Skip to content

Add Saml2AuthenticationRequestResolver #10355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jzheaux opened this issue Oct 8, 2021 · 0 comments
Closed

Add Saml2AuthenticationRequestResolver #10355

jzheaux opened this issue Oct 8, 2021 · 0 comments
Assignees
@jzheaux
Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Milestone
5.7.0-M2

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Oct 8, 2021
edited
Loading

Similar to OAuth2AuthenticationRequestResolver, Saml2AuthenticationRequestResolver would be a convenient way to customize the AuthnRequest based on inputs from the request as well as the RelyingPartyRegistration.

The OpenSAML implementation would have a method setAuthnRequestCustomizer similar to OAuth2AuthenticationRequestResolver#setAuthenticationRequestCustomizer. This method would overcome a limitation in OpenSamlAuthenticationRequestFactory's equivalent method setAuthenticationRequestContextConverter, which is that it does not have access to the HttpServletRequest.

This component would supercede Saml2AuthenticationRequestContextResolver, Saml2AuthenticationRequestContext, and Saml2AuthenticationRequestFactory reducing configuration like:

public class MySaml2AuthenticationRequestContext extends Saml2AuthenticationRequestContext {
    boolean force;

    public MySaml2AuthenticationRequestContext(Saml2AuthenticationRequestContext parent, boolean force) {
        super(parent.getRelyingPartyRegistration(), parent.getIssuer(), 
                parent.getAssertionConsumerServiceUrl(), parent.getRelayState());
        this.force = force;
    }

    public boolean isForce() {
        return this.force;
    }
}

// ...

@Component
public class AuthnRequestConverter implements
        Converter<MySaml2AuthenticationRequestContext, AuthnRequest> {

    private final AuthnRequestBuilder authnRequestBuilder;
    private final IssuerBuilder issuerBuilder;

    // ... constructor

    public AuthnRequest convert(Saml2AuthenticationRequestContext context) {
        MySaml2AuthenticationRequestContext myContext = (MySaml2AuthenticationRequestContext) context;
        Issuer issuer = issuerBuilder.buildObject();
        issuer.setValue(myContext.getIssuer());

        AuthnRequest authnRequest = authnRequestBuilder.buildObject();
        authnRequest.setIssuer(issuer);
        authnRequest.setDestination(myContext.getDestination());
        authnRequest.setAssertionConsumerServiceURL(myContext.getAssertionConsumerServiceUrl());

        // ... additional settings

        authRequest.setForceAuthn(myContext.getForceAuthn());
        return authnRequest;
    }
}

// ...

@Bean
Saml2AuthenticationRequestContextResolver authenticationRequestContextResolver() {
    Saml2AuthenticationRequestContextResolver resolver =
            new DefaultSaml2AuthenticationRequestContextResolver();
    return request -> {
        Saml2AuthenticationRequestContext context = resolver.resolve(request);
        return new MySaml2AuthenticationRequestContext(context, request.getParameter("force") != null);
    };
}

@Bean
Saml2AuthenticationRequestFactory authenticationRequestFactory(
        AuthnRequestConverter authnRequestConverter) {

    OpenSaml4AuthenticationRequestFactory authenticationRequestFactory =
            new OpenSaml4AuthenticationRequestFactory();
    authenticationRequestFactory.setAuthenticationRequestContextConverter(authnRequestConverter);
    return authenticationRequestFactory;
}

to

@Bean
Saml2AuthenticationRequestResolver authenticationRequestResolver(
        RelyingPartyRegistrationResolver registrations) {
    OpenSamlAuthenticationRequestResolver resolver = new OpenSamlAuthenticationRequestResolver(registrations);
    resolver.setAuthnRequestCustomizer((tuple) -> {
        HttpServletRequest request = tuple.getRequest();
        AuthnRequest authnRequest = tuple.getAuthnRequest();
        authnRequest.setForceAuthn(request.getParameter("force") != null);
    });
}

It would also bring the SAML 2.0 support into closer alignment with the OAuth 2.0 support.

Using Saml2AuthenticationRequestContextResolver, Saml2AuthenticationRequestContext, and Saml2AuthenticationRequestFactory will still continue to work and be supported, though moving to Saml2AuthenticationRequestResolver would be encouraged.

A related discussion about motives can be found starting at #8141 (comment). This would also obviate the need for #9209 and would close #9199.
@jzheaux jzheaux added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 8, 2021
@jzheaux jzheaux self-assigned this Oct 8, 2021
@jzheaux jzheaux added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 8, 2021
@jzheaux jzheaux added this to the 5.6.0-RC1 milestone Oct 14, 2021
@jzheaux jzheaux mentioned this issue Oct 14, 2021
Closed
@rwinch rwinch modified the milestones: 5.6.0-RC1, 5.6.0 Oct 19, 2021
@jzheaux jzheaux modified the milestones: 5.6.0, 5.7.x Oct 27, 2021
jzheaux added a commit to jzheaux/spring-security that referenced this issue Nov 19, 2021
@jzheaux
Add Saml2AuthenticationRequestResolver
12f8ea6 
Closes spring-projectsgh-10355
@jzheaux jzheaux modified the milestones: 5.7.x, 5.7.0-M1 Nov 19, 2021
@sjohnr sjohnr modified the milestones: 5.7.0-M1, 5.7.0-M2 Jan 14, 2022
jzheaux added a commit that referenced this issue Jan 24, 2022
@jzheaux
Add Saml2AuthenticationRequestResolver
d538423 
Closes gh-10355
jzheaux added a commit that referenced this issue Jan 24, 2022
@jzheaux
Deprecate Saml2 AuthnRequest Classes
620081e 
Issue gh-10355
jzheaux added a commit that referenced this issue Jan 24, 2022
@jzheaux
Deprecate Saml2 AuthnRequest Classes
df3593f 
Issue gh-10355
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Projects
None yet
Milestone
5.7.0-M2
Development

No branches or pull requests
3 participants
@rwinch @jzheaux @sjohnr