Allow Saml2MetadataFilter to work without AssertingPartyDetails in RelyingPartyRegistration #11369

emopti-jrufer · 2022-06-13T18:07:00Z

Expected Behavior

Saml2MetadataFilter should not require information about an identity provider / asserting party in order to generate the metadata. The RelyingPartyRegistration is intended to be a representation of both the relying part and the asserting party. Since the metadata is a representation solely of the relying party not sure if the RelyingPartyRegistration should be used or potentially modified to allow creating the RelyingPartyRegistration without AssertingPartyDetails.

Current Behavior

Current behavior utilizes RelyingPartyRegistration which requires AssertingPartyDetails to be configured.

Context
We are having to add fake data to the asserting party details that is part of RelyingPartyRegistration in order to generate metadata.

The text was updated successfully, but these errors were encountered:

jzheaux · 2022-06-21T16:21:06Z

@emopti-jrufer, thanks for the suggestion. This may take some time to sort out as there is no domain object in Spring Security that contains only the relying party information. I'm placing this in the backlog for the time being.

In the meantime, can you clarify why you are filling out fake data for the asserting party? I'm guessing that your application does coordinate with an asserting party, so I wonder what your arrangement is such that you cannot use the RelyingPartyRegistration tied to that relying party/asserting party pair.

emopti-jrufer · 2022-06-21T17:02:37Z

@jzheaux We have a multi tenant SaaS application where we provide our customers access to download the Service Provider SAML Metadata before it is configured in the application. Basically we are requesting the IDP metadata from our customers at the same time we share our SP metadata. We prefer not requiring the IDP information before allowing access to the SP metadata. This is something that are currently using with the legacy SAML extension. For our use case the metadata our application generates is determined by the hostname where the entityId is unique to that hostname. We allow multiple IDPs to be configured per hostname but do not change the metadata based on the IDP. For our workaround we are generating the RelyingPartyRegistration dynamically with a custom RelyingPartyRegistrationResolver instead of looking up in a repository.

One possible option is to expand the purpose of RelyingPartyRegistration to be either SP and IDP or just SP. An additional build method with a corresponding constructor could be added that is specifically for SP only. Ex: buildForMetadata. This would allow implementors to declaratively know they are creating a registration solely generating metadata.

	private RelyingPartyRegistration(String registrationId, String entityId, String assertionConsumerServiceLocation,
			Saml2MessageBinding assertionConsumerServiceBinding, String singleLogoutServiceLocation,
			String singleLogoutServiceResponseLocation, Collection<Saml2MessageBinding> singleLogoutServiceBindings, String nameIdFormat,
			Collection<Saml2X509Credential> decryptionX509Credentials,
			Collection<Saml2X509Credential> signingX509Credentials) {
...
}

public RelyingPartyRegistration buildForMetadata() {
...
)

peterhaochen47 · 2024-03-19T20:53:42Z

Plus one on this.

We are implementing a use case where the SAML SP metadata needs to be downloadable before the asserting party is set up. I think this is because some SAML IDPs want you to supply the SAML SP metadata first in order to set up the asserting party config.

For context, we are maintaining an identity proxy app where customers can integrate our app with whatever SAML IDPs of their choice, in runtime. So in our app code, we need to stay agnostic to what the exact SAML IDPs / asserting parties are, and make that configurable via API in runtime.

- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697]

- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

jzheaux · 2024-07-02T22:39:02Z

I think one thing that we could at least do is provide an interface, say RelyingPartyMetadata, that RelyingPartyRegistration implements. With the introduction of Saml2MetadataResponseResolver, I think we could introduce an interface that takes an Iterable<RelyingPartyMetadata> or similar and works out a metadata listing from there. There may be a way to also introduce an implementation of RelyingPartyMetadata that doesn't require an asserting party details instance.

- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>

emopti-jrufer added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jun 13, 2022

rwinch assigned jzheaux Jun 14, 2022

jzheaux added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 21, 2022

jzheaux added this to the General Backlog milestone Jun 21, 2022

jzheaux modified the milestones: General Backlog, 6.4.x Jul 2, 2024

jzheaux mentioned this issue Jul 2, 2024

Allow metadata download without Asserting Party details being known #12748

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow Saml2MetadataFilter to work without AssertingPartyDetails in RelyingPartyRegistration #11369

Allow Saml2MetadataFilter to work without AssertingPartyDetails in RelyingPartyRegistration #11369

emopti-jrufer commented Jun 13, 2022

jzheaux commented Jun 21, 2022 •

edited

Loading

emopti-jrufer commented Jun 21, 2022

peterhaochen47 commented Mar 19, 2024

jzheaux commented Jul 2, 2024

Allow Saml2MetadataFilter to work without AssertingPartyDetails in RelyingPartyRegistration #11369

Allow Saml2MetadataFilter to work without AssertingPartyDetails in RelyingPartyRegistration #11369

Comments

emopti-jrufer commented Jun 13, 2022

jzheaux commented Jun 21, 2022 • edited Loading

emopti-jrufer commented Jun 21, 2022

peterhaochen47 commented Mar 19, 2024

jzheaux commented Jul 2, 2024

jzheaux commented Jun 21, 2022 •

edited

Loading