Package org.springframework.security.saml2.provider.service.authentication

Class OpenSaml5AuthenticationProvider

java.lang.Object
org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider
All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationProvider
public final class OpenSaml5AuthenticationProvider extends Object implements org.springframework.security.authentication.AuthenticationProvider
Implementation of AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the OpenSAML 5 library.

The OpenSaml5AuthenticationProvider supports Saml2AuthenticationToken objects that contain a SAML response in its decoded XML format Saml2AuthenticationToken.getSaml2Response() along with the information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).

The Saml2AuthenticationToken will be processed into a SAML Response object. The SAML response object can be signed. If the Response is signed, a signature will not be required on the assertion.

While a response object can contain a list of assertion, this provider will only leverage the first valid assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid assertions are found a Saml2AuthenticationException is thrown.

This provider supports two types of encrypted SAML elements

If the assertion is encrypted, then signature validation on the assertion is no longer required.

This provider does not perform an X509 certificate validation on the configured asserting party, IDP, verification certificates.

Since:
5.5
See Also:

  • Constructor Details

  • Method Details

    • setResponseElementsDecrypter

      public void setResponseElementsDecrypter(Consumer<OpenSaml5AuthenticationProvider.ResponseToken> responseElementsDecrypter)
      Set the Consumer strategy to use for decrypting elements of a validated Response. The default strategy decrypts all EncryptedAssertions using OpenSAML's Decrypter, adding the results to Response.getAssertions(). You can use this method to configure the Decrypter instance like so: 
              OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        provider.setResponseElementsDecrypter((responseToken) -> {
            DecrypterParameters parameters = new DecrypterParameters();
            // ... set parameters as needed
            Decrypter decrypter = new Decrypter(parameters);
                Response response = responseToken.getResponse();
        EncryptedAssertion encrypted = response.getEncryptedAssertions().get(0);
        try {
                Assertion assertion = decrypter.decrypt(encrypted);
                response.getAssertions().add(assertion);
        } catch (Exception e) {
                throw new Saml2AuthenticationException(...);
        }
        });
      Or, in the event that you have your own custom decryption interface, the same pattern applies: 
              OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        Converter<EncryptedAssertion, Assertion> myService = ...
        provider.setResponseDecrypter((responseToken) -> {
           Response response = responseToken.getResponse();
           response.getEncryptedAssertions().stream()
                        .map(service::decrypt).forEach(response.getAssertions()::add);
        });
      This is valuable when using an external service to perform the decryption.
      Parameters:
      responseElementsDecrypter - the Consumer for decrypting response elements
      Since:
      5.5

    • setResponseValidator

      public void setResponseValidator(org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.ResponseToken,Saml2ResponseValidatorResult> responseValidator)
      Set the Converter to use for validating the SAML 2.0 Response. You can still invoke the default validator by delegating to createDefaultResponseValidator(), like so: 
       OpenSaml5AuthenticationProvider provider = new OpenSaml5AuthenticationProvider();
 provider.setResponseValidator(responseToken -> {
                Saml2ResponseValidatorResult result = createDefaultResponseValidator()
                        .convert(responseToken)
                return result.concat(myCustomValidator.convert(responseToken));
 });
      Parameters:
      responseValidator - the Converter to use
      Since:
      5.6

    • setAssertionValidator

      public void setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> assertionValidator)
      Set the Converter to use for validating each Assertion in the SAML 2.0 Response. You can still invoke the default validator by calling OpenSaml5AuthenticationProvider.AssertionValidator.withDefaults(), like so: 
              OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
  AssertionValidator validator = AssertionValidator.withDefaults();
  provider.setAssertionValidator(assertionToken -> {
                Saml2ResponseValidatorResult result = validator.validate(assertionToken);
                return result.concat(myCustomValidator.convert(assertionToken));
  });
      You can also use this method to configure the provider to use a different ValidationContext from the default, like so: 
              OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
  AssertionValidator validator = AssertionValidator.builder().clockSkew(Duration.ofMinutes(2)).build();
        provider.setAssertionValidator(validator);
      Consider taking a look at OpenSaml5AuthenticationProvider.AssertionValidator.createValidationContext(org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider.AssertionToken) to see how it constructs a ValidationContext. It is not necessary to delegate to the default validator. You can safely replace it entirely with your own. Note that signature verification is performed as a separate step from this validator.
      Parameters:
      assertionValidator - the validator to use
      Since:
      5.4

    • setAssertionElementsDecrypter

      public void setAssertionElementsDecrypter(Consumer<OpenSaml5AuthenticationProvider.AssertionToken> assertionDecrypter)
      Set the Consumer strategy to use for decrypting elements of a validated Assertion. You can use this method to configure the Decrypter used like so: 
              OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        provider.setResponseDecrypter((assertionToken) -> {
            DecrypterParameters parameters = new DecrypterParameters();
            // ... set parameters as needed
            Decrypter decrypter = new Decrypter(parameters);
                Assertion assertion = assertionToken.getAssertion();
        EncryptedID encrypted = assertion.getSubject().getEncryptedID();
        try {
                NameID name = decrypter.decrypt(encrypted);
                assertion.getSubject().setNameID(name);
        } catch (Exception e) {
                throw new Saml2AuthenticationException(...);
        }
        });
      Or, in the event that you have your own custom interface, the same pattern applies: 
              OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        MyDecryptionService myService = ...
        provider.setResponseDecrypter((responseToken) -> {
                Assertion assertion = assertionToken.getAssertion();
                EncryptedID encrypted = assertion.getSubject().getEncryptedID();
                NameID name = myService.decrypt(encrypted);
                assertion.getSubject().setNameID(name);
        });
      Parameters:
      assertionDecrypter - the Consumer for decrypting assertion elements
      Since:
      5.5

    • setResponseAuthenticationConverter

      public void setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.ResponseToken,? extends org.springframework.security.authentication.AbstractAuthenticationToken> responseAuthenticationConverter)
      Set the Converter to use for converting a validated Response into an AbstractAuthenticationToken. You can delegate to the default behavior by calling createDefaultResponseAuthenticationConverter() like so: 
              OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        Converter<ResponseToken, Saml2Authentication> authenticationConverter =
                        createDefaultResponseAuthenticationConverter();
        provider.setResponseAuthenticationConverter(responseToken -> {
                Saml2Authentication authentication = authenticationConverter.convert(responseToken);
                User user = myUserRepository.findByUsername(authentication.getName());
                return new MyAuthentication(authentication, user);
        });
      Parameters:
      responseAuthenticationConverter - the Converter to use
      Since:
      5.4

    • setValidateResponseAfterAssertions

      public void setValidateResponseAfterAssertions(boolean validateResponseAfterAssertions)
      Indicate when to validate response attributes, like Destination and Issuer. By default, this value is set to false, meaning that response attributes are validated first. Setting this value to true allows you to use a response authentication converter that doesn't rely on the NameID element in the Response's assertion.
      Parameters:
      validateResponseAfterAssertions - when to validate response attributes
      Since:
      6.5
      See Also:

    • createDefaultResponseValidator

      @Deprecated public static org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.ResponseToken,Saml2ResponseValidatorResult> createDefaultResponseValidator()
      Deprecated.
      please use OpenSaml5AuthenticationProvider.ResponseValidator.withDefaults() instead
      Construct a default strategy for validating the SAML 2.0 Response
      Returns:
      the default response validator strategy
      Since:
      5.6

    • createDefaultAssertionValidator

      @Deprecated public static org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator()
      Deprecated.
      please use OpenSaml5AuthenticationProvider.AssertionValidator.withDefaults() instead
      Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token
      Returns:
      the default assertion validator strategy

    • createDefaultAssertionValidator

      @Deprecated public static org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.AssertionToken,org.opensaml.saml.common.assertion.ValidationContext> contextConverter)
      Deprecated.
      Use createDefaultAssertionValidatorWithParameters(java.util.function.Consumer<java.util.Map<java.lang.String, java.lang.Object>>) instead
      Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token
      Parameters:
      contextConverter - the conversion strategy to use to generate a ValidationContext for each assertion being validated
      Returns:
      the default assertion validator strategy

    • createDefaultAssertionValidatorWithParameters

      @Deprecated public static org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidatorWithParameters(Consumer<Map<String,Object>> validationContextParameters)
      Deprecated.
      please use OpenSaml5AuthenticationProvider.AssertionValidator.withDefaults() instead
      Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token
      Parameters:
      validationContextParameters - a consumer for editing the values passed to the ValidationContext for each assertion being validated
      Returns:
      the default assertion validator strategy
      Since:
      5.8

    • createDefaultResponseAuthenticationConverter

      @Deprecated public static org.springframework.core.convert.converter.Converter<OpenSaml5AuthenticationProvider.ResponseToken,Saml2Authentication> createDefaultResponseAuthenticationConverter()
      Deprecated.
      please use OpenSaml5AuthenticationProvider.ResponseAuthenticationConverter instead
      Construct a default strategy for converting a SAML 2.0 Response and Authentication token into a Saml2Authentication
      Returns:
      the default response authentication converter strategy

    • authenticate

      public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
      Specified by:
      authenticate in interface org.springframework.security.authentication.AuthenticationProvider
      Parameters:
      authentication - the authentication request object, must be of type Saml2AuthenticationToken
      Returns:
      Saml2Authentication if the assertion is valid
      Throws:
      org.springframework.security.core.AuthenticationException - if a validation exception occurs

    • supports

      public boolean supports(Class<?> authentication)
      Specified by:
      supports in interface org.springframework.security.authentication.AuthenticationProvider