
Saml2 RelyingPartyRegistration.nameIdFormat is ignored and not set in AuthnRequest from OpenSamlAuthenticationRequestResolver #12825

Closed
Shabin opened this issue Mar 3, 2023 · 2 comments
Labels: status: ideal-for-contribution (An issue that we actively are looking for someone to help us with), type: bug (A general bug)

Comments

Shabin commented Mar 3, 2023

I migrated from Spring Security 5.7.2 to 6.0.0.
In 5.7.2, if I set nameIdFormat of RelyingPartyRegistration, it was added to the AuthnRequest in OpenSaml4AuthenticationRequestFactory.createAuthnRequest.
But in 6.0.0, nameIdFormat set in RelyingPartyRegistration is ignored and is not added to the AuthnRequest in OpenSamlAuthenticationRequestResolver.resolve.
I am setting nameIdFormat like this:

RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId(id);
...
// e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
builder.nameIdFormat(properties.getNameIdFormat());
RelyingPartyRegistration registration = builder.build();

What is the process now to add nameIdPolicy to the request?

@Shabin Shabin added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 3, 2023
jzheaux (Contributor) commented Mar 6, 2023

Hi, @Shabin. I think that setting the name id policy needs to be added to OpenSamlAuthenticationRequestResolver. Are you able to provide a PR that does that? If so, please include tests and also base it on 5.7.x since that is where the bug was first introduced.

In the meantime, you can customize the AuthnRequest like so:

@Bean
OpenSaml4AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
    OpenSaml4AuthenticationRequestResolver authenticationRequestResolver =
            new OpenSaml4AuthenticationRequestResolver(new DefaultRelyingPartyRegistrationResolver(registrations));
    authenticationRequestResolver.setAuthnRequestCustomizer((context) -> {
        RelyingPartyRegistration registration = context.getRelyingPartyRegistration();
        AuthnRequest request = context.getAuthnRequest();
        String format = registration.getNameIdFormat();
        if (format == null) {
            return; // nothing configured: leave the AuthnRequest without a NameIDPolicy
        }
        // build the element through OpenSAML's registered builder for NameIDPolicy
        NameIDPolicyBuilder policyBuilder = (NameIDPolicyBuilder) XMLObjectProviderRegistrySupport
                .getBuilderFactory().getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        NameIDPolicy policy = policyBuilder.buildObject();
        policy.setFormat(format);
        request.setNameIDPolicy(policy);
    });
    return authenticationRequestResolver;
}

@jzheaux jzheaux added status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 6, 2023
@jzheaux jzheaux added this to the 5.7.x milestone Mar 6, 2023
@jzheaux jzheaux self-assigned this Mar 7, 2023
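Whether the NameIDPolicy is present in what the relying party actually sends (the behaviour Shabin reports changing between 5.7.2 and 6.0.0, and the thing the customizer above is meant to restore) can be confirmed from the outgoing request itself. The following is an added example, not code from this thread or from Spring Security: a plain-JDK utility that takes the SAMLRequest query parameter of the HTTP-Redirect binding (URL-decoded, i.e. base64 of raw DEFLATE), inflates it with a size guard, parses the XML with DTDs disabled, and returns the NameIDPolicy Format, or null when the element is absent. The class and method names (AuthnRequestNameIdCheck, decodeRedirectSamlRequest, nameIdPolicyFormat, encodeRedirectSamlRequest) are mine, and the two AuthnRequest documents in main are constructed samples, not captured traffic.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AuthnRequestNameIdCheck {

    private static final String SAML2P_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final int MAX_INFLATED_BYTES = 1 << 20; // guard against decompression bombs

    /** Decode a (URL-decoded) SAMLRequest value from the HTTP-Redirect binding: base64 over raw DEFLATE. */
    static String decodeRedirectSamlRequest(String samlRequestParam) throws DataFormatException {
        byte[] deflated = Base64.getDecoder().decode(samlRequestParam);
        Inflater inflater = new Inflater(true); // nowrap = raw DEFLATE, no zlib header
        inflater.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                break; // truncated or malformed input: stop rather than spin
            }
            out.write(buf, 0, n);
            if (out.size() > MAX_INFLATED_BYTES) {
                throw new IllegalArgumentException("inflated AuthnRequest exceeds " + MAX_INFLATED_BYTES + " bytes");
            }
        }
        inflater.end();
        return out.toString(StandardCharsets.UTF_8);
    }

    /** Return the Format attribute of samlp:NameIDPolicy, or null when the AuthnRequest carries no policy. */
    static String nameIdPolicyFormat(String authnRequestXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD: no XXE or entity expansion
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(authnRequestXml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagNameNS(SAML2P_NS, "NameIDPolicy");
        if (nodes.getLength() == 0) {
            return null;
        }
        Element policy = (Element) nodes.item(0);
        return policy.hasAttribute("Format") ? policy.getAttribute("Format") : null;
    }

    /** Encode XML the way the Redirect binding does; used here only to build the constructed samples. */
    static String encodeRedirectSamlRequest(String xml) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the shape an AuthnRequest has with and without a NameIDPolicy.
        String withPolicy = "<samlp:AuthnRequest xmlns:samlp=\"" + SAML2P_NS + "\" ID=\"_sample1\" Version=\"2.0\""
                + " IssueInstant=\"2023-03-03T00:00:00Z\">"
                + "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\" AllowCreate=\"true\"/>"
                + "</samlp:AuthnRequest>";
        String withoutPolicy = "<samlp:AuthnRequest xmlns:samlp=\"" + SAML2P_NS + "\" ID=\"_sample2\" Version=\"2.0\""
                + " IssueInstant=\"2023-03-03T00:00:00Z\"/>";

        for (String xml : new String[] { withPolicy, withoutPolicy }) {
            String param = encodeRedirectSamlRequest(xml);      // what appears after ?SAMLRequest= (before URL-encoding)
            String decoded = decodeRedirectSamlRequest(param);
            System.out.println("NameIDPolicy Format: " + nameIdPolicyFormat(decoded));
        }
    }
}
```

Against a live relying party, pass the SAMLRequest value from the redirect to the IdP through URL decoding first; a null result with nameIdFormat configured reproduces the 6.0.0 behaviour described above, and the expected format string shows the customizer is in effect. For the HTTP-POST binding the parameter is base64 only, so skip the inflate step.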
tatisled (Contributor) commented

Hi, @jzheaux @Shabin
I would prefer to add nameIdPolicy to RelyingPartyRegistration.
I believe it has already been discussed here: #9115
But while using nameIdFormat, the PR will fix the issue with ignoring it in AuthnRequest.
