Class OpenSamlAuthenticationProvider
- java.lang.Object
- org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider
- All Implemented Interfaces: AuthenticationProvider

public final class OpenSamlAuthenticationProvider extends java.lang.Object implements AuthenticationProvider
Implementation of AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the OpenSAML 3 library.

The OpenSamlAuthenticationProvider supports Saml2AuthenticationToken objects that contain a SAML response in its decoded XML format (Saml2AuthenticationToken.getSaml2Response()), along with the information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).

The Saml2AuthenticationToken will be processed into a SAML Response object. The SAML response object can be signed. If the Response is signed, a signature will not be required on the assertion.

While a response object can contain a list of assertions, this provider will only leverage the first valid assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid assertions are found, a Saml2AuthenticationException is thrown.

This provider supports two types of encrypted SAML elements. If the assertion is encrypted, then signature validation on the assertion is no longer required.

This provider does not perform X509 certificate validation on the configured asserting party (IDP) verification certificates.
- Since: 5.2
- See Also: SAML 2 StatusResponse, OpenSAML 3
Constructor Summary
- OpenSamlAuthenticationProvider()
Method Summary
- Authentication authenticate(Authentication authentication)
  Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
- void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor)
  Sets the Converter used for extracting assertion attributes that can be mapped to authorities.
- void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)
  Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication.
- void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)
  Sets the duration for how much time skew an assertion may tolerate during timestamp (NotOnOrBefore and NotOnOrAfter) validation.
- boolean supports(java.lang.Class<?> authentication)
  Returns true if this AuthenticationProvider supports the indicated Authentication object.
Method Detail

setAuthoritiesExtractor
public void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor)
Sets the Converter used for extracting assertion attributes that can be mapped to authorities.
- Parameters:
  authoritiesExtractor - the Converter used for mapping the assertion attributes to authorities

setAuthoritiesMapper
public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)
Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication. Note: This implementation is only retrieving
- Parameters:
  authoritiesMapper - the GrantedAuthoritiesMapper used for mapping the user's authorities

setResponseTimeValidationSkew
public void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)
Sets the duration for how much time skew an assertion may tolerate during timestamp (NotOnOrBefore and NotOnOrAfter) validation.
- Parameters:
  responseTimeValidationSkew - duration for skew tolerance

authenticate
public Authentication authenticate(Authentication authentication) throws AuthenticationException
Description copied from interface: AuthenticationProvider
Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
- Specified by: authenticate in interface AuthenticationProvider
- Parameters:
  authentication - the authentication request object, must be of type Saml2AuthenticationToken
- Returns: Saml2Authentication if the assertion is valid
- Throws: AuthenticationException - if a validation exception occurs

supports
public boolean supports(java.lang.Class<?> authentication)
Returns true if this AuthenticationProvider supports the indicated Authentication object.

Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented instance of the Authentication class. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime by the ProviderManager.
- Specified by: supports in interface AuthenticationProvider
- Returns: true if the implementation can more closely evaluate the Authentication class presented