Example showing how to authenticate with multiple Asserting Parties #64
Comments
Does the silence mean I was correct, and the design of SAML support in Spring 5 is fatally flawed?
Bump. I desperately need this too @jzheaux.
Any luck here? This seems a fair ask. I am working on migrating a project with the old Spring Security SAML extension that needs this feature. The old library used to set the Issuer as the peer entity by parsing the SAML response before validation, and then it would use the same parsed SAML response to do further validation. This was very helpful in applications that need to handle multiple SPs with multiple SP partners or asserting parties. Right now the only way to have a unique registration id for configuring a RelyingPartyRegistration for the above scenario is to use SP entity name + asserting party entity name as the unique id. However, during validation we would first have to get the Issuer out of the token ourselves by parsing it, and then look up the RelyingPartyRegistration with (SP name + issuer) as the id. This works, but we parse the token two times, which is an expensive operation.
This does now all work:

```yaml
spring.security.saml2.relyingparty.registration:
  one:
    entity-id: https://example.com/saml/metadata
    assertingparty.metadata-uri: https://example.org/saml/metadata
  two:
    entity-id: https://example.com/saml/metadata
    assertingparty.metadata-uri: https://example.net/saml/metadata
```

And you can customise to make it work better. I build a custom
You can also set the same ACS etc. URLs for every registration, and set the option to route by the message contents instead of the URL pattern. In Spring Security 6.4 it will be even easier.
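The Java-config equivalent of the comment above, and of the later remark that the filter which parses the response can be swapped out so the token is parsed only once: two registrations that share one SP entity ID and one ACS URL, with the login filter routing on the `<saml2:Issuer>` of the posted response instead of on a `{registrationId}` path segment. This is an added example, not code from the issue or from the Spring Security project; it assumes Spring Security 6.1 or later (where `OpenSaml4AuthenticationTokenConverter` is available and `InMemoryRelyingPartyRegistrationRepository` can be searched by asserting-party entity ID), and the metadata URLs are the placeholders from the comment, so `fromMetadataLocation` will try to fetch them at startup.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationTokenConverter;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not project code): one Relying Party, two Asserting Parties.
 * Assumes Spring Security 6.1+ and the placeholder metadata URLs from the thread.
 */
@Configuration
@EnableWebSecurity
public class MultiIdpSamlConfig {

    // Shared by every registration: the SP is one entity, so it has one entity ID
    // and one ACS URL. Only the registration ID and the asserting party differ.
    private static final String SP_ENTITY_ID = "https://example.com/saml/metadata";
    private static final String SHARED_ACS = "{baseUrl}/login/saml2/sso";

    @Bean
    RelyingPartyRegistrationRepository registrations() {
        RelyingPartyRegistration one = RelyingPartyRegistrations
                .fromMetadataLocation("https://example.org/saml/metadata") // placeholder IdP metadata
                .registrationId("one")
                .entityId(SP_ENTITY_ID)
                .assertionConsumerServiceLocation(SHARED_ACS)
                .build();
        RelyingPartyRegistration two = RelyingPartyRegistrations
                .fromMetadataLocation("https://example.net/saml/metadata") // placeholder IdP metadata
                .registrationId("two")
                .entityId(SP_ENTITY_ID)
                .assertionConsumerServiceLocation(SHARED_ACS)
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(one, two);
    }

    @Bean
    SecurityFilterChain samlFilterChain(HttpSecurity http,
                                        RelyingPartyRegistrationRepository registrations) throws Exception {
        // The converter parses the SAMLResponse once, reads its Issuer, and picks the
        // registration whose asserting party has that entity ID. The parsed object is
        // handed on in the Saml2AuthenticationToken, so the provider does not parse again.
        OpenSaml4AuthenticationTokenConverter routeByIssuer =
                new OpenSaml4AuthenticationTokenConverter(registrations);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2
                // Match the shared ACS path instead of /login/saml2/sso/{registrationId}.
                .loginProcessingUrl("/login/saml2/sso")
                .authenticationConverter(routeByIssuer));
        return http.build();
    }
}
```

Two things worth keeping in mind with this layout. The Issuer is read from a response that has not been validated yet, so it only decides which asserting party's signing certificates the provider will verify against; an attacker who posts a response naming IdP "one" still has to produce a signature that checks out under "one"'s keys. And the registration IDs must stay unique even though the entity IDs are identical, since that ID is what the discovery page (the two buttons mentioned in the issue) uses to start the right authentication request.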
I have an app where all it needs to do is validate SAML response tokens. It acts like middleware to validate SAML tokens for hundreds of apps. One app can have multiple asserting parties, and thus there is a need to create a RelyingPartyRegistration with a unique id combining issuer and SP entity-id to uniquely identify the RelyingPartyRegistration. Before, the Spring Security SAML extension used to resolve the issuer from the SAML response and set it as the peer entity during the validation process. It would then load the correct metadata for SAML validation. The recent version can identify the relying party based on issuer; however, if we have a unique requirement like the above, where we need to uniquely identify the relying party based on (SP entity + issuer), we would have to parse the token, get the issuer, then do the relying party lookup from the registration repository by SP entity + issuer. This is a problem because it needs double parsing of the SAML token: one to get the issuer, and the other the library itself does to validate. XML parsing is quite an expensive operation. The previous library would load it in the context and won't do it two times.
You can replace the filter that parses the token to do what you need, and avoid parsing it twice.
I am using the library for only SAML response validation. The way it's used is:
OpenSAML4AuthenticationProvider is final, and to avoid duplicate parsing it means copying the whole class, which defeats the purpose. Reference
a) that has nothing to do with this issue
Continuing from:
spring-projects/spring-security#10551
spring-attic/spring-security-saml#521 (comment)
One Relying Party (Service Provider) should be able to authenticate with a choice of Asserting Parties (Identity Providers).
That's the basic SAML Federation system.
If this is currently possible, please add an example showing how (discovery can be a choice of two buttons - one for each IdP).
If this is not currently possible, please re-open the feature request(s) for it.
If it is not possible to add this feature, please resume support for spring-security-saml, which does allow this.