Class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
- All Implemented Interfaces: SecurityConfigurer<DefaultSecurityFilterChain, B>

An AbstractHttpConfigurer for SAML 2.0 Login, which leverages the SAML 2.0 Web Browser Single Sign On (WebSSO) Flow.

SAML 2.0 Login provides an application with the capability to have users log in by using their existing account at an SAML 2.0 Identity Provider.

Defaults are provided for all configuration options, with the only required configuration being relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository). Alternatively, a RelyingPartyRegistrationRepository @Bean may be registered instead.
Security Filters
The following Filters are populated:

Shared Objects Created
The following shared objects are populated:
- RelyingPartyRegistrationRepository (required)

Shared Objects Used
The following shared objects are used:
- RelyingPartyRegistrationRepository (required)
- DefaultLoginPageGeneratingFilter - if loginPage(String) is not configured and DefaultLoginPageGeneratingFilter is available, then a default login page will be made available
-
Constructor Summary
-
Method Summary
Modifier and Type, Method, Description:
- authenticationConverter(AuthenticationConverter authenticationConverter) - Use this AuthenticationConverter when converting incoming requests to an Authentication.
- authenticationManager(AuthenticationManager authenticationManager) - Allows a configuration of a AuthenticationManager to be used during SAML 2 authentication.
- authenticationRequestResolver(Saml2AuthenticationRequestResolver authenticationRequestResolver) - Use this Saml2AuthenticationRequestResolver for generating SAML 2.0 Authentication Requests.
- authenticationRequestUri(String authenticationRequestUri) - Customize the URL that the SAML Authentication Request will be sent to.
- void configure - Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl) - Create the RequestMatcher given a loginProcessingUrl
- void init - Initialize the SecurityBuilder.
- loginPage - Specifies the URL to send users to if login is required.
- loginProcessingUrl(String loginProcessingUrl) - Specifies the URL to validate the credentials.
- relyingPartyRegistrationRepository - Sets the RelyingPartyRegistrationRepository of relying parties, each party representing a service provider, SP and this host, and identity provider, IDP pair that communicate with each other.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer
authenticationDetailsSource, defaultSuccessUrl, defaultSuccessUrl, failureHandler, failureUrl, getAuthenticationEntryPoint, getAuthenticationEntryPointMatcher, getAuthenticationFilter, getFailureUrl, getLoginPage, getLoginProcessingUrl, isCustomLoginPage, permitAll, permitAll, registerAuthenticationEntryPoint, registerDefaultAuthenticationEntryPoint, securityContextRepository, setAuthenticationFilter, successHandler, updateAccessDefaults, updateAuthenticationDefaults

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
-
Constructor Details
-
Saml2LoginConfigurer
public Saml2LoginConfigurer()
-
-
Method Details
-
authenticationConverter
public Saml2LoginConfigurer<B> authenticationConverter(AuthenticationConverter authenticationConverter)
Use this AuthenticationConverter when converting incoming requests to an Authentication. By default the Saml2AuthenticationTokenConverter is used.
- Parameters: authenticationConverter - the AuthenticationConverter to use
- Returns: the Saml2LoginConfigurer for further configuration
- Since: 5.4
-
authenticationManager
Allows a configuration of a AuthenticationManager to be used during SAML 2 authentication. If none is specified, the system will create one and inject it into the Saml2WebSsoAuthenticationFilter.
- Parameters: authenticationManager - the authentication manager to be used
- Returns: the Saml2LoginConfigurer for further configuration
- Throws: IllegalArgumentException - if authenticationManager is null configure the default manager
- Since: 5.3
-
relyingPartyRegistrationRepository
public Saml2LoginConfigurer<B> relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository repo)
Sets the RelyingPartyRegistrationRepository of relying parties, each party representing a service provider, SP and this host, and identity provider, IDP pair that communicate with each other.
- Parameters: repo - the repository of relying parties
- Returns: the Saml2LoginConfigurer for further configuration
-
loginPage
Description copied from class: AbstractAuthenticationFilterConfigurer
Specifies the URL to send users to if login is required. If used with EnableWebSecurity a default login page will be generated when this attribute is not specified.
If a URL is specified or this is not being used in conjunction with EnableWebSecurity, users are required to process the specified URL to generate a login page.
- Overrides: loginPage in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>, Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter>
-
authenticationRequestResolver
public Saml2LoginConfigurer<B> authenticationRequestResolver(Saml2AuthenticationRequestResolver authenticationRequestResolver)
Use this Saml2AuthenticationRequestResolver for generating SAML 2.0 Authentication Requests.
- Parameters: authenticationRequestResolver -
- Returns: the Saml2LoginConfigurer for further configuration
- Since: 5.7
-
authenticationRequestUri
Customize the URL that the SAML Authentication Request will be sent to.
- Parameters: authenticationRequestUri - the URI to use for the SAML 2.0 Authentication Request
- Returns: the Saml2LoginConfigurer for further configuration
- Since: 6.0
-
loginProcessingUrl
Specifies the URL to validate the credentials. If a custom URL is specified, consider specifying a custom AuthenticationConverter via authenticationConverter(AuthenticationConverter), since the default AuthenticationConverter implementation relies on the {registrationId} path variable being present in the URL.
- Overrides: loginProcessingUrl in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>, Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter>
- Parameters: loginProcessingUrl - the URL to validate the credentials
- Returns: the Saml2LoginConfigurer for additional customization
- See Also:
-
createLoginProcessingUrlMatcher
Description copied from class: AbstractAuthenticationFilterConfigurer
Create the RequestMatcher given a loginProcessingUrl
- Specified by: createLoginProcessingUrlMatcher in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>, Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter>
- Parameters: loginProcessingUrl - creates the RequestMatcher based upon the loginProcessingUrl
- Returns: the RequestMatcher to use based upon the loginProcessingUrl
-
init
Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.
Initializes this filter chain for SAML 2 Login. The following actions are taken:
- The WebSSO endpoint has CSRF disabled, typically /login/saml2/sso
- A is configured
- The loginProcessingUrl is set
- A custom login page is configured, or
- A default login page with all SAML 2.0 Identity Providers is configured
- An AuthenticationProvider is configured

- Specified by: init in interface SecurityConfigurer<DefaultSecurityFilterChain, B extends HttpSecurityBuilder<B>>
- Overrides: init in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>, Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter>
- Throws: Exception
-
configure
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
During the configure phase, a Saml2WebSsoAuthenticationRequestFilter is added to handle SAML 2.0 AuthNRequest redirects.
- Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain, B extends HttpSecurityBuilder<B>>
- Overrides: configure in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>, Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>, Saml2WebSsoAuthenticationFilter>
- Throws: Exception
-