Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add Registration to Saml2Authentication 

Closes gh-9487
This commit is contained in:
Josh Cummings 2021-03-02 07:54:18 -07:00
parent 822e59af45
commit f5a525e740
6 changed files with 49 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
View File

@ -107,6 +107,7 @@ where
* `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue * `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue
* `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and * `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and
* `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s. * `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s.
* `adfs` is <<servlet-saml2login-relyingpartyregistrationid, an arbitrary identifier you choose>>
And that's it! And that's it!
@ -196,6 +197,7 @@ image:{icondir}/number_10.png[] And finally, it takes the `NameID` from the firs
Then, it places that principal and the authorities into a `Saml2Authentication`. Then, it places that principal and the authorities into a `Saml2Authentication`.
The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element. The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element.
`Saml2AuthenticatedPrincipal#getRelyingPartyRegistrationId` holds the <<servlet-saml2login-relyingpartyregistrationid,identifier to the associated `RelyingPartyRegistration`>>.
[[servlet-saml2login-opensaml-customization]] [[servlet-saml2login-opensaml-customization]]
==== Customizing OpenSAML Configuration ==== Customizing OpenSAML Configuration
@ -410,6 +412,10 @@ open fun relyingPartyRegistrations(): RelyingPartyRegistrationRepository? {
---- ----
==== ====
[[servlet-saml2login-relyingpartyregistrationid]]
[NOTE]
The `registrationId` is an arbitrary value that you choose for differentiating between registrations.
Or you can provide each detail manually, as you can see below: Or you can provide each detail manually, as you can see below:
.Relying Party Registration Repository Manual Configuration .Relying Party Registration Repository Manual Configuration

13
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java
View File

@ -34,11 +34,14 @@ public class DefaultSaml2AuthenticatedPrincipal implements Saml2AuthenticatedPri
private final Map<String, List<Object>> attributes; private final Map<String, List<Object>> attributes;
private String registrationId;
public DefaultSaml2AuthenticatedPrincipal(String name, Map<String, List<Object>> attributes) { public DefaultSaml2AuthenticatedPrincipal(String name, Map<String, List<Object>> attributes) {
Assert.notNull(name, "name cannot be null"); Assert.notNull(name, "name cannot be null");
Assert.notNull(attributes, "attributes cannot be null"); Assert.notNull(attributes, "attributes cannot be null");
this.name = name; this.name = name;
this.attributes = attributes; this.attributes = attributes;
this.registrationId = null;
} }
@Override @Override
@ -51,4 +54,14 @@ public class DefaultSaml2AuthenticatedPrincipal implements Saml2AuthenticatedPri
return this.attributes; return this.attributes;
} }
@Override
public String getRelyingPartyRegistrationId() {
return this.registrationId;
}
public void setRelyingPartyRegistrationId(String registrationId) {
Assert.notNull(registrationId, "relyingPartyRegistrationId cannot be null");
this.registrationId = registrationId;
}
} }

10
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticatedPrincipal.java
View File

@ -22,6 +22,7 @@ import java.util.Map;
import org.springframework.lang.Nullable; import org.springframework.lang.Nullable;
import org.springframework.security.core.AuthenticatedPrincipal; import org.springframework.security.core.AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.util.CollectionUtils; import org.springframework.util.CollectionUtils;
/** /**
@ -66,4 +67,13 @@ public interface Saml2AuthenticatedPrincipal extends AuthenticatedPrincipal {
return Collections.emptyMap(); return Collections.emptyMap();
} }
/**
* Get the {@link RelyingPartyRegistration} identifier
* @return the {@link RelyingPartyRegistration} identifier
* @since 5.6
*/
default String getRelyingPartyRegistrationId() {
return null;
}
} }

6
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java
View File

@ -41,6 +41,12 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
private final String saml2Response; private final String saml2Response;
/**
* Construct a {@link Saml2Authentication} using the provided parameters
* @param principal the logged in user
* @param saml2Response the SAML 2.0 response used to authenticate the user
* @param authorities the authorities for the logged in user
*/
public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response, public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
Collection<? extends GrantedAuthority> authorities) { Collection<? extends GrantedAuthority> authorities) {
super(authorities); super(authorities);

13
saml2/saml2-service-provider/src/opensaml3Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
View File

@ -424,8 +424,11 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
Assertion assertion = CollectionUtils.firstElement(response.getAssertions()); Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
String username = assertion.getSubject().getNameID().getValue(); String username = assertion.getSubject().getNameID().getValue();
Map<String, List<Object>> attributes = getAssertionAttributes(assertion); Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal(username, attributes);
token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER"))); String registrationId = responseToken.token.getRelyingPartyRegistration().getRegistrationId();
principal.setRelyingPartyRegistrationId(registrationId);
return new Saml2Authentication(principal, token.getSaml2Response(),
Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
}; };
} }
@ -626,8 +629,10 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
Assertion assertion = CollectionUtils.firstElement(response.getAssertions()); Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
String username = assertion.getSubject().getNameID().getValue(); String username = assertion.getSubject().getNameID().getValue();
Map<String, List<Object>> attributes = getAssertionAttributes(assertion); Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal(username, attributes);
token.getSaml2Response(), String registrationId = responseToken.token.getRelyingPartyRegistration().getRegistrationId();
principal.setRelyingPartyRegistrationId(registrationId);
return new Saml2Authentication(principal, token.getSaml2Response(),
this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion))); this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
}; };
} }

7
saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
View File

@ -425,8 +425,11 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
Assertion assertion = CollectionUtils.firstElement(response.getAssertions()); Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
String username = assertion.getSubject().getNameID().getValue(); String username = assertion.getSubject().getNameID().getValue();
Map<String, List<Object>> attributes = getAssertionAttributes(assertion); Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal(username, attributes);
token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER")); String registrationId = responseToken.token.getRelyingPartyRegistration().getRegistrationId();
principal.setRelyingPartyRegistrationId(registrationId);
return new Saml2Authentication(principal, token.getSaml2Response(),
AuthorityUtils.createAuthorityList("ROLE_USER"));
}; };
} }