public final class OpenSamlAuthenticationProvider extends java.lang.Object implements AuthenticationProvider

AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the OpenSAML 3 library.

The OpenSamlAuthenticationProvider supports Saml2AuthenticationToken objects that contain a SAML response in its decoded XML format (Saml2AuthenticationToken.getSaml2Response()) along with the information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).

The Saml2AuthenticationToken will be processed into a SAML Response object. The SAML response object can be signed. If the Response is signed, a signature will not be required on the assertion.

While a response object can contain a list of assertions, this provider will only leverage the first valid assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid assertions are found a Saml2AuthenticationException is thrown.

This provider supports two types of encrypted SAML elements.

If the assertion is encrypted, then signature validation on the assertion is no longer required.

This provider does not perform an X509 certificate validation on the configured asserting party (IDP) verification certificates.
Nested Class Summary

Modifier and Type | Class and Description |
---|---|
static class | OpenSamlAuthenticationProvider.AssertionToken: A tuple containing an OpenSAML Assertion and its associated authentication token. |
static class | OpenSamlAuthenticationProvider.ResponseToken: A tuple containing an OpenSAML Response and its associated authentication token. |
Constructor Summary

Constructor and Description |
---|
OpenSamlAuthenticationProvider(): Creates an OpenSamlAuthenticationProvider. |
Method Summary

Modifier and Type | Method and Description |
---|---|
Authentication | authenticate(Authentication authentication): Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication). |
static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> | createDefaultAssertionValidator(): Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token. |
static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> | createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,org.opensaml.saml.common.assertion.ValidationContext> contextConverter): Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token. |
static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,Saml2Authentication> | createDefaultResponseAuthenticationConverter(): Construct a default strategy for converting a SAML 2.0 Response and Authentication token into a Saml2Authentication. |
void | setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> assertionValidator): Set the Converter to use for validating each Assertion in the SAML 2.0 Response. |
void | setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor): Deprecated. Use setResponseAuthenticationConverter(Converter) instead. |
void | setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper): Deprecated. Use setResponseAuthenticationConverter(Converter) instead. |
void | setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,? extends AbstractAuthenticationToken> responseAuthenticationConverter) |
void | setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew): Deprecated. Use setAssertionValidator(Converter) instead. |
boolean | supports(java.lang.Class<?> authentication): Returns true if this AuthenticationProvider supports the indicated Authentication object. |
Constructor Detail

public OpenSamlAuthenticationProvider()

Creates an OpenSamlAuthenticationProvider.

Method Detail

public void setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> assertionValidator)

Set the Converter to use for validating each Assertion in the SAML 2.0 Response.

You can still invoke the default validator by delegating to createDefaultAssertionValidator(), like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setAssertionValidator(assertionToken -> {
    // run the default checks first, then append the outcome of a custom validator
    Saml2ResponseValidatorResult result = createDefaultAssertionValidator()
            .convert(assertionToken);
    return result.concat(myCustomValidator.convert(assertionToken));
});
```

You can also use this method to configure the provider to use a different ValidationContext from the default, like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setAssertionValidator(
        createDefaultAssertionValidator(assertionToken -> {
            Map<String, Object> params = new HashMap<>();
            // OpenSAML 3 reads CLOCK_SKEW as a Long number of milliseconds
            params.put(CLOCK_SKEW, 2 * 60 * 1000L);
            // other parameters
            return new ValidationContext(params);
        }));
```

Consider taking a look at createValidationContext(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.AssertionToken, java.util.function.Consumer<java.util.Map<java.lang.String, java.lang.Object>>) to see how it constructs a ValidationContext.

It is not necessary to delegate to the default validator. You can safely replace it entirely with your own. Note that signature verification is performed as a separate step from this validator.

This method takes precedence over setResponseTimeValidationSkew(java.time.Duration).

Parameters:
assertionValidator
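The following is an added example, not code from the Spring Security Javadoc or project, that combines the two customizations described above: it tightens the clock skew through a replacement ValidationContext while re-supplying the audience and recipient parameters that the provider's default context carries (a supplied context replaces the default one entirely, so leaving them out weakens or breaks the default checks), and it appends a check that the assertion carries a required AuthnContextClassRef. The class name StrictAssertionValidation, the REQUIRED_AUTHN_CONTEXT value and the helper requireAuthnContext are assumptions made for this example; it relies on the Spring Security 5.4 accessors AssertionToken.getToken(), Saml2AuthenticationToken.getRelyingPartyRegistration() and the RelyingPartyRegistration getters.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.AssertionToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

// Added example, not part of Spring Security; class and constant names are assumptions.
public final class StrictAssertionValidation {
    // Assumed value for this example; use the class reference your IDP actually emits.
    static final String REQUIRED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken";

    static OpenSamlAuthenticationProvider provider() {
        // A supplied ValidationContext replaces the default one, so audience and recipient
        // must be set again here, not only CLOCK_SKEW.
        Converter<AssertionToken, Saml2ResponseValidatorResult> defaults =
                OpenSamlAuthenticationProvider.createDefaultAssertionValidator(assertionToken -> {
                    RelyingPartyRegistration rp = assertionToken.getToken().getRelyingPartyRegistration();
                    Map<String, Object> params = new HashMap<>();
                    params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES,
                            Collections.singleton(rp.getEntityId()));
                    params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS,
                            Collections.singleton(rp.getAssertionConsumerServiceLocation()));
                    // 30 seconds of skew; OpenSAML 3 reads this parameter as Long milliseconds
                    params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, 30 * 1000L);
                    return new ValidationContext(params);
                });
        OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        provider.setAssertionValidator(assertionToken ->
                defaults.convert(assertionToken).concat(requireAuthnContext(assertionToken)));
        return provider;
    }

    // Fails the assertion unless one of its AuthnStatements carries the required class reference.
    static Saml2ResponseValidatorResult requireAuthnContext(AssertionToken assertionToken) {
        for (AuthnStatement statement : assertionToken.getAssertion().getAuthnStatements()) {
            AuthnContextClassRef ref = (statement.getAuthnContext() == null) ? null
                    : statement.getAuthnContext().getAuthnContextClassRef();
            if (ref != null && REQUIRED_AUTHN_CONTEXT.equals(ref.getAuthnContextClassRef())) {
                return Saml2ResponseValidatorResult.success();
            }
        }
        return Saml2ResponseValidatorResult.failure(new Saml2Error(Saml2ErrorCodes.INVALID_ASSERTION,
                "assertion lacks required AuthnContextClassRef " + REQUIRED_AUTHN_CONTEXT));
    }
}
```

Signature verification still happens in the provider's separate step, so this validator only decides whether an already-verified assertion is acceptable.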
public void setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,? extends AbstractAuthenticationToken> responseAuthenticationConverter)

Set the Converter to use for converting a validated Response into an AbstractAuthenticationToken.

You can delegate to the default behavior by calling createDefaultResponseAuthenticationConverter() like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
Converter<ResponseToken, Saml2Authentication> authenticationConverter =
        createDefaultResponseAuthenticationConverter();
provider.setResponseAuthenticationConverter(responseToken -> {
    // let the default converter build the Saml2Authentication, then enrich it with local user data
    Saml2Authentication authentication = authenticationConverter.convert(responseToken);
    User user = myUserRepository.findByUsername(authentication.getName());
    return new MyAuthentication(authentication, user);
});
```

This method takes precedence over setAuthoritiesExtractor(Converter) and setAuthoritiesMapper(GrantedAuthoritiesMapper).

Parameters:
responseAuthenticationConverter - the Converter to use

public void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor)

Deprecated. Use setResponseAuthenticationConverter(Converter) instead.

Converter used for extracting assertion attributes that can be mapped to authorities.

Parameters:
authoritiesExtractor - the Converter used for mapping the assertion attributes to authorities

public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)

Deprecated. Use setResponseAuthenticationConverter(Converter) instead.

GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication. Note: This implementation is only retrieving

Parameters:
authoritiesMapper - the GrantedAuthoritiesMapper used for mapping the user's authorities

public void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)

Deprecated. Use setAssertionValidator(Converter) instead.

Parameters:
responseTimeValidationSkew - duration for skew tolerance

public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator()

Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token.

public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,org.opensaml.saml.common.assertion.ValidationContext> contextConverter)

Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token.

Parameters:
contextConverter - the conversion strategy to use to generate a ValidationContext for each assertion being validated

public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,Saml2Authentication> createDefaultResponseAuthenticationConverter()

Construct a default strategy for converting a SAML 2.0 Response and Authentication token into a Saml2Authentication.

public Authentication authenticate(Authentication authentication) throws AuthenticationException

Description copied from interface: AuthenticationProvider

Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).

Specified by:
authenticate in interface AuthenticationProvider

Parameters:
authentication - the authentication request object, must be of type Saml2AuthenticationToken

Returns:
Saml2Authentication if the assertion is valid

Throws:
AuthenticationException - if a validation exception occurs

public boolean supports(java.lang.Class<?> authentication)

Description copied from interface: AuthenticationProvider

Returns true if this AuthenticationProvider supports the indicated Authentication object.

Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented instance of the Authentication class. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.

Selection of an AuthenticationProvider capable of performing authentication is conducted at runtime by the ProviderManager.

Specified by:
supports in interface AuthenticationProvider

Returns:
true if the implementation can more closely evaluate the Authentication class presented