Saml2 support overriding the SAMLRequest parameters #9199
Comments
If these values are the same all the time, then the easiest way is to register your own custom Or, if the value needs to be changed on a per-request basis, you can register your own Will either of those work in your case?

Awesome, that would work for me. Maybe in the future, if there are multiple requests, we could expose it as a property that can be configured?

Yes, @Adi-devops, that's a good point. ForceAuthn and AuthnContextClassRef have been requested a few times now. Could you elaborate on what you mean by "expose it as a property"? I'm not sure it's common enough for a Boot property, but I could imagine a scenario where adding properties to

My bad, I did not know
No problem, @Adi-devops. You are correct that adding something to What I think could be done is to add these properties to

```java
@Bean
public Saml2AuthenticationRequestContextResolver
        authenticationRequestContextResolver(RelyingPartyRegistrationRepository relyingParties) {
    DefaultRelyingPartyRegistrationResolver resolver =
            new DefaultRelyingPartyRegistrationResolver(relyingParties);
    // `resolver` is the local variable declared above, not a field of the config class
    return (request) -> Optional.of(request).map(resolver::resolve)
            .map((relyingParty) -> Saml2AuthenticationRequestContext.builder()
                    .relyingParty(relyingParty)
                    .forceAuthn(true) // proposed new builder property, not yet in a release
                    // etc
                    .build())
            .orElse(null);
}
```

I like that since it reduces a three-step process to a one-step process for these more common settings. Would you be able to contribute a PR that adds these properties to
Absolutely, can I give it a try? If I have any doubts, can we use this same issue thread to discuss the implementation too?

Sounds great, @Adi-devops.

@jzheaux I have created an initial PR by adding new properties in

Good question, @Adi-devops. Since the defaults are passive, I believe that

Also, the ability to set the NameIDPolicy format would be great and useful. From experience with AuthnContextClassRef, this is something we are used to configuring in order to connect to various SAML IdPs.

Thanks for the feedback, @amergey. I believe that could be inferred from metadata, so I think a good start would be to add it to If you agree, would you add some detail to that ticket (#9115) and indicate whether you are able to contribute a PR?
BTW, the example at https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-saml2login-opensaml-customization does not even compile and doesn't show how to actually register the custom AuthnRequestMarshaller (I guess through the factory param that is not used). |
Also, while the converter is useful, I think that what most people will want is a hook into the default AuthnRequest before it is sent, in order to override parameters, instead of having to recreate an entire request from the saml context. |
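The in-place hook this comment asks for exists in later Spring Security releases. As an added example (not code from this thread, the project, or its docs), assuming Spring Security 5.7+ with OpenSAML 4 on the classpath, the customizer below sets the two values from the issue, ForceAuthn and the PasswordProtectedTransport AuthnContextClassRef, on the AuthnRequest the framework already built instead of rebuilding it from the context; the class name AuthnRequestConfig and the helper requireFreshPasswordLogin are my own names.

```java
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;

// Hypothetical config class (not from the project): overrides the default AuthnRequest resolver bean
@Configuration
public class AuthnRequestConfig {

    @Bean
    Saml2AuthenticationRequestResolver authenticationRequestResolver(
            RelyingPartyRegistrationRepository registrations) {
        RelyingPartyRegistrationResolver registrationResolver =
                new DefaultRelyingPartyRegistrationResolver(registrations);
        OpenSaml4AuthenticationRequestResolver resolver =
                new OpenSaml4AuthenticationRequestResolver(registrationResolver);
        // The customizer receives the framework-built AuthnRequest and edits it in place
        resolver.setAuthnRequestCustomizer(
                (context) -> requireFreshPasswordLogin(context.getAuthnRequest()));
        return resolver;
    }

    // Sets ForceAuthn="true" and an exact RequestedAuthnContext of PasswordProtectedTransport
    static void requireFreshPasswordLogin(AuthnRequest authnRequest) {
        // IdP must re-authenticate the user even if an IdP session already exists
        authnRequest.setForceAuthn(true);

        RequestedAuthnContext requested = (RequestedAuthnContext)
                XMLObjectSupport.buildXMLObject(RequestedAuthnContext.DEFAULT_ELEMENT_NAME);
        requested.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        AuthnContextClassRef classRef = (AuthnContextClassRef)
                XMLObjectSupport.buildXMLObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        // OpenSAML constant for urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        classRef.setURI(AuthnContext.PPT_AUTHN_CTX);
        requested.getAuthnContextClassRefs().add(classRef);
        authnRequest.setRequestedAuthnContext(requested);
    }
}
```

Requesting a context class and ForceAuthn only asks the IdP; the relying party should still check the returned assertion's AuthnContextClassRef and AuthnInstant before treating the login as a fresh, password-protected authentication.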
Hi, is there a way to override these parameters while using an XML-based configuration? |
Expected Behavior
As a service provider, it would be great if we could override the following parameter in a SAMLRequest

Current Behavior

Currently, we have the default values configured, which are

Context

As a service provider, we want to enforce that the user is always prompted for authentication while accessing some sensitive service, so we would like to set the following values.

saml:AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
ForceAuthn = true