Add Registration to Saml2Authentication

Closes gh-9487
2025-03-09 06:50:05 +00:00 · 2021-03-02 07:54:18 -07:00 · 2021-03-02 07:54:18 -07:00 · efe42b93ce
commit efe42b93ce
parent 88c1475a3b
4 changed files with 50 additions and 5 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
@ -107,6 +107,7 @@ where
 * `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue
 * `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and
 * `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s.
+* `adfs` is <<servlet-saml2login-relyingpartyregistrationid, an arbitrary identifier you choose>>

 And that's it!

@ -190,6 +191,7 @@ image:{icondir}/number_10.png[] And finally, it takes the `NameID` from the firs
 Then, it places that principal and the authorities into a `Saml2Authentication`.

 The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element.
+`Saml2Authentication#getRelyingPartyRegistrationId` holds the <<servlet-saml2login-relyingpartyregistrationid,identifier to the associated `RelyingPartyRegistration`>>.

 [[servlet-saml2login-opensaml-customization]]
 ==== Customizing OpenSAML Configuration
@ -230,7 +232,7 @@ static {
 				authnRequest.setForceAuthN(true);
            }
 		}
-		
+
 	    factory.getMarshallerFactory().registerMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME, marshaller);
 	});
 }
@ -342,6 +344,10 @@ public RelyingPartyRegistrationRepository relyingPartyRegistrations() {
 ----
 ====

+[[servlet-saml2login-relyingpartyregistrationid]]
+[NOTE]
+The `registrationId` is an arbitrary value that you choose for differentiating between registrations.
+
 Or you can provide each detail manually, as you can see below:

 .Relying Party Registration Repository Manual Configuration
--- a/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java
+++ b/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java
@ -22,6 +22,7 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.AuthenticatedPrincipal;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;

 /**
@ -41,14 +42,40 @@ public class Saml2Authentication extends AbstractAuthenticationToken {

 	private final String saml2Response;

+	private final String relyingPartyRegistrationId;
+
+	/**
+	 * Construct a {@link Saml2Authentication} using the provided parameters
+	 * @param principal the logged in user
+	 * @param saml2Response the SAML 2.0 response used to authenticate the user
+	 * @param authorities the authorities for the logged in user
+	 * @deprecated Use
+	 * {@link #Saml2Authentication(AuthenticatedPrincipal, String, Collection, String)}
+	 */
+	@Deprecated
 	public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
 			Collection<? extends GrantedAuthority> authorities) {
+		this(principal, saml2Response, authorities, null);
+	}
+
+	/**
+	 * Construct a {@link Saml2Authentication} using the provided parameters
+	 * @param principal the logged in user
+	 * @param saml2Response the SAML 2.0 response used to authenticate the user
+	 * @param authorities the authorities for the logged in user
+	 * @param relyingPartyRegistrationId the
+	 * {@link RelyingPartyRegistration#getRegistrationId} associated with this user
+	 * @since 5.5
+	 */
+	public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
+			Collection<? extends GrantedAuthority> authorities, String relyingPartyRegistrationId) {
 		super(authorities);
 		Assert.notNull(principal, "principal cannot be null");
 		Assert.hasText(saml2Response, "saml2Response cannot be null");
 		this.principal = principal;
 		this.saml2Response = saml2Response;
 		setAuthenticated(true);
+		this.relyingPartyRegistrationId = relyingPartyRegistrationId;
 	}

 	@Override
@ -69,4 +96,14 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
 		return getSaml2Response();
 	}

+	/**
+	 * Get the registration id associated with the {@link RelyingPartyRegistration} that
+	 * this user belongs to
+	 * @return the relying party registration id
+	 * @since 5.5
+	 */
+	public String getRelyingPartyRegistrationId() {
+		return this.relyingPartyRegistrationId;
+	}
+
 }
--- a/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
+++ b/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@ -425,7 +425,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
+					token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}

@ -627,8 +628,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(),
-					this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
+					token.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}

--- a/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
+++ b/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@ -365,7 +365,8 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 			String username = assertion.getSubject().getNameID().getValue();
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"));
+					token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}