HttpSecurity.saml2login() - MVP Core Code

Implements minimal SAML 2.0 login/authentication functionality with the following feature set: - Supports IDP initiated login at the default url of /login/saml2/sso/{registrationId} - Supports SP initiated login at the default url of /saml2/authenticate/{registrationId} - Supports basic java-configuration via DSL - Provides an integration sample using Spring Boot Not implemented with this MVP - Single Logout - Dynamic Service Provider Metadata Fixes gh-6019
2026-05-22 13:23:17 +00:00 · 2019-08-13 14:45:39 -07:00
parent b5cbab01df
commit e9a44bc0ce
39 changed files with 4260 additions and 19 deletions
@@ -0,0 +1,12 @@
+apply plugin: 'io.spring.convention.spring-module'
+
+dependencies {
+    compile project(':spring-security-core')
+    compile project(':spring-security-web')
+
+    compile("org.opensaml:opensaml-core:3.3.0")
+    compile("org.opensaml:opensaml-saml-api:3.3.0")
+    compile("org.opensaml:opensaml-saml-impl:3.3.0")
+
+    provided 'javax.servlet:javax.servlet-api'
+}
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2;
+
+/**
+ * @since 5.2
+ */
+public class Saml2Exception extends RuntimeException {
+
+	public Saml2Exception(String message) {
+		super(message);
+	}
+
+	public Saml2Exception(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	public Saml2Exception(Throwable cause) {
+		super(cause);
+	}
+
+}
@@ -0,0 +1,162 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.saml2.credentials;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import static java.util.Arrays.asList;
+import static org.springframework.util.Assert.notEmpty;
+import static org.springframework.util.Assert.notNull;
+import static org.springframework.util.Assert.state;
+
+/**
+ * Saml2X509Credential is meant to hold an X509 certificate, or an X509 certificate and a
+ * private key. Per:
+ * https://www.oasis-open.org/committees/download.php/8958/sstc-saml-implementation-guidelines-draft-01.pdf
+ * Line: 584, Section 4.3 Credentials Used for both signing, signature verification and encryption/decryption
+ *
+ * @since 5.2
+ */
+public class Saml2X509Credential {
+	public enum Saml2X509CredentialType {
+		VERIFICATION,
+		ENCRYPTION,
+		SIGNING,
+		DECRYPTION,
+	}
+
+	private final PrivateKey privateKey;
+	private final X509Certificate certificate;
+	private final Set<Saml2X509CredentialType> credentialTypes;
+
+	/**
+	 * Creates a Saml2X509Credentials representing Identity Provider credentials for
+	 * verification, encryption or both.
+	 * @param certificate an IDP X509Certificate, cannot be null
+	 * @param types credential types, must be one of {@link Saml2X509CredentialType#VERIFICATION} or
+	 *               {@link Saml2X509CredentialType#ENCRYPTION} or both.
+	 */
+	public Saml2X509Credential(X509Certificate certificate, Saml2X509CredentialType... types) {
+		this(null, false, certificate, types);
+		validateUsages(types, Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);
+	}
+
+	/**
+	 * Creates a Saml2X509Credentials representing Service Provider credentials for
+	 * signing, decryption or both.
+	 * @param privateKey a private key used for signing or decryption, cannot be null
+	 * @param certificate an SP X509Certificate shared with identity providers, cannot be null
+	 * @param types credential types, must be one of {@link Saml2X509CredentialType#SIGNING} or
+	 *               {@link Saml2X509CredentialType#DECRYPTION} or both.
+	 */
+	public Saml2X509Credential(PrivateKey privateKey, X509Certificate certificate, Saml2X509CredentialType... types) {
+		this(privateKey, true, certificate, types);
+		validateUsages(types, Saml2X509CredentialType.SIGNING, Saml2X509CredentialType.DECRYPTION);
+	}
+
+	private Saml2X509Credential(
+			PrivateKey privateKey,
+			boolean keyRequired,
+			X509Certificate certificate,
+			Saml2X509CredentialType... types) {
+		notNull(certificate, "certificate cannot be null");
+		notEmpty(types, "credentials types cannot be empty");
+		if (keyRequired) {
+			notNull(privateKey, "privateKey cannot be null");
+		}
+		this.privateKey = privateKey;
+		this.certificate = certificate;
+		this.credentialTypes = new LinkedHashSet<>(asList(types));
+	}
+
+
+	/**
+	 * Returns true if the credential has a private key and can be used for signing, the types will contain
+	 * {@link Saml2X509CredentialType#SIGNING}.
+	 * @return true if the credential is a {@link Saml2X509CredentialType#SIGNING} type
+	 */
+	public boolean isSigningCredential() {
+		return getCredentialTypes().contains(Saml2X509CredentialType.SIGNING);
+	}
+
+	/**
+	 * Returns true if the credential has a private key and can be used for decryption, the types will contain
+	 * {@link Saml2X509CredentialType#DECRYPTION}.
+	 * @return true if the credential is a {@link Saml2X509CredentialType#DECRYPTION} type
+	 */
+	public boolean isDecryptionCredential() {
+		return getCredentialTypes().contains(Saml2X509CredentialType.DECRYPTION);
+	}
+
+	/**
+	 * Returns true if the credential has a certificate and can be used for signature verification, the types will contain
+	 * {@link Saml2X509CredentialType#VERIFICATION}.
+	 * @return true if the credential is a {@link Saml2X509CredentialType#VERIFICATION} type
+	 */
+	public boolean isSignatureVerficationCredential() {
+		return getCredentialTypes().contains(Saml2X509CredentialType.VERIFICATION);
+	}
+
+	/**
+	 * Returns true if the credential has a certificate and can be used for signature verification, the types will contain
+	 * {@link Saml2X509CredentialType#VERIFICATION}.
+	 * @return true if the credential is a {@link Saml2X509CredentialType#VERIFICATION} type
+	 */
+	public boolean isEncryptionCredential() {
+		return getCredentialTypes().contains(Saml2X509CredentialType.ENCRYPTION);
+	}
+
+	/**
+	 * Returns the credential types for this credential.
+	 * @return a set of credential types/usages that this credential can be used for
+	 */
+	protected Set<Saml2X509CredentialType> getCredentialTypes() {
+		return this.credentialTypes;
+	}
+
+	/**
+	 * Returns the private key, or null if this credential type doesn't require one.
+	 * @return the private key, or null
+	 * @see {@link #Saml2X509Credential(PrivateKey, X509Certificate, Saml2X509CredentialType...)}
+	 */
+	public PrivateKey getPrivateKey() {
+		return this.privateKey;
+	}
+
+	/**
+	 * Returns the X509 certificate for ths credential. Cannot be null
+	 * @return the X509 certificate
+	 */
+	public X509Certificate getCertificate() {
+		return this.certificate;
+	}
+
+	private void validateUsages(Saml2X509CredentialType[] usages, Saml2X509CredentialType... validUsages) {
+		for (Saml2X509CredentialType usage : usages) {
+			boolean valid = false;
+			for (Saml2X509CredentialType validUsage : validUsages) {
+				if (usage == validUsage) {
+					valid = true;
+					break;
+				}
+			}
+			state(valid, () -> usage +" is not a valid usage for this credential");
+		}
+	}
+}
@@ -0,0 +1,403 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.credentials.Saml2X509Credential;
+import org.springframework.util.Assert;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.common.assertion.AssertionValidationException;
+import org.opensaml.saml.common.assertion.ValidationContext;
+import org.opensaml.saml.common.assertion.ValidationResult;
+import org.opensaml.saml.saml2.assertion.ConditionValidator;
+import org.opensaml.saml.saml2.assertion.SAML20AssertionValidator;
+import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
+import org.opensaml.saml.saml2.assertion.StatementValidator;
+import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
+import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
+import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.EncryptedAssertion;
+import org.opensaml.saml.saml2.core.EncryptedID;
+import org.opensaml.saml.saml2.core.NameID;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.Subject;
+import org.opensaml.saml.saml2.encryption.Decrypter;
+import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.security.credential.CredentialResolver;
+import org.opensaml.security.credential.CredentialSupport;
+import org.opensaml.security.credential.impl.CollectionCredentialResolver;
+import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
+import org.opensaml.xmlsec.encryption.support.DecryptionException;
+import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
+import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
+import org.opensaml.xmlsec.signature.support.SignatureValidator;
+import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
+
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static java.lang.String.format;
+import static java.util.Collections.singleton;
+import static java.util.Collections.singletonList;
+import static org.springframework.util.Assert.notNull;
+import static org.springframework.util.StringUtils.hasText;
+
+/**
+ * @since 5.2
+ */
+public final class OpenSamlAuthenticationProvider implements AuthenticationProvider {
+
+	private static Log logger = LogFactory.getLog(OpenSamlAuthenticationProvider.class);
+
+	private final OpenSamlImplementation saml = OpenSamlImplementation.getInstance();
+	private Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor = (a -> singletonList(new SimpleGrantedAuthority("ROLE_USER")));
+	private GrantedAuthoritiesMapper authoritiesMapper = (a -> a);
+	private Duration responseTimeValidationSkew = Duration.ofMinutes(5);
+
+	/**
+	 * Sets the {@link Converter} used for extracting assertion attributes that
+	 * can be mapped to authorities.
+	 * @param authoritiesExtractor the {@code Converter} used for mapping the
+	 *                             assertion attributes to authorities
+	 */
+	public void setAuthoritiesExtractor(Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor) {
+		Assert.notNull(authoritiesExtractor, "authoritiesExtractor cannot be null");
+		this.authoritiesExtractor = authoritiesExtractor;
+	}
+
+	/**
+	 * Sets the {@link GrantedAuthoritiesMapper} used for mapping assertion attributes
+	 * to a new set of authorities which will be associated to the {@link Saml2Authentication}.
+	 * Note: This implementation is only retrieving
+	 * @param authoritiesMapper the {@link GrantedAuthoritiesMapper} used for mapping the user's authorities
+	 */
+	public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {
+		notNull(authoritiesMapper, "authoritiesMapper cannot be null");
+		this.authoritiesMapper = authoritiesMapper;
+	}
+
+	/**
+	 * Sets the duration for how much time skew an assertion may tolerate during
+	 * timestamp, NotOnOrBefore and NotOnOrAfter, validation.
+	 * @param responseTimeValidationSkew duration for skew tolerance
+	 */
+	public void setResponseTimeValidationSkew(Duration responseTimeValidationSkew) {
+		this.responseTimeValidationSkew = responseTimeValidationSkew;
+	}
+
+	/**
+	 * @param authentication the authentication request object, must be of type
+	 *                       {@link Saml2AuthenticationToken}
+	 *
+	 * @return {@link Saml2Authentication} if the assertion is valid
+	 * @throws AuthenticationException if a validation exception occurs
+	 */
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		try {
+			Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
+			String xml = token.getSaml2Response();
+			Response samlResponse = getSaml2Response(xml);
+
+			Assertion assertion = validateSaml2Response(token, token.getRecipientUri(), samlResponse);
+			final String username = getUsername(token, assertion);
+			if (username == null) {
+				throw new UsernameNotFoundException("Assertion [" +
+						assertion.getID() +
+						"] is missing a user identifier");
+			}
+			return new Saml2Authentication(
+					() -> username, token.getSaml2Response(),
+					this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion))
+			);
+		}catch (Saml2Exception | IllegalArgumentException e) {
+			throw new AuthenticationServiceException(e.getMessage(), e);
+		}
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return authentication != null && Saml2AuthenticationToken.class.isAssignableFrom(authentication);
+	}
+
+	private Collection<? extends GrantedAuthority> getAssertionAuthorities(Assertion assertion) {
+		return this.authoritiesExtractor.convert(assertion);
+	}
+
+	private String getUsername(Saml2AuthenticationToken token, Assertion assertion) {
+		final Subject subject = assertion.getSubject();
+		if (subject == null) {
+			return null;
+		}
+		if (subject.getNameID() != null) {
+			return subject.getNameID().getValue();
+		}
+		if (subject.getEncryptedID() != null) {
+			NameID nameId = decrypt(token, subject.getEncryptedID());
+			return nameId.getValue();
+		}
+		return null;
+	}
+
+	private Assertion validateSaml2Response(Saml2AuthenticationToken token,
+											String recipient,
+											Response samlResponse) throws AuthenticationException {
+		if (hasText(samlResponse.getDestination()) && !recipient.equals(samlResponse.getDestination())) {
+			throw new Saml2Exception("Invalid SAML response destination: " + samlResponse.getDestination());
+		}
+
+		final String issuer = samlResponse.getIssuer().getValue();
+		if (logger.isDebugEnabled()) {
+			logger.debug("Processing SAML response from " + issuer);
+		}
+		if (token == null) {
+			throw new Saml2Exception(format("SAML 2 Provider for %s was not found.", issuer));
+		}
+		boolean responseSigned = hasValidSignature(samlResponse, token);
+		for (Assertion a : samlResponse.getAssertions()) {
+			if (logger.isDebugEnabled()) {
+				logger.debug("Checking plain assertion validity " + a);
+			}
+			if (isValidAssertion(recipient, a, token, !responseSigned)) {
+				if (logger.isDebugEnabled()) {
+					logger.debug("Found valid assertion. Skipping potential others.");
+				}
+				return a;
+			}
+		}
+		for (EncryptedAssertion ea : samlResponse.getEncryptedAssertions()) {
+			if (logger.isDebugEnabled()) {
+				logger.debug("Checking encrypted assertion validity " + ea);
+			}
+
+			Assertion a = decrypt(token, ea);
+			if (isValidAssertion(recipient, a, token, false)) {
+				if (logger.isDebugEnabled()) {
+					logger.debug("Found valid encrypted assertion. Skipping potential others.");
+				}
+				return a;
+			}
+		}
+		throw new InsufficientAuthenticationException("Unable to find a valid assertion");
+	}
+
+	private boolean hasValidSignature(SignableSAMLObject samlResponse, Saml2AuthenticationToken token) {
+		if (!samlResponse.isSigned()) {
+			return false;
+		}
+
+		final List<X509Certificate> verificationKeys = getVerificationKeys(token);
+		if (verificationKeys.isEmpty()) {
+			return false;
+		}
+
+		for (X509Certificate key : verificationKeys) {
+			final Credential credential = getVerificationCredential(key);
+			try {
+				SignatureValidator.validate(samlResponse.getSignature(), credential);
+				return true;
+			}
+			catch (SignatureException ignored) {
+				logger.debug("Signature validation failed", ignored);
+			}
+		}
+		return false;
+	}
+
+	private boolean isValidAssertion(String recipient, Assertion a, Saml2AuthenticationToken token, boolean signatureRequired) {
+		final SAML20AssertionValidator validator = getAssertionValidator(token);
+		Map<String, Object> validationParams = new HashMap<>();
+		validationParams.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false);
+		validationParams.put(
+				SAML2AssertionValidationParameters.CLOCK_SKEW,
+				this.responseTimeValidationSkew
+		);
+		validationParams.put(
+				SAML2AssertionValidationParameters.COND_VALID_AUDIENCES,
+				singleton(token.getLocalSpEntityId())
+		);
+		if (hasText(recipient)) {
+			validationParams.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, singleton(recipient));
+		}
+
+		if (signatureRequired && !hasValidSignature(a, token)) {
+			if (logger.isDebugEnabled()) {
+				logger.debug(format("Assertion [%s] does not a valid signature.", a.getID()));
+			}
+			return false;
+		}
+		a.setSignature(null);
+
+		// validation for recipient
+		ValidationContext vctx = new ValidationContext(validationParams);
+		try {
+			final ValidationResult result = validator.validate(a, vctx);
+			final boolean valid = result.equals(ValidationResult.VALID);
+			if (!valid) {
+				if (logger.isDebugEnabled()) {
+					logger.debug(format("Failed to validate assertion from %s with user %s", token.getIdpEntityId(),
+							getUsername(token, a)
+					));
+				}
+			}
+			return valid;
+		}
+		catch (AssertionValidationException e) {
+			if (logger.isDebugEnabled()) {
+				logger.debug("Failed to validate assertion:", e);
+			}
+			return false;
+		}
+
+	}
+
+	private Response getSaml2Response(String xml) throws Saml2Exception, AuthenticationException {
+		final Object result = this.saml.resolve(xml);
+		if (result == null) {
+			throw new AuthenticationCredentialsNotFoundException("SAMLResponse returned null object");
+		}
+		else if (result instanceof Response) {
+			return (Response) result;
+		}
+		throw new IllegalArgumentException("Invalid response class:"+result.getClass().getName());
+	}
+
+	private SAML20AssertionValidator getAssertionValidator(Saml2AuthenticationToken provider) {
+		List<ConditionValidator> conditions = Collections.singletonList(new AudienceRestrictionConditionValidator());
+		final BearerSubjectConfirmationValidator subjectConfirmationValidator =
+				new BearerSubjectConfirmationValidator();
+
+		List<SubjectConfirmationValidator> subjects = Collections.singletonList(subjectConfirmationValidator);
+		List<StatementValidator> statements = Collections.emptyList();
+
+		Set<Credential> credentials = new HashSet<>();
+		for (X509Certificate key : getVerificationKeys(provider)) {
+			final Credential cred = getVerificationCredential(key);
+			credentials.add(cred);
+		}
+		CredentialResolver credentialsResolver = new CollectionCredentialResolver(credentials);
+		SignatureTrustEngine signatureTrustEngine = new ExplicitKeySignatureTrustEngine(
+				credentialsResolver,
+				DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver()
+		);
+		SignaturePrevalidator signaturePrevalidator = new SAMLSignatureProfileValidator();
+		return new SAML20AssertionValidator(
+				conditions,
+				subjects,
+				statements,
+				signatureTrustEngine,
+				signaturePrevalidator
+		);
+	}
+
+	private Credential getVerificationCredential(X509Certificate certificate) {
+		return CredentialSupport.getSimpleCredential(certificate, null);
+	}
+
+	private Decrypter getDecrypter(Saml2X509Credential key) {
+		Credential credential = CredentialSupport.getSimpleCredential(key.getCertificate(), key.getPrivateKey());
+		KeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(credential);
+		Decrypter decrypter = new Decrypter(null, resolver, this.saml.getEncryptedKeyResolver());
+		decrypter.setRootInNewDocument(true);
+		return decrypter;
+	}
+
+	private Assertion decrypt(Saml2AuthenticationToken token, EncryptedAssertion assertion) {
+		Saml2Exception last = null;
+		List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(token);
+		if (decryptionCredentials.isEmpty()) {
+			throw new Saml2Exception("No valid decryption credentials found.");
+		}
+		for (Saml2X509Credential key : decryptionCredentials) {
+			final Decrypter decrypter = getDecrypter(key);
+			try {
+				return decrypter.decrypt(assertion);
+			}
+			catch (DecryptionException e) {
+				last = new Saml2Exception(e);
+			}
+		}
+		throw last;
+	}
+
+	private NameID decrypt(Saml2AuthenticationToken token, EncryptedID assertion) {
+		Saml2Exception last = null;
+		List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(token);
+		if (decryptionCredentials.isEmpty()) {
+			throw new Saml2Exception("No valid decryption credentials found.");
+		}
+		for (Saml2X509Credential key : decryptionCredentials) {
+			final Decrypter decrypter = getDecrypter(key);
+			try {
+				return (NameID) decrypter.decrypt(assertion);
+			}
+			catch (DecryptionException e) {
+				last = new Saml2Exception(e);
+			}
+		}
+		throw last;
+	}
+
+	private List<Saml2X509Credential> getDecryptionCredentials(Saml2AuthenticationToken token) {
+		List<Saml2X509Credential> result = new LinkedList<>();
+		for (Saml2X509Credential c : token.getX509Credentials()) {
+			if (c.isDecryptionCredential()) {
+				result.add(c);
+			}
+		}
+		return result;
+	}
+
+	private List<X509Certificate> getVerificationKeys(Saml2AuthenticationToken token) {
+		List<X509Certificate> result = new LinkedList<>();
+		for (Saml2X509Credential c : token.getX509Credentials()) {
+			if (c.isSignatureVerficationCredential()) {
+				result.add(c.getCertificate());
+			}
+		}
+		return result;
+	}
+}
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.springframework.util.Assert;
+
+import org.joda.time.DateTime;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.saml.saml2.core.AuthnRequest;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.security.SecurityException;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+
+import java.time.Clock;
+import java.time.Instant;
+import java.util.UUID;
+
+/**
+ * @since 5.2
+ */
+public class OpenSamlAuthenticationRequestFactory implements Saml2AuthenticationRequestFactory {
+	private Clock clock = Clock.systemUTC();
+	private final OpenSamlImplementation saml = OpenSamlImplementation.getInstance();
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public String createAuthenticationRequest(Saml2AuthenticationRequest request) {
+		AuthnRequest auth = this.saml.buildSAMLObject(AuthnRequest.class);
+		auth.setID("ARQ" + UUID.randomUUID().toString().substring(1));
+		auth.setIssueInstant(new DateTime(this.clock.millis()));
+		auth.setForceAuthn(Boolean.FALSE);
+		auth.setIsPassive(Boolean.FALSE);
+		auth.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
+		Issuer issuer = this.saml.buildSAMLObject(Issuer.class);
+		issuer.setValue(request.getLocalSpEntityId());
+		auth.setIssuer(issuer);
+		auth.setDestination(request.getWebSsoUri());
+		try {
+			return this.saml.toXml(
+					auth,
+					request.getCredentials(),
+					request.getLocalSpEntityId()
+			);
+		}
+		catch (MarshallingException | SignatureException | SecurityException e) {
+			throw new IllegalStateException(e);
+		}
+	}
+
+	/**
+	 * '
+	 * Use this {@link Clock} with {@link Instant#now()} for generating
+	 * timestamps
+	 *
+	 * @param clock
+	 */
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
+}
@@ -0,0 +1,255 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.saml2.provider.service.authentication;
+
+import java.io.ByteArrayInputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import javax.xml.XMLConstants;
+import javax.xml.namespace.QName;
+
+import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.credentials.Saml2X509Credential;
+
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+import net.shibboleth.utilities.java.support.xml.BasicParserPool;
+import net.shibboleth.utilities.java.support.xml.SerializeSupport;
+import net.shibboleth.utilities.java.support.xml.XMLParserException;
+import org.opensaml.core.config.ConfigurationService;
+import org.opensaml.core.config.InitializationException;
+import org.opensaml.core.config.InitializationService;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.MarshallerFactory;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.core.xml.io.UnmarshallerFactory;
+import org.opensaml.core.xml.io.UnmarshallingException;
+import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
+import org.opensaml.security.SecurityException;
+import org.opensaml.security.credential.BasicCredential;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.security.credential.CredentialSupport;
+import org.opensaml.security.credential.UsageType;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.SignatureSigningParameters;
+import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
+import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
+import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
+import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+import org.opensaml.xmlsec.signature.support.SignatureException;
+import org.opensaml.xmlsec.signature.support.SignatureSupport;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import static java.lang.Boolean.FALSE;
+import static java.lang.Boolean.TRUE;
+import static java.util.Arrays.asList;
+import static org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getBuilderFactory;
+
+/**
+ * @since 5.2
+ */
+final class OpenSamlImplementation {
+	private static OpenSamlImplementation instance = new OpenSamlImplementation();
+
+	private final BasicParserPool parserPool = new BasicParserPool();
+	private final EncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(
+			asList(
+					new InlineEncryptedKeyResolver(),
+					new EncryptedElementTypeEncryptedKeyResolver(),
+					new SimpleRetrievalMethodEncryptedKeyResolver()
+			)
+	);
+
+	private OpenSamlImplementation() {
+		bootstrap();
+	}
+
+	/*
+	 * ==============================================================
+	 * PRIVATE METHODS
+	 * ==============================================================
+	 */
+	private void bootstrap() {
+		// configure default values
+		// maxPoolSize = 5;
+		this.parserPool.setMaxPoolSize(50);
+		// coalescing = true;
+		this.parserPool.setCoalescing(true);
+		// expandEntityReferences = false;
+		this.parserPool.setExpandEntityReferences(false);
+		// ignoreComments = true;
+		this.parserPool.setIgnoreComments(true);
+		// ignoreElementContentWhitespace = true;
+		this.parserPool.setIgnoreElementContentWhitespace(true);
+		// namespaceAware = true;
+		this.parserPool.setNamespaceAware(true);
+		// schema = null;
+		this.parserPool.setSchema(null);
+		// dtdValidating = false;
+		this.parserPool.setDTDValidating(false);
+		// xincludeAware = false;
+		this.parserPool.setXincludeAware(false);
+
+		Map<String, Object> builderAttributes = new HashMap<>();
+		this.parserPool.setBuilderAttributes(builderAttributes);
+
+		Map<String, Boolean> parserBuilderFeatures = new HashMap<>();
+		parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", TRUE);
+		parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, TRUE);
+		parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", FALSE);
+		parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", FALSE);
+		parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", FALSE);
+		parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", FALSE);
+		this.parserPool.setBuilderFeatures(parserBuilderFeatures);
+
+		try {
+			this.parserPool.initialize();
+		}
+		catch (ComponentInitializationException x) {
+			throw new Saml2Exception("Unable to initialize OpenSaml v3 ParserPool", x);
+		}
+
+		try {
+			InitializationService.initialize();
+		}
+		catch (InitializationException e) {
+			throw new Saml2Exception("Unable to initialize OpenSaml v3", e);
+		}
+
+		XMLObjectProviderRegistry registry;
+		synchronized (ConfigurationService.class) {
+			registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
+			if (registry == null) {
+				registry = new XMLObjectProviderRegistry();
+				ConfigurationService.register(XMLObjectProviderRegistry.class, registry);
+			}
+		}
+
+		registry.setParserPool(this.parserPool);
+	}
+
+	/*
+	 * ==============================================================
+	 * PUBLIC METHODS
+	 * ==============================================================
+	 */
+	static OpenSamlImplementation getInstance() {
+		return instance;
+	}
+
+	EncryptedKeyResolver getEncryptedKeyResolver() {
+		return this.encryptedKeyResolver;
+	}
+
+	<T> T buildSAMLObject(final Class<T> clazz) {
+		try {
+			QName defaultElementName = (QName) clazz.getDeclaredField("DEFAULT_ELEMENT_NAME").get(null);
+			return (T) getBuilderFactory().getBuilder(defaultElementName).buildObject(defaultElementName);
+		}
+		catch (IllegalAccessException e) {
+			throw new Saml2Exception("Could not create SAML object", e);
+		}
+		catch (NoSuchFieldException e) {
+			throw new Saml2Exception("Could not create SAML object", e);
+		}
+	}
+
+	XMLObject resolve(String xml) {
+		return resolve(xml.getBytes(StandardCharsets.UTF_8));
+	}
+
+	private XMLObject resolve(byte[] xml) {
+		XMLObject parsed = parse(xml);
+		if (parsed != null) {
+			return parsed;
+		}
+		throw new Saml2Exception("Deserialization not supported for given data set");
+	}
+
+	private XMLObject parse(byte[] xml) {
+		try {
+			Document document = this.parserPool.parse(new ByteArrayInputStream(xml));
+			Element element = document.getDocumentElement();
+			return getUnmarshallerFactory().getUnmarshaller(element).unmarshall(element);
+		}
+		catch (UnmarshallingException | XMLParserException e) {
+			throw new Saml2Exception(e);
+		}
+	}
+
+	private UnmarshallerFactory getUnmarshallerFactory() {
+		return XMLObjectProviderRegistrySupport.getUnmarshallerFactory();
+	}
+
+	String toXml(XMLObject object, List<Saml2X509Credential> signingCredentials, String localSpEntityId)
+			throws MarshallingException, SignatureException, SecurityException {
+		if (object instanceof SignableSAMLObject && null != hasSigningCredential(signingCredentials)) {
+			signXmlObject(
+					(SignableSAMLObject) object,
+					getSigningCredential(signingCredentials, localSpEntityId)
+			);
+		}
+		final MarshallerFactory marshallerFactory = XMLObjectProviderRegistrySupport.getMarshallerFactory();
+		Element element = marshallerFactory.getMarshaller(object).marshall(object);
+		return SerializeSupport.nodeToString(element);
+	}
+
+	private Saml2X509Credential hasSigningCredential(List<Saml2X509Credential> credentials) {
+		for (Saml2X509Credential c : credentials) {
+			if (c.isSigningCredential()) {
+				return c;
+			}
+		}
+		return null;
+	}
+
+	private void signXmlObject(SignableSAMLObject object, Credential credential)
+			throws MarshallingException, SecurityException, SignatureException {
+		SignatureSigningParameters parameters = new SignatureSigningParameters();
+		parameters.setSigningCredential(credential);
+		parameters.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+		parameters.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+		parameters.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+		SignatureSupport.signObject(object, parameters);
+	}
+
+	private Credential getSigningCredential(List<Saml2X509Credential> signingCredential,
+											String localSpEntityId
+	) {
+		Saml2X509Credential credential = hasSigningCredential(signingCredential);
+		if (credential == null) {
+			throw new IllegalArgumentException("no signing credential configured");
+		}
+		BasicCredential cred = getBasicCredential(credential);
+		cred.setEntityId(localSpEntityId);
+		cred.setUsageType(UsageType.SIGNING);
+		return cred;
+	}
+
+	private BasicX509Credential getBasicCredential(Saml2X509Credential credential) {
+		return CredentialSupport.getSimpleCredential(
+				credential.getCertificate(),
+				credential.getPrivateKey()
+		);
+	}
+
+}
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.AuthenticatedPrincipal;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.util.Assert;
+
+import java.util.Collection;
+
+/**
+ * An implementation of an {@link AbstractAuthenticationToken}
+ * that represents an authenticated SAML 2.0 {@link Authentication}.
+ * <p>
+ * The {@link Authentication} associates valid SAML assertion
+ * data with a Spring Security authentication object
+ * The complete assertion is contained in the object in String format,
+ * {@link Saml2Authentication#getSaml2Response()}
+ * @since 5.2
+ * @see AbstractAuthenticationToken
+ */
+public class Saml2Authentication extends AbstractAuthenticationToken {
+
+	private final AuthenticatedPrincipal principal;
+	private final String saml2Response;
+
+	public Saml2Authentication(AuthenticatedPrincipal principal,
+			String saml2Response,
+			Collection<? extends GrantedAuthority> authorities) {
+		super(authorities);
+		Assert.notNull(principal, "principal cannot be null");
+		Assert.hasText(saml2Response, "saml2Response cannot be null");
+		this.principal = principal;
+		this.saml2Response = saml2Response;
+		setAuthenticated(true);
+	}
+
+	@Override
+	public Object getPrincipal() {
+		return this.principal;
+	}
+
+	/**
+	 * Returns the SAML response object, as decoded XML. May contain encrypted elements
+	 * @return string representation of the SAML Response XML object
+	 */
+	public String getSaml2Response() {
+		return this.saml2Response;
+	}
+
+	@Override
+	public Object getCredentials() {
+		return getSaml2Response();
+	}
+
+}
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.springframework.security.saml2.credentials.Saml2X509Credential;
+import org.springframework.util.Assert;
+
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * Data holder for information required to send an {@code AuthNRequest}
+ * from the service provider to the identity provider
+ *
+ * @see {@link Saml2AuthenticationRequestFactory}
+ * @see https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf (line 2031)
+ * @since 5.2
+ */
+public class Saml2AuthenticationRequest {
+	private final String localSpEntityId;
+	private final List<Saml2X509Credential> credentials;
+	private String webSsoUri;
+
+	public Saml2AuthenticationRequest(String localSpEntityId, String webSsoUri, List<Saml2X509Credential> credentials) {
+		Assert.hasText(localSpEntityId, "localSpEntityId cannot be null");
+		Assert.hasText(localSpEntityId, "webSsoUri cannot be null");
+		this.localSpEntityId = localSpEntityId;
+		this.webSsoUri = webSsoUri;
+		this.credentials = new LinkedList<>();
+		for (Saml2X509Credential c : credentials) {
+			if (c.isSigningCredential()) {
+				this.credentials.add(c);
+			}
+		}
+		Assert.notEmpty(this.credentials, "at least one SIGNING credential must be present");
+	}
+
+
+	public String getLocalSpEntityId() {
+		return this.localSpEntityId;
+	}
+
+	public String getWebSsoUri() {
+		return this.webSsoUri;
+	}
+
+	public List<Saml2X509Credential> getCredentials() {
+		return this.credentials;
+	}
+}
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+/**
+ * Component that generates an AuthenticationRequest, <code>samlp:AuthnRequestType</code> as defined by
+ * https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
+ * Page 50, Line 2147
+ *
+ * @since 5.2
+ */
+public interface Saml2AuthenticationRequestFactory {
+	/**
+	 * Creates an authentication request from the Service Provider, sp,
+	 * to the Identity Provider, idp.
+	 * The authentication result is an XML string that may be signed, encrypted, both or neither.
+	 *
+	 * @param request - information about the identity provider, the recipient of this authentication request and
+	 *                accompanying data
+	 * @return XML data in the format of a String. This data may be signed, encrypted, both signed and encrypted or
+	 * neither signed and encrypted
+	 */
+	String createAuthenticationRequest(Saml2AuthenticationRequest request);
+}
@@ -0,0 +1,133 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.saml2.credentials.Saml2X509Credential;
+
+import java.util.List;
+
+/**
+ * Represents an incoming SAML 2.0 response containing an assertion that has not been validated.
+ * {@link Saml2AuthenticationToken#isAuthenticated()} will always return false.
+ * @since 5.2
+ */
+public class Saml2AuthenticationToken extends AbstractAuthenticationToken {
+
+	private final String saml2Response;
+	private final String recipientUri;
+	private String idpEntityId;
+	private String localSpEntityId;
+	private List<Saml2X509Credential> credentials;
+
+	/**
+	 * Creates an authentication token from an incoming SAML 2 Response object
+	 * @param saml2Response inflated and decoded XML representation of the SAML 2 Response
+	 * @param recipientUri the URL that the SAML 2 Response was received at. Used for validation
+	 * @param idpEntityId the entity ID of the asserting entity
+	 * @param localSpEntityId the configured local SP, the relying party, entity ID
+	 * @param credentials the credentials configured for signature verification and decryption
+	 */
+	public Saml2AuthenticationToken(String saml2Response,
+									String recipientUri,
+									String idpEntityId,
+									String localSpEntityId,
+									List<Saml2X509Credential> credentials) {
+		super(null);
+		this.saml2Response = saml2Response;
+		this.recipientUri = recipientUri;
+		this.idpEntityId = idpEntityId;
+		this.localSpEntityId = localSpEntityId;
+		this.credentials = credentials;
+	}
+
+	/**
+	 * Returns the decoded and inflated SAML 2.0 Response XML object as a string
+	 * @return decoded and inflated XML data as a {@link String}
+	 */
+	@Override
+	public Object getCredentials() {
+		return getSaml2Response();
+	}
+
+	/**
+	 * Always returns null.
+	 * @return null
+	 */
+	@Override
+	public Object getPrincipal() {
+		return null;
+	}
+
+	/**
+	 * Returns inflated and decoded XML representation of the SAML 2 Response
+	 * @return inflated and decoded XML representation of the SAML 2 Response
+	 */
+	public String getSaml2Response() {
+		return this.saml2Response;
+	}
+
+	/**
+	 * Returns the URI that the SAML 2 Response object came in on
+	 * @return URI as a string
+	 */
+	public String getRecipientUri() {
+		return this.recipientUri;
+	}
+
+	/**
+	 * Returns the configured entity ID of the receiving relying party, SP
+	 * @return an entityID for the configured local relying party
+	 */
+	public String getLocalSpEntityId() {
+		return this.localSpEntityId;
+	}
+
+	/**
+	 * Returns all the credentials associated with the relying party configuraiton
+	 * @return
+	 */
+	public List<Saml2X509Credential> getX509Credentials() {
+		return this.credentials;
+	}
+
+	/**
+	 * @return false
+	 */
+	@Override
+	public boolean isAuthenticated() {
+		return false;
+	}
+
+	/**
+	 * The state of this object cannot be changed. Will always throw an exception
+	 * @param authenticated ignored
+	 * @throws {@link IllegalArgumentException}
+	 */
+	@Override
+	public void setAuthenticated(boolean authenticated) {
+		throw new IllegalArgumentException();
+	}
+
+	/**
+	 * Returns the configured IDP, asserting party, entity ID
+	 * @return a string representing the entity ID
+	 */
+	public String getIdpEntityId() {
+		return this.idpEntityId;
+	}
+}
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.registration;
+
+import org.springframework.util.Assert;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import static java.util.Arrays.asList;
+import static org.springframework.util.Assert.notEmpty;
+import static org.springframework.util.Assert.notNull;
+
+/**
+ * @since 5.2
+ */
+public class InMemoryRelyingPartyRegistrationRepository
+		implements RelyingPartyRegistrationRepository, Iterable<RelyingPartyRegistration> {
+
+	private final Map<String, RelyingPartyRegistration> byRegistrationId;
+
+	public InMemoryRelyingPartyRegistrationRepository(RelyingPartyRegistration... registrations) {
+		this(asList(registrations));
+	}
+
+	public InMemoryRelyingPartyRegistrationRepository(Collection<RelyingPartyRegistration> registrations) {
+		notEmpty(registrations, "registrations cannot be empty");
+		this.byRegistrationId = createMappingToIdentityProvider(registrations);
+	}
+
+	private static Map<String, RelyingPartyRegistration> createMappingToIdentityProvider(
+			Collection<RelyingPartyRegistration> rps
+	) {
+		LinkedHashMap<String, RelyingPartyRegistration> result = new LinkedHashMap<>();
+		for (RelyingPartyRegistration rp : rps) {
+			notNull(rp, "relying party collection cannot contain null values");
+			String key = rp.getRegistrationId();
+			notNull(rp, "relying party identifier cannot be null");
+			Assert.isNull(result.get(key), () -> "relying party duplicate identifier '" + key+"' detected.");
+			result.put(key, rp);
+		}
+		return Collections.unmodifiableMap(result);
+	}
+
+	@Override
+	public RelyingPartyRegistration findByRegistrationId(String id) {
+			return this.byRegistrationId.get(id);
+	}
+
+	@Override
+	public Iterator<RelyingPartyRegistration> iterator() {
+		return this.byRegistrationId.values().iterator();
+	}
+
+}
@@ -0,0 +1,304 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.registration;
+
+import org.springframework.security.saml2.credentials.Saml2X509Credential;
+import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType;
+import org.springframework.util.Assert;
+
+import java.util.Collection;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.function.Consumer;
+import java.util.function.Function;
+
+import static java.util.Collections.unmodifiableList;
+import static org.springframework.util.Assert.hasText;
+import static org.springframework.util.Assert.notEmpty;
+import static org.springframework.util.Assert.notNull;
+
+/**
+ * Represents a configured service provider, SP, and a remote identity provider, IDP, pair.
+ * Each SP/IDP pair is uniquely identified using a <code>registrationId</code>, an arbitrary string.
+ * A fully configured registration may look like
+ * <pre>
+ *		//remote IDP entity ID
+ *		String idpEntityId = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php";
+ *		//remote WebSSO Endpoint - Where to Send AuthNRequests to
+ *		String webSsoEndpoint = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php";
+ *		//local registration ID
+ *		String registrationId = "simplesamlphp";
+ *		//local entity ID - autogenerated based on URL
+ *		String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
+ *		//local SSO URL - autogenerated, endpoint to receive SAML Response objects
+ *		String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
+ *		//local signing (and local decryption key and remote encryption certificate)
+ *		Saml2X509Credential signingCredential = getSigningCredential();
+ *		//IDP certificate for verification of incoming messages
+ *		Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
+ *		RelyingPartyRegistration rp = RelyingPartyRegistration.withRegistrationId(registrationId)
+ * 				.remoteIdpEntityId(idpEntityId)
+ * 				.idpWebSsoUrl(webSsoEndpoint)
+ * 				.credentials(c -> c.add(signingCredential))
+ * 				.credentials(c -> c.add(idpVerificationCertificate))
+ * 				.localEntityIdTemplate(localEntityIdTemplate)
+ * 				.assertionConsumerServiceUrlTemplate(acsTemplate)
+ * 				.build();
+ * </pre>
+ * @since 5.2
+ */
+public class RelyingPartyRegistration {
+
+	private final String registrationId;
+	private final String remoteIdpEntityId;
+	private final String assertionConsumerServiceUrlTemplate;
+	private final String idpWebSsoUrl;
+	private final List<Saml2X509Credential> credentials;
+	private final String localEntityIdTemplate;
+
+	private RelyingPartyRegistration(String idpEntityId, String registrationId, String assertionConsumerServiceUrlTemplate,
+			String idpWebSsoUri, List<Saml2X509Credential> credentials, String localEntityIdTemplate) {
+		hasText(idpEntityId, "idpEntityId cannot be empty");
+		hasText(registrationId, "registrationId cannot be empty");
+		hasText(assertionConsumerServiceUrlTemplate, "assertionConsumerServiceUrlTemplate cannot be empty");
+		hasText(localEntityIdTemplate, "localEntityIdTemplate cannot be empty");
+		notEmpty(credentials, "credentials cannot be empty");
+		notNull(idpWebSsoUri, "idpWebSsoUri cannot be empty");
+		for (Saml2X509Credential c : credentials) {
+			notNull(c, "credentials cannot contain null elements");
+		}
+		this.registrationId = registrationId;
+		this.remoteIdpEntityId = idpEntityId;
+		this.assertionConsumerServiceUrlTemplate = assertionConsumerServiceUrlTemplate;
+		this.credentials = unmodifiableList(new LinkedList<>(credentials));
+		this.idpWebSsoUrl = idpWebSsoUri;
+		this.localEntityIdTemplate = localEntityIdTemplate;
+	}
+
+	/**
+	 * Returns the entity ID of the IDP, the asserting party.
+	 * @return entity ID of the asserting party
+	 */
+	public String getRemoteIdpEntityId() {
+		return this.remoteIdpEntityId;
+	}
+
+	/**
+	 * Returns the unique relying party registration ID
+	 * @return registrationId
+	 */
+	public String getRegistrationId() {
+		return this.registrationId;
+	}
+
+	/**
+	 * returns the URL template for which ACS URL authentication requests should contain
+	 * Possible variables are {@code baseUrl}, {@code registrationId},
+	 * {@code baseScheme}, {@code baseHost}, and {@code basePort}.
+	 * @return string containing the ACS URL template, with or without variables present
+	 */
+	public String getAssertionConsumerServiceUrlTemplate() {
+		return this.assertionConsumerServiceUrlTemplate;
+	}
+
+	/**
+	 * Contains the URL for which to send the SAML 2 Authentication Request to initiate
+	 * a single sign on flow.
+	 * @return a IDP URL that accepts REDIRECT or POST binding for authentication requests
+	 */
+	public String getIdpWebSsoUrl() {
+		return this.idpWebSsoUrl;
+	}
+
+	/**
+	 * The local relying party, or Service Provider, can generate it's entity ID based on
+	 * possible variables of {@code baseUrl}, {@code registrationId},
+	 * {@code baseScheme}, {@code baseHost}, and {@code basePort}, for example
+	 * {@code {baseUrl}/saml2/service-provider-metadata/{registrationId}}
+	 * @return a string containing the entity ID or entity ID template
+	 */
+	public String getLocalEntityIdTemplate() {
+		return this.localEntityIdTemplate;
+	}
+
+	/**
+	 * Returns a list of configured credentials to be used in message exchanges between relying party, SP, and
+	 * asserting party, IDP.
+	 * @return a list of credentials
+	 */
+	public List<Saml2X509Credential> getCredentials() {
+		return this.credentials;
+	}
+
+	/**
+	 * @return a filtered list containing only credentials of type
+	 * {@link Saml2X509CredentialType#VERIFICATION}.
+	 * Returns an empty list of credentials are not found
+	 */
+	public List<Saml2X509Credential> getVerificationCredentials() {
+		return filterCredentials(c -> c.isSignatureVerficationCredential());
+	}
+
+	/**
+	 * @return a filtered list containing only credentials of type
+	 * {@link Saml2X509CredentialType#SIGNING}.
+	 * Returns an empty list of credentials are not found
+	 */
+	public List<Saml2X509Credential> getSigningCredentials() {
+		return filterCredentials(c -> c.isSigningCredential());
+	}
+
+	/**
+	 * @return a filtered list containing only credentials of type
+	 * {@link Saml2X509CredentialType#ENCRYPTION}.
+	 * Returns an empty list of credentials are not found
+	 */
+	public List<Saml2X509Credential> getEncryptionCredentials() {
+		return filterCredentials(c -> c.isEncryptionCredential());
+	}
+
+	/**
+	 * @return a filtered list containing only credentials of type
+	 * {@link Saml2X509CredentialType#DECRYPTION}.
+	 * Returns an empty list of credentials are not found
+	 */
+	public List<Saml2X509Credential> getDecryptionCredentials() {
+		return filterCredentials(c -> c.isDecryptionCredential());
+	}
+
+	private List<Saml2X509Credential> filterCredentials(Function<Saml2X509Credential, Boolean> filter) {
+		List<Saml2X509Credential> result = new LinkedList<>();
+		for (Saml2X509Credential c : getCredentials()) {
+			if (filter.apply(c)) {
+				result.add(c);
+			}
+		}
+		return result;
+	}
+
+	/**
+	 * Creates a {@code RelyingPartyRegistration} {@link Builder} with a known {@code registrationId}
+	 * @param registrationId a string identifier for the {@code RelyingPartyRegistration}
+	 * @return {@code Builder} to create a {@code RelyingPartyRegistration} object
+	 */
+	public static Builder withRegistrationId(String registrationId) {
+		Assert.hasText(registrationId, "registrationId cannot be empty");
+		return new Builder(registrationId);
+	}
+
+	public static class Builder {
+		private String registrationId;
+		private String remoteIdpEntityId;
+		private String idpWebSsoUrl;
+		private String assertionConsumerServiceUrlTemplate;
+		private List<Saml2X509Credential> credentials = new LinkedList<>();
+		private String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
+
+		private Builder(String registrationId) {
+			this.registrationId = registrationId;
+		}
+
+
+		/**
+		 * Sets the {@code registrationId} template. Often be used in URL paths
+		 * @param id registrationId for this object, should be unique
+		 * @return this object
+		 */
+		public Builder registrationId(String id) {
+			this.registrationId = id;
+			return this;
+		}
+
+		/**
+		 * Sets the {@code entityId} for the remote asserting party, the Identity Provider.
+		 * @param entityId the IDP entityId
+		 * @return this object
+		 */
+		public Builder remoteIdpEntityId(String entityId) {
+			this.remoteIdpEntityId = entityId;
+			return this;
+		}
+
+		/**
+		 * <a href="https://wiki.shibboleth.net/confluence/display/CONCEPT/AssertionConsumerService">Assertion Consumer
+		 * Service</a> URL template. It can contain variables {@code baseUrl}, {@code registrationId},
+		 * {@code baseScheme}, {@code baseHost}, and {@code basePort}.
+		 * @param assertionConsumerServiceUrlTemplate the Assertion Consumer Service URL template (i.e.
+		 * "{baseUrl}/login/saml2/sso/{registrationId}".
+		 * @return this object
+		 */
+		public Builder assertionConsumerServiceUrlTemplate(String assertionConsumerServiceUrlTemplate) {
+			this.assertionConsumerServiceUrlTemplate = assertionConsumerServiceUrlTemplate;
+			return this;
+		}
+
+		/**
+		 * Sets the {@code SSO URL} for the remote asserting party, the Identity Provider.
+		 * @param url - a URL that accepts authentication requests via REDIRECT or POST bindings
+		 * @return this object
+		 */
+		public Builder idpWebSsoUrl(String url) {
+			this.idpWebSsoUrl = url;
+			return this;
+		}
+
+		/**
+		 * Modifies the collection of {@link Saml2X509Credential} objects
+		 * used in communication between IDP and SP
+		 * For example:
+		 * <code>
+		 *     Saml2X509Credential credential = ...;
+		 *     return RelyingPartyRegistration.withRegistrationId("id")
+		 *             .credentials(c -> c.add(credential))
+		 *             ...
+		 *             .build();
+		 * </code>
+		 * @param credentials - a consumer that can modify the collection of credentials
+		 * @return this object
+		 */
+		public Builder credentials(Consumer<Collection<Saml2X509Credential>> credentials) {
+			credentials.accept(this.credentials);
+			return this;
+		}
+
+		/**
+		 * Sets the local relying party, or Service Provider, entity Id template.
+		 * can generate it's entity ID based on possible variables of {@code baseUrl}, {@code registrationId},
+		 * {@code baseScheme}, {@code baseHost}, and {@code basePort}, for example
+		 * {@code {baseUrl}/saml2/service-provider-metadata/{registrationId}}
+		 * @return a string containing the entity ID or entity ID template
+		 */
+
+		public Builder localEntityIdTemplate(String template) {
+			this.localEntityIdTemplate = template;
+			return this;
+		}
+
+		public RelyingPartyRegistration build() {
+			return new RelyingPartyRegistration(
+					remoteIdpEntityId,
+					registrationId,
+					assertionConsumerServiceUrlTemplate,
+					idpWebSsoUrl,
+					credentials,
+					localEntityIdTemplate
+			);
+		}
+	}
+
+
+}
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.registration;
+
+/**
+ * Resolves a {@link RelyingPartyRegistration}, a configured service provider and remote identity provider pair,
+ * by entityId or registrationId
+ * @since 5.2
+ */
+public interface RelyingPartyRegistrationRepository {
+
+	/**
+	 * Resolves an {@link RelyingPartyRegistration} by registrationId, or returns the default provider
+	 * if no registrationId is provided
+	 *
+	 * @param registrationId - a provided registrationId, may be be null or empty
+	 * @return {@link RelyingPartyRegistration} if found, {@code null} if an registrationId is provided and
+	 * no registration is found. Returns a default, implementation specific,
+	 * {@link RelyingPartyRegistration} if no registrationId is provided
+	 */
+	RelyingPartyRegistration findByRegistrationId(String registrationId);
+
+}
@@ -0,0 +1,134 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.servlet.filter;
+
+import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.zip.Deflater;
+import java.util.zip.DeflaterOutputStream;
+import java.util.zip.Inflater;
+import java.util.zip.InflaterOutputStream;
+import javax.servlet.http.HttpServletRequest;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.zip.Deflater.DEFLATED;
+import static org.springframework.security.web.util.UrlUtils.buildFullRequestUrl;
+import static org.springframework.web.util.UriComponentsBuilder.fromHttpUrl;
+
+/**
+ * @since 5.2
+ */
+final class Saml2Utils {
+
+	private static final char PATH_DELIMITER = '/';
+	private static Base64.Encoder ENCODER = Base64.getEncoder();
+	private static Base64.Decoder DECODER = Base64.getDecoder();
+
+	static String encode(byte[] b) {
+		return ENCODER.encodeToString(b);
+	}
+
+	static byte[] decode(String s) {
+		return DECODER.decode(s);
+	}
+
+	static byte[] deflate(String s) {
+		try {
+			ByteArrayOutputStream b = new ByteArrayOutputStream();
+			DeflaterOutputStream deflater = new DeflaterOutputStream(b, new Deflater(DEFLATED, true));
+			deflater.write(s.getBytes(UTF_8));
+			deflater.finish();
+			return b.toByteArray();
+		}
+		catch (IOException e) {
+			throw new Saml2Exception("Unable to deflate string", e);
+		}
+	}
+
+	static String inflate(byte[] b) {
+		try {
+			ByteArrayOutputStream out = new ByteArrayOutputStream();
+			InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
+			iout.write(b);
+			iout.finish();
+			return new String(out.toByteArray(), UTF_8);
+		}
+		catch (IOException e) {
+			throw new Saml2Exception("Unable to inflate string", e);
+		}
+	}
+
+	static String getServiceProviderEntityId(RelyingPartyRegistration rp, HttpServletRequest request) {
+		return resolveUrlTemplate(
+				rp.getLocalEntityIdTemplate(),
+				getApplicationUri(request),
+				rp.getRemoteIdpEntityId(),
+				rp.getRegistrationId()
+		);
+	}
+
+	static String resolveUrlTemplate(String template, String baseUrl, String entityId, String registrationId) {
+		if (!StringUtils.hasText(template)) {
+			return baseUrl;
+		}
+
+		Map<String, String> uriVariables = new HashMap<>();
+		UriComponents uriComponents = UriComponentsBuilder.fromHttpUrl(baseUrl)
+				.replaceQuery(null)
+				.fragment(null)
+				.build();
+		String scheme = uriComponents.getScheme();
+		uriVariables.put("baseScheme", scheme == null ? "" : scheme);
+		String host = uriComponents.getHost();
+		uriVariables.put("baseHost", host == null ? "" : host);
+		// following logic is based on HierarchicalUriComponents#toUriString()
+		int port = uriComponents.getPort();
+		uriVariables.put("basePort", port == -1 ? "" : ":" + port);
+		String path = uriComponents.getPath();
+		if (StringUtils.hasLength(path)) {
+			if (path.charAt(0) != PATH_DELIMITER) {
+				path = PATH_DELIMITER + path;
+			}
+		}
+		uriVariables.put("basePath", path == null ? "" : path);
+		uriVariables.put("baseUrl", uriComponents.toUriString());
+		uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : "");
+		uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : "");
+
+		return UriComponentsBuilder.fromUriString(template)
+				.buildAndExpand(uriVariables)
+				.toUriString();
+	}
+
+	static String getApplicationUri(HttpServletRequest request) {
+		UriComponents uriComponents = fromHttpUrl(buildFullRequestUrl(request))
+				.replacePath(request.getContextPath())
+				.replaceQuery(null)
+				.fragment(null)
+				.build();
+		return uriComponents.toUriString();
+	}
+}
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.servlet.filter;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.springframework.util.StringUtils.hasText;
+
+/**
+ * @since 5.2
+ */
+public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
+
+	public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}";
+	private final RequestMatcher matcher;
+	private final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
+
+	public Saml2WebSsoAuthenticationFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
+		super(DEFAULT_FILTER_PROCESSES_URI);
+		Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
+		this.matcher = new AntPathRequestMatcher(DEFAULT_FILTER_PROCESSES_URI);
+		this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
+		setAllowSessionCreation(true);
+		setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
+	}
+
+	@Override
+	protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
+		return (super.requiresAuthentication(request, response) && hasText(request.getParameter("SAMLResponse")));
+	}
+
+	@Override
+	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+			throws AuthenticationException {
+		String saml2Response = request.getParameter("SAMLResponse");
+		byte[] b = Saml2Utils.decode(saml2Response);
+
+		String responseXml = inflateIfRequired(request, b);
+		RelyingPartyRegistration rp =
+				this.relyingPartyRegistrationRepository.findByRegistrationId(this.matcher.matcher(request).getVariables().get("registrationId"));
+		String localSpEntityId = Saml2Utils.getServiceProviderEntityId(rp, request);
+		final Saml2AuthenticationToken authentication = new Saml2AuthenticationToken(
+				responseXml,
+				request.getRequestURL().toString(),
+				rp.getRemoteIdpEntityId(),
+				localSpEntityId,
+				rp.getCredentials()
+		);
+		return getAuthenticationManager().authenticate(authentication);
+	}
+
+	private String inflateIfRequired(HttpServletRequest request, byte[] b) {
+		if (HttpMethod.GET.matches(request.getMethod())) {
+			return Saml2Utils.inflate(b);
+		}
+		else {
+			return new String(b, UTF_8);
+		}
+	}
+
+}
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.servlet.filter;
+
+import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequest;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher.MatchResult;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.UriComponentsBuilder;
+import org.springframework.web.util.UriUtils;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static java.lang.String.format;
+import static org.springframework.security.saml2.provider.service.servlet.filter.Saml2Utils.deflate;
+import static org.springframework.security.saml2.provider.service.servlet.filter.Saml2Utils.encode;
+
+/**
+ * @since 5.2
+ */
+public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter {
+
+	private final RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
+
+	private RequestMatcher redirectMatcher = new AntPathRequestMatcher("/saml2/authenticate/{registrationId}");
+
+	private Saml2AuthenticationRequestFactory authenticationRequestFactory = new OpenSamlAuthenticationRequestFactory();
+
+	public Saml2WebSsoAuthenticationRequestFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
+		Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
+		this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
+	}
+
+	public void setAuthenticationRequestFactory(Saml2AuthenticationRequestFactory authenticationRequestFactory) {
+		Assert.notNull(authenticationRequestFactory, "authenticationRequestFactory cannot be null");
+		this.authenticationRequestFactory = authenticationRequestFactory;
+	}
+
+	public void setRedirectMatcher(RequestMatcher redirectMatcher) {
+		Assert.notNull(redirectMatcher, "redirectMatcher cannot be null");
+		this.redirectMatcher = redirectMatcher;
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+		MatchResult matcher = this.redirectMatcher.matcher(request);
+		if (!matcher.isMatch()) {
+			filterChain.doFilter(request, response);
+			return;
+		}
+
+		String registrationId = matcher.getVariables().get("registrationId");
+		sendRedirect(request, response, registrationId);
+	}
+
+	private void sendRedirect(HttpServletRequest request, HttpServletResponse response, String registrationId)
+			throws IOException {
+		if (this.logger.isDebugEnabled()) {
+			this.logger.debug(format("Creating SAML2 SP Authentication Request for IDP[%s]", registrationId));
+		}
+		RelyingPartyRegistration relyingParty = this.relyingPartyRegistrationRepository.findByRegistrationId(registrationId);
+		String redirectUrl = createSamlRequestRedirectUrl(request, relyingParty);
+		response.sendRedirect(redirectUrl);
+	}
+
+	private String createSamlRequestRedirectUrl(HttpServletRequest request, RelyingPartyRegistration relyingParty) {
+		Saml2AuthenticationRequest authNRequest = createAuthenticationRequest(relyingParty, request);
+		String xml = this.authenticationRequestFactory.createAuthenticationRequest(authNRequest);
+		String encoded = encode(deflate(xml));
+		String relayState = request.getParameter("RelayState");
+		String redirect = UriComponentsBuilder
+				.fromUriString(relyingParty.getIdpWebSsoUrl())
+				.queryParam("SAMLRequest", UriUtils.encode(encoded, StandardCharsets.ISO_8859_1))
+				.queryParam("RelayState", UriUtils.encode(relayState, StandardCharsets.ISO_8859_1))
+				.build(true)
+				.toUriString();
+		return redirect;
+	}
+
+	private Saml2AuthenticationRequest createAuthenticationRequest(RelyingPartyRegistration relyingParty, HttpServletRequest request) {
+		String localSpEntityId = Saml2Utils.getServiceProviderEntityId(relyingParty, request);
+		return new Saml2AuthenticationRequest(
+				localSpEntityId,
+				Saml2Utils.resolveUrlTemplate(
+						relyingParty.getAssertionConsumerServiceUrlTemplate(),
+						Saml2Utils.getApplicationUri(request),
+						relyingParty.getRemoteIdpEntityId(),
+						relyingParty.getRegistrationId()
+				),
+				relyingParty.getSigningCredentials()
+		);
+	}
+
+}
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.junit.Test;
+
+public class OpenSamlImplementationTests {
+
+	@Test
+	public void getInstance() {
+		OpenSamlImplementation.getInstance();
+	}
+}
@@ -0,0 +1,14 @@
+<configuration>
+	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+		<encoder>
+			<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+		</encoder>
+	</appender>
+
+	<logger name="org.springframework.security" level="${sec.log.level:-WARN}"/>
+
+	<root level="${root.level:-WARN}">
+		<appender-ref ref="STDOUT"/>
+	</root>
+
+</configuration>