
Add a RelyingPartyRegistrationRepository constructor to Saml2MetadataFilter

Open marcusdacoregio opened this issue 3 years ago • 2 comments

To expose the SAML metadata endpoint we have to register a Filter:

DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

http
    // ...
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);

The default URL for that filter is /saml2/service-provider-metadata/{registrationId}. If there is a need to change that URL for something like /saml/metadata, a RelyingPartyRegistrationResolver should be customized to resolve the RelyingPartyRegistration without relying on the registrationId template variable.

RelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(
                (id) -> relyingPartyRegistrationRepository.findByRegistrationId("one"));
Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

Given that customizing the RelyingPartyRegistrationResolver is less common, a new constructor that accepts a RelyingPartyRegistrationRepository could be added to Saml2MetadataFilter, simplifying the way we construct it:

public final class Saml2MetadataFilter extends OncePerRequestFilter {

    // ...

    public Saml2MetadataFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository,
            Saml2MetadataResolver saml2MetadataResolver) {
        this(new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository),
                saml2MetadataResolver);
    }

    // ...
}

and then

Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(
        this.relyingPartyRegistrationRepository,
        new OpenSamlMetadataResolver());

marcusdacoregio · Sep 13 '22 18:09
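The issue above shows the resolver that ignores the {registrationId} template variable but not how the filter is moved to the new URL. The following configuration is an added example, not code from the issue or from the Spring Security project: it wires the fixed-registration resolver from the issue into a complete SecurityFilterChain and relocates the endpoint to /saml/metadata with the filter's setRequestMatcher setter. It assumes Spring Security 6 package names, an injected RelyingPartyRegistrationRepository bean, and a registration whose id is "one".

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SamlMetadataConfig {

    @Bean
    SecurityFilterChain samlFilterChain(HttpSecurity http,
            RelyingPartyRegistrationRepository registrations) throws Exception {

        // Resolve the same registration for every request, so the URL no longer
        // needs a {registrationId} path variable. "one" is an assumed id that
        // must exist in the repository; otherwise the filter answers 401.
        RelyingPartyRegistrationResolver resolver =
                new DefaultRelyingPartyRegistrationResolver(
                        (id) -> registrations.findByRegistrationId("one"));

        Saml2MetadataFilter metadataFilter =
                new Saml2MetadataFilter(resolver, new OpenSamlMetadataResolver());

        // Replace the default /saml2/service-provider-metadata/{registrationId}
        // matcher with a fixed, GET-only path. The filter writes the metadata
        // document itself and does not continue the chain on a match.
        metadataFilter.setRequestMatcher(
                new AntPathRequestMatcher("/saml/metadata", "GET"));

        http
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().authenticated())
            .saml2Login(withDefaults())
            // Same placement as in the issue: ahead of the SSO response handler.
            .addFilterBefore(metadataFilter, Saml2WebSsoAuthenticationFilter.class);

        return http.build();
    }
}
```

SP metadata is meant to be published to identity providers, so serving it without authentication is the intended behaviour; it contains only the relying party's public signing and encryption certificates and endpoint URLs, never private keys. Restricting the matcher to GET keeps the endpoint from being reachable through other methods for no benefit.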

@marcusdacoregio, thanks for this write-up.

We want to avoid direct references to OpenSaml in classes not named OpenSamlXXX. Given that, I think the constructor will still require two parameters.

jzheaux · Sep 13 '22 19:09

Thanks, @jzheaux. The description is now updated.

marcusdacoregio · Sep 14 '22 11:09

Hello @marcusdacoregio can I help with this issue?

cotnic · Oct 28 '22 18:10

Hello @cotnic, of course, it’s now yours. Let us know if you have any difficulties.

marcusdacoregio · Oct 28 '22 20:10

@marcusdacoregio I want to start on this issue. I would like to know from which branch onward is this fix going to be included.

cotnic · Dec 02 '22 14:12

Hi @cotnic, you can use the main branch since this is a new feature.

marcusdacoregio · Dec 02 '22 15:12