-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow Saml2MetadataFilter to work without AssertingPartyDetails in RelyingPartyRegistration #11369
Comments
@emopti-jrufer, thanks for the suggestion. This may take some time to sort out as there is no domain object in Spring Security that contains only the relying party information. I'm placing this in the backlog for the time being. In the meantime, can you clarify why you are filling out fake data for the asserting party? I'm guessing that your application does coordinate with an asserting party, so I wonder what your arrangement is such that you cannot use the |
@jzheaux We have a multi tenant SaaS application where we provide our customers access to download the Service Provider SAML Metadata before it is configured in the application. Basically we are requesting the IDP metadata from our customers at the same time we share our SP metadata. We prefer not requiring the IDP information before allowing access to the SP metadata. This is something that are currently using with the legacy SAML extension. For our use case the metadata our application generates is determined by the hostname where the entityId is unique to that hostname. We allow multiple IDPs to be configured per hostname but do not change the metadata based on the IDP. For our workaround we are generating the One possible option is to expand the purpose of RelyingPartyRegistration to be either SP and IDP or just SP. An additional build method with a corresponding constructor could be added that is specifically for SP only. Ex: private RelyingPartyRegistration(String registrationId, String entityId, String assertionConsumerServiceLocation,
Saml2MessageBinding assertionConsumerServiceBinding, String singleLogoutServiceLocation,
String singleLogoutServiceResponseLocation, Collection<Saml2MessageBinding> singleLogoutServiceBindings, String nameIdFormat,
Collection<Saml2X509Credential> decryptionX509Credentials,
Collection<Saml2X509Credential> signingX509Credentials) {
...
}
public RelyingPartyRegistration buildForMetadata() {
...
) |
Plus one on this. We are implementing a use case where the SAML SP metadata needs to be downloadable before the asserting party is set up. I think this is because some SAML IDPs want you to supply the SAML SP metadata first in order to set up the asserting party config. For context, we are maintaining an identity proxy app where customers can integrate our app with whatever SAML IDPs of their choice, in runtime. So in our app code, we need to stay agnostic to what the exact SAML IDPs / asserting parties are, and make that configurable via API in runtime. |
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697]
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697]
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697]
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
I think one thing that we could at least do is provide an interface, say |
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration, which requires a valid SAML IDP metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP metadata is, until the operator adds it via the /identity-providers endpoint. Also, some SAML IDPs might require you to supply the SAML SP metadata first before you can obtain the SAML IDP metadata. See relevant issue: spring-projects/spring-security#11369 - Previously, to solve this problem, the SAML SP metadata generation relies on relyingPartyRegistration values in saml-providers.xml, which hardcodes a SAML IDP metadata URL (point to some example Okta SAML instance); this means that UAA's SP metadata generation relies on the example Okta SAML instance to be running. - This commit, instead, supplies a hardcoded dummy SAML IDP metadata here to unblock the SAML SP metadata generation, at the advice of Spring Security team, so that UAA's functioning does not rely on some external running Okta instance. - code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62 [#186986697] Co-authored-by: Peter Chen <peter-h.chen@broadcom.com>
Expected Behavior
Saml2MetadataFilter
should not require information about an identity provider / asserting party in order to generate the metadata. TheRelyingPartyRegistration
is intended to be a representation of both the relying part and the asserting party. Since the metadata is a representation solely of the relying party not sure if theRelyingPartyRegistration
should be used or potentially modified to allow creating theRelyingPartyRegistration
withoutAssertingPartyDetails
.Current Behavior
Current behavior utilizes
RelyingPartyRegistration
which requiresAssertingPartyDetails
to be configured.Context
We are having to add fake data to the asserting party details that is part of
RelyingPartyRegistration
in order to generate metadata.The text was updated successfully, but these errors were encountered: