Add Registration to Saml2Authentication

Closes gh-9487
Josh Cummings 2021-03-02 07:54:18 -07:00
parent 88c1475a3b
commit efe42b93ce
GPG Key ID: 49EF60DD7FF83443
4 changed files with 50 additions and 5 deletions


@ -107,6 +107,7 @@ where
* `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue * `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue
* `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and * `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and
* `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s. * `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s.
* `adfs` is <<servlet-saml2login-relyingpartyregistrationid, an arbitrary identifier you choose>>
And that's it! And that's it!
@ -190,6 +191,7 @@ image:{icondir}/number_10.png[] And finally, it takes the `NameID` from the firs
Then, it places that principal and the authorities into a `Saml2Authentication`. Then, it places that principal and the authorities into a `Saml2Authentication`.
The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element. The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element.
`Saml2Authentication#getRelyingPartyRegistrationId` holds the <<servlet-saml2login-relyingpartyregistrationid,identifier to the associated `RelyingPartyRegistration`>>.
[[servlet-saml2login-opensaml-customization]] [[servlet-saml2login-opensaml-customization]]
==== Customizing OpenSAML Configuration ==== Customizing OpenSAML Configuration
@ -230,7 +232,7 @@ static {
authnRequest.setForceAuthN(true); authnRequest.setForceAuthN(true);
} }
} }
factory.getMarshallerFactory().registerMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME, marshaller); factory.getMarshallerFactory().registerMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME, marshaller);
}); });
} }
@ -342,6 +344,10 @@ public RelyingPartyRegistrationRepository relyingPartyRegistrations() {
---- ----
==== ====
[[servlet-saml2login-relyingpartyregistrationid]]
[NOTE]
The `registrationId` is an arbitrary value that you choose for differentiating between registrations.
Or you can provide each detail manually, as you can see below: Or you can provide each detail manually, as you can see below:
.Relying Party Registration Repository Manual Configuration .Relying Party Registration Repository Manual Configuration


@ -22,6 +22,7 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.AuthenticatedPrincipal; import org.springframework.security.core.AuthenticatedPrincipal;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
@ -41,14 +42,40 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
private final String saml2Response; private final String saml2Response;
private final String relyingPartyRegistrationId;
/**
* Construct a {@link Saml2Authentication} using the provided parameters
* @param principal the logged in user
* @param saml2Response the SAML 2.0 response used to authenticate the user
* @param authorities the authorities for the logged in user
* @deprecated Use
* {@link #Saml2Authentication(AuthenticatedPrincipal, String, Collection, String)}
*/
@Deprecated
public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response, public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
Collection<? extends GrantedAuthority> authorities) { Collection<? extends GrantedAuthority> authorities) {
this(principal, saml2Response, authorities, null);
}
/**
* Construct a {@link Saml2Authentication} using the provided parameters
* @param principal the logged in user
* @param saml2Response the SAML 2.0 response used to authenticate the user
* @param authorities the authorities for the logged in user
* @param relyingPartyRegistrationId the
* {@link RelyingPartyRegistration#getRegistrationId} associated with this user
* @since 5.5
*/
public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
Collection<? extends GrantedAuthority> authorities, String relyingPartyRegistrationId) {
super(authorities); super(authorities);
Assert.notNull(principal, "principal cannot be null"); Assert.notNull(principal, "principal cannot be null");
Assert.hasText(saml2Response, "saml2Response cannot be null"); Assert.hasText(saml2Response, "saml2Response cannot be null");
this.principal = principal; this.principal = principal;
this.saml2Response = saml2Response; this.saml2Response = saml2Response;
setAuthenticated(true); setAuthenticated(true);
this.relyingPartyRegistrationId = relyingPartyRegistrationId;
} }
@Override @Override
@ -69,4 +96,14 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
return getSaml2Response(); return getSaml2Response();
} }
/**
* Get the registration id associated with the {@link RelyingPartyRegistration} that
* this user belongs to
* @return the relying party registration id
* @since 5.5
*/
public String getRelyingPartyRegistrationId() {
return this.relyingPartyRegistrationId;
}
} }
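Review bot: `getRelyingPartyRegistrationId()` can return null, because the deprecated three-argument constructor delegates with `this(principal, saml2Response, authorities, null)` and the four-argument constructor stores the value without any check, yet neither the getter's Javadoc nor the constructor's `@param` says so; any caller that later uses this id to look up the `RelyingPartyRegistration` will need a null check. Suggest documenting it on the getter, `@return the relying party registration id, or {@code null} when the token was built through the deprecated three-argument constructor`, and adding a matching sentence to the `@param relyingPartyRegistrationId` line of the new constructor. An `Assert.hasText` on the new constructor would make the contract stricter, but it would break any caller that passes null deliberately, so the documentation note is the safe minimum for this commit. Note also that the new field is not part of the inherited `equals`/`hashCode`, which may or may not be intended and is worth a one-line comment.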


@ -425,7 +425,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
String username = assertion.getSubject().getNameID().getValue(); String username = assertion.getSubject().getNameID().getValue();
Map<String, List<Object>> attributes = getAssertionAttributes(assertion); Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER"))); token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")),
responseToken.token.getRelyingPartyRegistration().getRegistrationId());
}; };
} }
@ -627,8 +628,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
String username = assertion.getSubject().getNameID().getValue(); String username = assertion.getSubject().getNameID().getValue();
Map<String, List<Object>> attributes = getAssertionAttributes(assertion); Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
token.getSaml2Response(), token.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)),
this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion))); responseToken.token.getRelyingPartyRegistration().getRegistrationId());
}; };
} }
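Review bot: The new argument reads the registration through `responseToken.token.getRelyingPartyRegistration()` while the preceding argument reads the response through `token.getSaml2Response()`; if `token` is a local already bound to `responseToken.token` (its declaration, and the start of the enclosing lambda, are outside the hunk), the expression should use one reference consistently, e.g. `token.getRelyingPartyRegistration().getRegistrationId()`. Whether `getRelyingPartyRegistration()` can ever be null is not visible here; if it can, this chained call would throw during authentication rather than producing a clear failure, so a short comment or an assertion near the token's construction would help. The same pattern appears in the second hunk of this file.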


@ -365,7 +365,8 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
String username = assertion.getSubject().getNameID().getValue(); String username = assertion.getSubject().getNameID().getValue();
Map<String, List<Object>> attributes = getAssertionAttributes(assertion); Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER")); token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"),
responseToken.token.getRelyingPartyRegistration().getRegistrationId());
}; };
} }
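Review bot: As in the OpenSAML 3 provider, the added argument mixes `responseToken.token.getRelyingPartyRegistration()` with `token.getSaml2Response()` on the previous line; if `token` already refers to `responseToken.token` (declared outside this hunk, in a lambda whose start is not shown), prefer the single form `token.getRelyingPartyRegistration().getRegistrationId()` so a reader can see both values come from the same validated token. If the registration on the token is guaranteed non-null by its constructor, a brief comment saying so would justify the unguarded chain.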