Class OpenSaml4AuthenticationProvider
- java.lang.Object
-
- org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider
-
- All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationProvider
public final class OpenSaml4AuthenticationProvider extends java.lang.Object implements org.springframework.security.authentication.AuthenticationProvider
Implementation ofAuthenticationProvider
for SAML authentications when receiving aResponse
object containing anAssertion
. This implementation uses theOpenSAML 4
library.The
OpenSaml4AuthenticationProvider
supportsSaml2AuthenticationToken
objects that contain a SAML response in its decoded XML formatSaml2AuthenticationToken.getSaml2Response()
along with the information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).The
Saml2AuthenticationToken
will be processed into a SAML Response object. The SAML response object can be signed. If the Response is signed, a signature will not be required on the assertion.While a response object can contain a list of assertion, this provider will only leverage the first valid assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid assertions are found a
Saml2AuthenticationException
is thrown.This provider supports two types of encrypted SAML elements
If the assertion is encrypted, then signature validation on the assertion is no longer required.This provider does not perform an X509 certificate validation on the configured asserting party, IDP, verification certificates.
- Since:
- 5.5
- See Also:
- SAML 2 StatusResponse, OpenSAML 3
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
OpenSaml4AuthenticationProvider.AssertionToken
A tuple containing an OpenSAMLAssertion
and its associated authentication token.static class
OpenSaml4AuthenticationProvider.ResponseToken
A tuple containing an OpenSAMLResponse
and its associated authentication token.
-
Constructor Summary
Constructors Constructor Description OpenSaml4AuthenticationProvider()
Creates anOpenSaml4AuthenticationProvider
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description org.springframework.security.core.Authentication
authenticate(org.springframework.security.core.Authentication authentication)
static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult>
createDefaultAssertionValidator()
Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
tokenstatic org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult>
createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,org.opensaml.saml.common.assertion.ValidationContext> contextConverter)
Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
tokenstatic org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,Saml2Authentication>
createDefaultResponseAuthenticationConverter()
Construct a default strategy for converting a SAML 2.0 Response andAuthentication
token into aSaml2Authentication
void
setAssertionElementsDecrypter(java.util.function.Consumer<OpenSaml4AuthenticationProvider.AssertionToken> assertionDecrypter)
Set theConsumer
strategy to use for decrypting elements of a validatedAssertion
.void
setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> assertionValidator)
Set theConverter
to use for validating eachAssertion
in the SAML 2.0 Response.void
setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,? extends org.springframework.security.authentication.AbstractAuthenticationToken> responseAuthenticationConverter)
Set theConverter
to use for converting a validatedResponse
into anAbstractAuthenticationToken
.void
setResponseElementsDecrypter(java.util.function.Consumer<OpenSaml4AuthenticationProvider.ResponseToken> responseElementsDecrypter)
Set theConsumer
strategy to use for decrypting elements of a validatedResponse
.boolean
supports(java.lang.Class<?> authentication)
-
-
-
Constructor Detail
-
OpenSaml4AuthenticationProvider
public OpenSaml4AuthenticationProvider()
Creates anOpenSaml4AuthenticationProvider
-
-
Method Detail
-
setResponseElementsDecrypter
public void setResponseElementsDecrypter(java.util.function.Consumer<OpenSaml4AuthenticationProvider.ResponseToken> responseElementsDecrypter)
Set theConsumer
strategy to use for decrypting elements of a validatedResponse
. The default strategy decrypts allEncryptedAssertion
s using OpenSAML'sDecrypter
, adding the results toResponse.getAssertions()
. You can use this method to configure theDecrypter
instance like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setResponseElementsDecrypter((responseToken) -> { DecrypterParameters parameters = new DecrypterParameters(); // ... set parameters as needed Decrypter decrypter = new Decrypter(parameters); Response response = responseToken.getResponse(); EncryptedAssertion encrypted = response.getEncryptedAssertions().get(0); try { Assertion assertion = decrypter.decrypt(encrypted); response.getAssertions().add(assertion); } catch (Exception e) { throw new Saml2AuthenticationException(...); } });
Or, in the event that you have your own custom decryption interface, the same pattern applies:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); Converter<EncryptedAssertion, Assertion> myService = ... provider.setResponseDecrypter((responseToken) -> { Response response = responseToken.getResponse(); response.getEncryptedAssertions().stream() .map(service::decrypt).forEach(response.getAssertions()::add); });
This is valuable when using an external service to perform the decryption.- Parameters:
responseElementsDecrypter
- theConsumer
for decrypting response elements- Since:
- 5.5
-
setAssertionValidator
public void setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> assertionValidator)
Set theConverter
to use for validating eachAssertion
in the SAML 2.0 Response. You can still invoke the default validator by delgating tocreateAssertionValidator(java.lang.String, org.springframework.core.convert.converter.Converter<org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.AssertionToken, org.opensaml.saml.saml2.assertion.SAML20AssertionValidator>, org.springframework.core.convert.converter.Converter<org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.AssertionToken, org.opensaml.saml.common.assertion.ValidationContext>)
, like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setAssertionValidator(assertionToken -> { Saml2ResponseValidatorResult result = createDefaultAssertionValidator() .convert(assertionToken) return result.concat(myCustomValidator.convert(assertionToken)); });
You can also use this method to configure the provider to use a differentValidationContext
from the default, like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setAssertionValidator( createDefaultAssertionValidator(assertionToken -> { Map<String, Object> params = new HashMap<>(); params.put(CLOCK_SKEW, 2 * 60 * 1000); // other parameters return new ValidationContext(params); }));
Consider taking a look atcreateValidationContext(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.AssertionToken, java.util.function.Consumer<java.util.Map<java.lang.String, java.lang.Object>>)
to see how it constructs aValidationContext
. It is not necessary to delegate to the default validator. You can safely replace it entirely with your own. Note that signature verification is performed as a separate step from this validator.- Parameters:
assertionValidator
- the validator to use- Since:
- 5.4
-
setAssertionElementsDecrypter
public void setAssertionElementsDecrypter(java.util.function.Consumer<OpenSaml4AuthenticationProvider.AssertionToken> assertionDecrypter)
Set theConsumer
strategy to use for decrypting elements of a validatedAssertion
. You can use this method to configure theDecrypter
used like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); provider.setResponseDecrypter((assertionToken) -> { DecrypterParameters parameters = new DecrypterParameters(); // ... set parameters as needed Decrypter decrypter = new Decrypter(parameters); Assertion assertion = assertionToken.getAssertion(); EncryptedID encrypted = assertion.getSubject().getEncryptedID(); try { NameID name = decrypter.decrypt(encrypted); assertion.getSubject().setNameID(name); } catch (Exception e) { throw new Saml2AuthenticationException(...); } });
Or, in the event that you have your own custom interface, the same pattern applies:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); MyDecryptionService myService = ... provider.setResponseDecrypter((responseToken) -> { Assertion assertion = assertionToken.getAssertion(); EncryptedID encrypted = assertion.getSubject().getEncryptedID(); NameID name = myService.decrypt(encrypted); assertion.getSubject().setNameID(name); });
- Parameters:
assertionDecrypter
- theConsumer
for decrypting assertion elements- Since:
- 5.5
-
setResponseAuthenticationConverter
public void setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,? extends org.springframework.security.authentication.AbstractAuthenticationToken> responseAuthenticationConverter)
Set theConverter
to use for converting a validatedResponse
into anAbstractAuthenticationToken
. You can delegate to the default behavior by callingcreateDefaultResponseAuthenticationConverter()
like so:OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); Converter<ResponseToken, Saml2Authentication> authenticationConverter = createDefaultResponseAuthenticationConverter(); provider.setResponseAuthenticationConverter(responseToken -> { Saml2Authentication authentication = authenticationConverter.convert(responseToken); User user = myUserRepository.findByUsername(authentication.getName()); return new MyAuthentication(authentication, user); });
- Parameters:
responseAuthenticationConverter
- theConverter
to use- Since:
- 5.4
-
createDefaultAssertionValidator
public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator()
Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
token- Returns:
- the default assertion validator strategy
-
createDefaultAssertionValidator
public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.AssertionToken,org.opensaml.saml.common.assertion.ValidationContext> contextConverter)
Construct a default strategy for validating each SAML 2.0 Assertion and associatedAuthentication
token- Parameters:
contextConverter
- the conversion strategy to use to generate aValidationContext
for each assertion being validated- Returns:
- the default assertion validator strategy
-
createDefaultResponseAuthenticationConverter
public static org.springframework.core.convert.converter.Converter<OpenSaml4AuthenticationProvider.ResponseToken,Saml2Authentication> createDefaultResponseAuthenticationConverter()
Construct a default strategy for converting a SAML 2.0 Response andAuthentication
token into aSaml2Authentication
- Returns:
- the default response authentication converter strategy
-
authenticate
public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
- Specified by:
authenticate
in interfaceorg.springframework.security.authentication.AuthenticationProvider
- Parameters:
authentication
- the authentication request object, must be of typeSaml2AuthenticationToken
- Returns:
Saml2Authentication
if the assertion is valid- Throws:
org.springframework.security.core.AuthenticationException
- if a validation exception occurs
-
supports
public boolean supports(java.lang.Class<?> authentication)
- Specified by:
supports
in interfaceorg.springframework.security.authentication.AuthenticationProvider
-
-