164 lines
4.6 KiB
Plaintext
164 lines
4.6 KiB
Plaintext
[[servlet-saml2login-metadata]]
|
|
= Saml 2.0 Metadata
|
|
|
|
Spring Security can <<parsing-asserting-party-metadata,parse asserting party metadata>> to produce an `AssertingPartyDetails` instance as well as <<publishing-relying-party-metadata,publish relying party metadata>> from a `RelyingPartyRegistration` instance.
|
|
|
|
[[parsing-asserting-party-metadata]]
|
|
== Parsing `<saml2:IDPSSODescriptor>` metadata
|
|
|
|
You can parse an asserting party's metadata xref:servlet/saml2/login/overview.adoc#servlet-saml2login-relyingpartyregistrationrepository[using `RelyingPartyRegistrations`].
|
|
|
|
When using the OpenSAML vendor support, the resulting `AssertingPartyDetails` will be of type `OpenSamlAssertingPartyDetails`.
|
|
This means you'll be able to do get the underlying OpenSAML XMLObject by doing the following:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
|
|
registration.getAssertingPartyDetails();
|
|
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
val details: OpenSamlAssertingPartyDetails =
|
|
registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails;
|
|
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor();
|
|
----
|
|
======
|
|
|
|
[[publishing-relying-party-metadata]]
|
|
== Producing `<saml2:SPSSODescriptor>` Metadata
|
|
|
|
You can publish a metadata endpoint by adding the `Saml2MetadataFilter` to the filter chain, as you'll see below:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
|
|
new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
|
|
Saml2MetadataFilter filter = new Saml2MetadataFilter(
|
|
relyingPartyRegistrationResolver,
|
|
new OpenSamlMetadataResolver());
|
|
|
|
http
|
|
// ...
|
|
.saml2Login(withDefaults())
|
|
.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
|
|
DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
|
|
val filter = Saml2MetadataFilter(
|
|
relyingPartyRegistrationResolver,
|
|
OpenSamlMetadataResolver()
|
|
)
|
|
|
|
http {
|
|
//...
|
|
saml2Login { }
|
|
addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
|
|
}
|
|
----
|
|
======
|
|
|
|
You can use this metadata endpoint to register your relying party with your asserting party.
|
|
This is often as simple as finding the correct form field to supply the metadata endpoint.
|
|
|
|
By default, the metadata endpoint is `+/saml2/service-provider-metadata/{registrationId}+`.
|
|
You can change this by calling the `setRequestMatcher` method on the filter:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))
|
|
----
|
|
======
|
|
|
|
Or, if you have registered a custom relying party registration resolver in the constructor, then you can specify a path without a `registrationId` hint, like so:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
|
|
----
|
|
|
|
Kotlin::
|
|
+
|
|
[source,kotlin,role="secondary"]
|
|
----
|
|
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
|
|
----
|
|
======
|
|
|
|
== Changing the Way a `RelyingPartyRegistration` Is Looked Up
|
|
|
|
To apply a custom `RelyingPartyRegistrationResolver` to the metadata endpoint, you can provide it directly in the filter constructor like so:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
RelyingPartyRegistrationResolver myRegistrationResolver = ...;
|
|
Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());
|
|
|
|
// ...
|
|
|
|
http.addFilterBefore(metadata, BasicAuthenticationFilter.class);
|
|
----
|
|
======
|
|
|
|
.Kotlin
|
|
----
|
|
val myRegistrationResolver: RelyingPartyRegistrationResolver = ...;
|
|
val metadata = new Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver());
|
|
|
|
// ...
|
|
|
|
http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java);
|
|
----
|
|
|
|
In the event that you are applying a `RelyingPartyRegistrationResolver` to remove the `registrationId` from the URI, you must also change the URI in the filter like so:
|
|
|
|
[tabs]
|
|
======
|
|
Java::
|
|
+
|
|
[source,java,role="primary"]
|
|
----
|
|
metadata.setRequestMatcher("/saml2/metadata")
|
|
----
|
|
======
|
|
|
|
.Kotlin
|
|
----
|
|
metadata.setRequestMatcher("/saml2/metadata")
|
|
----
|