Class OpenSamlAuthenticationProvider

java.lang.Object
  org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider

All Implemented Interfaces:
  org.springframework.security.authentication.AuthenticationProvider

public final class OpenSamlAuthenticationProvider extends java.lang.Object implements org.springframework.security.authentication.AuthenticationProvider

Deprecated. Because OpenSAML 3 has reached End-of-Life, please update to OpenSaml4AuthenticationProvider.

Implementation of AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the OpenSAML 3 library.

The OpenSamlAuthenticationProvider supports Saml2AuthenticationToken objects that contain a SAML response in its decoded XML format (Saml2AuthenticationToken.getSaml2Response()) along with information about the asserting party, the identity provider (IDP), as well as the relying party, the service provider (SP, this application).

The Saml2AuthenticationToken will be processed into a SAML Response object. The SAML Response object can be signed. If the Response is signed, a signature will not be required on the Assertion.

While a Response object can contain a list of Assertions, this provider will only leverage the first valid Assertion for the purpose of authentication. Assertions that do not pass validation will be ignored. If no valid Assertion is found, a Saml2AuthenticationException is thrown.

This provider supports two types of encrypted SAML elements:
- EncryptedAssertion
- EncryptedID

If the Assertion is encrypted, then signature validation on the Assertion is no longer required.

This provider does not perform X509 certificate validation on the configured asserting party (IDP) verification certificates; those certificates are trusted exactly as configured.

- Since: 5.2
- See Also: SAML 2 StatusResponse, OpenSAML 3
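The following is an added example, not code from the Spring Security Javadoc, showing how the provider is plugged into saml2Login() through a ProviderManager so that it handles the Saml2AuthenticationToken produced by the SAML login filter. The class name Saml2SecurityConfig is this example's own, and it assumes a RelyingPartyRegistrationRepository bean (carrying the IDP verification certificates the provider trusts as configured) is defined elsewhere in the application.

```java
// Added example (not part of the Spring Security Javadoc): wiring an
// OpenSamlAuthenticationProvider as the AuthenticationManager for saml2Login().
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class Saml2SecurityConfig {

    @Bean
    SecurityFilterChain saml2FilterChain(HttpSecurity http) throws Exception {
        OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        // Customizations such as setAssertionValidator(...) or
        // setResponseAuthenticationConverter(...) are applied to 'provider' here,
        // before it is handed to the ProviderManager.

        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                // The RelyingPartyRegistrationRepository bean (assumed to exist) supplies
                // the registrations; ProviderManager delegates each Saml2AuthenticationToken
                // to the provider, whose supports() accepts exactly that token type.
                .authenticationManager(new ProviderManager(provider)));
        return http.build();
    }
}
```

Because the provider is final and does no X509 chain validation of its own, the security of this setup rests on the verification certificates placed in the registration; rotating or revoking an IDP certificate means updating that registration.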
Nested Class Summary

- static class OpenSamlAuthenticationProvider.AssertionToken
  Deprecated. A tuple containing an OpenSAML Assertion and its associated authentication token.
- static class OpenSamlAuthenticationProvider.ResponseToken
  Deprecated. A tuple containing an OpenSAML Response and its associated authentication token.

Constructor Summary

- OpenSamlAuthenticationProvider()
  Deprecated. Creates an OpenSamlAuthenticationProvider.

Method Summary

All methods (static and instance, all concrete, all deprecated):

- org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication)
  Deprecated.
- static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator()
  Deprecated. Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token.
- static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,org.opensaml.saml.common.assertion.ValidationContext> contextConverter)
  Deprecated. Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token.
- static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,Saml2Authentication> createDefaultResponseAuthenticationConverter()
  Deprecated. Construct a default strategy for converting a SAML 2.0 Response and Authentication token into a Saml2Authentication.
- void setAssertionElementsDecrypter(java.util.function.Consumer<OpenSamlAuthenticationProvider.AssertionToken> assertionDecrypter)
  Deprecated. Set the Consumer strategy to use for decrypting elements of a validated Assertion.
- void setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> assertionValidator)
  Deprecated. Set the Converter to use for validating each Assertion in the SAML 2.0 Response.
- void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>> authoritiesExtractor)
  Deprecated. Use setResponseAuthenticationConverter(Converter) instead.
- void setAuthoritiesMapper(org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper authoritiesMapper)
  Deprecated. Use setResponseAuthenticationConverter(Converter) instead.
- void setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,? extends org.springframework.security.authentication.AbstractAuthenticationToken> responseAuthenticationConverter)
  Deprecated. Set the Converter to use for converting a validated Response into an AbstractAuthenticationToken.
- void setResponseElementsDecrypter(java.util.function.Consumer<OpenSamlAuthenticationProvider.ResponseToken> responseElementsDecrypter)
  Deprecated. Set the Consumer strategy to use for decrypting elements of a validated Response.
- void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)
  Deprecated. Use setAssertionValidator(Converter) instead.
- boolean supports(java.lang.Class<?> authentication)
  Deprecated.
Constructor Detail

OpenSamlAuthenticationProvider

public OpenSamlAuthenticationProvider()

Deprecated. Creates an OpenSamlAuthenticationProvider.

Method Detail
setResponseElementsDecrypter

public void setResponseElementsDecrypter(java.util.function.Consumer<OpenSamlAuthenticationProvider.ResponseToken> responseElementsDecrypter)

Deprecated. Set the Consumer strategy to use for decrypting elements of a validated Response. The default strategy decrypts all EncryptedAssertions using OpenSAML's Decrypter, adding the results to Response.getAssertions(). You can use this method to configure the Decrypter instance like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setResponseElementsDecrypter((responseToken) -> {
    DecrypterParameters parameters = new DecrypterParameters();
    // ... set parameters as needed
    Decrypter decrypter = new Decrypter(parameters);
    Response response = responseToken.getResponse();
    EncryptedAssertion encrypted = response.getEncryptedAssertions().get(0);
    try {
        Assertion assertion = decrypter.decrypt(encrypted);
        response.getAssertions().add(assertion);
    }
    catch (Exception e) {
        throw new Saml2AuthenticationException(...);
    }
});
```

Or, in the event that you have your own custom decryption interface, the same pattern applies:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
Converter<EncryptedAssertion, Assertion> myService = ...
provider.setResponseElementsDecrypter((responseToken) -> {
    Response response = responseToken.getResponse();
    response.getEncryptedAssertions().stream()
            .map(myService::convert)
            .forEach(response.getAssertions()::add);
});
```

This is valuable when using an external service to perform the decryption.

- Parameters: responseElementsDecrypter - the Consumer for decrypting response elements
- Since: 5.5
-
setAssertionValidator

public void setAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> assertionValidator)

Deprecated. Set the Converter to use for validating each Assertion in the SAML 2.0 Response. You can still invoke the default validator by delegating to createAssertionValidator(java.lang.String, Converter<OpenSamlAuthenticationProvider.AssertionToken, org.opensaml.saml.saml2.assertion.SAML20AssertionValidator>, Converter<OpenSamlAuthenticationProvider.AssertionToken, org.opensaml.saml.common.assertion.ValidationContext>), like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setAssertionValidator(assertionToken -> {
    Saml2ResponseValidatorResult result = createDefaultAssertionValidator()
            .convert(assertionToken);
    return result.concat(myCustomValidator.convert(assertionToken));
});
```

You can also use this method to configure the provider to use a different ValidationContext from the default, like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setAssertionValidator(
        createDefaultAssertionValidator(assertionToken -> {
            Map<String, Object> params = new HashMap<>();
            // CLOCK_SKEW is SAML2AssertionValidationParameters.CLOCK_SKEW;
            // OpenSAML 3 reads it as a Long number of milliseconds
            params.put(CLOCK_SKEW, 2 * 60 * 1000L);
            // other parameters
            return new ValidationContext(params);
        }));
```

Consider taking a look at createValidationContext(OpenSamlAuthenticationProvider.AssertionToken, java.util.function.Consumer<java.util.Map<java.lang.String, java.lang.Object>>) to see how it constructs a ValidationContext. It is not necessary to delegate to the default validator; you can safely replace it entirely with your own. Note that signature verification is performed as a separate step from this validator. This method takes precedence over setResponseTimeValidationSkew(java.time.Duration).

- Parameters: assertionValidator - the strategy for validating a given assertion
- Since: 5.4
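The following is an added example, not code from the Spring Security Javadoc, that combines both patterns described above: it builds the default validator with a replacement ValidationContext (a tighter clock skew, plus the audience and recipient expectations the context must still carry) and concatenates an extra check that the authentication event reported in the Assertion's AuthnStatement is not older than a maximum age. The class name AuthnAgeAssertionValidator, the constants MAX_AUTHN_AGE and CLOCK_SKEW_MILLIS and the policy values are this example's assumptions; it assumes OpenSAML 3, which exposes timestamps as Joda-Time DateTime values.

```java
// Added example (not part of the Spring Security Javadoc). Names such as
// AuthnAgeAssertionValidator and MAX_AUTHN_AGE are assumptions of this example.
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.joda.time.DateTime;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.AssertionToken;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

public final class AuthnAgeAssertionValidator {

    // Oldest authentication event this relying party will accept (assumed policy value).
    static final Duration MAX_AUTHN_AGE = Duration.ofMinutes(30);
    // Clock skew handed to the default validator, in milliseconds. OpenSAML 3 reads
    // CLOCK_SKEW as a Long, so this must be a long rather than an int literal.
    static final long CLOCK_SKEW_MILLIS = Duration.ofMinutes(2).toMillis();

    // Default validation (with our context) followed by the AuthnInstant age check;
    // concat() keeps the errors from both, so a failure in either rejects the assertion.
    public static Converter<AssertionToken, Saml2ResponseValidatorResult> validator() {
        Converter<AssertionToken, Saml2ResponseValidatorResult> defaults =
                OpenSamlAuthenticationProvider.createDefaultAssertionValidator(
                        AuthnAgeAssertionValidator::validationContext);
        return assertionToken -> defaults.convert(assertionToken)
                .concat(checkAuthnInstant(assertionToken.getAssertion(), Instant.now()));
    }

    // A replacement ValidationContext must at minimum restate which audience and
    // recipient are valid, or OpenSAML's Conditions and SubjectConfirmation
    // validators have nothing to compare the assertion against.
    static ValidationContext validationContext(AssertionToken assertionToken) {
        RelyingPartyRegistration registration = assertionToken.getToken().getRelyingPartyRegistration();
        Map<String, Object> params = new HashMap<>();
        params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES,
                Collections.singleton(registration.getEntityId()));
        params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS,
                Collections.singleton(registration.getAssertionConsumerServiceLocation()));
        params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, CLOCK_SKEW_MILLIS);
        return new ValidationContext(params);
    }

    // Takes 'now' explicitly so the check can be exercised against a fixed clock.
    // An assertion without any AuthnStatement passes this check unchanged.
    static Saml2ResponseValidatorResult checkAuthnInstant(Assertion assertion, Instant now) {
        for (AuthnStatement statement : assertion.getAuthnStatements()) {
            DateTime authnInstant = statement.getAuthnInstant();
            if (authnInstant == null) {
                return failure("AuthnStatement has no AuthnInstant");
            }
            Instant authenticatedAt = Instant.ofEpochMilli(authnInstant.getMillis());
            if (authenticatedAt.plus(MAX_AUTHN_AGE).isBefore(now)) {
                return failure("authentication at " + authenticatedAt
                        + " is older than the permitted " + MAX_AUTHN_AGE);
            }
        }
        return Saml2ResponseValidatorResult.success();
    }

    private static Saml2ResponseValidatorResult failure(String description) {
        return Saml2ResponseValidatorResult.failure(
                new Saml2Error(Saml2ErrorCodes.INVALID_ASSERTION, description));
    }
}
```

Install it with provider.setAssertionValidator(AuthnAgeAssertionValidator.validator()). The age check is deliberately separate from the context: the ValidationContext only feeds OpenSAML's built-in validators (conditions, subject confirmation, skew), while application policy such as "how stale may the login be" belongs in the Converter, where it is reported through the same Saml2ResponseValidatorResult as every other failure.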
-
setAssertionElementsDecrypter

public void setAssertionElementsDecrypter(java.util.function.Consumer<OpenSamlAuthenticationProvider.AssertionToken> assertionDecrypter)

Deprecated. Set the Consumer strategy to use for decrypting elements of a validated Assertion. You can use this method to configure the Decrypter used like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
provider.setAssertionElementsDecrypter((assertionToken) -> {
    DecrypterParameters parameters = new DecrypterParameters();
    // ... set parameters as needed
    Decrypter decrypter = new Decrypter(parameters);
    Assertion assertion = assertionToken.getAssertion();
    EncryptedID encrypted = assertion.getSubject().getEncryptedID();
    try {
        // Decrypter.decrypt(EncryptedID) returns a SAMLObject, hence the cast
        NameID name = (NameID) decrypter.decrypt(encrypted);
        assertion.getSubject().setNameID(name);
    }
    catch (Exception e) {
        throw new Saml2AuthenticationException(...);
    }
});
```

Or, in the event that you have your own custom interface, the same pattern applies:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
MyDecryptionService myService = ...
provider.setAssertionElementsDecrypter((assertionToken) -> {
    Assertion assertion = assertionToken.getAssertion();
    EncryptedID encrypted = assertion.getSubject().getEncryptedID();
    NameID name = myService.decrypt(encrypted);
    assertion.getSubject().setNameID(name);
});
```

- Parameters: assertionDecrypter - the Consumer for decrypting assertion elements
- Since: 5.5
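The following is an added example, not code from the Spring Security Javadoc, that serves both setResponseElementsDecrypter and setAssertionElementsDecrypter: one Decrypter built from the relying party's configured decryption credentials decrypts every EncryptedAssertion in the Response (the snippets above handle only the first) and, separately, the Subject's EncryptedID. The class name RelyingPartyDecryption and its method names are this example's own; it assumes OpenSAML 3 and a RelyingPartyRegistration whose decryption credentials carry the SP private key.

```java
// Added example (not part of the Spring Security Javadoc). RelyingPartyDecryption
// and its method names are assumptions of this example.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Consumer;

import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.AssertionToken;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

public final class RelyingPartyDecryption {

    // For setResponseElementsDecrypter: decrypt every EncryptedAssertion, not only
    // the first, and fail closed on the first one that cannot be decrypted.
    public static Consumer<ResponseToken> responseElementsDecrypter() {
        return responseToken -> {
            Response response = responseToken.getResponse();
            if (response.getEncryptedAssertions().isEmpty()) {
                return; // plain Assertions are left to the provider's normal validation
            }
            Decrypter decrypter = decrypterFor(responseToken.getToken().getRelyingPartyRegistration());
            for (EncryptedAssertion encrypted : response.getEncryptedAssertions()) {
                try {
                    Assertion assertion = decrypter.decrypt(encrypted);
                    response.getAssertions().add(assertion);
                }
                catch (DecryptionException ex) {
                    throw failure("Failed to decrypt EncryptedAssertion", ex);
                }
            }
        };
    }

    // For setAssertionElementsDecrypter: decrypt the Subject's EncryptedID into a
    // NameID; a decrypted element that is not a NameID is rejected, not dropped.
    public static Consumer<AssertionToken> assertionElementsDecrypter() {
        return assertionToken -> {
            Subject subject = assertionToken.getAssertion().getSubject();
            if (subject == null || subject.getEncryptedID() == null) {
                return;
            }
            Decrypter decrypter = decrypterFor(assertionToken.getToken().getRelyingPartyRegistration());
            try {
                SAMLObject decrypted = decrypter.decrypt(subject.getEncryptedID());
                if (!(decrypted instanceof NameID)) {
                    throw failure("EncryptedID did not decrypt to a NameID", null);
                }
                subject.setNameID((NameID) decrypted);
            }
            catch (DecryptionException ex) {
                throw failure("Failed to decrypt EncryptedID", ex);
            }
        };
    }

    // One Decrypter keyed by the registration's decryption credentials. The
    // EncryptedKey may sit inline, inside the encrypted element, or behind a
    // RetrievalMethod, so all three resolvers are chained.
    static Decrypter decrypterFor(RelyingPartyRegistration registration) {
        List<Credential> credentials = new ArrayList<>();
        for (Saml2X509Credential credential : registration.getDecryptionX509Credentials()) {
            credentials.add(CredentialSupport.getSimpleCredential(
                    credential.getCertificate(), credential.getPrivateKey()));
        }
        List<EncryptedKeyResolver> keyResolvers = Arrays.asList(new InlineEncryptedKeyResolver(),
                new EncryptedElementTypeEncryptedKeyResolver(), new SimpleRetrievalMethodEncryptedKeyResolver());
        Decrypter decrypter = new Decrypter(null, new CollectionKeyInfoCredentialResolver(credentials),
                new ChainingEncryptedKeyResolver(keyResolvers));
        decrypter.setRootInNewDocument(true); // decrypted element gets its own DOM document
        return decrypter;
    }

    private static Saml2AuthenticationException failure(String message, Exception cause) {
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.DECRYPTION_ERROR, message);
        return new Saml2AuthenticationException(error, cause);
    }
}
```

Install both with provider.setResponseElementsDecrypter(RelyingPartyDecryption.responseElementsDecrypter()) and provider.setAssertionElementsDecrypter(RelyingPartyDecryption.assertionElementsDecrypter()). Decryption adds no trust by itself: because an encrypted Assertion is exempt from the Assertion-level signature requirement, a deployment relying on this path should be receiving signed Responses, which the provider verifies in its separate signature step.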
setResponseAuthenticationConverter

public void setResponseAuthenticationConverter(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,? extends org.springframework.security.authentication.AbstractAuthenticationToken> responseAuthenticationConverter)

Deprecated. Set the Converter to use for converting a validated Response into an AbstractAuthenticationToken. You can delegate to the default behavior by calling createDefaultResponseAuthenticationConverter() like so:

```java
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
Converter<ResponseToken, Saml2Authentication> authenticationConverter =
        createDefaultResponseAuthenticationConverter();
provider.setResponseAuthenticationConverter(responseToken -> {
    Saml2Authentication authentication = authenticationConverter.convert(responseToken);
    User user = myUserRepository.findByUsername(authentication.getName());
    return new MyAuthentication(authentication, user);
});
```

This method takes precedence over setAuthoritiesExtractor(Converter) and setAuthoritiesMapper(GrantedAuthoritiesMapper).

- Parameters: responseAuthenticationConverter - the Converter to use
- Since: 5.4
setAuthoritiesExtractor

public void setAuthoritiesExtractor(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>> authoritiesExtractor)

Deprecated. Use setResponseAuthenticationConverter(Converter) instead.

Sets the Converter used for extracting assertion attributes that can be mapped to authorities.

- Parameters: authoritiesExtractor - the Converter used for mapping the assertion attributes to authorities

setAuthoritiesMapper

public void setAuthoritiesMapper(org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper authoritiesMapper)

Deprecated. Use setResponseAuthenticationConverter(Converter) instead.

Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication. Note: This implementation is only retrieving

- Parameters: authoritiesMapper - the GrantedAuthoritiesMapper used for mapping the user's authorities
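The following is an added example, not code from the Spring Security Javadoc, showing the replacement the two deprecation notices above point to: instead of setAuthoritiesExtractor and setAuthoritiesMapper, a response authentication converter wraps the default converter and derives GrantedAuthority values from an assertion attribute. The class name GroupAuthorities, the attribute name "groups" and the ROLE_ prefix scheme are this example's assumptions.

```java
// Added example (not part of the Spring Security Javadoc). GroupAuthorities,
// the "groups" attribute name and the ROLE_ prefix are assumptions of this example.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;

public final class GroupAuthorities {

    static final String GROUPS_ATTRIBUTE = "groups"; // assumed name of the IDP's group attribute
    static final String ROLE_PREFIX = "ROLE_";

    // Builds a provider whose authorities come from the attribute rather than from
    // the default fixed ROLE_USER. The default converter still does the principal
    // and attribute extraction; only the authorities are replaced.
    public static OpenSamlAuthenticationProvider configuredProvider() {
        Converter<ResponseToken, Saml2Authentication> defaults =
                OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
        OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        provider.setResponseAuthenticationConverter(responseToken -> {
            Saml2Authentication authentication = defaults.convert(responseToken);
            Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
            return new Saml2Authentication(principal, authentication.getSaml2Response(),
                    authoritiesFor(principal.getAttribute(GROUPS_ATTRIBUTE)));
        });
        return provider;
    }

    // Maps attribute values to authorities. Every authenticated user gets ROLE_USER;
    // each group value is normalised so "Admin", "admin" and "ADMIN" all become
    // ROLE_ADMIN, and anything that is not a non-empty String is ignored rather
    // than turned into an authority.
    static Collection<GrantedAuthority> authoritiesFor(List<Object> groups) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + "USER"));
        if (groups == null) {
            return authorities;
        }
        for (Object group : groups) {
            if (!(group instanceof String) || ((String) group).trim().isEmpty()) {
                continue;
            }
            String name = ((String) group).trim().toUpperCase(Locale.ROOT).replaceAll("[^A-Z0-9]", "_");
            authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + name));
        }
        return authorities;
    }
}
```

The converter runs only after the Response and its Assertion have passed the provider's validation and signature steps, so the attribute values it reads are those the asserting party actually signed; the normalisation in authoritiesFor is there to keep authority names predictable, not to add trust.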
setResponseTimeValidationSkew

public void setResponseTimeValidationSkew(java.time.Duration responseTimeValidationSkew)

Deprecated. Use setAssertionValidator(Converter) instead.

Sets the duration of clock skew an assertion may tolerate during timestamp (NotBefore and NotOnOrAfter) validation.

- Parameters: responseTimeValidationSkew - duration for skew tolerance
createDefaultAssertionValidator

public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator()

Deprecated. Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token.

- Returns: the default assertion validator strategy
- Since: 5.4

createDefaultAssertionValidator

public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,Saml2ResponseValidatorResult> createDefaultAssertionValidator(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,org.opensaml.saml.common.assertion.ValidationContext> contextConverter)

Deprecated. Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token.

- Parameters: contextConverter - the conversion strategy to use to generate a ValidationContext for each assertion being validated
- Returns: the default assertion validator strategy
- Since: 5.4

createDefaultResponseAuthenticationConverter

public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,Saml2Authentication> createDefaultResponseAuthenticationConverter()

Deprecated. Construct a default strategy for converting a SAML 2.0 Response and Authentication token into a Saml2Authentication.

- Returns: the default response authentication converter strategy
- Since: 5.4

authenticate

public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException

Deprecated.

- Specified by: authenticate in interface org.springframework.security.authentication.AuthenticationProvider
- Parameters: authentication - the authentication request object, must be of type Saml2AuthenticationToken
- Returns: Saml2Authentication if the assertion is valid
- Throws: org.springframework.security.core.AuthenticationException - if a validation exception occurs

supports

public boolean supports(java.lang.Class<?> authentication)

Deprecated.

- Specified by: supports in interface org.springframework.security.authentication.AuthenticationProvider