public final class OpenSamlAuthenticationProvider extends java.lang.Object implements AuthenticationProvider
AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the Saml2AuthenticationToken objects that contain a SAML response in its decoded XML format along with the information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).

The Saml2AuthenticationToken will be processed into a SAML Response object. The SAML response object can be signed. If the Response is signed, a signature will not be required on the assertion.

While a response object can contain a list of assertions, this provider will only leverage the first valid assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid assertions are found, a Saml2AuthenticationException is thrown.
This provider supports two types of encrypted SAML elements
This provider does not perform X.509 certificate validation on the configured asserting party (IDP) verification certificates.
Performs authentication with the same contract as
Sets the duration for how much time skew an assertion may tolerate during timestamp (NotOnOrBefore and NotOnOrAfter) validation.
public void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends GrantedAuthority>> authoritiesExtractor)
Sets the Converter used for extracting assertion attributes that can be mapped to authorities.
authoritiesExtractor - the Converter used for mapping the assertion attributes to authorities
public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper)
Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication. Note: This implementation is only retrieving
authoritiesMapper - the GrantedAuthoritiesMapper used for mapping the user's authorities
public void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)
responseTimeValidationSkew - duration for skew tolerance
public Authentication authenticate(Authentication authentication) throws AuthenticationException
public boolean supports(java.lang.Class<?> authentication)
Returns true if this AuthenticationProvider supports the indicated Authentication object. Returning true does not guarantee an AuthenticationProvider will be able to authenticate the presented instance of the Authentication class. It simply indicates it can support closer evaluation of it. An AuthenticationProvider can still return null from the AuthenticationProvider.authenticate(Authentication) method to indicate another AuthenticationProvider should be tried.
Selection of an
AuthenticationProvider capable of performing
authentication is conducted at runtime the