diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
index a0431de31e..1971c6b589 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
@@ -107,6 +107,7 @@ where * `https://idp.example.com/issuer` is the value contained in the `Issuer` attribute of the SAML responses that the identity provider will issue * `classpath:idp.crt` is the location on the classpath for the identity provider's certificate for verifying SAML responses, and * `https://idp.example.com/issuer/sso` is the endpoint where the identity provider is expecting `AuthnRequest` s. +* `adfs` is <> And that's it!
@@ -190,6 +191,7 @@ image:{icondir}/number_10.png[] And finally, it takes the `NameID` from the firs Then, it places that principal and the authorities into a `Saml2Authentication`. The resulting `Authentication#getPrincipal` is a Spring Security `Saml2AuthenticatedPrincipal` object, and `Authentication#getName` maps to the first assertion's `NameID` element. +`Saml2Authentication#getRelyingPartyRegistrationId` holds the <>. [[servlet-saml2login-opensaml-customization]] ==== Customizing OpenSAML Configuration
@@ -230,7 +232,7 @@ static { authnRequest.setForceAuthN(true); } } - + factory.getMarshallerFactory().registerMarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME, marshaller); }); }
@@ -342,6 +344,10 @@ public RelyingPartyRegistrationRepository relyingPartyRegistrations() { ---- ==== +[[servlet-saml2login-relyingpartyregistrationid]] +[NOTE] +The `registrationId` is an arbitrary value that you choose for differentiating between registrations. + Or you can provide each detail manually, as you can see below: .Relying Party Registration Repository Manual Configuration 
diff --git a/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java b/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java
index d37792456b..c8c19b543a 100644
--- a/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java
+++ b/saml2/saml2-service-provider/core/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java
@@ -22,6 +22,7 @@ import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.AuthenticatedPrincipal;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
 
 /**
@@ -41,14 +42,40 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
 
 	private final String saml2Response;
 
+	private final String relyingPartyRegistrationId;
+
+	/**
+	 * Construct a {@link Saml2Authentication} using the provided parameters
+	 * @param principal the logged in user
+	 * @param saml2Response the SAML 2.0 response used to authenticate the user
+	 * @param authorities the authorities for the logged in user
+	 * @deprecated Use
+	 * {@link #Saml2Authentication(AuthenticatedPrincipal, String, Collection, String)}
+	 */
+	@Deprecated
 	public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
 			Collection authorities) {
+		this(principal, saml2Response, authorities, null);
+	}
+
+	/**
+	 * Construct a {@link Saml2Authentication} using the provided parameters
+	 * @param principal the logged in user
+	 * @param saml2Response the SAML 2.0 response used to authenticate the user
+	 * @param authorities the authorities for the logged in user
+	 * @param relyingPartyRegistrationId the
+	 * {@link RelyingPartyRegistration#getRegistrationId} associated with this user
+	 * @since 5.5
+	 */
+	public Saml2Authentication(AuthenticatedPrincipal principal, String saml2Response,
+			Collection authorities, String relyingPartyRegistrationId) {
 		super(authorities);
 		Assert.notNull(principal, "principal cannot be null");
 		Assert.hasText(saml2Response, "saml2Response cannot be null");
 		this.principal = principal;
 		this.saml2Response = saml2Response;
 		setAuthenticated(true);
+		this.relyingPartyRegistrationId = relyingPartyRegistrationId;
 	}
 
 	@Override
@@ -69,4 +96,14 @@ public class Saml2Authentication extends AbstractAuthenticationToken {
 		return getSaml2Response();
 	}
 
+	/**
+	 * Get the registration id associated with the {@link RelyingPartyRegistration} that
+	 * this user belongs to
+	 * @return the relying party registration id
+	 * @since 5.5
+	 */
+	public String getRelyingPartyRegistrationId() {
+		return this.relyingPartyRegistrationId;
+	}
+
 }
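Review bot: `getRelyingPartyRegistrationId()` can return `null`, because the deprecated three-argument constructor forwards `null` into the new one, yet neither the getter's Javadoc nor the four-argument constructor says so; code that scopes authorization, logout or audit records by registration id will assume it is always set. I'd make this explicit on the getter: `@return the relying party registration id, or {@code null} if this token was created with the deprecated three-argument constructor`, and state the same on the new constructor's `@param relyingPartyRegistrationId`. As a point of style, the new field is assigned after `setAuthenticated(true)` while every other field is assigned before it; moving `this.relyingPartyRegistrationId = relyingPartyRegistrationId;` up next to `this.saml2Response = saml2Response;` keeps the token fully populated before it is marked authenticated.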
diff --git a/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java b/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
index e8531b1d39..6ebe1a972d 100644
--- a/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
+++ b/saml2/saml2-service-provider/opensaml3/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@@ -425,7 +425,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			String username = assertion.getSubject().getNameID().getValue();
 			Map> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
+					token.getSaml2Response(), Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}
 
@@ -627,8 +628,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			String username = assertion.getSubject().getNameID().getValue();
 			Map> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(),
-					this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
+					token.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}
 
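Review bot: The added argument reaches the registration through `responseToken.token` while the line directly above still reads the response from `token`; if `token` is the same `Saml2AuthenticationToken` as `responseToken.token` (the lambda head that declares it is outside the hunk and would confirm this), the new line should be `token.getRelyingPartyRegistration().getRegistrationId()` so a reader does not wonder whether two different tokens are in play. The same mixed access appears in the second hunk of this file and in the `OpenSaml4AuthenticationProvider` hunk of this commit. Whether `getRelyingPartyRegistration()` can be null for a token that reached this point is not visible here; if it can, the chained call would surface as a `NullPointerException` rather than a `Saml2AuthenticationException`, so a short comment stating the non-null guarantee relied upon would help. Both lambdas begin outside their hunks.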
diff --git a/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
index ef148ba6b7..cd92371c87 100644
--- a/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
+++ b/saml2/saml2-service-provider/opensaml4/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -365,7 +365,8 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 			String username = assertion.getSubject().getNameID().getValue();
 			Map> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
-					token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"));
+					token.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"),
+					responseToken.token.getRelyingPartyRegistration().getRegistrationId());
 		};
 	}
 