
PresideCMS Extension: SAML2 Single Sign On

v6.0.3+0000238 Preside Extensions

SAML2 Single Sign On for Preside


This extension provides single sign on for Preside applications using SAML2.

In its current form, it allows a Preside website to act as an Identity Provider (IDP) for front-end website users, and allows the Preside application (either front end or backend) to act as a Service Provider (SP) against an external IDP.

See the Wiki for full documentation.



  • Stop rendering cert issuers in tags (which can cause layout overflow issues with long issuer strings)


  • Fix issue where Service provider single logout binding was taking too much space in DB and failing db migration
  • Give data migration a name to ensure it happens sooner rather than later during db migration routines


  • Fix issue where organisation short name setting containing spaces would crash server on certificate generation


Extension overhaul:

  • Metadata used only as an import tool
  • Signing certificates produced per provider, with ability to manually regenerate/upload them
  • Debug logging option added
  • Refreshed UI for managing providers (based on data manager)
  • Requires Preside 10.24, or higher


  • Add a rules engine expression to be able to match SAML login requests


  • #15 - Announce interception points on rendering of bad sso request page


  • SAML-8 - Minor styling on SAML redirect pages


  • SAML-7 - Add preSamlSsoLoginResponse interceptor


  • Remove extra testing code for digest algorithm


  • Ensure correct signing algorithm is used to match certificate (RSA SHA-256)
  • Include default namespace when stripping namespace attributes


  • Sign Single Logout Responses
  • Ensure ID attribute on logout responses meets SAML spec and does not start with a number


  • #11 Remove unused private methods (hope to resolve sporadic Lucee bug errors in some environments)


  • Add beta support for SLO when acting as a frontend IdP (add feature flag settings.features.samlSsoProviderSlo.enabled=true)
  • Add beta feature for allowing custom certificates to be input for IdP integrations (add feature flag settings.features.saml2CertificateManager.enabled=true)
  • Add validation of SAML request signatures
  • Add admin ability to specify NameID format used for service provider SAML Assertion responses


  • Hopeful fix, and more useful error information, for "Invalid signature" failures on apparently valid SAML responses.
  • Convert to GH actions flow
  • Fix for later versions of JAVA that drop support for sun.misc.BASE64Encoder


  • Do not read HTTP request body every time we want to check the request method


  • Do not refer to the session scope directly. Use sessionStorage abstraction instead.


  • Return multiple values of SamlResponse attributes if found


  • Fix tests


  • Add ability to download IDP-specific service provider metadata for each registered IDP when Preside is being used as a service Provider


  • Build fixes


  • Version bump


  • Use correct issuer (entity ID) for IDP initiated SSO processes


  • Ensure assertion is valid until 2 minutes AFTER the instant of assertion, not BEFORE!


  • Fix bad reference to isFeatureEnabled() function


  • Fix wrong Issuer instruction in assertion response while adding a feature flag to help patch backward compatibility if SPs are working around our bad ISSUER responses (they should be the entityID, NOT the sso URL)
  • Ensure that we use root URL for entity ID and NOT the org URL
  • Add UI to allow users to see multiline formatted X509 cert
  • Ensure X509 certificate is output on single line and without BEGIN/END cert prefixes
  • Ensure test server runs with correct name
  • Update test runner code to work with latest commandbox


  • Add back the Assertion node to the response attribute parser


  • Work around an apparent jar class conflict where the SAML library sets the default OWASP security configuration when none is already set, which subsequently causes issues for the rest of the Java environment that does not have access to the SAML classpath


  • Add fix for Lucee 4 and default namespaces


  • Strip namespaces from all our SAML xml metadata, responses and requests so that we can consistently and easily parse different SAML implementations that choose either different namespaces, or no namespaces at all


  • Setup try catch to handle log error in 10.6


  • Catch incomplete Jumpcloud / SAML2 installation


  • Fix samlResponse name not using friendly name


  • Do not attempt to process or parse entities that are not fully set up when matching IDPs


  • Again, fix filter for slug


  • Fix bad filter on slug for IDPs
  • Only wrap certificate strings in header and footer when necessary
  • Add a 'hack' to work with Preside SAML IDPs who are returning entity ID + /saml2/sso/ as entity ID in auth responses
  • Ensure no double slash in issuer ID for responses
  • Remove hardcoded entity ID for service provider
  • Support saml responses that use a SAML xml namespace rather than SAML2


  • Remove the Z at the end of dates in saml responses


  • Second attempt at working around classloader conflict issues


  • Fix for missing log4j jars (that sometimes break when present and system already has jar loaded - pita)


  • Move README to github wiki
  • Update code to make compatible with Preside 10.6
  • Ignore all /saml2/ endpoints when determining request language
  • Implement actual custom login URL route handling
  • Add a setting to be able to customize the endpoint that will initiate IDP login for external IDPs
  • Allow identity provider title/description to be translatable in the admin
  • Refactor service name to be inline with all the other services in this extension
  • Allow downloading of both SP and IDP metadata
  • Show message when no IDPs configured
  • Rejig admin so that all settings are together in one place
  • Begin to move pieces around for more sensible architecture
  • Make SP initiated SSO work
  • Add SAML2 response handler :)
  • Add ability to activate and edit metadata for an IDP
  • Display configured IDPs in list
  • Add DB configured options for IDPs into retrieval of IDPs from service
  • Add a description field to IDPs
  • Setup tabs for SP configuration
  • Add barebones IDP management page
  • Add a service method to list configured IDPs
  • Add an 'enabled' flag to IDPs so that they can be turned off
  • Scale back ambitions - expect SAML IDPs to be configured in code, with just metadata being editorial
  • Add identity provider object
  • Fix up navigation and wording to properly use SAML language (Service Provider vs Identity Provider) + enable both features to be enabled at once


cec5378 Strip whitespace from X509 cert in SAML response. Causes trouble with some systems


  • Make postlogin URL work for both SP and IDP initiated SSO workflows


  • Apply attribute configuration options to SAML response creation
  • Add fields to allow each service provider to have the attributes return configurable
  • Tweak display of actions grid for SSO consumers
  • Add working IDP initiated SAML assertion
  • Add a custom route for IDP initiated single sign-on
  • Add fields for configuring SSO type and producing a link to initiate SSO for IDP initiated flows


  • Get Javaloader into test suite


  • Use javaloader to load all opensaml classes


  • Amend regex for detecting bad MS formatted dates


  • Add proper fix instructions for xml document reader bug


  • Update README to include fix instructions for Xerces and Xalan libs


  • Improve documentation around providing custom key management logic
  • Remove redundant function and correct return types
  • Make the SamlKeyStore object wrap all of the security logic around getting public and private certificate credentials for the Saml signing certificate


  • Provide more documentation around customizing authentication and returned data attributes


  • Add a forgebox type to the repo


  • Add a download location so forgebox knows where to go get it


  • Add a build status badge


  • First release

$ box install preside-ext-saml2-sso

Dates: 2016-11-11T07:42:54Z (first), 2024-04-24T12:08:14Z (latest)