Ability to easily read attribute values from SAML response #8661

Closed
ghost opened this issue Jun 8, 2020 · 5 comments
Labels
in: saml2 An issue in SAML2 modules status: feedback-provided Feedback has been provided type: enhancement A general enhancement
Comments


ghost commented Jun 8, 2020

Expected Behavior
I should be able to read attribute values after the SAML response is parsed and validated, without parsing it myself.

Current Behavior
As far as I can tell, OpenSamlAuthenticationProvider parses and validates the response and then throws away the Assertion object. What I'm left with is the encrypted response string.

Context
I want to show the user's first and last name on my website.

I could parse XML myself after successful login, but that doesn't seem very pretty.

I think that in the earlier iterations SecurityContextHolder.getContext().getAuthentication().getCredentials() returned SAMLCredential object with getAttribute methods.

Sorry if this is already possible; please tell me how it's supposed to be done in that case. If it's not possible, what nice workaround could I use?

I know that it's possible to extract roles using custom authorities extractor, but what about other attributes?

@ghost ghost added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jun 8, 2020
@jzheaux jzheaux self-assigned this Jun 8, 2020

jzheaux commented Jun 8, 2020

@kostic017 thanks for reaching out; I think adding attributes to the Saml2AuthenticatedPrincipal would be a way to address this.

To add it, it'll be important to maintain Spring Security's independence from OpenSAML, meaning that the resulting authentication shouldn't have any OpenSAML-specific material in it.

One way this could work would be to have OpenSamlAuthenticationProvider iterate through all the attributes and convert them to their corresponding Java types. I think it would be reasonable to add a Map<String, Object> getAttributes() default method to Saml2AuthenticatedPrincipal in that case.

Does that sound like what you are looking for and would you be interested in submitting a PR to add it?
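
The conversion sketched above, as an added example (not Spring Security's code and not the pull request referenced in this thread): it walks the AttributeStatements of an Assertion that the provider has already signature-checked, condition-checked and decrypted, and turns each XML Schema typed value into a JDK value so the result carries no OpenSAML types. It assumes the OpenSAML 3.x schema classes (XSString, XSAny, XSInteger, XSBoolean, XSDateTime, XSURI) and keeps each attribute's values as a list, since SAML attributes are multi-valued; the class name Saml2AttributeMapper is hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSBoolean;
import org.opensaml.core.xml.schema.XSBooleanValue;
import org.opensaml.core.xml.schema.XSDateTime;
import org.opensaml.core.xml.schema.XSInteger;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.core.xml.schema.XSURI;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;

/** Hypothetical helper: maps the attributes of an already-validated Assertion to plain Java values. */
final class Saml2AttributeMapper {

    /** Returns attribute name -> values; only JDK types appear in the result, never OpenSAML objects. */
    static Map<String, List<Object>> toAttributeMap(Assertion assertion) {
        Map<String, List<Object>> attributes = new LinkedHashMap<>();
        // Assumed precondition: the provider has verified the signature/conditions and decrypted it.
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                // Same attribute name in several statements: values are merged into one list.
                List<Object> values = attributes.computeIfAbsent(attribute.getName(), k -> new ArrayList<>());
                for (XMLObject value : attribute.getAttributeValues()) {
                    Object converted = toJavaValue(value);
                    if (converted != null) {
                        values.add(converted);
                    }
                }
            }
        }
        return attributes;
    }

    /** Converts one xsi:type'd AttributeValue; unknown types yield null and are skipped. */
    private static Object toJavaValue(XMLObject value) {
        if (value instanceof XSString) return ((XSString) value).getValue();
        if (value instanceof XSAny) return ((XSAny) value).getTextContent(); // untyped: text only
        if (value instanceof XSInteger) return ((XSInteger) value).getValue();
        if (value instanceof XSBoolean) {
            XSBooleanValue b = ((XSBoolean) value).getValue();
            return b == null ? null : b.getValue();
        }
        if (value instanceof XSDateTime) return ((XSDateTime) value).getValue(); // Joda DateTime in 3.x
        if (value instanceof XSURI) return ((XSURI) value).getValue();
        return null; // unsupported schema type: dropped rather than leaking an OpenSAML object
    }
}
```

A map built this way can back a getAttributes() method on the principal (for example, reading the "givenName" and "surname" attributes for display) while the authentication object stays free of OpenSAML classes.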

@jzheaux jzheaux added in: saml2 An issue in SAML2 modules status: feedback-provided Feedback has been provided and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 8, 2020

ghost commented Jun 9, 2020

That should do the job.

As you can probably tell, I've created a pull request... (force push to my branch, looks ugly here)

@fpagliar

Thanks so much for raising this issue!!! This is a big blocker for us.

@ghost
Copy link
Author

ghost commented Jun 11, 2020

@fpagliar Here you can find a nice workaround until the fix gets released:
https://stackoverflow.com/q/62210172/10479742
https://stackoverflow.com/q/58400571/10479742
If your assertion is encrypted, you're gonna need to decrypt it yourself first.

jzheaux added a commit that referenced this issue Jun 18, 2020
@jzheaux jzheaux added this to the 5.4.0-M2 milestone Jun 18, 2020
@fpagliar

@kostic017 thank you!
Yeah you can also use the AuthoritiesExtractor to intercept the selected valid decrypted assertion and store what you need. But it is horribly hacky.

danilopiazza added a commit to danilopiazza/spring-boot-saml-login that referenced this issue Jul 16, 2020