Custom SAML Authority Extractor #7642


Closed

mftruso opened this issue Nov 11, 2019 · 3 comments
Labels: in: saml2 (An issue in SAML2 modules); status: duplicate (A duplicate of another issue)

Comments


mftruso commented Nov 11, 2019

Summary

It doesn't appear possible to use AuthenticationManagerBuilder config with Saml2LoginConfigurer to provide a custom Authority extractor.

Actual Behavior

OpenSamlAuthenticationProvider always uses the default implementation for authoritiesExtractor. See https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java#L216-L219

Expected Behavior

Use AuthenticationManagerBuilder to provide OpenSamlAuthenticationProvider with a custom Authority mapper & extractor.

Configuration

import static java.util.Collections.singletonList;
import java.util.Collection;
import org.opensaml.saml.saml2.core.Assertion;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Custom extractor: grants every authenticated SAML user ROLE_SUPERUSER
    Converter<Assertion, Collection<? extends GrantedAuthority>> authoritiesExtractor = (a ->
            singletonList(new SimpleGrantedAuthority("ROLE_SUPERUSER"))
    );

    // Identity mapper: passes the extracted authorities through unchanged
    GrantedAuthoritiesMapper authoritiesMapper = (a -> a);

    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        OpenSamlAuthenticationProvider samlAuthProvider = new OpenSamlAuthenticationProvider();
        samlAuthProvider.setAuthoritiesExtractor(authoritiesExtractor);
        samlAuthProvider.setAuthoritiesMapper(authoritiesMapper);
        authenticationManagerBuilder.authenticationProvider(samlAuthProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .saml2Login()
                .relyingPartyRegistrationRepository(
                    new InMemoryRelyingPartyRegistrationRepository(
                        getSaml2AuthenticationConfiguration()
                    )
                )
                .successHandler(getCustomLoginSuccessHandler());
        // @formatter:on
    }
}

Version

  • Spring 5.1.6.RELEASE
  • Spring Security 5.2.1.RELEASE

Sample

https://github.com/mftruso/spring-security-saml-example/blob/master/src/main/java/com/miketruso/springsecurity/saml/demo/config/SecurityConfig.java

@eleftherias (Contributor)

Thanks for the report @mftruso.

The reason the above configuration is not using your custom OpenSamlAuthenticationProvider is that you are configuring saml2Login() as well, which adds its own OpenSamlAuthenticationProvider.
The OpenSamlAuthenticationProvider configured by saml2Login() will process your request first, and therefore the request will not reach the custom OpenSamlAuthenticationProvider.

I have created a new issue, gh-7654, to make it easier to set a custom OpenSamlAuthenticationProvider.

As a workaround for the moment, you can use an ObjectPostProcessor.
Here is an example of how it would work with the code you provided.

...
.saml2Login()
    .addObjectPostProcessor(new ObjectPostProcessor<OpenSamlAuthenticationProvider>() {
        @Override
        public <O extends OpenSamlAuthenticationProvider> O postProcess(O samlAuthProvider) {
            samlAuthProvider.setAuthoritiesExtractor(authoritiesExtractor);
            samlAuthProvider.setAuthoritiesMapper(authoritiesMapper);
            return samlAuthProvider;
        }
    });

@eleftherias eleftherias added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 18, 2019
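As an added example (not code from this issue, its sample repository, or Spring Security itself), here is a complete configuration that applies the ObjectPostProcessor workaround above on Spring Security 5.2.x and, instead of granting a fixed role, derives authorities from a group attribute in the assertion. It assumes a RelyingPartyRegistrationRepository bean already exists in the context (Spring Boot 2.2 builds one from the spring.security.saml2.relyingparty.* properties), that the IdP sends group membership in a SAML attribute named groups, that the GROUP_TO_ROLE allow-list matches the IdP's group names, and Java 9 or later for Map.of. OpenSamlAuthenticationProvider verifies the response and assertion signatures and conditions before it hands the Assertion to the extractor, so the attribute values are as trustworthy as the registered IdP; the allow-list is still worth keeping so that a misconfigured IdP cannot mint arbitrary application roles.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class SamlAuthoritiesConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the IdP sends group membership in a SAML attribute with this name.
    static final String GROUP_ATTRIBUTE = "groups";

    // Assumption: allow-list of IdP groups that grant application roles;
    // groups not listed here are ignored instead of being turned into roles.
    static final Map<String, String> GROUP_TO_ROLE = Map.of(
            "app-admins", "admin",
            "app-users", "user");

    // Runs after OpenSamlAuthenticationProvider has verified the signature and
    // conditions of the Assertion; returns the raw role names for allow-listed groups.
    static final Converter<Assertion, Collection<? extends GrantedAuthority>> AUTHORITIES_EXTRACTOR = assertion -> {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                if (!GROUP_ATTRIBUTE.equals(attribute.getName())) {
                    continue;
                }
                for (XMLObject value : attribute.getAttributeValues()) {
                    String group = textOf(value);
                    String role = (group == null) ? null : GROUP_TO_ROLE.get(group.trim());
                    if (role != null) {
                        authorities.add(new SimpleGrantedAuthority(role));
                    }
                }
            }
        }
        return authorities;
    };

    // Normalises what the extractor returned: ROLE_ prefix, upper case,
    // and ROLE_USER when the user matched no allow-listed group.
    static GrantedAuthoritiesMapper authoritiesMapper() {
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setPrefix("ROLE_");
        mapper.setConvertToUpperCase(true);
        mapper.setDefaultAuthority("ROLE_USER");
        return mapper;
    }

    // OpenSAML exposes attribute values as xs:string or xs:anyType objects.
    private static String textOf(XMLObject value) {
        if (value instanceof XSString) {
            return ((XSString) value).getValue();
        }
        if (value instanceof XSAny) {
            return ((XSAny) value).getTextContent();
        }
        return null;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // A RelyingPartyRegistrationRepository bean is assumed to be present in the context.
            .saml2Login(saml2 -> saml2
                .addObjectPostProcessor(new ObjectPostProcessor<OpenSamlAuthenticationProvider>() {
                    @Override
                    public <O extends OpenSamlAuthenticationProvider> O postProcess(O provider) {
                        provider.setAuthoritiesExtractor(AUTHORITIES_EXTRACTOR);
                        provider.setAuthoritiesMapper(authoritiesMapper());
                        return provider;
                    }
                }));
    }
}
```

The extractor deliberately returns bare names and leaves normalisation to SimpleAuthorityMapper, which adds the prefix, upper-cases, and substitutes ROLE_USER for an empty set, so a user in no recognised group is still authenticated but is denied on /admin/**. The two setters used here were deprecated in Spring Security 5.4 in favour of setResponseAuthenticationConverter, so on later 5.x releases the same post-processor should call that method instead.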

mftruso commented Nov 20, 2019

Workaround works great! Thanks @eleftherias!

@eleftherias (Contributor)

I will close this issue, since we have gh-7654 instead and a workaround for the time being.

@eleftherias eleftherias added the status: duplicate A duplicate of another issue label Dec 12, 2019