This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.2! |
Saml 2.0 Metadata
Spring Security can parse asserting party metadata to produce an AssertingPartyDetails
instance as well as publish relying party metadata from a RelyingPartyRegistration
instance.
Parsing <saml2:IDPSSODescriptor>
metadata
You can parse an asserting party’s metadata using RelyingPartyRegistrations
.
When using the OpenSAML vendor support, the resulting AssertingPartyDetails
will be of type OpenSamlAssertingPartyDetails
.
This means you’ll be able to do get the underlying OpenSAML XMLObject by doing the following:
-
Java
-
Kotlin
OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
registration.getAssertingPartyDetails();
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();
val details: OpenSamlAssertingPartyDetails =
registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails;
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor();
Producing <saml2:SPSSODescriptor>
Metadata
You can publish a metadata endpoint by adding the Saml2MetadataFilter
to the filter chain, as you’ll see below:
-
Java
-
Kotlin
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
relyingPartyRegistrationResolver,
new OpenSamlMetadataResolver());
http
// ...
.saml2Login(withDefaults())
.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
val filter = Saml2MetadataFilter(
relyingPartyRegistrationResolver,
OpenSamlMetadataResolver()
)
http {
//...
saml2Login { }
addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
}
You can use this metadata endpoint to register your relying party with your asserting party. This is often as simple as finding the correct form field to supply the metadata endpoint.
By default, the metadata endpoint is /saml2/service-provider-metadata/{registrationId}
.
You can change this by calling the setRequestMatcher
method on the filter:
-
Java
-
Kotlin
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))
Or, if you have registered a custom relying party registration resolver in the constructor, then you can specify a path without a registrationId
hint, like so:
-
Java
-
Kotlin
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
Changing the Way a RelyingPartyRegistration
Is Looked Up
To apply a custom RelyingPartyRegistrationResolver
to the metadata endpoint, you can provide it directly in the filter constructor like so:
-
Java
RelyingPartyRegistrationResolver myRegistrationResolver = ...;
Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());
// ...
http.addFilterBefore(metadata, BasicAuthenticationFilter.class);
val myRegistrationResolver: RelyingPartyRegistrationResolver = ...; val metadata = new Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver()); // ... http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java);
In the event that you are applying a RelyingPartyRegistrationResolver
to remove the registrationId
from the URI, you must also change the URI in the filter like so:
-
Java
metadata.setRequestMatcher("/saml2/metadata")
metadata.setRequestMatcher("/saml2/metadata")