public final class OpenSamlAuthenticationProvider extends java.lang.Object implements AuthenticationProvider

AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the OpenSAML 3 library.

The OpenSamlAuthenticationProvider supports Saml2AuthenticationToken objects that contain a SAML response in its decoded XML format, Saml2AuthenticationToken.getSaml2Response(), along with the information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).

The Saml2AuthenticationToken will be processed into a SAML Response object. The SAML response object can be signed. If the Response is signed, a signature will not be required on the assertion.

While a response object can contain a list of assertions, this provider will only leverage the first valid assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid assertions are found, a Saml2AuthenticationException is thrown.

This provider supports two types of encrypted SAML elements. If the assertion is encrypted, then signature validation on the assertion is no longer required.

This provider does not perform an X509 certificate validation on the configured asserting party (IDP) verification certificates; signatures are checked against those certificates exactly as configured.
Constructor and Description
---
OpenSamlAuthenticationProvider()

Modifier and Type | Method and Description
---|---
Authentication | authenticate(Authentication authentication): Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
void | setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor): Sets the Converter used for extracting assertion attributes that can be mapped to authorities.
void | setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper): Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication.
void | setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew): Sets the duration for how much time skew an assertion may tolerate during timestamp (NotOnOrBefore and NotOnOrAfter) validation.
boolean | supports(java.lang.Class<?> authentication): Returns true if this AuthenticationProvider supports the indicated Authentication object.
public void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor)

Sets the Converter used for extracting assertion attributes that can be mapped to authorities.

Parameters:
authoritiesExtractor - the Converter used for mapping the assertion attributes to authorities

public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)

Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication.
Note: This implementation is only retrieving

Parameters:
authoritiesMapper - the GrantedAuthoritiesMapper used for mapping the user's authorities

public void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)

Sets the duration for how much time skew an assertion may tolerate during timestamp (NotOnOrBefore and NotOnOrAfter) validation.

Parameters:
responseTimeValidationSkew - duration for skew tolerance

public Authentication authenticate(Authentication authentication) throws AuthenticationException

Description copied from interface: AuthenticationProvider
Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).

Specified by:
authenticate in interface AuthenticationProvider
Parameters:
authentication - the authentication request object, must be of type Saml2AuthenticationToken
Returns:
Saml2Authentication if the assertion is valid
Throws:
AuthenticationException - if a validation exception occurs

public boolean supports(java.lang.Class<?> authentication)

Returns true if this AuthenticationProvider supports the indicated Authentication object.

Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented instance of the Authentication class. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime by the ProviderManager.

Specified by:
supports in interface AuthenticationProvider
Returns:
true if the implementation can more closely evaluate the Authentication class presented