Class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<T,B>
org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer<B,Saml2LoginConfigurer<B>,Saml2WebSsoAuthenticationFilter>
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer<B>
- All Implemented Interfaces:
SecurityConfigurer<DefaultSecurityFilterChain,B>
public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
extends AbstractAuthenticationFilterConfigurer<B,Saml2LoginConfigurer<B>,Saml2WebSsoAuthenticationFilter>
An
AbstractHttpConfigurer for SAML 2.0 Login, which leverages the SAML 2.0 Web
Browser Single Sign On (WebSSO) Flow.
SAML 2.0 Login provides an application with the capability to have users log in by using their existing account at an SAML 2.0 Identity Provider.
Defaults are provided for all configuration options with the only required
configuration being
relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository) .
Alternatively, a RelyingPartyRegistrationRepository @Bean may be
registered instead.
Security Filters
The followingFilter's are populated:
Shared Objects Created
The following shared objects are populated:RelyingPartyRegistrationRepository(required)
Shared Objects Used
The following shared objects are used:RelyingPartyRegistrationRepository(required)DefaultLoginPageGeneratingFilter- ifloginPage(String)is not configured andDefaultLoginPageGeneratingFilteris available, than a default login page will be made available
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionauthenticationConverter(AuthenticationConverter authenticationConverter) Use thisAuthenticationConverterwhen converting incoming requests to anAuthentication.authenticationManager(AuthenticationManager authenticationManager) Allows a configuration of aAuthenticationManagerto be used during SAML 2 authentication.authenticationRequestResolver(Saml2AuthenticationRequestResolver authenticationRequestResolver) Use thisSaml2AuthenticationRequestResolverfor generating SAML 2.0 Authentication Requests.authenticationRequestUri(String authenticationRequestUri) Customize the URL that the SAML Authentication Request will be sent to.voidConfigure theSecurityBuilderby setting the necessary properties on theSecurityBuilder.protected RequestMatchercreateLoginProcessingUrlMatcher(String loginProcessingUrl) Create theRequestMatchergiven a loginProcessingUrlvoidInitialize theSecurityBuilder.Specifies the URL to send users to if login is required.loginProcessingUrl(String loginProcessingUrl) Specifies the URL to validate the credentials.Sets theRelyingPartyRegistrationRepositoryof relying parties, each party representing a service provider, SP and this host, and identity provider, IDP pair that communicate with each other.Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer
authenticationDetailsSource, defaultSuccessUrl, defaultSuccessUrl, failureHandler, failureUrl, getAuthenticationEntryPoint, getAuthenticationEntryPointMatcher, getAuthenticationFilter, getFailureUrl, getLoginPage, getLoginProcessingUrl, isCustomLoginPage, permitAll, permitAll, registerAuthenticationEntryPoint, registerDefaultAuthenticationEntryPoint, securityContextRepository, setAuthenticationFilter, successHandler, updateAccessDefaults, updateAuthenticationDefaultsMethods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessorMethods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
-
Constructor Details
-
Saml2LoginConfigurer
public Saml2LoginConfigurer()
-
-
Method Details
-
authenticationConverter
public Saml2LoginConfigurer<B> authenticationConverter(AuthenticationConverter authenticationConverter) Use thisAuthenticationConverterwhen converting incoming requests to anAuthentication. By default theSaml2AuthenticationTokenConverteris used.- Parameters:
authenticationConverter- theAuthenticationConverterto use- Returns:
- the
Saml2LoginConfigurerfor further configuration - Since:
- 5.4
-
authenticationManager
Allows a configuration of aAuthenticationManagerto be used during SAML 2 authentication. If none is specified, the system will create one inject it into theSaml2WebSsoAuthenticationFilter- Parameters:
authenticationManager- the authentication manager to be used- Returns:
- the
Saml2LoginConfigurerfor further configuration - Throws:
IllegalArgumentException- if authenticationManager is null configure the default manager- Since:
- 5.3
-
relyingPartyRegistrationRepository
public Saml2LoginConfigurer<B> relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository repo) Sets theRelyingPartyRegistrationRepositoryof relying parties, each party representing a service provider, SP and this host, and identity provider, IDP pair that communicate with each other.- Parameters:
repo- the repository of relying parties- Returns:
- the
Saml2LoginConfigurerfor further configuration
-
loginPage
Description copied from class:AbstractAuthenticationFilterConfigurerSpecifies the URL to send users to if login is required. If used with
EnableWebSecuritya default login page will be generated when this attribute is not specified.If a URL is specified or this is not being used in conjunction with
EnableWebSecurity, users are required to process the specified URL to generate a login page.- Overrides:
loginPagein classAbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter>
-
authenticationRequestResolver
public Saml2LoginConfigurer<B> authenticationRequestResolver(Saml2AuthenticationRequestResolver authenticationRequestResolver) Use thisSaml2AuthenticationRequestResolverfor generating SAML 2.0 Authentication Requests.- Parameters:
authenticationRequestResolver-- Returns:
- the
Saml2LoginConfigurerfor further configuration - Since:
- 5.7
-
authenticationRequestUri
Customize the URL that the SAML Authentication Request will be sent to.- Parameters:
authenticationRequestUri- the URI to use for the SAML 2.0 Authentication Request- Returns:
- the
Saml2LoginConfigurerfor further configuration - Since:
- 6.0
-
loginProcessingUrl
Specifies the URL to validate the credentials. If specified a custom URL, consider specifying a customAuthenticationConverterviaauthenticationConverter(AuthenticationConverter), since the defaultAuthenticationConverterimplementation relies on the{registrationId}path variable to be present in the URL- Overrides:
loginProcessingUrlin classAbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter> - Parameters:
loginProcessingUrl- the URL to validate the credentials- Returns:
- the
Saml2LoginConfigurerfor additional customization - See Also:
-
createLoginProcessingUrlMatcher
Description copied from class:AbstractAuthenticationFilterConfigurerCreate theRequestMatchergiven a loginProcessingUrl- Specified by:
createLoginProcessingUrlMatcherin classAbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter> - Parameters:
loginProcessingUrl- creates theRequestMatcherbased upon the loginProcessingUrl- Returns:
- the
RequestMatcherto use based upon the loginProcessingUrl
-
init
Initialize theSecurityBuilder. Here only shared state should be created and modified, but not properties on theSecurityBuilderused for building the object. This ensures that theSecurityConfigurer.configure(SecurityBuilder)method uses the correct shared objects when building. Configurers should be applied here.Initializes this filter chain for SAML 2 Login. The following actions are taken:
- The WebSSO endpoint has CSRF disabled, typically
/login/saml2/sso - A
is configured - The
loginProcessingUrlis set - A custom login page is configured, or
- A default login page with all SAML 2.0 Identity Providers is configured
- An
AuthenticationProvideris configured
- Specified by:
initin interfaceSecurityConfigurer<DefaultSecurityFilterChain,B extends HttpSecurityBuilder<B>> - Overrides:
initin classAbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter> - Throws:
Exception
- The WebSSO endpoint has CSRF disabled, typically
-
configure
Configure theSecurityBuilderby setting the necessary properties on theSecurityBuilder.During the
configurephase, aSaml2WebSsoAuthenticationRequestFilteris added to handle SAML 2.0 AuthNRequest redirects- Specified by:
configurein interfaceSecurityConfigurer<DefaultSecurityFilterChain,B extends HttpSecurityBuilder<B>> - Overrides:
configurein classAbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter> - Throws:
Exception
-