJ2hxvyeR+LXwwteQlQy5UT9NNrjC+DxN7GlncUywIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBagC1nHBI8ICwmR92zhJCaNxXb0FrJBED0jsdN7dWO30NvTaSjKAk/Yuvh3dIGwpc1oLQBBxRrp0C2RkamEzjrwWyvLjyVHY7mlo/9GSCCUM9NkQ0InmSdt0lWanqiPBGXXsLvzg5knxmgk4Jkfrin/qFkDOLwgBy8vbKo/sKxO6X/n0Pdu02uRZTkts2BG6JnmSxBfCnqukcbXUqSaN1QsOZeZsCDYiVO4OheuoYj+I34TIQzcxd46l9Qgqv6Jzp+wg5kACLIWZ0de20eeVH2I/hYz6M4pqJg+VKjDv8eAhKlKLfNVa76ct8a+UlGdoUvz4duDQpXzvIu43kLbnQy | base64 -d | openssl x509 -in - -inform der -outform pem