Description
Spring Boot should add auto-configuration support for spring-security-saml2-service-provider to support basic SAML 2 authentication in Spring Security.
Concept:
A user can configure one or more relying parties in Spring Boot. Each relying party represents a paired configuration between an Identity Provider (IDP) and a Service Provider (SP). The Spring Boot application acts as an SP.
A common structure is a 1-to-many SP-to-IDP representation, such as the following (illustrative sample of an alternative configuration):
```yaml
spring:
  security:
    saml2:
      login:
        service-provider:
          # quoted: an unquoted value starting with "{" would be parsed as a YAML flow mapping
          local-sp-entity-id-template: "{baseUrl}/saml2/service-provider-metadata/{registrationId}"
          signing-credentials:
            - private-key: ...
              certificate: ...
        identity-providers:
          - registration-id: idp1
            web-sso-url: https://...
            verification-credentials:
              - certificate: ...
          - registration-id: idp2
            web-sso-url: https://...
            verification-credentials:
              - certificate: ...
```
In the Spring Security object model, we have opted to make a 1-to-1 relationship between SP and IDP. This allows us to separate out SP credentials per IDP relationship, not requiring all credentials to be rotated at the same time. To be exact, we can make a configuration change for one SP-to-IDP relationship without affecting the other IDPs that are currently configured.
We have created a sample Boot configuration to illustrate this (sample configuration to show the 1-to-1 configuration mappings as they exist in the object model, our preferred configuration option):
```yaml
spring:
  security:
    saml2:
      login:
        relying-parties:
          - registration-id: mandatory-unique-id-1
            # quoted: an unquoted value starting with "{" would be parsed as a YAML flow mapping
            local-sp-entity-id-template: "{baseUrl}/saml2/service-provider-metadata/{registrationId}"
            signing-credentials:
              - private-key: SP-private-key-1
                certificate: SP-X509-certificate-1
                usage:
                  - SIGNING
                  - DECRYPTION
            entity-id: remote-idp-entity-id
            web-sso-url: remote-idp-url-for-authn-requests
            verification-credentials:
              - IDP-X509-certificate-1
              - IDP-X509-certificate-2
          - registration-id: mandatory-unique-id-2
            ...
```
SP credentials are always a list of PrivateKey/X509Certificate object pairs, and IDP credentials are a list of X509Certificate objects. The list represents that a user can configure credentials for rotation when phasing out old credentials.
Spring Security SAML 2 will attempt to use credentials in the order they are received.
The SAML 2 Login relies on a single bean, the RelyingPartyRegistrationRepository, to provide relying party configuration objects based on the registration-id.
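As an added example (not code from this issue, from Spring Boot or from Spring Security), here is a hand-written RelyingPartyRegistrationRepository bean that expresses the 1-to-1 relying-parties model above with the Spring Security 5.2 API: one registration per SP-to-IDP relationship, each carrying its own SP signing credential and its own ordered list of IDP verification certificates, so one relationship's credentials can be rotated without touching the other. The package name, the property keys under `example.saml2.<idp>.` and the resource locations are assumptions; the builder methods used (`withRegistrationId`, `remoteIdpEntityId`, `idpWebSsoUrl`, `credentials`) are the 5.2-era API current when this issue was filed, which later releases restructured.

```java
package com.example.saml2; // hypothetical package

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.core.io.ResourceLoader;
import org.springframework.security.saml2.credentials.Saml2X509Credential;
import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.util.StreamUtils;

/**
 * Hand-written equivalent of the proposed "relying-parties" YAML: one
 * RelyingPartyRegistration per SP-to-IDP relationship, each with its own SP
 * signing credential and its own ordered list of IDP verification certificates.
 * Property keys under "example.saml2.<idp>." are hypothetical, not Boot properties.
 */
@Configuration
public class Saml2RelyingPartyConfig {

    private final Environment env;
    private final ResourceLoader resources;

    public Saml2RelyingPartyConfig(Environment env, ResourceLoader resources) {
        this.env = env;
        this.resources = resources;
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() throws Exception {
        // Two independent relationships: rotating idp1's credentials leaves idp2 untouched.
        return new InMemoryRelyingPartyRegistrationRepository(
                relationship("mandatory-unique-id-1", "idp1"),
                relationship("mandatory-unique-id-2", "idp2"));
    }

    private RelyingPartyRegistration relationship(String registrationId, String idp) throws Exception {
        String p = "example.saml2." + idp + ".";
        List<Saml2X509Credential> credentials = new ArrayList<>();
        // SP key pair scoped to this IDP only: signs AuthnRequests and decrypts assertions.
        credentials.add(new Saml2X509Credential(
                privateKey(env.getRequiredProperty(p + "sp-private-key")),
                certificate(env.getRequiredProperty(p + "sp-certificate")),
                Saml2X509CredentialType.SIGNING, Saml2X509CredentialType.DECRYPTION));
        // IDP certificates in rotation order; Spring Security tries them in the order given,
        // so the current certificate goes first and the one being phased out last.
        for (String location : env.getRequiredProperty(p + "idp-certificates", String[].class)) {
            credentials.add(new Saml2X509Credential(
                    certificate(location.trim()), Saml2X509CredentialType.VERIFICATION));
        }
        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .localEntityIdTemplate("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .remoteIdpEntityId(env.getRequiredProperty(p + "idp-entity-id"))
                .idpWebSsoUrl(env.getRequiredProperty(p + "idp-web-sso-url"))
                .credentials(c -> c.addAll(credentials))
                .build();
    }

    /** Loads a PEM X.509 certificate from a resource location such as "classpath:idp1.crt". */
    private X509Certificate certificate(String location) throws IOException, GeneralSecurityException {
        try (InputStream in = resources.getResource(location).getInputStream()) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Loads an unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY") RSA key; PKCS#1 ("BEGIN RSA PRIVATE KEY") is not handled. */
    private PrivateKey privateKey(String location) throws IOException, GeneralSecurityException {
        try (InputStream in = resources.getResource(location).getInputStream()) {
            String pem = StreamUtils.copyToString(in, StandardCharsets.UTF_8);
            byte[] der = Base64.getDecoder().decode(
                    pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", ""));
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        }
    }
}
```

The bean expects, for each of `idp1` and `idp2`, the hypothetical properties `example.saml2.<idp>.idp-entity-id`, `idp-web-sso-url`, `sp-private-key` and `sp-certificate` (resource locations such as `classpath:sp-1.key`) and `idp-certificates` (a comma-separated list of locations in rotation order). Because each relationship owns its own `Saml2X509Credential` list, replacing `idp1`'s key pair or appending a new IDP certificate for `idp1` is a change to that registration alone, which is the property the 1-to-1 model is chosen for.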
To run the sample in Spring Security:
- Launch the server: `./gradlew :spring-security-samples-boot-saml2login:bootRun`
- Open a browser at http://localhost:8080/
- Use credentials: User: user, Password: password
A sample SAML 2 login configuration may look like:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // every request requires an authenticated user
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // enable SAML 2 login; relying parties come from the RelyingPartyRegistrationRepository bean
            .saml2Login();
    }
}
```