Class OpenSaml4AuthenticationProvider
- All Implemented Interfaces:
AuthenticationProvider
AuthenticationProvider
for SAML authentications when
receiving a Response
object containing an Assertion
. This
implementation uses the OpenSAML 4
library.
The OpenSaml4AuthenticationProvider
supports Saml2AuthenticationToken
objects that contain a SAML response in its decoded XML format
Saml2AuthenticationToken.getSaml2Response()
along with the information about
the asserting party, the identity provider (IDP), as well as the relying party, the
service provider (SP, this application).
The Saml2AuthenticationToken
will be processed into a SAML Response object. The
SAML response object can be signed. If the Response is signed, a signature will not be
required on the assertion.
While a response object can contain a list of assertion, this provider will only
leverage the first valid assertion for the purpose of authentication. Assertions that
do not pass validation will be ignored. If no valid assertions are found a
Saml2AuthenticationException
is thrown.
This provider supports two types of encrypted SAML elements
If the assertion is encrypted, then signature validation on the assertion is no longer required.This provider does not perform an X509 certificate validation on the configured asserting party, IDP, verification certificates.
- Since:
- 5.5
- See Also:
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic class
A tuple containing an OpenSAMLAssertion
and its associated authentication token.static class
A tuple containing an OpenSAMLResponse
and its associated authentication token. -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionauthenticate
(Authentication authentication) Performs authentication with the same contract asAuthenticationManager.authenticate(Authentication)
.static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,
Saml2ResponseValidatorResult> Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
tokenstatic org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,
Saml2ResponseValidatorResult> createDefaultAssertionValidator
(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken, org.opensaml.saml.common.assertion.ValidationContext> contextConverter) Deprecated.static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,
Saml2ResponseValidatorResult> createDefaultAssertionValidatorWithParameters
(Consumer<Map<String, Object>> validationContextParameters) Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
tokenstatic org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,
Saml2Authentication> Construct a default strategy for converting a SAML 2.0 Response andAuthentication
token into aSaml2Authentication
static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,
Saml2ResponseValidatorResult> Construct a default strategy for validating the SAML 2.0 Responsevoid
setAssertionElementsDecrypter
(Consumer<OpenSaml4AuthenticationProvider.AssertionToken> assertionDecrypter) Set theConsumer
strategy to use for decrypting elements of a validatedAssertion
.void
setAssertionValidator
(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken, Saml2ResponseValidatorResult> assertionValidator) Set theConverter
to use for validating eachAssertion
in the SAML 2.0 Response.void
setResponseAuthenticationConverter
(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken, ? extends AbstractAuthenticationToken> responseAuthenticationConverter) void
setResponseElementsDecrypter
(Consumer<OpenSaml4AuthenticationProvider.ResponseToken> responseElementsDecrypter) Set theConsumer
strategy to use for decrypting elements of a validatedResponse
.void
setResponseValidator
(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> responseValidator) Set theConverter
to use for validating the SAML 2.0 Response.boolean
Returnstrue
if thisAuthenticationProvider
supports the indicatedAuthentication
object.
-
Constructor Details
-
OpenSaml4AuthenticationProvider
public OpenSaml4AuthenticationProvider()Creates anOpenSaml4AuthenticationProvider
-
-
Method Details
-
setResponseElementsDecrypter
public void setResponseElementsDecrypter(Consumer<OpenSaml4AuthenticationProvider.ResponseToken> responseElementsDecrypter) Set theConsumer
strategy to use for decrypting elements of a validatedResponse
. The default strategy decrypts allEncryptedAssertion
s using OpenSAML'sDecrypter
, adding the results toResponse.getAssertions()
. You can use this method to configure theDecrypter
instance like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setResponseElementsDecrypter((responseToken) -> { DecrypterParameters parameters = new DecrypterParameters(); // ... set parameters as needed Decrypter decrypter = new Decrypter(parameters); Response response = responseToken.getResponse(); EncryptedAssertion encrypted = response.getEncryptedAssertions().get(0); try { Assertion assertion = decrypter.decrypt(encrypted); response.getAssertions().add(assertion); } catch (Exception e) { throw new Saml2AuthenticationException(...); } });
Or, in the event that you have your own custom decryption interface, the same pattern applies:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); Converter<EncryptedAssertion, Assertion> myService = ... provider.setResponseDecrypter((responseToken) -> { Response response = responseToken.getResponse(); response.getEncryptedAssertions().stream() .map(service::decrypt).forEach(response.getAssertions()::add); });
This is valuable when using an external service to perform the decryption.- Parameters:
responseElementsDecrypter
- theConsumer
for decrypting response elements- Since:
- 5.5
-
setResponseValidator
public void setResponseValidator(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken, Saml2ResponseValidatorResult> responseValidator) Set theConverter
to use for validating the SAML 2.0 Response. You can still invoke the default validator by delegating tocreateDefaultResponseValidator()
, like so:OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider(); provider.setResponseValidator(responseToken -> { Saml2ResponseValidatorResult result = createDefaultResponseValidator() .convert(responseToken) return result.concat(myCustomValidator.convert(responseToken)); });
- Parameters:
responseValidator
- theConverter
to use- Since:
- 5.6
-
setAssertionValidator
public void setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken, Saml2ResponseValidatorResult> assertionValidator) Set theConverter
to use for validating eachAssertion
in the SAML 2.0 Response. You can still invoke the default validator by delgating tocreateAssertionValidator(java.lang.String, org.springframework.core.convert.converter.Converter<org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.AssertionToken, org.opensaml.saml.saml2.assertion.SAML20AssertionValidator>, org.springframework.core.convert.converter.Converter<org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.AssertionToken, org.opensaml.saml.common.assertion.ValidationContext>)
, like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setAssertionValidator(assertionToken -> { Saml2ResponseValidatorResult result = createDefaultAssertionValidator() .convert(assertionToken) return result.concat(myCustomValidator.convert(assertionToken)); });
You can also use this method to configure the provider to use a differentValidationContext
from the default, like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setAssertionValidator( createDefaultAssertionValidator(assertionToken -> { Map<String, Object> params = new HashMap<>(); params.put(CLOCK_SKEW, 2 * 60 * 1000); // other parameters return new ValidationContext(params); }));
Consider taking a look atcreateValidationContext(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.AssertionToken, java.util.function.Consumer<java.util.Map<java.lang.String, java.lang.Object>>)
to see how it constructs aValidationContext
. It is not necessary to delegate to the default validator. You can safely replace it entirely with your own. Note that signature verification is performed as a separate step from this validator.- Parameters:
assertionValidator
- the validator to use- Since:
- 5.4
-
setAssertionElementsDecrypter
public void setAssertionElementsDecrypter(Consumer<OpenSaml4AuthenticationProvider.AssertionToken> assertionDecrypter) Set theConsumer
strategy to use for decrypting elements of a validatedAssertion
. You can use this method to configure theDecrypter
used like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setResponseDecrypter((assertionToken) -> { DecrypterParameters parameters = new DecrypterParameters(); // ... set parameters as needed Decrypter decrypter = new Decrypter(parameters); Assertion assertion = assertionToken.getAssertion(); EncryptedID encrypted = assertion.getSubject().getEncryptedID(); try { NameID name = decrypter.decrypt(encrypted); assertion.getSubject().setNameID(name); } catch (Exception e) { throw new Saml2AuthenticationException(...); } });
Or, in the event that you have your own custom interface, the same pattern applies:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); MyDecryptionService myService = ... provider.setResponseDecrypter((responseToken) -> { Assertion assertion = assertionToken.getAssertion(); EncryptedID encrypted = assertion.getSubject().getEncryptedID(); NameID name = myService.decrypt(encrypted); assertion.getSubject().setNameID(name); });
- Parameters:
assertionDecrypter
- theConsumer
for decrypting assertion elements- Since:
- 5.5
-
setResponseAuthenticationConverter
public void setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken, ? extends AbstractAuthenticationToken> responseAuthenticationConverter) Set theConverter
to use for converting a validatedResponse
into anAbstractAuthenticationToken
. You can delegate to the default behavior by callingcreateDefaultResponseAuthenticationConverter()
like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); Converter<ResponseToken, Saml2Authentication> authenticationConverter = createDefaultResponseAuthenticationConverter(); provider.setResponseAuthenticationConverter(responseToken -> { Saml2Authentication authentication = authenticationConverter.convert(responseToken); User user = myUserRepository.findByUsername(authentication.getName()); return new MyAuthentication(authentication, user); });
- Parameters:
responseAuthenticationConverter
- theConverter
to use- Since:
- 5.4
-
createDefaultResponseValidator
public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,Saml2ResponseValidatorResult> createDefaultResponseValidator()Construct a default strategy for validating the SAML 2.0 Response- Returns:
- the default response validator strategy
- Since:
- 5.6
-
createDefaultAssertionValidator
public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator()Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
token- Returns:
- the default assertion validator strategy
-
createDefaultAssertionValidator
@Deprecated public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken, org.opensaml.saml.common.assertion.ValidationContext> contextConverter) Deprecated.Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
token- Parameters:
contextConverter
- the conversion strategy to use to generate aValidationContext
for each assertion being validated- Returns:
- the default assertion validator strategy
-
createDefaultAssertionValidatorWithParameters
public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidatorWithParameters(Consumer<Map<String, Object>> validationContextParameters) Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
token- Parameters:
validationContextParameters
- a consumer for editing the values passed to theValidationContext
for each assertion being validated- Returns:
- the default assertion validator strategy
- Since:
- 5.8
-
createDefaultResponseAuthenticationConverter
public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,Saml2Authentication> createDefaultResponseAuthenticationConverter()Construct a default strategy for converting a SAML 2.0 Response andAuthentication
token into aSaml2Authentication
- Returns:
- the default response authentication converter strategy
-
authenticate
Description copied from interface:AuthenticationProvider
Performs authentication with the same contract asAuthenticationManager.authenticate(Authentication)
.- Specified by:
authenticate
in interfaceAuthenticationProvider
- Parameters:
authentication
- the authentication request object, must be of typeSaml2AuthenticationToken
- Returns:
Saml2Authentication
if the assertion is valid- Throws:
AuthenticationException
- if a validation exception occurs
-
supports
Description copied from interface:AuthenticationProvider
Returnstrue
if thisAuthenticationProvider
supports the indicatedAuthentication
object.Returning
true
does not guarantee anAuthenticationProvider
will be able to authenticate the presented instance of theAuthentication
class. It simply indicates it can support closer evaluation of it. AnAuthenticationProvider
can still returnnull
from theAuthenticationProvider.authenticate(Authentication)
method to indicate anotherAuthenticationProvider
should be tried.Selection of an
AuthenticationProvider
capable of performing authentication is conducted at runtime theProviderManager
.- Specified by:
supports
in interfaceAuthenticationProvider
- Returns:
true
if the implementation can more closely evaluate theAuthentication
class presented
-
createDefaultAssertionValidatorWithParameters(java.util.function.Consumer<java.util.Map<java.lang.String, java.lang.Object>>)
instead