Re-enable SAML 2.0 samples with Okta IdP

Closes gh-55

.idea/misc.xml

@@ -5,4 +5,4 @@
     <file type="web" url="file://$PROJECT_DIR$" />
   </component>
   <component name="ProjectRootManager" version="2" languageLevel="JDK_17" default="true" project-jdk-name="temurin-17" project-jdk-type="JavaSDK" />
-</project>
+</project>

servlet/java-configuration/saml2/login/src/main/java/example/IndexController.java

@@ -31,7 +31,7 @@ public class IndexController {
 
 	@GetMapping("/")
 	public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
-		String emailAddress = principal.getFirstAttribute("emailAddress");
+		String emailAddress = principal.getFirstAttribute("email");
 		model.addAttribute("emailAddress", emailAddress);
 		model.addAttribute("userAttributes", principal.getAttributes());
 		return "index";

servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java

@@ -32,6 +32,7 @@ import org.springframework.security.saml2.provider.service.registration.InMemory
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.web.SecurityFilterChain;
 
 @EnableWebSecurity
@@ -57,13 +58,16 @@ public class SecurityConfiguration {
 	@Bean
 	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
 		RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
-				.fromMetadataLocation("https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php")
+				.fromMetadataLocation("https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata")
 				.registrationId("one")
 				.decryptionX509Credentials(
 						(c) -> c.add(Saml2X509Credential.decryption(this.privateKey, relyingPartyCertificate())))
 				.signingX509Credentials(
 						(c) -> c.add(Saml2X509Credential.signing(this.privateKey, relyingPartyCertificate())))
-				.build();
+				.singleLogoutServiceLocation(
+						"https://dev-05937739.okta.com/app/dev-05937739_springgsecuritysaml2idp_1/exk46xofd8NZvFCpS5d7/slo/saml")
+				.singleLogoutServiceResponseLocation("http://localhost:8080/logout/saml2/slo")
+				.singleLogoutServiceBinding(Saml2MessageBinding.POST).build();
 
 		return new InMemoryRelyingPartyRegistrationRepository(relyingPartyRegistration);
 	}

servlet/java-configuration/saml2/login/src/main/resources/templates/index.html

@@ -36,11 +36,6 @@
                 </button>
             </form>
         </li>
-        <li class="nav-item">
-            <a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
-                AP-initiated Logout
-            </a>
-        </li>
     </ul>
     </div>
     <main role="main" class="container">

servlet/spring-boot/java/saml2/login-single-tenant/build.gradle

@@ -24,7 +24,7 @@ dependencies {
 	implementation 'org.springframework.security:spring-security-saml2-service-provider'
 	implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
 
-	testImplementation 'net.sourceforge.htmlunit:htmlunit'
+	testImplementation 'net.sourceforge.htmlunit:htmlunit:2.44.0'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 	testImplementation 'org.springframework.security:spring-security-test'
 }

servlet/spring-boot/java/saml2/login-single-tenant/src/main/java/example/IndexController.java

@@ -27,7 +27,7 @@ public class IndexController {
 
 	@GetMapping("/")
 	public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
-		String emailAddress = principal.getFirstAttribute("emailAddress");
+		String emailAddress = principal.getFirstAttribute("email");
 		model.addAttribute("emailAddress", emailAddress);
 		model.addAttribute("userAttributes", principal.getAttributes());
 		return "index";

servlet/spring-boot/java/saml2/login-single-tenant/src/main/java/example/SecurityConfiguration.java

@@ -16,13 +16,26 @@
 
 package example;
 
+import java.io.InputStream;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
+import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
@@ -39,7 +52,7 @@ public class SecurityConfiguration {
 			.authorizeHttpRequests((authorize) -> authorize
 				.anyRequest().authenticated()
 			)
-			.saml2Login((saml2) -> saml2.loginProcessingUrl("/login/saml2/sso"))
+			.saml2Login(Customizer.withDefaults())
 			.saml2Logout(Customizer.withDefaults());
 		// @formatter:on
 
@@ -49,7 +62,7 @@ public class SecurityConfiguration {
 	@Bean
 	RelyingPartyRegistrationResolver relyingPartyRegistrationResolver(
 			RelyingPartyRegistrationRepository registrations) {
-		return new DefaultRelyingPartyRegistrationResolver((id) -> registrations.findByRegistrationId("metadata"));
+		return new DefaultRelyingPartyRegistrationResolver((id) -> registrations.findByRegistrationId("two"));
 	}
 
 	@Bean
@@ -65,4 +78,29 @@ public class SecurityConfiguration {
 		return filter;
 	}
 
+	@Bean
+	RelyingPartyRegistrationRepository repository(
+			@Value("classpath:credentials/rp-private.key") RSAPrivateKey privateKey) {
+		RelyingPartyRegistration two = RelyingPartyRegistrations
+				.fromMetadataLocation("https://dev-05937739.okta.com/app/exk4842vmapcMkohr5d7/sso/saml/metadata")
+				.registrationId("two")
+				.signingX509Credentials(
+						(c) -> c.add(Saml2X509Credential.signing(privateKey, relyingPartyCertificate())))
+				.singleLogoutServiceLocation(
+						"https://dev-05937739.okta.com/app/dev-05937739_springsecuritysaml2idptwo_1/exk4842vmapcMkohr5d7/slo/saml")
+				.singleLogoutServiceResponseLocation("http://localhost:8080/logout/saml2/slo")
+				.singleLogoutServiceBinding(Saml2MessageBinding.POST).build();
+		return new InMemoryRelyingPartyRegistrationRepository(two);
+	}
+
+	X509Certificate relyingPartyCertificate() {
+		Resource resource = new ClassPathResource("credentials/rp-certificate.crt");
+		try (InputStream is = resource.getInputStream()) {
+			return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
+		}
+		catch (Exception ex) {
+			throw new UnsupportedOperationException(ex);
+		}
+	}
+
 }

servlet/spring-boot/java/saml2/login-single-tenant/src/main/resources/application.yml

@@ -1,17 +1,2 @@
-spring:
-  security:
-    saml2:
-      relyingparty:
-        registration:
-          metadata:
-            entity-id: "{baseUrl}/saml2/metadata"
-            acs.location: "{baseUrl}/login/saml2/sso"
-            signing.credentials:
-              - private-key-location: classpath:credentials/rp-private.key
-                certificate-location: classpath:credentials/rp-certificate.crt
-            identityprovider:
-              metadata-uri: https://simplesamlphp.apps.pcfone.io/saml2/idp/metadata.php
-
-
 logging.level:
   org.springframework.security: TRACE

servlet/spring-boot/java/saml2/login-single-tenant/src/main/resources/templates/index.html

@@ -36,11 +36,6 @@
                 </button>
             </form>
         </li>
-        <li class="nav-item">
-            <a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
-                AP-initiated Logout
-            </a>
-        </li>
     </ul>
     </div>
     <main role="main" class="container">

servlet/spring-boot/java/saml2/login/build.gradle

@@ -24,7 +24,7 @@ dependencies {
 	implementation 'org.springframework.security:spring-security-saml2-service-provider'
 	implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
 
-	testImplementation 'net.sourceforge.htmlunit:htmlunit'
+	testImplementation 'net.sourceforge.htmlunit:htmlunit:2.44.0'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 	testImplementation 'org.springframework.security:spring-security-test'
 	testImplementation 'org.awaitility:awaitility:4.2.0'

servlet/spring-boot/java/saml2/login/src/main/java/example/IndexController.java

@@ -27,7 +27,7 @@ public class IndexController {
 
 	@GetMapping("/")
 	public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
-		String emailAddress = principal.getFirstAttribute("emailAddress");
+		String emailAddress = principal.getFirstAttribute("email");
 		model.addAttribute("emailAddress", emailAddress);
 		model.addAttribute("userAttributes", principal.getAttributes());
 		return "index";

servlet/spring-boot/java/saml2/login/src/main/java/example/SecurityConfiguration.java

@@ -16,13 +16,26 @@
 
 package example;
 
+import java.io.InputStream;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
+import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
@@ -59,4 +72,38 @@ public class SecurityConfiguration {
 		return filter;
 	}
 
+	@Bean
+	RelyingPartyRegistrationRepository repository(
+			@Value("classpath:credentials/rp-private.key") RSAPrivateKey privateKey) {
+		RelyingPartyRegistration one = RelyingPartyRegistrations
+				.fromMetadataLocation("https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata")
+				.registrationId("one")
+				.signingX509Credentials(
+						(c) -> c.add(Saml2X509Credential.signing(privateKey, relyingPartyCertificate())))
+				.singleLogoutServiceLocation(
+						"https://dev-05937739.okta.com/app/dev-05937739_springgsecuritysaml2idp_1/exk46xofd8NZvFCpS5d7/slo/saml")
+				.singleLogoutServiceResponseLocation("http://localhost:8080/logout/saml2/slo")
+				.singleLogoutServiceBinding(Saml2MessageBinding.POST).build();
+		RelyingPartyRegistration two = RelyingPartyRegistrations
+				.fromMetadataLocation("https://dev-05937739.okta.com/app/exk4842vmapcMkohr5d7/sso/saml/metadata")
+				.registrationId("two")
+				.signingX509Credentials(
+						(c) -> c.add(Saml2X509Credential.signing(privateKey, relyingPartyCertificate())))
+				.singleLogoutServiceLocation(
+						"https://dev-05937739.okta.com/app/dev-05937739_springsecuritysaml2idptwo_1/exk4842vmapcMkohr5d7/slo/saml")
+				.singleLogoutServiceResponseLocation("http://localhost:8080/logout/saml2/slo")
+				.singleLogoutServiceBinding(Saml2MessageBinding.POST).build();
+		return new InMemoryRelyingPartyRegistrationRepository(one, two);
+	}
+
+	X509Certificate relyingPartyCertificate() {
+		Resource resource = new ClassPathResource("credentials/rp-certificate.crt");
+		try (InputStream is = resource.getInputStream()) {
+			return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
+		}
+		catch (Exception ex) {
+			throw new UnsupportedOperationException(ex);
+		}
+	}
+
 }

servlet/spring-boot/java/saml2/login/src/main/resources/application.yml

@@ -1,20 +1,2 @@
-spring:
-  security:
-    saml2:
-      relyingparty:
-        registration:
-          one:
-            signing.credentials: &rp-metadata
-              - private-key-location: classpath:credentials/rp-private.key
-                certificate-location: classpath:credentials/rp-certificate.crt
-            identityprovider:
-              metadata-uri: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
-          two:
-            signing.credentials: *rp-metadata
-            decryption.credentials: *rp-metadata
-            identityprovider:
-              metadata-uri: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
-
-
 logging.level:
   org.springframework.security: TRACE

servlet/spring-boot/java/saml2/login/src/main/resources/templates/index.html

@@ -36,11 +36,6 @@
                 </button>
             </form>
         </li>
-        <li class="nav-item">
-            <a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
-                AP-initiated Logout
-            </a>
-        </li>
     </ul>
     </div>
     <main role="main" class="container">

servlet/spring-boot/java/saml2/refreshable-metadata/build.gradle

@@ -24,7 +24,7 @@ dependencies {
 	implementation 'org.springframework.security:spring-security-saml2-service-provider'
 	implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'
 
-	testImplementation 'net.sourceforge.htmlunit:htmlunit'
+	testImplementation 'net.sourceforge.htmlunit:htmlunit:2.44.0'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 	testImplementation 'org.springframework.security:spring-security-test'
 }

servlet/spring-boot/java/saml2/refreshable-metadata/src/main/java/example/IndexController.java

@@ -27,7 +27,7 @@ public class IndexController {
 
 	@GetMapping("/")
 	public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
-		String emailAddress = principal.getFirstAttribute("emailAddress");
+		String emailAddress = principal.getFirstAttribute("email");
 		model.addAttribute("emailAddress", emailAddress);
 		model.addAttribute("userAttributes", principal.getAttributes());
 		return "index";

servlet/spring-boot/java/saml2/refreshable-metadata/src/main/resources/application.yml

@@ -8,7 +8,7 @@ spring:
               - private-key-location: classpath:credentials/rp-private.key
                 certificate-location: classpath:credentials/rp-certificate.crt
             identityprovider:
-              metadata-uri: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
+              metadata-uri: https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata
 
 logging.level:
   org.springframework.security: TRACE

servlet/spring-boot/java/saml2/refreshable-metadata/src/main/resources/templates/index.html

@@ -36,11 +36,6 @@
                 </button>
             </form>
         </li>
-        <li class="nav-item">
-            <a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
-                AP-initiated Logout
-            </a>
-        </li>
     </ul>
     </div>
     <main role="main" class="container">

servlet/xml/java/saml2/login-logout/src/integTest/java/example/LocalHostWebClient.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import java.io.IOException;
+
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.Page;
+import com.gargoylesoftware.htmlunit.WebClient;
+
+import org.springframework.core.env.Environment;
+import org.springframework.util.Assert;
+
+/**
+ * {@link WebClient} will automatically prefix relative URLs with
+ * <code>localhost:$&#123;local.server.port&#125;</code>.
+ *
+ * @author Phillip Webb
+ * @since 1.4.0
+ */
+public class LocalHostWebClient extends WebClient {
+
+	private final Environment environment;
+
+	public LocalHostWebClient(Environment environment) {
+		Assert.notNull(environment, "Environment must not be null");
+		this.environment = environment;
+	}
+
+	@Override
+	public <P extends Page> P getPage(String url) throws IOException, FailingHttpStatusCodeException {
+		if (url.startsWith("/")) {
+			String port = this.environment.getProperty("local.server.port", "8080");
+			url = "http://localhost:" + port + url;
+		}
+		return super.getPage(url);
+	}
+
+}

servlet/xml/java/saml2/login-logout/src/integTest/java/example/Saml2XmlITests.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package example;
+
+import com.gargoylesoftware.htmlunit.ElementNotFoundException;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.HtmlElement;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlInput;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlPasswordInput;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.env.Environment;
+import org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.htmlunit.MockMvcWebClientBuilder;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration(locations = { "file:src/main/webapp/WEB-INF/spring-servlet.xml",
+		"file:src/main/webapp/WEB-INF/spring/security.xml" })
+@WebAppConfiguration
+public class Saml2XmlITests {
+
+	private MockMvc mvc;
+
+	private WebClient webClient;
+
+	@Autowired
+	WebApplicationContext webApplicationContext;
+
+	@Autowired
+	Environment environment;
+
+	@BeforeEach
+	void setup() {
+		this.mvc = MockMvcBuilders.webAppContextSetup(this.webApplicationContext)
+				.apply(SecurityMockMvcConfigurers.springSecurity()).build();
+		this.webClient = MockMvcWebClientBuilder.mockMvcSetup(this.mvc)
+				.withDelegate(new LocalHostWebClient(this.environment)).build();
+		this.webClient.getCookieManager().clearCookies();
+	}
+
+	@Test
+	void authenticationAttemptWhenValidThenShowsUserEmailAddress() throws Exception {
+		performLogin();
+		HtmlPage home = (HtmlPage) this.webClient.getCurrentWindow().getEnclosedPage();
+		assertThat(home.asText()).contains("You're email address is testuser@spring.security.saml");
+	}
+
+	@Test
+	void logoutWhenRelyingPartyInitiatedLogoutThenLoginPageWithLogoutParam() throws Exception {
+		performLogin();
+		HtmlPage home = (HtmlPage) this.webClient.getCurrentWindow().getEnclosedPage();
+		HtmlElement rpLogoutButton = home.getHtmlElementById("rp_logout_button");
+		HtmlPage loginPage = rpLogoutButton.click();
+		assertThat(loginPage.getUrl().getFile()).isEqualTo("/login?logout");
+	}
+
+	private void performLogin() throws Exception {
+		HtmlPage login = this.webClient.getPage("/");
+		this.webClient.waitForBackgroundJavaScript(10000);
+		HtmlForm form = findForm(login);
+		HtmlInput username = form.getInputByName("username");
+		HtmlPasswordInput password = form.getInputByName("password");
+		HtmlSubmitInput submit = login.getHtmlElementById("okta-signin-submit");
+		username.type("testuser@spring.security.saml");
+		password.type("12345678");
+		submit.click();
+		this.webClient.waitForBackgroundJavaScript(10000);
+	}
+
+	private HtmlForm findForm(HtmlPage login) {
+		for (HtmlForm form : login.getForms()) {
+			try {
+				if (form.getId().equals("form19")) {
+					return form;
+				}
+			}
+			catch (ElementNotFoundException ex) {
+				// Continue
+			}
+		}
+		throw new IllegalStateException("Could not resolve login form");
+	}
+
+}

servlet/xml/java/saml2/login-logout/src/main/java/example/IndexController.java

@@ -34,7 +34,7 @@ public class IndexController {
 
 	@GetMapping("/")
 	public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
-		String emailAddress = principal.getFirstAttribute("emailAddress");
+		String emailAddress = principal.getFirstAttribute("email");
 		model.addAttribute("emailAddress", emailAddress);
 		model.addAttribute("userAttributes", principal.getAttributes());
 		return "index";

servlet/xml/java/saml2/login-logout/src/main/webapp/WEB-INF/spring/security.xml

@@ -4,7 +4,7 @@
 		 xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
 						http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
 
-	<http>
+	<http auto-config="true">
 		<intercept-url pattern="/**" access="authenticated"/>
 		<saml2-login />
 		<saml2-logout />
@@ -14,40 +14,15 @@
 		<user name="user" password="{noop}password" authorities="ROLE_USER" />
 	</user-service>
 
-<!--	<relying-party-registrations>-->
-<!--		<relying-party-registration registration-id="one" metadata-location="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php"-->
-<!--				single-logout-service-location="{baseUrl}/logout/saml2/slo" single-logout-service-response-location="{baseUrl}/logout/saml2/slo">-->
-<!--			<signing-credential certificate-location="classpath:credentials/rp-certificate.crt"-->
-<!--													private-key-location="classpath:credentials/rp-private.key"/>-->
-<!--		</relying-party-registration>-->
-<!--	</relying-party-registrations>-->
-	
 	<relying-party-registrations>
 		<relying-party-registration registration-id="one"
-																entity-id="{baseUrl}/saml2/service-provider-metadata/{registrationId}"
+																metadata-location="https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata"
-																assertion-consumer-service-location="{baseUrl}/login/saml2/sso/{registrationId}"
+																single-logout-service-location="https://dev-05937739.okta.com/app/dev-05937739_springgsecuritysaml2idp_1/exk46xofd8NZvFCpS5d7/slo/saml"
-																assertion-consumer-service-binding="POST"
+																single-logout-service-response-location="{baseUrl}/logout/saml2/slo">
-																single-logout-service-location="{baseUrl}/logout/saml2/slo"
-																single-logout-service-response-location="{baseUrl}/logout/saml2/slo"
-																asserting-party-id="simple-saml">
 			<signing-credential certificate-location="classpath:credentials/rp-certificate.crt"
 													private-key-location="classpath:credentials/rp-private.key"/>
 		</relying-party-registration>
 		
-		<asserting-party asserting-party-id="simple-saml"
-										 entity-id="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php"
-										 single-sign-on-service-location="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php"
-										 single-sign-on-service-binding="REDIRECT"
-										 signing-algorithms="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
-										 single-logout-service-location="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php"
-										 single-logout-service-binding="POST"
-										 single-logout-service-response-location="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php"
-										 want-authn-requests-signed="false">
-			<verification-credential private-key-location="classpath:credentials/rp-private.key"
-					certificate-location="classpath:credentials/idp-certificate.crt"/>
-			<encryption-credential private-key-location="classpath:credentials/rp-private.key"
-					certificate-location="classpath:credentials/idp-certificate.crt"/>
-		</asserting-party>
 	</relying-party-registrations>
 
 </b:beans>

servlet/xml/java/saml2/login-logout/src/main/webapp/WEB-INF/templates/index.html

@@ -36,11 +36,6 @@
                 </button>
             </form>
         </li>
-        <li class="nav-item">
-            <a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
-                AP-initiated Logout
-            </a>
-        </li>
     </ul>
     </div>
     <main role="main" class="container">

settings.gradle

@@ -40,7 +40,7 @@ include ":servlet:java-configuration:hello-mvc-security"
 include ":servlet:java-configuration:hello-security"
 include ":servlet:java-configuration:hello-security-explicit"
 include ":servlet:java-configuration:max-sessions"
-//include ":servlet:java-configuration:saml2:login"
+include ":servlet:java-configuration:saml2:login"
 include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
 include ":servlet:spring-boot:java:hello"
@@ -56,9 +56,9 @@ include ":servlet:spring-boot:java:oauth2:resource-server:multi-tenancy"
 include ":servlet:spring-boot:java:oauth2:resource-server:opaque"
 include ":servlet:spring-boot:java:oauth2:resource-server:static"
 include ":servlet:spring-boot:java:oauth2:webclient"
-//include ":servlet:spring-boot:java:saml2:login"
+include ":servlet:spring-boot:java:saml2:login"
-//include ":servlet:spring-boot:java:saml2:login-single-tenant"
+include ":servlet:spring-boot:java:saml2:login-single-tenant"
-//include ":servlet:spring-boot:java:saml2:refreshable-metadata"
+include ":servlet:spring-boot:java:saml2:refreshable-metadata"
 include ":servlet:spring-boot:kotlin:hello-security"
 include ":servlet:xml:java:helloworld"
 include ":servlet:xml:java:preauth"