Class OpenSamlAuthenticationProvider

  • All Implemented Interfaces:
    org.springframework.security.authentication.AuthenticationProvider

    public final class OpenSamlAuthenticationProvider
    extends java.lang.Object
    implements org.springframework.security.authentication.AuthenticationProvider
    Deprecated.
    Because OpenSAML 3 has reached End-of-Life, please update to OpenSaml4AuthenticationProvider
    Implementation of AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion. This implementation uses the OpenSAML 3 library.

    The OpenSamlAuthenticationProvider supports Saml2AuthenticationToken objects that carry a SAML response in its decoded XML form (available via Saml2AuthenticationToken.getSaml2Response()) together with information about the asserting party, the identity provider (IDP), and the relying party, the service provider (SP, this application).

    The Saml2AuthenticationToken is parsed into a SAML Response object. The Response may itself be signed; if it is, a signature is not required on the Assertion it carries.

    While a Response can contain a list of assertions, this provider only uses the first valid assertion for the purpose of authentication. Assertions that do not pass validation are ignored. If no valid assertion is found, a Saml2AuthenticationException is thrown.

    This provider supports two types of encrypted SAML elements: EncryptedAssertion, decrypted into an Assertion (see setResponseElementsDecrypter), and EncryptedID, decrypted into a NameID (see setAssertionElementsDecrypter).

    If the assertion is encrypted, then signature validation on the assertion is no longer required.

    This provider does not perform X.509 certificate validation on the asserting party's (IDP's) configured verification certificates; they are trusted exactly as configured.

    Since:
    5.2
    See Also:
    SAML 2 StatusResponse, OpenSAML 3
    • Method Detail

      • setResponseElementsDecrypter

        public void setResponseElementsDecrypter​(java.util.function.Consumer<OpenSamlAuthenticationProvider.ResponseToken> responseElementsDecrypter)
        Deprecated.
        Set the Consumer strategy to use for decrypting elements of a validated Response. The default strategy decrypts all EncryptedAssertions using OpenSAML's Decrypter, adding the results to Response.getAssertions(). You can use this method to configure the Decrypter instance like so:
                OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
                provider.setResponseElementsDecrypter((responseToken) -> {
                    // DecryptionParameters (org.opensaml.xmlsec) holds the key resolvers
                    // the OpenSAML Decrypter works with
                    DecryptionParameters parameters = new DecryptionParameters();
                    // ... set parameters as needed
                    Decrypter decrypter = new Decrypter(parameters);
                    Response response = responseToken.getResponse();
                    // this example decrypts only the first EncryptedAssertion
                    EncryptedAssertion encrypted = response.getEncryptedAssertions().get(0);
                    try {
                        Assertion assertion = decrypter.decrypt(encrypted);
                        response.getAssertions().add(assertion);
                    } catch (Exception e) {
                        throw new Saml2AuthenticationException(...);
                    }
                });
         
        Or, in the event that you have your own custom decryption interface, the same pattern applies:
                OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
                Converter<EncryptedAssertion, Assertion> myService = ...
                provider.setResponseElementsDecrypter((responseToken) -> {
                    Response response = responseToken.getResponse();
                    // decrypt every EncryptedAssertion and expose the results via getAssertions()
                    response.getEncryptedAssertions().stream()
                            .map(myService::convert)
                            .forEach(response.getAssertions()::add);
                });
         
        This is valuable when using an external service to perform the decryption.
        Parameters:
        responseElementsDecrypter - the Consumer for decrypting response elements
        Since:
        5.5
      • setAssertionElementsDecrypter

        public void setAssertionElementsDecrypter​(java.util.function.Consumer<OpenSamlAuthenticationProvider.AssertionToken> assertionDecrypter)
        Deprecated.
        Set the Consumer strategy to use for decrypting elements of a validated Assertion. You can use this method to configure the Decrypter used like so:
                OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
                provider.setAssertionElementsDecrypter((assertionToken) -> {
                    DecryptionParameters parameters = new DecryptionParameters();
                    // ... set parameters as needed
                    Decrypter decrypter = new Decrypter(parameters);
                    Assertion assertion = assertionToken.getAssertion();
                    EncryptedID encrypted = assertion.getSubject().getEncryptedID();
                    try {
                        // Decrypter.decrypt(EncryptedID) returns a SAMLObject; a NameID is expected here
                        NameID name = (NameID) decrypter.decrypt(encrypted);
                        assertion.getSubject().setNameID(name);
                    } catch (Exception e) {
                        throw new Saml2AuthenticationException(...);
                    }
                });
         
        Or, in the event that you have your own custom interface, the same pattern applies:
                OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
                MyDecryptionService myService = ...
                provider.setAssertionElementsDecrypter((assertionToken) -> {
                    Assertion assertion = assertionToken.getAssertion();
                    EncryptedID encrypted = assertion.getSubject().getEncryptedID();
                    NameID name = myService.decrypt(encrypted);
                    assertion.getSubject().setNameID(name);
                });
         
        Parameters:
        assertionDecrypter - the Consumer for decrypting assertion elements
        Since:
        5.5
      • setResponseAuthenticationConverter

        public void setResponseAuthenticationConverter​(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,​? extends org.springframework.security.authentication.AbstractAuthenticationToken> responseAuthenticationConverter)
        Deprecated.
        Set the Converter to use for converting a validated Response into an AbstractAuthenticationToken. You can delegate to the default behavior by calling createDefaultResponseAuthenticationConverter() like so:
                OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
                Converter<ResponseToken, Saml2Authentication> authenticationConverter =
                        OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
                provider.setResponseAuthenticationConverter(responseToken -> {
                    Saml2Authentication authentication = authenticationConverter.convert(responseToken);
                    User user = myUserRepository.findByUsername(authentication.getName());
                    return new MyAuthentication(authentication, user);
                });
         
        This method takes precedence over setAuthoritiesExtractor(Converter) and setAuthoritiesMapper(GrantedAuthoritiesMapper).
        Parameters:
        responseAuthenticationConverter - the Converter to use
        Since:
        5.4
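        The example below is added here and is not Spring Security's own code. It shows a responseAuthenticationConverter that delegates to createDefaultResponseAuthenticationConverter() and then refuses the login unless the assertion was issued under one of the authentication contexts the application requires (for instance an MFA context). The context URIs, the class name and the use of the 5.4 org.springframework.security.saml2.core.Saml2Error type are assumptions; the AuthnContextClassRef accessor is the OpenSAML 3 one this provider targets.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Response;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;

/**
 * Added example (not Spring Security code): keep the default conversion, then
 * require an AuthnContextClassRef from an allow-list. The URIs are an assumed
 * policy for illustration only.
 */
public final class AuthnContextEnforcingConverter {

    private static final Set<String> REQUIRED_CONTEXTS = new HashSet<>(Arrays.asList(
            "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
            "http://schemas.microsoft.com/claims/multipleauthn"));

    public static OpenSamlAuthenticationProvider provider() {
        OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        Converter<OpenSamlAuthenticationProvider.ResponseToken, Saml2Authentication> defaults =
                OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
        provider.setResponseAuthenticationConverter((responseToken) -> {
            // Run the default conversion first; by this point the Response and its
            // assertions have already passed the provider's signature and validity checks
            Saml2Authentication authentication = defaults.convert(responseToken);
            Response response = responseToken.getResponse();
            // The provider authenticates with the first assertion, so that is the one
            // whose authentication context has to satisfy the policy
            Assertion assertion = response.getAssertions().get(0);
            if (!hasRequiredContext(assertion)) {
                throw new Saml2AuthenticationException(new Saml2Error(
                        Saml2ErrorCodes.INVALID_ASSERTION,
                        "assertion was not issued under a required authentication context"));
            }
            return authentication;
        });
        return provider;
    }

    static boolean hasRequiredContext(Assertion assertion) {
        return assertion.getAuthnStatements().stream()
                .map(AuthnStatement::getAuthnContext)
                .filter(Objects::nonNull)
                .map(AuthnContext::getAuthnContextClassRef)
                .filter(Objects::nonNull)
                // OpenSAML 3 accessor; OpenSAML 4 renamed it to getURI()
                .map(AuthnContextClassRef::getAuthnContextClassRef)
                .anyMatch(REQUIRED_CONTEXTS::contains);
    }
}
```

        Because this converter takes precedence over setAuthoritiesExtractor and setAuthoritiesMapper, any authority mapping has to happen inside it (for example by building a new Saml2Authentication from the default one) when both are needed.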
      • setAuthoritiesExtractor

        public void setAuthoritiesExtractor​(org.springframework.core.convert.converter.Converter<org.opensaml.saml.saml2.core.Assertion,​java.util.Collection<? extends org.springframework.security.core.GrantedAuthority>> authoritiesExtractor)
        Sets the Converter used for extracting assertion attributes that can be mapped to authorities.
        Parameters:
        authoritiesExtractor - the Converter used for mapping the assertion attributes to authorities
      • setAuthoritiesMapper

        public void setAuthoritiesMapper​(org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper authoritiesMapper)
        Sets the GrantedAuthoritiesMapper used for mapping assertion attributes to a new set of authorities which will be associated to the Saml2Authentication. Note: This implementation is only retrieving
        Parameters:
        authoritiesMapper - the GrantedAuthoritiesMapper used for mapping the user's authorities
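        The example below is added here and is not Spring Security's own code; it covers both setAuthoritiesExtractor and setAuthoritiesMapper. The extractor walks the OpenSAML Assertion's AttributeStatements, reads a group attribute, and turns only groups the application knows into authorities, so an arbitrary string asserted by the IDP cannot become a role. A SimpleAuthorityMapper then applies the ROLE_ prefix. The attribute name, the group-to-role table and the class name are assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;

/**
 * Added example (not Spring Security code): map an assumed group attribute to
 * application roles through an explicit allow-list table.
 */
public final class GroupAuthoritiesExtractor {

    // Assumed attribute name; IdPs differ here
    private static final String GROUPS_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/Group";

    // Assumed table: only these IdP groups are meaningful to this application
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<>();
    static {
        GROUP_TO_ROLE.put("app-admins", "ADMIN");
        GROUP_TO_ROLE.put("app-users", "USER");
    }

    public static Collection<? extends GrantedAuthority> extract(Assertion assertion) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                if (!GROUPS_ATTRIBUTE.equals(attribute.getName())) {
                    continue;
                }
                for (XMLObject value : attribute.getAttributeValues()) {
                    // Unknown groups are dropped rather than becoming arbitrary role names
                    String role = GROUP_TO_ROLE.get(textOf(value));
                    if (role != null) {
                        authorities.add(new SimpleGrantedAuthority(role));
                    }
                }
            }
        }
        return authorities;
    }

    // Attribute values arrive typed as xs:string or xs:anyType depending on the IdP
    private static String textOf(XMLObject value) {
        if (value instanceof XSString) {
            return ((XSString) value).getValue();
        }
        if (value instanceof XSAny) {
            return ((XSAny) value).getTextContent();
        }
        return null;
    }

    public static OpenSamlAuthenticationProvider provider() {
        OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        provider.setAuthoritiesExtractor(GroupAuthoritiesExtractor::extract);
        // SimpleAuthorityMapper prefixes each authority with ROLE_ (ADMIN becomes ROLE_ADMIN)
        provider.setAuthoritiesMapper(new SimpleAuthorityMapper());
        return provider;
    }
}
```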
      • setResponseTimeValidationSkew

        public void setResponseTimeValidationSkew​(java.time.Duration responseTimeValidationSkew)
        Deprecated.
        Sets how much clock skew an assertion may tolerate when its NotBefore and NotOnOrAfter timestamps are validated.
        Parameters:
        responseTimeValidationSkew - duration for skew tolerance
      • createDefaultAssertionValidator

        public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,​Saml2ResponseValidatorResult> createDefaultAssertionValidator()
        Deprecated.
        Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token
        Returns:
        the default assertion validator strategy
        Since:
        5.4
      • createDefaultAssertionValidator

        public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,​Saml2ResponseValidatorResult> createDefaultAssertionValidator​(org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.AssertionToken,​org.opensaml.saml.common.assertion.ValidationContext> contextConverter)
        Deprecated.
        Construct a default strategy for validating each SAML 2.0 Assertion and associated Authentication token
        Parameters:
        contextConverter - the conversion strategy to use to generate a ValidationContext for each assertion being validated
        Returns:
        the default assertion validator strategy
        Since:
        5.4
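        The example below is added here and is not Spring Security's own code. It uses the contextConverter overload to build the default assertion validator on top of an explicit OpenSAML ValidationContext, so that the tolerated clock skew, the accepted Audience and the accepted SubjectConfirmationData Recipient are stated in one place. It assumes the 5.4 API in which AssertionToken.getToken() returns the Saml2AuthenticationToken carrying the RelyingPartyRegistration, and a setAssertionValidator(...) setter on the provider, which this section does not list; the class name is an assumption as well. The parameter keys are OpenSAML 3's SAML2AssertionValidationParameters.

```java
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.AssertionToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

/**
 * Added example (not Spring Security code): default assertion validation over
 * an explicitly constructed ValidationContext.
 */
public final class StrictAssertionValidation {

    public static Converter<AssertionToken, Saml2ResponseValidatorResult> validator(Duration clockSkew) {
        return OpenSamlAuthenticationProvider.createDefaultAssertionValidator((assertionToken) -> {
            // Assumed 5.4 API: the token carries this SP's RelyingPartyRegistration
            RelyingPartyRegistration registration =
                    assertionToken.getToken().getRelyingPartyRegistration();
            Map<String, Object> params = new HashMap<>();
            // OpenSAML 3 takes the skew in milliseconds (OpenSAML 4 takes a Duration)
            params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, clockSkew.toMillis());
            // Conditions/AudienceRestriction must name this SP's entity ID
            params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES,
                    Collections.singleton(registration.getEntityId()));
            // SubjectConfirmationData/@Recipient must be this SP's ACS endpoint, so an
            // assertion minted for another SP cannot be replayed here
            params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS,
                    Collections.singleton(registration.getAssertionConsumerServiceLocation()));
            // The provider verifies signatures before this validator runs; without this
            // flag OpenSAML would reject an unsigned assertion inside a signed Response
            params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false);
            return new ValidationContext(params);
        });
    }

    public static OpenSamlAuthenticationProvider provider() {
        OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
        // Assumed setter (5.4); a 30 second skew is far tighter than the usual several minutes
        provider.setAssertionValidator(validator(Duration.ofSeconds(30)));
        return provider;
    }
}
```

        A short skew only works when the SP and the IDP keep their clocks synchronized; otherwise valid assertions are rejected at the NotBefore and NotOnOrAfter checks.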
      • createDefaultResponseAuthenticationConverter

        public static org.springframework.core.convert.converter.Converter<OpenSamlAuthenticationProvider.ResponseToken,​Saml2Authentication> createDefaultResponseAuthenticationConverter()
        Deprecated.
        Construct a default strategy for converting a SAML 2.0 Response and Authentication token into a Saml2Authentication
        Returns:
        the default response authentication converter strategy
        Since:
        5.4
      • authenticate

        public org.springframework.security.core.Authentication authenticate​(org.springframework.security.core.Authentication authentication)
                                                                      throws org.springframework.security.core.AuthenticationException
        Deprecated.
        Specified by:
        authenticate in interface org.springframework.security.authentication.AuthenticationProvider
        Parameters:
        authentication - the authentication request object, must be of type Saml2AuthenticationToken
        Returns:
        Saml2Authentication if the assertion is valid
        Throws:
        org.springframework.security.core.AuthenticationException - if a validation exception occurs
      • supports

        public boolean supports​(java.lang.Class<?> authentication)
        Deprecated.
        Specified by:
        supports in interface org.springframework.security.authentication.AuthenticationProvider