| [[servlet-saml2login-metadata]]
 | |
| = Saml 2.0 Metadata
 | |
| 
 | |
| Spring Security can <<parsing-asserting-party-metadata,parse asserting party metadata>> to produce an `AssertingPartyDetails` instance as well as <<publishing-relying-party-metadata,publish relying party metadata>> from a `RelyingPartyRegistration` instance.
 | |
| 
 | |
| [[parsing-asserting-party-metadata]]
 | |
| == Parsing `<saml2:IDPSSODescriptor>` Metadata
 | |
| 
 | |
| You can parse an asserting party's metadata xref:servlet/saml2/login/overview.adoc#servlet-saml2login-relyingpartyregistrationrepository[using `RelyingPartyRegistrations`].
 | |
| 
 | |
| When using the OpenSAML vendor support, the resulting `AssertingPartyDetails` will be of type `OpenSamlAssertingPartyDetails`.
 | |
| This means you'll be able to get the underlying OpenSAML `XMLObject` by doing the following:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
 | |
|         registration.getAssertingPartyDetails();
 | |
| EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| val details: OpenSamlAssertingPartyDetails =
 | |
|         registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails;
 | |
| val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor();
 | |
| ----
 | |
| ======
 | |
| 
 | |
| [[publishing-relying-party-metadata]]
 | |
| == Producing `<saml2:SPSSODescriptor>` Metadata
 | |
| 
 | |
| You can publish a metadata endpoint by adding the `Saml2MetadataFilter` to the filter chain, as you'll see below:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
 | |
|         new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
 | |
| Saml2MetadataFilter filter = new Saml2MetadataFilter(
 | |
|         relyingPartyRegistrationResolver,
 | |
|         new OpenSamlMetadataResolver());
 | |
| 
 | |
| http
 | |
|     // ...
 | |
|     .saml2Login(withDefaults())
 | |
|     .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
 | |
|     DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
 | |
| val filter = Saml2MetadataFilter(
 | |
|     relyingPartyRegistrationResolver,
 | |
|     OpenSamlMetadataResolver()
 | |
| )
 | |
| 
 | |
| http {
 | |
|     //...
 | |
|     saml2Login { }
 | |
|     addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
 | |
| }
 | |
| ----
 | |
| ======
 | |
| 
 | |
| You can use this metadata endpoint to register your relying party with your asserting party.
 | |
| This is often as simple as finding the correct form field in which to supply the metadata endpoint URL.
 | |
| 
 | |
| By default, the metadata endpoint is `+/saml2/service-provider-metadata/{registrationId}+`.
 | |
| You can change this by calling the `setRequestMatcher` method on the filter:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))
 | |
| ----
 | |
| ======
 | |
| 
 | |
| Or, if you have registered a custom relying party registration resolver in the constructor, then you can specify a path without a `registrationId` hint, like so:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
 | |
| ----
 | |
| ======
 | |
| 
 | |
| == Changing the Way a `RelyingPartyRegistration` Is Looked Up
 | |
| 
 | |
| To apply a custom `RelyingPartyRegistrationResolver` to the metadata endpoint, you can provide it directly in the filter constructor like so:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| RelyingPartyRegistrationResolver myRegistrationResolver = ...;
 | |
| Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());
 | |
| 
 | |
| // ...
 | |
| 
 | |
| http.addFilterBefore(metadata, BasicAuthenticationFilter.class);
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| val myRegistrationResolver: RelyingPartyRegistrationResolver = ...
 | |
| val metadata = Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver())
 | |
| 
 | |
| // ...
 | |
| 
 | |
| http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java)
 | |
| ----
 | |
| ======
 | |
| 
 | |
| If you apply a `RelyingPartyRegistrationResolver` that removes the `registrationId` from the URI, you must also change the URI the filter matches, like so:
 | |
| 
 | |
| [tabs]
 | |
| ======
 | |
| Java::
 | |
| +
 | |
| [source,java,role="primary"]
 | |
| ----
 | |
| metadata.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
 | |
| ----
 | |
| 
 | |
| Kotlin::
 | |
| +
 | |
| [source,kotlin,role="secondary"]
 | |
| ----
 | |
| metadata.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
 | |
| ----
 | |
| ======
 |