java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<T,B>
org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer<B,Saml2LoginConfigurer<B>,org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter>
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer<B>
All Implemented Interfaces:
SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,B>

public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>> extends AbstractAuthenticationFilterConfigurer<B,Saml2LoginConfigurer<B>,org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter>
An AbstractHttpConfigurer for SAML 2.0 Login, which leverages the SAML 2.0 Web Browser Single Sign On (WebSSO) Flow.

SAML 2.0 Login provides an application with the capability to have users log in by using their existing account at an SAML 2.0 Identity Provider.

Defaults are provided for all configuration options, with the only required configuration being relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository). Alternatively, a RelyingPartyRegistrationRepository @Bean may be registered instead.

Security Filters

The following Filters are populated:
  • Saml2WebSsoAuthenticationFilter
  • Saml2WebSsoAuthenticationRequestFilter

Shared Objects Created

The following shared objects are populated:
  • RelyingPartyRegistrationRepository (required)

Shared Objects Used

The following shared objects are used:
  • RelyingPartyRegistrationRepository (required)
  • DefaultLoginPageGeneratingFilter - if loginPage(String) is not configured and DefaultLoginPageGeneratingFilter is available, then a default login page will be made available
Since:
5.2
  • Constructor Details

    • Saml2LoginConfigurer

      public Saml2LoginConfigurer()
  • Method Details

    • authenticationConverter

      public Saml2LoginConfigurer<B> authenticationConverter(org.springframework.security.web.authentication.AuthenticationConverter authenticationConverter)
      Use this AuthenticationConverter when converting incoming requests to an Authentication. By default the Saml2AuthenticationTokenConverter is used.
      Parameters:
      authenticationConverter - the AuthenticationConverter to use
      Returns:
      the Saml2LoginConfigurer for further configuration
      Since:
      5.4
    • authenticationManager

      public Saml2LoginConfigurer<B> authenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)
      Allows configuration of an AuthenticationManager to be used during SAML 2 authentication. If none is specified, the system will create one and inject it into the Saml2WebSsoAuthenticationFilter.
      Parameters:
      authenticationManager - the authentication manager to be used
      Returns:
      the Saml2LoginConfigurer for further configuration
      Throws:
      IllegalArgumentException - if authenticationManager is null (leave it unset to use the default manager)
      Since:
      5.3
    • relyingPartyRegistrationRepository

      public Saml2LoginConfigurer<B> relyingPartyRegistrationRepository(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository repo)
      Sets the RelyingPartyRegistrationRepository of relying parties, each party representing a pair of a service provider (SP, this host) and an identity provider (IDP) that communicate with each other.
      Parameters:
      repo - the repository of relying parties
      Returns:
      the Saml2LoginConfigurer for further configuration
    • loginPage

      public Saml2LoginConfigurer<B> loginPage(String loginPage)
      Description copied from class: AbstractAuthenticationFilterConfigurer

      Specifies the URL to send users to if login is required. If used with EnableWebSecurity a default login page will be generated when this attribute is not specified.

      If a URL is specified or this is not being used in conjunction with EnableWebSecurity, users are required to process the specified URL to generate a login page.

      Overrides:
      loginPage in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter>
    • authenticationRequestResolver

      public Saml2LoginConfigurer<B> authenticationRequestResolver(org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver authenticationRequestResolver)
      Use this Saml2AuthenticationRequestResolver for generating SAML 2.0 Authentication Requests.
      Parameters:
      authenticationRequestResolver -
      Returns:
      the Saml2LoginConfigurer for further configuration
      Since:
      5.7
    • authenticationRequestUri

      public Saml2LoginConfigurer<B> authenticationRequestUri(String authenticationRequestUri)
      Customize the URL that the SAML Authentication Request will be sent to.
      Parameters:
      authenticationRequestUri - the URI to use for the SAML 2.0 Authentication Request
      Returns:
      the Saml2LoginConfigurer for further configuration
      Since:
      6.0
    • loginProcessingUrl

      public Saml2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl)
      Specifies the URL to validate the credentials. If a custom URL is specified, consider specifying a custom AuthenticationConverter via authenticationConverter(AuthenticationConverter), since the default AuthenticationConverter implementation relies on the {registrationId} path variable being present in the URL.
      Overrides:
      loginProcessingUrl in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter>
      Parameters:
      loginProcessingUrl - the URL to validate the credentials
      Returns:
      the Saml2LoginConfigurer for additional customization
      See Also:
      • Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI
    • createLoginProcessingUrlMatcher

      protected org.springframework.security.web.util.matcher.RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl)
      Description copied from class: AbstractAuthenticationFilterConfigurer
      Create the RequestMatcher given a loginProcessingUrl
      Specified by:
      createLoginProcessingUrlMatcher in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter>
      Parameters:
      loginProcessingUrl - creates the RequestMatcher based upon the loginProcessingUrl
      Returns:
      the RequestMatcher to use based upon the loginProcessingUrl
    • init

      public void init(B http) throws Exception
      Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.

      Initializes this filter chain for SAML 2 Login. The following actions are taken:

      • The WebSSO endpoint has CSRF disabled, typically /login/saml2/sso
      • A is configured
      • The loginProcessingUrl is set
      • A custom login page is configured, or
      • A default login page with all SAML 2.0 Identity Providers is configured
      • An AuthenticationProvider is configured
      Specified by:
      init in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,B extends HttpSecurityBuilder<B>>
      Overrides:
      init in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter>
      Throws:
      Exception
    • configure

      public void configure(B http) throws Exception
      Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

      During the configure phase, a Saml2WebSsoAuthenticationRequestFilter is added to handle SAML 2.0 AuthNRequest redirects.

      Specified by:
      configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,B extends HttpSecurityBuilder<B>>
      Overrides:
      configure in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter>
      Throws:
      Exception
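
Example configuration (added here for illustration, not part of the Spring Security Javadoc): it supplies the required RelyingPartyRegistrationRepository described in the class summary and sets a custom loginProcessingUrl that keeps the {registrationId} path variable, as the loginProcessingUrl notes above call for when the default AuthenticationConverter is used. The class name, the /saml/acs path, the example-idp registration id and the classpath:idp-metadata.xml location are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class Saml2LoginExampleConfig {

    // Hypothetical custom endpoint. {registrationId} is kept so the default
    // AuthenticationConverter can still tell which relying party a response is for.
    static final String ACS_PATH = "/saml/acs/{registrationId}";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        RelyingPartyRegistration registration = RelyingPartyRegistrations
            // Placeholder location: IdP metadata shipped with the application.
            .fromMetadataLocation("classpath:idp-metadata.xml")
            .registrationId("example-idp") // constructed id, becomes the path variable
            // The endpoint the IdP posts the SAML response to. It has to be the
            // same URL the filter listens on, or the response is not processed.
            .assertionConsumerServiceLocation("{baseUrl}" + ACS_PATH)
            .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            RelyingPartyRegistrationRepository registrations) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                // Explicit here; the call can be dropped because the repository
                // is also registered as a @Bean.
                .relyingPartyRegistrationRepository(registrations)
                .loginProcessingUrl(ACS_PATH));
        return http.build();
    }
}
```

If the processing URL cannot carry {registrationId}, register a custom AuthenticationConverter through authenticationConverter(AuthenticationConverter) instead of relying on the default.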