
Document Custom RelayState Parameter Resolution

Open abhishek-bafna-amdhan opened this issue 2 years ago • 4 comments

I want to set the RelayState parameter so that I can pass a redirectUrl received at runtime from a different request. This was possible in the SAML extension library by overriding the getProfileOptions() method of the SAMLEntryPoint class. However, it is not possible to do the same in Spring Security even with the following XML configuration:

<http>
    <saml2-login relying-party-registration-repository-ref="xxxxx"/>
</http>

I cannot find a sample application that shows how to create a relying-party-registration-repository bean where I can pass the relying-party-registrations to its constructor. The relying-party-registrations should allow an alias to be used as a reference somewhere else.

abhishek-bafna-amdhan avatar Jan 08 '24 11:01 abhishek-bafna-amdhan

An XML sample configuring relying-party-registration-repository-ref would be really helpful.

mohitkumar5 avatar Jan 15 '24 11:01 mohitkumar5

Hi, @abhishek-bafna-amdhan, thanks for reaching out. It sounds like you want to configure a custom way to set the RelayState parameter value.

You can do this by customizing the Saml2AuthenticationRequestResolver like so:

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.core.convert.converter.Converter;

public class RelayStateResolver implements Converter<HttpServletRequest, String> {
    @Override
    public String convert(HttpServletRequest request) {
        // ... your custom implementation, e.g. a redirect URL stored in the session by an earlier request
        return (String) request.getSession().getAttribute("redirectUrl");
    }
}
<http>
    <saml2-login authentication-request-resolver-ref="ref" ... />
    ...
</http>

<b:bean name="relayStateResolver" class="RelayStateResolver"/>
<b:bean name="ref" class="org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver">
    <!-- the RelyingPartyRegistrationRepository bean (constructor available since 6.1) -->
    <b:constructor-arg ref="xxxxx"/>
    <b:property name="relayStateResolver" ref="relayStateResolver"/>
</b:bean>

I can see this isn't covered in the reference, so I'll keep this ticket open to update that.

Does that seem sufficient to address your issue?

jzheaux avatar Jan 17 '24 23:01 jzheaux
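The same wiring in Java config, as an added example that is not from this thread or from Spring Security itself: it uses the 6.1 constructor that takes the repository directly and, because the IdP echoes RelayState back and the app then redirects to it, only accepts a redirect URL that is a same-origin path or an allowlisted https host. The session attribute name, the host allowlist and the class names are assumptions.

```java
import java.net.URI;
import java.util.Set;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;

// Hypothetical resolver: copies a redirect URL captured by an earlier request
// (assumed to be stored in the session under "redirectUrl") into RelayState,
// falling back to "/" unless the value passes the allowlist check below.
public class RedirectUrlRelayStateResolver implements Converter<HttpServletRequest, String> {

    private static final String SESSION_KEY = "redirectUrl";                 // assumed attribute name
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com"); // placeholder allowlist

    @Override
    public String convert(HttpServletRequest request) {
        Object stored = request.getSession(false) == null
                ? null : request.getSession(false).getAttribute(SESSION_KEY);
        String candidate = stored instanceof String s ? s : null;
        return isSafeRedirect(candidate) ? candidate : "/";
    }

    // SAML 2.0 Bindings cap RelayState at 80 bytes; longer targets should be
    // replaced by a short key into server-side storage rather than sent raw.
    static boolean isSafeRedirect(String url) {
        if (url == null || url.isBlank() || url.length() > 80) return false;
        // "//host" and "/\host" are interpreted as absolute URLs by browsers
        if (url.startsWith("//") || url.startsWith("/\\")) return false;
        if (url.startsWith("/")) return true; // same-origin path
        try {
            URI uri = new URI(url);
            return "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (Exception e) {
            return false;
        }
    }
}

@Configuration
class Saml2RelayStateConfig {
    @Bean
    Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
        OpenSaml4AuthenticationRequestResolver resolver = new OpenSaml4AuthenticationRequestResolver(registrations);
        resolver.setRelayStateResolver(new RedirectUrlRelayStateResolver());
        return resolver;
    }
}
```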

Hi @jzheaux, thanks for getting back to me. I'm hoping you might be able to clarify something for me about the reference for "relying-party-registration-repository-ref". It appears to be needed because the OpenSaml4AuthenticationRequestResolver needs a RelyingPartyRegistrationResolver, and the default implementation (DefaultRelyingPartyRegistrationResolver) requires a RelyingPartyRegistrationRepository in its constructor.

abhishek-bafna-amdhan avatar Jan 19 '24 10:01 abhishek-bafna-amdhan

@abhishek-bafna-amdhan, this has hopefully been alleviated in 6.1, which introduces a constructor in OpenSaml4AuthenticationRequestResolver for RelyingPartyRegistrationRepository. If that doesn't help, please feel free to open a StackOverflow question and paste the link to it here. We can continue to investigate your question over there.

jzheaux avatar Jan 23 '24 22:01 jzheaux

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues avatar Apr 12 '24 20:04 spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

spring-projects-issues avatar Apr 19 '24 20:04 spring-projects-issues

Thank you for looking into this. The resolution provided by https://github.com/spring-projects/spring-security/issues/14487 will resolve this issue.

Thanks again!

abhishek-bafna-amdhan avatar Apr 23 '24 09:04 abhishek-bafna-amdhan