public final class OpenSamlAuthenticationProvider extends java.lang.Object implements AuthenticationProvider

AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the OpenSAML 3 library.

The OpenSamlAuthenticationProvider supports Saml2AuthenticationToken objects that contain a SAML response in its decoded XML format, Saml2AuthenticationToken.getSaml2Response(), along with information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).

The Saml2AuthenticationToken will be processed into a SAML Response object. The SAML Response object can be signed. If the Response is signed, a signature will not be required on the Assertion.

While a Response object can contain a list of Assertions, this provider will only leverage the first valid Assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid Assertions are found, a Saml2AuthenticationException is thrown.

This provider supports two types of encrypted SAML elements:

- EncryptedAssertion
- EncryptedID

If the Assertion is encrypted, then signature validation on the Assertion is no longer required.

This provider does not perform an X509 certificate validation on the configured asserting party (IDP) verification certificates. Trust in the IDP therefore rests entirely on the verification certificates configured for the relying party registration: they must be provisioned from a trusted source and replaced when the IDP rotates its signing key.
| Constructor and Description |
|---|
| OpenSamlAuthenticationProvider() |

| Modifier and Type | Method and Description |
|---|---|
| Authentication | authenticate(Authentication authentication): Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication). |
| void | setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor): Sets the Converter used for extracting assertion attributes that can be mapped to authorities. |
| void | setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper): Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication. |
| void | setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew): Sets the duration for how much time skew an assertion may tolerate during timestamp (NotOnOrBefore and NotOnOrAfter) validation. |
| boolean | supports(java.lang.Class<?> authentication): Returns true if this AuthenticationProvider supports the indicated Authentication object. |
public void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor)

Sets the Converter used for extracting assertion attributes that can be mapped to authorities.

Parameters:
authoritiesExtractor - the Converter used for mapping the assertion attributes to authorities

public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)

Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication.
Note: This implementation is only retrieving

Parameters:
authoritiesMapper - the GrantedAuthoritiesMapper used for mapping the user's authorities

public void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)

Sets the duration for how much time skew an assertion may tolerate during timestamp (NotOnOrBefore and NotOnOrAfter) validation.

Parameters:
responseTimeValidationSkew - duration for skew tolerance

public Authentication authenticate(Authentication authentication) throws AuthenticationException

Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).

Specified by:
authenticate in interface AuthenticationProvider

Parameters:
authentication - the authentication request object, must be of type Saml2AuthenticationToken

Returns:
Saml2Authentication if the assertion is valid

Throws:
AuthenticationException - if a validation exception occurs

public boolean supports(java.lang.Class<?> authentication)

Returns true if this AuthenticationProvider supports the indicated Authentication object.

Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented instance of the Authentication class. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime by the ProviderManager.

Specified by:
supports in interface AuthenticationProvider

Returns:
true if the implementation can more closely evaluate the Authentication class presented
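The following is an added example, not code from the Spring Security project or this Javadoc, showing how the three setters above fit together in a WebSecurityConfigurerAdapter: a custom authorities extractor that reads group names from one SAML attribute, a GrantedAuthoritiesMapper that normalizes them, and a tightened time skew. The attribute name "memberOf", the class names AttributeAuthoritiesExtractor and Saml2SecurityConfig, and the 30-second skew are assumptions for the example; the RelyingPartyRegistrationRepository bean that carries the IDP verification certificates is assumed to be configured elsewhere.

```java
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;

/**
 * Example authorities extractor (not part of Spring Security): turns every value of
 * one SAML attribute, here assumed to be named "memberOf", into a GrantedAuthority.
 * Only the first valid Assertion is ever passed in, as the provider documents.
 */
final class AttributeAuthoritiesExtractor
        implements Converter<Assertion, Collection<? extends GrantedAuthority>> {

    private final String attributeName;

    AttributeAuthoritiesExtractor(String attributeName) {
        this.attributeName = attributeName;
    }

    @Override
    public Collection<? extends GrantedAuthority> convert(Assertion assertion) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                if (!this.attributeName.equals(attribute.getName())) {
                    continue;
                }
                for (XMLObject value : attribute.getAttributeValues()) {
                    String text = textOf(value);
                    if (text != null && !text.trim().isEmpty()) {
                        // raw IDP group name; the GrantedAuthoritiesMapper normalizes it
                        authorities.add(new SimpleGrantedAuthority(text.trim()));
                    }
                }
            }
        }
        return authorities;
    }

    // IDPs emit attribute values as xs:string or xs:anyType; anything else is ignored
    private static String textOf(XMLObject value) {
        if (value instanceof XSString) {
            return ((XSString) value).getValue();
        }
        if (value instanceof XSAny) {
            return ((XSAny) value).getTextContent();
        }
        return null;
    }
}

@Configuration
@EnableWebSecurity
public class Saml2SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();

        // group names come from the assumed "memberOf" attribute of the first valid Assertion
        provider.setAuthoritiesExtractor(new AttributeAuthoritiesExtractor("memberOf"));

        // "admins" becomes "ROLE_ADMINS": consistent prefix and case for hasRole() checks
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setPrefix("ROLE_");
        mapper.setConvertToUpperCase(true);
        provider.setAuthoritiesMapper(mapper);

        // Tolerance for NotOnOrBefore / NotOnOrAfter; keep it small and fix clock drift
        // with NTP rather than widening the replay window (30 s is an assumed value)
        provider.setResponseTimeValidationSkew(Duration.ofSeconds(30));

        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2.authenticationManager(
                    new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider))));
    }
}
```

Because the provider does not validate the IDP certificate chain, the verification certificates on the RelyingPartyRegistration are the whole trust decision; the skew setting only bounds how stale an otherwise correctly signed Assertion may be, so widening it to paper over clock drift directly widens the replay window.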