
Update Saml2WebSsoAuthenticationFilter requestAuthentication for SAMLart #11192

Closed
rcwinder opened this issue May 10, 2022 · 2 comments
Labels: in: saml2 (An issue in SAML2 modules), type: enhancement (A general enhancement)
Milestone: 5.8.0-M1
Comments

@rcwinder

rcwinder commented May 10, 2022

I am using Spring Security to implement SAML2 in our SP application. However, the IDP that we use requires us to use HTTP-Artifact for our assertionConsumerServiceBinding (instead of HTTP-Redirect or HTTP-POST).
I already found that there is an open request for HTTP-artifact support, #10831, but this seems like it might take some time.

For our HTTP-artifact solution we have implemented our own Saml2AuthenticationTokenConverter which allows us to do a SOAP call to our IDP and then continue a similar structure as the default Saml2AuthenticationTokenConverter.

We are able to set our own Saml2AuthenticationTokenConverter in the saml2Login configurer; however, this is where we run into an issue with the Saml2WebSsoAuthenticationFilter. The requiresAuthentication in the Saml2WebSsoAuthenticationFilter is set up as below.

// Quoted from Saml2WebSsoAuthenticationFilter: the filter only fires when the
// request matches the processing URL AND carries a SAMLResponse parameter.
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
	return (super.requiresAuthentication(request, response)
			&& StringUtils.hasText(request.getParameter(Saml2ParameterNames.SAML_RESPONSE)));
}

Since the response we get from the IDP does not include SAMLResponse as a query parameter, but instead SAMLart, we cannot use the Saml2WebSsoAuthenticationFilter.

We hope it can be made possible to change the Saml2WebSsoAuthenticationFilter in such a way that the query parameter can be configured to another (or multiple) query parameters.

Currently we have been able to get a 'dirty' fix by also creating our own implementation of the Saml2WebSsoAuthenticationFilter and adding that before the original filter, but since our only limitation of the default Saml2WebSsoAuthenticationFilter is the query parameter, we hope this can be made configurable.

@rcwinder rcwinder added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 10, 2022
@marcusdacoregio marcusdacoregio added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels May 10, 2022
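The subclass workaround described in the report, written out as an added example (this is not the issue author's code and not part of Spring Security). It targets the 5.x API (javax.servlet), assumes the artifact-resolving AuthenticationConverter that the reporter mentions is supplied by the application as a bean named artifactConverter, assumes the default processing URL /login/saml2/sso/{registrationId}, and defines the SAMLart parameter name as a local constant since the example cannot rely on Saml2ParameterNames providing one:

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;

/**
 * Added example, not the issue author's code and not part of Spring Security.
 * Widens the filter's gate so that a request carrying either SAMLResponse
 * (HTTP-POST binding) or SAMLart (HTTP-Artifact binding) reaches the
 * configured AuthenticationConverter.
 */
public class ArtifactAwareSaml2WebSsoAuthenticationFilter extends Saml2WebSsoAuthenticationFilter {

    /** Parameter name of the SAML 2.0 HTTP-Artifact binding; a local constant by assumption of this example. */
    public static final String SAML_ARTIFACT = "SAMLart";

    private final RequestMatcher processingUrlMatcher;

    public ArtifactAwareSaml2WebSsoAuthenticationFilter(AuthenticationConverter converter, String filterProcessesUrl) {
        super(converter, filterProcessesUrl);
        // Mirror of the matcher the parent installs for filterProcessesUrl; the parent's field is private.
        this.processingUrlMatcher = new AntPathRequestMatcher(filterProcessesUrl);
    }

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Deliberately NOT calling super.requiresAuthentication(): the parent's override
        // would re-impose the SAMLResponse-only check this subclass exists to relax.
        if (!this.processingUrlMatcher.matches(request)) {
            return false;
        }
        // Gate only on presence of a parameter; resolving and validating it is the converter's job.
        return StringUtils.hasText(request.getParameter(Saml2ParameterNames.SAML_RESPONSE))
                || StringUtils.hasText(request.getParameter(SAML_ARTIFACT));
    }
}

@Configuration
class ArtifactSaml2Config {

    // artifactConverter is an assumed application bean: the converter that performs the
    // SOAP ArtifactResolve call to the IDP and returns a Saml2AuthenticationToken.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationConverter artifactConverter) throws Exception {
        ArtifactAwareSaml2WebSsoAuthenticationFilter filter =
                new ArtifactAwareSaml2WebSsoAuthenticationFilter(artifactConverter, "/login/saml2/sso/{registrationId}");
        filter.setAuthenticationManager(new ProviderManager(new OpenSaml4AuthenticationProvider()));
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .saml2Login(saml2 -> saml2.authenticationConverter(artifactConverter))
            // Placed before the stock filter, which would otherwise never fire for a SAMLart request.
            .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
        return http.build();
    }
}
```

Two things to keep in mind with this shape. First, a naive subclass that calls super.requiresAuthentication() gains nothing, because the parent's override is exactly the SAMLResponse check being worked around; the subclass has to re-evaluate the processing-URL matcher itself. Second, once the gate is widened, the filter no longer rejects anything on its own: every request to the processing URL with either parameter is handed to the converter, so the converter must treat a missing, malformed or unresolvable SAMLart/SAMLResponse as an authentication failure rather than assuming the filter already screened it. That is the same property the maintainer relies on in the reply below when proposing to drop the check from the filter altogether.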
@jzheaux
Contributor

jzheaux commented May 20, 2022

Thanks for the suggestions, @rcwinder. I think at this point, the check can be removed from the filter since the Saml2AuthenticationTokenConverter checks for the parameter itself.

@rcwinder
Author

Thanks for your reply. That would also indeed solve the issue we are currently having. Looking forward to seeing it in a future version of Spring Security!

@jzheaux jzheaux added this to the 5.8.0-M1 milestone May 23, 2022
jzheaux added a commit that referenced this issue May 23, 2022